Governance and Internal control

Entercard is licensed under the Act on banking and finance to pursue credit granting. As a credit granting company, Entercard is inherently exposed to risk as part of its business model. Entercard therefore does not attempt to eliminate risk, but rather to understand and, where appropriate, manage and mitigate risk in order to ensure that Entercard is sufficiently funded and covers all risks taken. As required, Entercard is structured to identify, measure, manage, control and internally report on risks on an ongoing basis, so that the board, management and other decision makers in the organization are informed of the risk exposure and its development.

To achieve our mission in a successful and sustainable way and to meet requirements, we have an integrated and effective system of internal control and management in our business.

Internal Control System

Our internal control system consists of five components that pervade our business: control environment, risk identification and assessment, control activities, information and communication and monitoring activities.

Control Environment

The control environment is set by the tone of the organization, influenced by the control consciousness of the employees. This is the foundation for all other components of internal control within Entercard, providing discipline and structure. As an example, the control environment factors include the integrity, ethical values and competence of the employees and management’s philosophy and operating style.

Risk identification and Risk Assessment

An effective internal control system requires that relevant risks that could adversely affect the achievement of Entercard’s objectives are identified and continually assessed and analyzed. Our risk assessment forms a basis for determining how the risks should be managed.

Control Activities

Control activities are an integral part of the daily activities at every business level within the Entercard Group. They include a range of activities as diverse as approvals, authorizations, verifications, reviews of operating performance, and segregation of duties.

Information and communication

Relevant information must be identified, captured and communicated in a form and time-frame that enables personnel to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business.

Monitoring activities

Monitoring is a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing review and monitoring of activities and independent evaluations. The scope and frequency of separate evaluations depend primarily on an assessment of risks.

Risk framework

Risk appetite is the maximum amount of risk Entercard is willing to accept in the course of pursuing its business objectives.

Entercard will level its risk exposures through the Board, which sets the Risk Appetite. Limits and targets embedded in the Risk Appetite may be adjusted in order to establish the risk strategy within the operations of Entercard. The aim of Entercard’s enterprise risk management is to ensure that the risk exposures of Entercard remain within the risk appetite. It is therefore essential that a clearly defined risk appetite is in place and that risk reporting is sufficient to allow senior management to base decisions on these reports in order to steer the business within the risk appetite.

Entercard exercises a risk management framework which covers risk identification and assessment, control design and implementation, control self-assessment and control remediation as well as reporting to ensure that risks are managed pursuant to the applicable laws and within set risk appetites. This approach to dealing with risk at all levels in the organization is required to ensure that all material risks are identified and appropriately managed.

Governance according to the Three Lines of Defence-Model

Entercard has structured roles, responsibilities, accountabilities, reporting and decision making according to the three lines of defence model.

The business management at all levels represents the first line of defence. Business Management owns the risks and makes management decisions in line with risk appetite. The GRC function, particularly the risk and compliance functions, represents the second line of defence. These functions establish policies and framework and facilitate risk identification and follow-up. Internal Audit represents the third line of defence. Internal Audit monitors the activities of the whole organization, evaluates the effectiveness of control systems, and contributes to ongoing effectiveness.

Incident Management and Business Continuity Management

Incident management and business continuity management are established as an integral part of Entercard’s normal business operations.

The structure and procedures aim to handle, in a professional and consistent manner, serious incidents resulting in undesired business outcomes and potential impacts that threaten the organization. The incident management procedure consists of activities intended to identify, manage, track, analyze and escalate incidents. The procedure can also invoke crisis management according to Entercard’s business continuity management framework.