Principles of corporate governance, organisational design and risk management

Paper for internal auditors in the financial sector

Royal Netherlands Institute of Chartered Accountants

This paper has been drawn up by a working group of IIA Netherlands and the Members’ Group of Internal and Government Auditors of the Royal Netherlands Institute of Chartered Accountants (NBA), consisting of the following people:

John Bendermacher, ABN AMRO Bank
Reinout Hoogendoorn, Nederlandse Waterschapsbank
René de Jong, Bank Nederlandse Gemeenten
Gertjan Langelaan, Van Lanschot Bankiers
Hans Moison, Great Too
Leen van der Plas, ING Bank
Vincent Wanders, Compliant & More

December 2015
Contents

1 Preface 4
2 Introduction to the principles 5
3 Responsibilities of the company 6
3.1 Determining the mission, core values, strategy and policy 6
3.2 Design of corporate governance, organisation and risk management 7
3.3 Accountability 9
4 Corporate governance 10
4.1 Executive Board 10
4.2 Supervisory Board 12
5 Organisational design and risk management 15
5.1 Measures for organisational design and risk management 15
5.2 Primary business processes 21
5.3 Risk management function and compliance function 22
5.4 Internal audit function 25
6 Reporting 28
Footnotes 29

NBA/IIA
1. Preface

Companies in the Dutch financial sector have to comply with a wide range of requirements, which include regulations in the areas of corporate governance, organisational design and risk management: domestic laws and regulations, laws and regulations for the regulation of certain industries, and corporate governance codes. These requirements are often detailed, address specific areas, and are aimed at specific types of companies. The level of insight into these requirements, and compliance with them, can be increased by creating a compact, accessible and broadly applicable overview of the principles of corporate governance, organisational design and risk management.

It would be impossible to formulate requirements that apply to all financial companies, as the activities, size, complexity, risk profile and public interest of the various companies are too diverse. Nonetheless, there are many general principles that have been found to apply to many financial companies. The principles of corporate governance, organisational design and risk management included in this paper represent an attempt to formulate such a set of general principles. In this way, IIA Netherlands (IIA NL) and the NBA’s Members’ Group of Internal and Government Auditors (NBA LIO) want to provide internal auditors with clear principles for audits of governance, risk management and control processes. These principles should be translated into a tailored reference framework based on the specific situation.

The principles are not based on a specific model or particular assumption or paradigms, but on the ‘largest common denominator’ of the laws and regulations, other requirements, theories and concepts applying to the relevant companies. In specific circumstances, it will have to be determined whether laws and regulations or other requirements go beyond or have to be applied more strictly than these principles. If that is the case, those requirements will prevail over these principles. The principles are listed below, each followed by an explanation or further details.

2. Introduction to the principles

2.1 The principles describe, at a high level of abstraction, the requirements that can reasonably be imposed on financial companies1 for the mentioned sub-aspects2.

The principles can be elaborated in further detail, but that impedes the extent to which they
can be applied. In practice, a tailored and flexible approach is required. While a high level of
abstraction means that the principles are formulated in an open way, that should not lead
in practice to an insufficiently strict interpretation and application of the principles. The
principles are limited to the mentioned sub-aspects and do not relate to other aspects of
operational management3.

2.2 The principles are applicable to most financial companies based on the proportionality principle.

Most of the principles are applicable to all financial companies without any limitation. In a number of cases, based on the nature, size, activities and complexity of the company, it can be concluded that not all principles have to be complied with. Where no legal or regulatory requirements are involved, a company may then deviate from the principles, provided that it explains its reasons for doing so.

2.3 The principles have been drawn up by the Institute of Internal Auditors Netherlands and the NBA’s Members’ Group of Internal and Government Auditors.
The aim of the principles is to provide auditors with a clear reference framework for audits
of governance, risk management and control processes, and they don’t replace laws and
regulations or existing codes. The principles should be applied in a tailored and flexible way.

3. Responsibilities of the company

3.1 Determining the mission, core values, strategy and policy

3.1.1 The company determines its mission, core values and strategy and documents these in a systematic, clear and accessible way. This includes the desired culture, the accompanying required behaviour and the company’s risk appetite.

Having a clear mission in place, responsible core values and a clear strategy resulting in an effective policy creates the prerequisites for the operational management and the achievement of the business objectives. In order to encourage and motivate personnel and other parties involved, it’s important to adequately document and communicate these prerequisites. Creating and enforcing the right culture (‘tone at the top’) and appropriate behaviour is vital. Only applying hard organisational controls is insufficient. The organisation’s risk appetite should be clearly defined to prevent opportunistic organisational management. The risk appetite is approved in advance by the Supervisory Board.

3.1.2 The company considers in a balanced way the interest of persons and organisations involved in the company.

A company is at the heart of society. The company should prevent a situation where the short-term (financial) interest of the company, its shareholders, Executive Board or personnel plays a dominant role in the decision-making. To this end, the company should explicitly document how and to what extent it considers the interests of all parties involved in the decision-making and how it weighs them up, and should document the risks and the balancing of these interests. This includes society4, clients5, business relations, personnel, capital providers6, tax authorities and regulators. The extent to which the company’s Executive Board and personnel adhere to these principles plays an important role in their performance assessment and remuneration.

3.1.3 Partly based on changing environmental factors, the company regularly7 assesses its strategy and policy, adjusting it if necessary or considered advisable. To this end, careful (authorisation) procedures are applied.

Companies can run into problems or topple over because they don’t adapt to changing factors in their environment quickly enough. Even when a company has a strong market position and is posting good results, it’s vital to stay alert to changes, including earning models, products and services reaching the end of their lifecycle and new earning models, products and services that are on the horizon or should be developed. Companies should have the flexibility and adaptability to anticipate these changes.

3.1.4 The company’s mission, core values, policy and policy adjustments are effectively and efficiently translated into the design of its corporate governance, organisation, risk management, business plans and budgets.

The mission, core values and strategy should be effectuated in concrete terms. The principles, which may be of an abstract nature, are translated into detailed concrete organisational measures, objectives and procedures. Reports on the daily operations should provide insight into whether or not, and to what extent, the principles and objectives, as defined in general terms in the organisation’s formulated mission, have been fulfilled. There should be a verifiable relationship between the mission, core values, strategy and policy and the concrete medium-term objectives, plans and budgets. The company should also translate the mission and core values into clear objectives in terms of the interests of clients and corporate social responsibility.

3.2 Design of corporate governance, organisation and risk management

3.2.1 The company designs its corporate governance, organisation and risk management on the basis of its mission, core values, strategy and policy.

The mission, core values, strategy and policy should provide a sufficient basis for the design of the corporate governance, organisation and risk management. In detailing this, the company should explain clearly and in concrete terms how the design relates to the principles.

3.2.2 The corporate governance, organisational design and risk management contribute optimally to the achievement of the strategy and policy.
In designing their corporate governance, organisation and risk management, companies are faced with choices, as there are many alternatives available. In choosing between the available economically sound solutions, the company should choose the option that contributes most effectively to the achievement of its strategy and policy.

3.2.3 In designing its corporate governance, organisation and risk management, the
company also focuses on controlling the business risks and ensuring ethical
behaviour.

The dynamics of daily operational management may create a certain degree of opportunism when seemingly attractive business propositions arise. It’s vital to continuously monitor that the careful considerations made in determining the values underlying the risk management (risk appetite) and ethical behaviour are adhered to. Any deviations from these considerations may be approved only after they have been carefully weighed up, and they should be documented.

3.2.4 The company translates its corporate governance, organisational design and
risk management framework into an integrated system of governance, risk
management and process control.

A sound, integrated system of controls is vital for monitoring and controlling the operational management and the production of clear and verifiable management information. This information is necessary to enable the company to guide, evaluate, adjust and account for its operational management.

3.2.5 The design of the decision-making processes ensures there is sufficient counterweight within the company.

To enable responsible decision-making, organisations need to have some counterweight. This counterweight can come from multiple levels and positions within and outside of the organisation. The added value of this counterweight lies in the specific perspectives and interests of each of the parties involved. The effectiveness of the counterweight largely depends on the competencies of the persons involved. Prior to important decisions a risk analysis should be performed to determine whether this requirement is sufficiently met.

3.2.6 The company documents its corporate governance, organisational design, risk management and administrative procedures and measures in a systematic, clear and accessible way by means of a framework for the control of its operational management.

By having a framework for the control of its operational management, a company works towards the achievement of its objectives in a structured and controlled way and can demonstrate this to the public, its clients, business relations, personnel, capital providers and regulators. Risks should be adequately monitored and controlled to ensure that they don’t exceed the risk appetite framework. This way, the risk of any financial fallout and reputational damage will remain within the acceptable limits set by the company.

3.2.7 The company regularly assesses its corporate governance, organisational design and risk management, adjusting it if necessary or considered advisable.

To be able to remain successful, companies should constantly assess and improve their organisation. To ensure a constant focus on this, the organisation should have an embedded cyclical process of continuous improvement. This involves monitoring the design and operating effectiveness of the framework for the control of the operational management across all levels of the organisation8.

3.3 Accountability

3.3.1 The company reports to the individuals and organisations involved in the company. This includes society, clients, business relations, personnel, capital providers and regulators.

A company should report not only to its providers of venture capital and creditors, but also to the personnel relying on the company for their income, or their works council or trade union representatives. The company’s social responsibility also extends to parties that have a less direct relationship to the company or are not directly dependent on it. The company should meet the responsibility this creates, in addition to its formal external reporting requirements. The accountability entails an integrated set of reports containing financial and non-financial information. This includes specific statements by the company’s Executive Board on the control of the operational management9, compliance with rules and codes of conduct, and acting in accordance with statutory requirements or requirements set by regulators.

4. Corporate governance

4.1 Executive Board

4.1.1 The company’s Executive Board is responsible for the company, its mission,
core values, strategy, policy, corporate governance, organisational design and
risk management.

The formal responsibility and liability of the executive directors is defined by the statutory requirements for legal entities and other applicable laws and regulations. Corporate governance codes and other codes of conduct may also be relevant. The company should analyse the applicable laws and regulations and codes of conduct and incorporate the relevant provisions in the administrative regulations of the Executive Board.

4.1.2 The composition of the Executive Board appropriately reflects the experience and expertise which the Executive Board as a whole needs to possess to adequately fulfil its managerial task.

The number of Executive Board members, their diversity and complementarity, and the experience and expertise of the individual Board members, should be appropriate and suited to the task of the Executive Board as a whole. The executive directors should be sufficiently available to perform their duties. The position of executive director should generally be a full-time position.

4.1.3 The Executive Board determines its allocation of tasks and working methods and documents this in its administrative regulations.

Agreeing on and documenting the allocation of tasks and working methods ensures there is clarity about what is expected of the individual Executive Board members, not only within the Executive Board, but also for the company and for the Supervisory Board. The allocation of tasks and the working method should be tailored as much as possible to the responsibility of the Executive Board as a whole, the organisational structure and the segregation of duties within the organisation. The Executive Board should have a chairman.

4.1.4 Within the Executive Board, there should be segregation of duties between the responsibility for risk management, for the financial function and for the commercial function10.

The dynamics of daily operational management may create a certain degree of opportunism when seemingly attractive business propositions arise. It’s vital to continuously monitor that the careful considerations made in determining the values underlying the risk management (risk appetite) and ethical behaviour are adhered to. Therefore, there should always be a segregation of duties within the Executive Board between the responsibility for risk management and the financial function and the responsibility for the commercial function. Financial companies have a higher risk profile and are of major public interest. This means that there should also be a segregation of duties within the Executive Board, between the responsibility for risk management and the responsibility for the financial function.

4.1.5 The Executive Board communicates the company’s mission, strategy, policy,
culture, standards and values, including by setting the right example.

It’s not inconceivable for an organisation to lose sight of its carefully formulated principles
due to the daily dynamics, leading its management and personnel to no longer behave, or at
least not always or not entirely, in line with these principles. As a result, the organisation
may drift off course and no longer operate coherently. It’s essential to continuously bring
the mission, core values, strategy, policy, culture, standards and values to the attention of
the Executive Board and the personnel through codes of conduct, education and training,
providing information, and during daily work activities.

4.1.6 The Executive Board avoids all (perceived or actual) conflicts of interests due
to private interests conflicting with the company’s business interests.

There should be no doubt whatsoever about the fact that the Executive Board acts exclusively in the interest of the company and the parties involved in it, and within the limits of the applicable laws and regulations. Executive directors should be accountable for setting the right example, which goes beyond the codified agreements on avoiding conflicts of interests. To this end, rules (a ban or requiring prior approval) should be laid down on extending financing to executive directors, other transactions with executive directors, and private investments and outside activities of executive directors. The executive directors should confirm at least once a year to the compliance function or the Supervisory Board that they have acted and will continue to act in accordance with the applicable rules.

4.1.7 The Executive Board provides the Supervisory Board with timely information
relevant to the performance of the Supervisory Board’s tasks.

The ability of the Supervisory Board to adequately perform its tasks depends partly on the information provided by the Executive Board. This information should be provided in a timely manner, well in advance of Supervisory Board meetings and ad hoc if necessary. The information should be accessible (clear and informative, correctly aggregated) and complete, but limited to what is necessary for the adequate performance of the Supervisory Board’s tasks. If considered advisable, the Supervisory Board may ask the internal audit function to perform an audit of the reliability and relevance of the information provided.

4.1.8 The Executive Board holds regular meetings, which are documented in minutes.

The frequency of the meetings should be appropriate to the company’s activities and the developments and risks that occur. The minutes should at least specify who was present at the meeting, who was not present, the agenda, the follow-up given to the action points from the previous meeting, the key considerations that have led to decisions, the decisions, and the new action points. For each topic, it should be stated which executive director made a contribution and in what way. The minutes should show whether the decision-making involved sufficient debate and counterweight.

4.1.9 The Executive Board participates in a tailored continuous education programme that covers all relevant aspects of its managerial task.

The continuous education programme should be tailored to the specific needs of the Executive Board and the organisation and should cover topics relevant to the industry in which the company operates, macroeconomic developments, laws and regulations, compliance, risk management, IT, personnel matters, etc. The programme should preferably be hosted by experts from within and outside of the organisation.

4.2 Supervisory Board

4.2.1 The Supervisory Board is responsible for supervising the company as a whole and the Executive Board, including the appointment and dismissal of executive directors. The Supervisory Board represents the interests of all stakeholders in a balanced way.

The formal responsibility and liability of the supervisory directors is defined by the statutory requirements for legal entities and other applicable laws and regulations. Corporate governance codes and other codes of conduct may also be relevant. The company should analyse the applicable laws and regulations and codes of conduct and incorporate the relevant provisions in the administrative regulations of the Supervisory Board. To safeguard their independence, the supervisory directors should not have any financial interests in the company.

4.2.2 The composition of the Supervisory Board appropriately reflects the experience and expertise which the Supervisory Board as a whole needs to possess to adequately fulfil its supervisory task.

The number of Supervisory Board members, their diversity and complementarity, and the experience and expertise of the individual Board members, should be appropriate and suited to its supervisory task11. The supervisory directors should be sufficiently available to perform their duties. The Supervisory Board should stipulate a fixed number of Board members (this must be at least three) and limitations to the nature and number of outside Supervisory and Executive Board memberships that the supervisory directors may fulfil. The Supervisory Board should exercise restraint when it comes to appointing former executive directors as members of the Supervisory Board, and should observe a ‘cooling-off’ period if necessary. The chairman of the Supervisory Board may not be a former executive director of the company.

4.2.3 The Supervisory Board determines its allocation of tasks and working methods
and documents this in its administrative regulations.

Agreeing on and documenting the allocation of tasks and working methods ensures clarity about what is expected of the individual supervisory directors, not only within the Supervisory Board but also for the Executive Board, the shareholders and other stakeholders. The allocation of tasks and the working method should be tailored as much as possible to the responsibility of the Supervisory Board as a whole. The Supervisory Board should have a chairman.

4.2.4 The Supervisory Board may12 appoint committees from among its members to focus on specific issues such as a corporate governance committee13, audit committee14, risk committee15, appointments committee16 and remuneration committee17. These committees review specific topics in depth, inform the Supervisory Board about these topics, make proposals to the Supervisory Board, and handle the preparations for the Supervisory Board’s decision-making.

The appointment of committees for specific reasons should reflect the fact that certain topics require more specialised attention. These topics should be reviewed in depth within these committees. The committees should meet as often as necessary. The committees may gather information from specialists and may invite them to their meetings, such as employees of the company, executive directors, the actuary, the auditor, or third parties.

4.2.5 The Supervisory Board holds regular meetings, which are documented in minutes and in the Supervisory Board’s report as included in the external reporting.
The frequency of the meetings should be appropriate to the company’s activities and the
developments and risks that occur. The minutes should at least specify who was present at
the meeting, who was not present, the agenda, the follow-up given to the action points from
the previous meeting, the key considerations that have led to decisions, the decisions, and
the new action points. For each topic, it should be stated which supervisory director made a
contribution and in what way.

4.2.6 The Supervisory Board or the audit committee appointed from among its
members is involved in the decisions regarding the appointment, assessment,
remuneration and dismissal of the management of the internal audit
function.

The internal audit function should be independent and the internal auditors should be objective in performing their activities. To ensure this and remove any impediments to this, any decisions by the Executive Board on the appointment, assessment, remuneration or dismissal of the management of the internal audit function should be subject to the approval of the Supervisory Board or audit committee.

4.2.7 The Supervisory Board participates in a tailored continuous education programme that covers all relevant aspects of its supervisory task.

The continuous education programme should be tailored to the specific needs of the Supervisory Board and should cover topics relevant to the industry in which the company operates, macroeconomic developments, laws and regulations, compliance, risk management, IT, personnel matters, etc. The programme should preferably be hosted by experts from within and outside of the organisation.

4.2.8 The Supervisory Board evaluates its own performance and that of the committees appointed from among its members at least once a year.

The purpose of this evaluation is to critically assess its performance. The evaluation may facilitate the Supervisory Board’s performance of its duties and may contribute to the right choices being made for appointments and reappointments. The evaluations should preferably be performed periodically by an independent party from outside of the organisation.

5. Organisational design and risk management

5.1 Measures for organisational design and risk management

General principles

5.1.1 The measures for the operational design and risk management are tailored to
the nature, size, activities and complexity of the company.

This should include measures regarding the culture and behaviour, the appointment, remuneration and assessment of personnel, the allocation of duties and tasks, codes of conduct, risk committees, information and communication, three lines of defence, and emergency management measures. The organisational design and risk management should not be exclusively based on one or a few of these aspects, as that provides insufficient guarantees for the operating effectiveness of the controls. There should be an integrated framework for the control of the operational management. This can be sufficiently assured only if the company adopts an approach embedding all the aspects in its organisation through the complementarity of the measures.

5.1.2 The company has an adequate management cycle, including regular reporting
and analysis, that leads to adjustments if necessary.

The management cycle is the process of (strategic) planning, implementing, adjusting and reporting. The management cycle is the basis for the company’s internal control and external reporting.
The management cycle should generally include the following or comparable steps:
• Determining the strategic options;
• Analysing the strengths, weaknesses, opportunities and threats;
• Multi-annual plan and budget;
• Annual plan and budget;
• Operational implementation and management;
• Monitoring and testing;
• Reports and analyses; and
• Market and competitor comparison.

Necessary adjustments should be made at strategic level (managerial, such as mission, core values, strategy, policy), tactical level (management control, such as multi-annual plans and budgets) and operational level (process control, such as annual plans, budget, forecast, monitoring, testing and reporting).

5.1.3 The company encourages the right culture and proper behaviour through the Executive Board and management setting the right example. Properly operating soft controls and behavioural controls are an essential part of the framework for the control of the operational management. Culture and behaviour are included in the assessment criteria for the Executive Board and personnel and in the remuneration policy.

So-called hard controls are not always sufficiently effective if they are not supported by the right culture and proper behaviour. To this end, a distinction is often made between formal and informal controls. Informal controls relate to the behaviour of the Executive Board and personnel and are also referred to as soft controls. These should be embedded in the organisation and the daily processes. The company should raise awareness of the importance of internal control, for example through training programmes. The operating effectiveness of the controls should be monitored and reported on within the organisation. The remuneration policy should be approved in advance by the Supervisory Board.

5.1.4 The company has an independent confidential hotline18 where personnel, clients, business relations and third parties can report any potentially illegal, unethical or unprofessional behaviour. There is a segregation of duties between this hotline and the relevant departments or employees. The Executive Board and Supervisory Board are regularly informed about the number and nature of the complaints reported to the hotline.

Such a hotline makes a preventive and repressive contribution to enforcing the right culture and proper behaviour. The reported complaints should be handled promptly and adequately and brought to the attention of the Executive Board so that corrective action can be taken if necessary. This may involve not only adjusting procedures and measures but also the sanctioning of individuals. The privacy of the person reporting the complaint (the whistleblower) should be protected through confidentiality.

Personnel

5.1.5 The company defines clear job profiles and competency criteria for its key positions (per job group or per job) and hires personnel who meet these profiles and criteria.

The company should hire personnel with the right qualifications (education, experience,
competencies) for the right positions so as to fulfil its capacity needs. The employees should
be motivated to achieve the business objectives and thereby meet the expectations of the
parties involved.

5.1.6 Employee performance is regularly assessed based on the company’s mission, core values, strategy and policy and the performance indicators for departments and individuals documented in the job profiles. The remuneration policy is tailored accordingly.

The business objectives should be clearly translated into tasks, authorisations and performance indicators for departments and individuals, so that the assessment generates reliable performance assessment outcomes. The performance and remuneration of employees should be evaluated at least once a year to encourage the desired behaviour. The remuneration arrangements should not include any perverse incentives. Restraint should be exercised in the variable remuneration, which should focus only on the achievement of the long-term business objectives. Employees in the risk management function, compliance function and internal audit function should not receive any variable remuneration that depends on the company’s (financial) performance.

5.1.7 The company puts in place procedures and measures to safeguard the conti-
nuity of its critical functions.

The company should take measures to reduce any major dependence on one or a few indi-
viduals. The company should have a succession plan for its key positions, providing for the
succession in the short, medium and long term of the employees in these positions.

Jobs and tasks

5.1.8 The company clearly and coherently allocates the various jobs, tasks,
responsibilities and authorisations, and tailors the reporting line accordingly. The
company tailors the allocation of jobs, tasks, responsibilities and authorisations
to the company’s activities, the required capacity and the competency
criteria.

The correct allocation of jobs, tasks, responsibilities and authorisations makes a significant
contribution to the efficient and effective operation of the company. This allocation
should not be static. To facilitate a company’s development and the progression of talent
through the ranks, it’s important to have flexibility in the personnel structure. Jobs, tasks,
responsibilities and authorisations should be clearly documented, up-to-date, and provide
guidance to employees in the performance of their tasks.

Segregation of duties

5.1.9 The company applies adequate segregation of duties to ensure controlled and
ethical operational management.

Having in place the right segregation of duties between individuals and departments
creates opposing interests within the company, which contributes to the operating
effectiveness of the controls. It’s important to ensure that this division into opposing interests is not
subverted by collusion or fraud.

5.1.10 The company applies primary segregation of duties between at least the
authorisation19, custody20, verification21, record-keeping22 and operational
functions23.

When these types of functions are performed by one and the same individual or department,
the segregation of duties an organisation should aim for is non-existent. Any
concessions to the principle of primary segregation of duties should be avoided as much as
possible. The scope of the custody function extends beyond the physical custody of assets,
and can also include monitoring the financial assets, from which no items may be
withdrawn without a good reason or without authorisation. In the largely electronic environment
of a modern company, this is achieved by various measures, including by access rights to
the data processing and data storage systems used to support and design the business
processes.

5.1.11 When the combination of functions within one and the same department is
unavoidable, secondary segregation is applied by allocating tasks to different
individuals.

In small organisations, this situation cannot always be avoided. In that case, the tasks are
allocated to individuals within the department who are separated by the greatest possible
organisational distance. This segregation can also be achieved by applying the four-eyes
principle.

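The two checks described in principles 5.1.10 and 5.1.11 can be automated over an access-rights or role register. The example below is added here and is not part of the NBA/IIA paper; the people, departments and transactions are constructed sample data, and the function names (primary_sod_violations, four_eyes_violations) are assumptions chosen for illustration. It reports anyone holding more than one of the five primary function types, and, as the secondary control, any transaction that the same person both recorded and authorised.

```python
"""Segregation-of-duties checks over a constructed role register.

Added illustration (not from the NBA/IIA paper). Two layers are checked:
  1. primary segregation: no single person holds two or more of the five
     primary function types (authorisation, custody, verification,
     record-keeping, operational);
  2. secondary segregation / four-eyes: within a department where functions
     are combined, the person who records a transaction must not be the
     person who authorises it.
"""
from collections import defaultdict

# The five primary function types named in principle 5.1.10.
PRIMARY_FUNCTIONS = (
    "authorisation",
    "custody",
    "verification",
    "record_keeping",
    "operational",
)

# Constructed sample register: (person, department, primary function held).
# Names and departments are hypothetical.
ASSIGNMENTS = [
    ("alice", "treasury", "authorisation"),
    ("bob", "treasury", "custody"),
    ("carol", "finance", "record_keeping"),
    ("dave", "control", "verification"),
    ("erin", "operations", "operational"),
    ("erin", "operations", "record_keeping"),  # one person, two primary functions
]

# Constructed sample transactions: who entered them and who approved them.
TRANSACTIONS = [
    {"id": "T-1", "dept": "finance", "recorded_by": "carol", "authorised_by": "alice"},
    {"id": "T-2", "dept": "operations", "recorded_by": "erin", "authorised_by": "erin"},
    {"id": "T-3", "dept": "operations", "recorded_by": "erin", "authorised_by": "frank"},
]


def primary_sod_violations(assignments):
    """Map each person to the primary functions they hold and return those
    holding more than one, as {person: sorted list of functions}."""
    held = defaultdict(set)
    for person, _dept, function in assignments:
        if function not in PRIMARY_FUNCTIONS:
            raise ValueError(f"unknown primary function type: {function}")
        held[person].add(function)
    return {person: sorted(funcs) for person, funcs in held.items() if len(funcs) > 1}


def four_eyes_violations(transactions):
    """Return the ids of transactions where the recorder also authorised
    the item, i.e. where the four-eyes principle was not applied."""
    return [t["id"] for t in transactions if t["recorded_by"] == t["authorised_by"]]


def departments_with_combined_functions(assignments):
    """Departments in which more than one primary function type is present;
    these are the places where secondary segregation (5.1.11) must be
    enforced because primary segregation by department is not possible."""
    per_dept = defaultdict(set)
    for _person, dept, function in assignments:
        per_dept[dept].add(function)
    return sorted(d for d, funcs in per_dept.items() if len(funcs) > 1)


if __name__ == "__main__":
    print("primary SoD violations:", primary_sod_violations(ASSIGNMENTS))
    print("departments needing secondary segregation:",
          departments_with_combined_functions(ASSIGNMENTS))
    print("four-eyes violations:", four_eyes_violations(TRANSACTIONS))
```

Running the script against the constructed register flags erin for holding both the operational and the record-keeping function, marks the treasury and operations departments as places where functions are combined and secondary segregation must therefore be enforced, and lists T-2 as the transaction that was recorded and authorised by the same person.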
Accounting, information and communication

5.1.12 The company has the resources and procedures to ensure the correct, timely
and complete recording, processing and availability of data on the business
processes and the resulting rights and obligations.

This type of data and information is vital to the operational management, risk management
and management information and the associated external reporting. In today’s information
age, information and data communication are of critical importance for companies. Making
good and timely investments in IT24 is very important25.

5.1.13 The company safeguards the continuous availability, reliability and integrity
of data. The company takes measures to protect data against illegitimate use
or misuse.

Because information is so important, companies are gathering and storing ever more data.
In doing so, they must comply with the statutory data retention period and data privacy
legislation. If data are used incorrectly or end up with unauthorised parties, this can lead to
reputational damage. Protecting the privacy and integrity of the data is, therefore, crucial.

5.1.14 The data are accessible and correctly, timely and fully processed into up-to-
date, reliable and integrated financial and non-financial information as
required for (insight into) the operational management and risk management
and the associated external reporting. The information can be easily traced
back to the source data.

The quality of information depends to a large extent on the quality of the data on which it is
based. A structured approach is required to ensure that the quality of data and information
is adequate. Such an approach should cover the gathering and analysis of data (content,
structure and relationship to other data), the standardisation, formalising, updating and
improvement of data, designing of a quality process, and monitoring and reporting on data
quality. The information should have sufficient depth and detail and be promptly available.
The quality and clarity of the data should not be in any doubt. To enable additional analysis,
the individual elements of the information should be retraceable to source data. The
company should preferably use databases in which all entities, attributes and relationships are
aggregated, with the final step being to derive the required information from these data.

5.1.15 The company has the necessary insight at all required levels into the state of
affairs and risks at the business units, also when considered in combination,
to enable it to control the business processes and risks.

To enable the company to adequately control and adjust its business processes, it should
at least have up-to-date, timely and full insight into all developments, positions and risks.
This requires good cooperation between the business units responsible for the primary
business processes (the users of the data and information) and the business units gathering
and supplying the information (such as IT, the accounting units at the various departments,
and the controlling, risk management and compliance departments).

5.1.16 The company can promptly meet information needs by providing information
that meets the applicable requirements.

The capacity and flexibility of systems and procedures should be such that, using a number
of relatively simple steps, the company can meet regular and ad-hoc information requests
from within the company and from third parties, such as regulators, without any concessions
to data quality.

Three lines of defence

5.1.17 The company systematically tests and assesses its internal control. This is done
by the line management (first line of defence), the business units specifically
tasked with adequately controlling risks (monitoring and testing by the risk
management and compliance function as the second line of defence), and the
internal audit function (third line of defence).

The three-lines-of-defence model26 is a broadly accepted model for the design of risk
management and monitoring and the allocation of risk management tasks and responsibilities.
The model embeds the effectiveness of the risk management. The model is particularly
suited to companies with a higher risk profile, such as financial companies.

5.1.18 In addition to the regular hierarchical reporting lines, the second and third
line of defence have functional reporting lines to specific risk committees,
the (chairman of) the Executive Board, the audit committee or the Supervisory
Board.

The operating effectiveness of the second and third line of defence is increased if they can
also report directly to the bodies responsible for supervising the day-to-day policymaking.
Sometimes these reporting lines are only set up as an escalation line. This is not the preferred
option, as it may impede the supply of information.

Emergency management measures

5.1.19 The company has a business continuity plan. This business continuity plan is
regularly tested.

A business continuity plan contains measures through which the company can continue its
operational management when this is jeopardised by emergencies (unavailability of
personnel, company sites, utilities, IT, information, suppliers, logistics, etc.).

In its business continuity plan, the company focuses on:

• Prevention;
• Alternative operational management; and
• Insurance policies.

The business continuity plan should be regularly tested to assess the effectiveness and to
keep awareness among the employees at the desired level.

5.1.20 The company has a recovery plan.

A recovery plan contains measures through which the company can improve its business,
operational management and financial position after these have suffered due to an
emergency.

5.1.21 The company has a winding-up plan.

A winding-up plan contains measures for an orderly winding up of the company when its
recovery is unlikely, so as to minimise the losses of third parties.

5.2 Primary business processes

5.2.1 The company has procedures and controls that safeguard the unhindered,
reliable and ethical operation of its business processes.

The primary and key safeguards for the unhindered, reliable and ethical operation of the
business processes are put in place in the so-called line organisation. This involves mapping
the key risks and the measures through which these risks are reduced. The line organisation
has the primary responsibility for identifying, flagging, monitoring and controlling
risks27.

5.2.2 The company designs procedures and controls, including for managing its
business processes and business risks, monitoring the integrity of employees
and clients, preventing damage to the trust in the company or the sector, and
assuring the solidity of the company.

The system of control should extend beyond the correct operation of processes within the
organisation. This will also prevent irresponsible positions or risks being taken by the
company, the company or industry suffering reputational damage or financial losses due to
undesirable behaviour of clients, or an erosion occurring of the company’s long-term
profitability or solvency.

5.2.3 The company uses authorisation procedures, sets limits, and monitors
compliance with the limits, which are tailored to the nature, size, risk profile and
complexity of the company’s activities.

The risks can be reduced in various ways, including by putting in place a stepped
authorisation procedure, using limits for positions in certain assets and counterparty exposures, and
monitoring compliance with these measures.

5.2.4 The company regularly tests the effectiveness of the key controls within the
line organisation.

The primary and key safeguards for the unhindered, reliable and ethical operation of the
business processes are put in place in the line organisation. That means that the line
organisation is responsible for regularly testing the effectiveness of the key controls. The second
line of defence can play a facilitating and monitoring role in this. The outcome of this testing
can help the management and Executive Board to form an opinion and can serve as a basis
for an ‘in-control statement’, which may be issued as part of the financial reporting.

5.2.5 When outsourcing activities, the company ensures that these activities can be
adequately controlled.

The outsourcing of activities should not lead to unacceptable business risks. The conditions
for outsourcing, the responsibilities of the parties involved, the way in which risks are
controlled and how this is reported, should be documented in a service agreement. The
company will retain ultimate responsibility for the quality of the activities performed by the
service organisation and should monitor this. If necessary, it should be stipulated that the
company or its regulators may perform on-site audits at the service organisation.

5.2.6 The company has a complaints handling procedure for its clients and business
relations. There is a segregation of duties between this complaints handling
desk and the departments or employees concerned. The Executive Board and
Supervisory Board are periodically informed about the number and nature of
the complaints submitted to this desk.

The complaints handling procedure makes a preventive and repressive contribution to
enforcing an unhindered, reliable and ethical operational management. The submitted
complaints should be handled timely and adequately and brought to the attention of the
Executive Board so that corrective action can be taken if necessary. This may involve not
only adjusting procedures and measures but also sanctioning individuals.

5.3 Risk management function and compliance function

Risk management function

5.3.1 The company has an independent risk management function.

This risk management function should at least be independent of the functions that report
on the company’s operating and financial performance.

5.3.2 The risk management function monitors the operating effectiveness of risk
management in the line organisation and advises on policy to optimise this
risk management.

Risk management takes place primarily in the line organisation. The risk management
function should regularly advise the Executive Board on the optimal design of the risk
management. The risk management function should determine the risk management
framework and monitor whether risk management is performed adequately.

5.3.3 The risk management function systematically identifies, measures and
evaluates the risks to which the company is or may be exposed. To this end, the
risk management function considers the risks arising from the (macroeconomic)
environment in which the company operates.

The risks to which the company is exposed depend on various factors, including the
nature of its activities, its size, regional diversification, and the jurisdictions in which the
company operates. These risks are not static.

The risk categories and areas of attention may include:
• Strategic (e.g. macroeconomic developments, ageing populations, emerging markets,
energy prices, consumer demand, market entrants, corporate social responsibility);
• Financial (e.g. liquidity, profitability, solvency, market and counterparty risk, financing
costs, regulatory requirements); and
• Operational (e.g. disruption of processes due to human or IT systems failures, outsourcing,
legal agreements, fraud, access to data and systems, burglary).

5.3.4 The risk management function reports directly to the Executive Board member
responsible for risk management and to the chairman of the Supervisory Board
or chairman of the risk committee.

It’s important that the risk management function can operate with sufficient independence
and that the findings and conclusions of the risk management function are reported at the
right organisational level, without being filtered or watered down by the line management.
This means that the reporting line to the chairman of the Supervisory Board or chairman of
the risk committee should not be used only for escalations.

5.3.5 The risk management function has an up-to-date mandate describing its
tasks, authorisations and responsibilities and its expertise and skills level are
appropriate to the risks to which the company is exposed.

There should be a solid framework for the operation of the risk management function and
the requirements it must fulfil. This should include task-based requirements for the level of
experience, expertise and competencies of the employees, the quantitative and qualitative
staffing of the function, and an appropriately tailored budget. The organisation should
regularly review, preferably annually, whether the mandate is still up-to-date.

5.3.6 The risk management function has unimpeded access to all of the company’s
relevant activities, officials, locations and information.

To be able to adequately perform its tasks, the risk management function needs to have
unimpeded access to all the company’s relevant activities, officials, locations and
information.

Compliance function

5.3.7 The company has an independent compliance function.

The compliance function should at least be independent of the functions that report on the
company’s operating and financial performance.

5.3.8 The compliance function monitors the operating effectiveness of the compliance
risk management in the line organisation and advises on policy to optimise
this control.

Compliance risks are managed primarily in the line organisation. The compliance function
should regularly advise the Executive Board on the optimal design of the compliance risk
management. The compliance function determines the framework for the compliance risk
management and monitors whether it is performed.

5.3.9 The compliance function systematically identifies, measures and evaluates
the risks of non-compliance with laws and regulations and internal and external
codes of conduct.

The risks to which the company is exposed depend on various factors, including the
nature of its activities, its size, regional diversification, and the jurisdictions in which the
company operates. These risks are not static.

5.3.10 The compliance function reports directly to the Executive Board member
responsible for compliance and to the chairman of the Supervisory Board or
chairman of the relevant committee of the Supervisory Board.

It’s important that the compliance function can operate with sufficient independence and
that the findings and conclusions of the compliance function are reported at the right
organisational level, without being filtered or watered down by the line management. This means
that the reporting line to the Supervisory Board should not be used only for escalations.

5.3.11 The compliance function has an up-to-date mandate describing its tasks,
authorisations and responsibilities and its expertise level and skills are
appropriate to the compliance risks to which the company is exposed.

There should be a solid framework for the operation of the compliance function and the
requirements it must fulfil. This should include task-based requirements for the experience,
expertise and competencies of the employees, the quantitative and qualitative staffing
of the function, and an appropriately tailored budget. The organisation should regularly
review, preferably annually, whether the mandate is still up-to-date.

5.3.12 The compliance function has unimpeded access to all the company’s relevant
activities, officials, locations and information.

To be able to adequately perform its tasks, the compliance function needs to have unimpeded
access to all the company’s relevant activities, officials, locations and information.

5.4 Internal audit function

5.4.1 The company has an independent internal audit function that meets the
framework of standards of the Institute of Internal Auditors Netherlands and the
requirements set out in laws and regulations and by regulators28.

According to the definition of the IIA, the term ‘internal audit function’ means ‘an independent,
objective function that provides assurance and performs consulting assignments to
add value and improve an organisation’s operations. The internal audit function helps the
organisation achieve its objectives by applying a systematic, disciplined approach to evaluate
and improve the effectiveness of its risk management, control, and governance processes.’
Many organisations and regulated companies are required to have this function. If
no internal audit function is in place, the Executive Board and Supervisory Board should
assess annually whether there is a need for it.

5.4.2 The internal audit function supplements the activities of the first and second
line of defence. It tests the design, existence and operating effectiveness of
the corporate governance, organisational design and risk management, provides
assurance on this and advises the Executive Board and the Supervisory
Board or audit committee on improvements.

The internal audit function provides assurance to the Executive Board and senior management
on the basis of the highest level of organisational independence and objectivity. The
internal audit function provides assurance on the effectiveness of the corporate governance,
organisational design and risk management. The opinion expressed by the internal audit
function should preferably cover the audited entity as a whole29 and should not be limited
to a list of points requiring improvement. The opinion also addresses the manner in which
the first and second line of defence have achieved their objectives. The scope of the activities
relating to corporate governance may be limited to the company and the Executive
Board, with the Supervisory Board and audit committee being excluded from the scope of
the activities.

5.4.3 The internal audit function reports directly to the chairman of the Executive
Board and to the chairman of the Supervisory Board or chairman of the audit
committee.

It is important that the internal audit function can operate with full independence, can
autonomously initiate audits, and that the findings and conclusions of the internal audit
function are reported at the right organisational level, without being filtered or watered
down by the line management. This means that the reporting line to the Supervisory Board
or audit committee should not be used only for escalations.

5.4.4 The internal audit function has an up-to-date mandate describing its tasks,
authorisations and responsibilities and its expertise level and skills are appropriate
to the risks to which the company is exposed. This mandate has been
approved by the Supervisory Board or the audit committee.

There should be a solid framework for the operation of the internal audit function and the
requirements it must fulfil. This should include task-based requirements regarding the
experience, expertise and competencies of the employees, the quantitative and qualitative
staffing of the function, and an appropriately tailored budget. The organisation should
regularly review, preferably annually, whether the mandate is still up-to-date.

5.4.5 The internal audit function has unimpeded access to all of the company’s relevant
activities, officials, locations and information.

To be able to adequately perform its tasks, the internal audit function needs to have
unimpeded access to all of the company’s relevant activities, officials, locations and
information.

5.4.6 The internal audit function prepares a risk analysis for the entire audited entity
and, based on this analysis, an audit plan. The internal audit function
discusses the risk analysis and audit plan with the external auditor and annually
submits them to the Executive Board for discussion and to the Supervisory
Board or audit committee for approval.

Discussing the risk analysis with the external auditor can help to improve the quality of the
risk analysis in the audit plan. The primary role of the internal audit function is to assist the
Executive Board and the Supervisory Board or audit committee. The Supervisory Board or
audit committee plays an important role in the assessment and approval of the performance
of the internal audit function. For this reason, the Executive Board and the Supervisory
Board or audit committee are closely involved in the discussion, assessment and
approval of the risk analysis and the audit plan prepared by the internal audit function.

5.4.7 The internal audit function implements the audit plan, makes recommendations
to the Executive Board based on its activities, and establishes whether
these recommendations are followed up.

The internal audit function tests whether the reality meets the requirements set out by the
company or under the assessment framework determined, if necessary in consultation
with the company, by the internal audit function. This testing leads to findings and
recommendations for improvements in the corporate governance, organisational design and risk
management. These may range from valuable but non-essential suggestions to
recommendations that need to be immediately adopted and implemented. The internal audit
function ensures that its findings and recommendations are acted upon and informs the
Supervisory Board or audit committee about this. The internal audit function periodically
monitors the follow-up of its recommendations and reports this to the Executive Board and
the Supervisory Board or audit committee.

5.4.8 The internal audit function reports to the Supervisory Board or audit committee
on its activities, its recommendations to the Executive Board and whether
these recommendations have been followed up, reporting at least once a quarter
and in a summarised format at least once a year.

If necessary, the internal audit function may also report more frequently to the Supervisory
Board or audit committee. The internal audit function attends the meetings of the Supervisory
Board or audit committee (in part or in full) to explain the contents of its reports and
answer questions of the Supervisory Board members. The Supervisory Board or audit
committee has periodical meetings with the internal audit function, which are not attended by
the Executive Board, to discuss the internal audit function’s activities and the recommendations
to the Executive Board.

6. Reporting

6.1 The company meets the information needs of the public, clients, business
relations, personnel, capital providers and regulators by providing appropriate
and clear information.

Part of this information need and its reporting have not been fully codified or laid down in
requirements or rules. Nonetheless, the company has the responsibility to appropriately
meet the information needs of the parties involved in the following areas:
• Its strategy;
• Its business and earning model;
• How it serves its clients’ interests;
• Its corporate governance and compliance with codes;
• Its remuneration policy;
• Its business risks and risk management;
• The continuity of its operations;
• Compliance with laws and regulations;
• Whether it meets regulatory requirements; and
• Corporate social responsibility.

Footnotes

1. This refers to all organisational units with or without legal personality aiming to do business
on a long-term basis by deploying labour and capital in order to generate a profit.

2. These principles are broadly based on generally acceptable principles for the quality of corporate
governance, risk management and internal control processes, including:
• Principles of Corporate Governance - Organisation for Economic Co-operation and
Development;
• Internal Control Framework - Committee of Sponsoring Organisations of the Treadway
Commission;
• Dutch Corporate Governance Code;
• Enhancing corporate governance for banking organisations - Basel Committee on Banking
Supervision;
• Guidelines on Internal Governance - European Banking Authority;
• The internal audit function in banks - Basel Committee on Banking Supervision;
• Dutch Financial Supervision Act (Wft) and subordinate legislation; and
• Dutch Banking Code and Governance Principles for Insurers.

3. Such as the personnel policy, IT architecture, office network, marketing, etc.

4. Corporate social responsibility.

5. ‘The client’s interests come first.’

6. Creditors, banks, other lenders, shareholders.

7. The frequency of this assessment depends on individual circumstances, but it is generally
advisable to do this at least once a year.

8. This includes the so-called three lines of defence, which are discussed below.

9. ‘In control statement’.

10. The CFO and CRO may not have any commercial responsibilities. Similar considerations apply
in deciding whether Supervisory Board members may also sit on the Supervisory Boards of
group companies.

11. The Supervisory Board should have experience and expertise in various fields, including:
• Management, organisation, communication;
• The company’s products, services and markets;
• Controlled and ethical operational management, risk management;
• Financial information and reporting; and
• Balanced and consistent decision-making.

12. Whether it’s necessary to appoint committees to focus on specific areas depends in part on
the size and complexity of the organisation and its activities. If the size and complexity of the
company and its activities allow for it, committees can be combined.

13. The corporate governance committee focuses on monitoring and evaluating the corporate
governance as a whole, and how this has been reported in the Executive Board’s report
(management report) and in the general meeting of shareholders, and advising the
Supervisory Board on improvements.

14. The focus points for the audit committee are the administrative organisation and internal
control, IT, internal audit, and the auditing of the financial reporting. The audit committee
plays a specific role in the appointment, assessment and dismissal of the management of the
internal audit function, as well as the appointment (on which the committee advises the
shareholders) and remuneration of the external auditor.

15. The focus points for the risk committee are the risk appetite, risk profile, risk management
systems, risk reporting and external reporting on risks and risk management.

16. The focus points for the remuneration committee are selecting and appointing the Executive
Board and Supervisory Board members, monitoring the Executive Board’s appointments of
senior managers, assessing the size and composition of the Executive Board and Supervisory
Board, and assessing the performance of the Executive Board as a whole and the Supervisory
Board as a whole.

17. The priorities for the remuneration committee are making suggestions for the remuneration
policy for the members of the Executive Board, monitoring the Executive Board’s remuneration
policy, assessing the performance of the individual Executive Board members, and the
remuneration of individual Executive Board members.

18. In practice, companies often have an internal hotline or confidential adviser, as well as an
external hotline for sensitive issues, which may take the form of a whistleblower mechanism.
19. For example, concluding contracts for services, entering into obligations, approving
transactions, and granting discharge from liability.

20. For example, storage and custody of securities and cash, as well as accounts receivable
monitoring.

21. For example, departmental control, specific internal control, and the controlling department.

22. For example, dealing room’s recording of transactions, accounting, and accounts receivables
accounts.

23. For example, planning, invoicing, and payment processing.

24. IT may also be of major strategic importance to companies because their competitive
advantage is based on it. Some companies operate in a network or chain of companies where
IT-based collaboration is an important aspect. Small companies increasingly see IT as a
commodity, without explicitly addressing the issue of controls.

25. See also: Control Objectives for Information and related Technology (COBIT framework)

26. See: IIA (Global) Position Paper: The three lines of defence in effective risk management and
control, January 2013.

27. See also: Committee of Sponsoring Organisations of the Treadway Commission - Enterprise
Risk Management - Integrated Framework (COSO-ERM)

28. The legislation on the regulation of financial companies (Financial Supervision Act (Wft) and
subordinate legislation) sets out requirements for the internal audit function at financial
companies. The Dutch central bank (DNB) uses the principles of the Basel Committee on
Banking Supervision for internal auditors at banks as the standard for its requirements. Codes of
conduct may also contain requirements for the internal audit function.

29. This is not the case when ‘agreed-upon procedures’ are performed.
