'Three Lines of Defence' model
Our risk management is based on a 'Three Lines of Defence' model, to
shield us against risks that might threaten the achievement of our
- The business itself. The business operations side is fully
responsible for all the risks in its area of activity and has to
ensure that effective controls are in place. In so doing, it ensures
that the right controls are performed in the right way, that
self-assessment of the business side is of a sufficiently high
standard, that there is adequate awareness of risk and that
sufficient priority/capacity is allocated to risk themes.
- The Risk function, Compliance, and – for certain
matters – Finance, Legal and Tax, and Information Risk Security.
Independent of the business side, the second-line risk and control
functions formulate their own opinion regarding the risks
confronting KBC. In this way, they provide an adequate degree of
certainty that the first-line control function is keeping these
risks under control, without taking over primary responsibility from
the first line. In this regard, the second-line functions are tasked
with identifying, measuring and reporting risks. The risk function has a veto
right to ensure that it is respected. The second-line risk and
control functions also support the consistent implementation of the
risk policy, the risk framework, etc., throughout the group, and
supervise how they are applied. Compliance is an independent
function that aims to prevent KBC from being exposed to compliance
risk or suffering harm through non-compliance with the prevailing
laws, regulations or internal rules. It pays particular attention in
this regard to compliance with the Integrity Policy.
- Internal audit. As the independent third line of control, Internal Audit is responsible for the quality control of the existing business processes. It performs risk-based and general audits to ensure that the internal control and risk management system, including Risk Policy, are effective and efficient, and to ensure that policy measures and processes are in place and consistently applied within the group to guarantee the continuity of operations.