'Three Lines of Defence' model
Our risk management is based on a 'Three Lines of Defence' model, which shields us against the risks that might threaten the achievement of our goals.
- The business itself. The business operations side is fully responsible for all the risks in its area of activity and has to ensure that effective controls are in place. In so doing, it ensures that the right controls are performed in the right way, that the business side's self-assessment is of a sufficiently high standard, that there is adequate awareness of risk, and that sufficient priority and capacity are allocated to risk themes.
- The Risk function, Compliance, and, for certain matters, Finance, Legal and Tax, and Information Risk Security. Independent of the business side, the second-line risk and control functions form their own opinion of the risks confronting KBC. In this way, they provide an adequate degree of assurance that the first-line control function is keeping these risks under control, without taking over primary responsibility from the first line. To this end, the second-line functions are tasked with identifying, measuring and reporting risks, and the Risk function has a veto right to ensure that its opinion is respected. The second-line risk and control functions also support the consistent implementation of the risk policy, the risk framework and related standards throughout the group, and supervise how they are applied. Compliance is an independent function that aims to prevent KBC from being exposed to compliance risk or suffering harm through non-compliance with the prevailing laws, regulations or internal rules. It pays particular attention in this regard to compliance with the Integrity Policy.
- Internal Audit. As the independent third line of control, Internal Audit is responsible for the quality control of the existing business processes. It performs risk-based and general audits to verify that the internal control and risk management system, including the Risk Policy, is effective and efficient, and that policy measures and processes are in place and consistently applied within the group to guarantee the continuity of operations.