Internal control and risk management

The purpose of internal control is to ensure that the risks associated with lending, funding, investment activities and other business operations align with the company’s approved risk profiles and that the company achieves the objectives set for its operations. The goal is to keep the overall risk position at such a low level that the company’s credit rating is the best possible relative to the credit rating of the Finnish government and that the company’s own operations do not jeopardise this rating.

MuniFin’s internal control includes:

• The finance function, which ensures the integrity of financial reporting.
• The independent risk management function, which reports on the company’s risk position and any changes to it and oversees the development of risk management methods. This function is independent of the business of the company.
• The internal control performed by each business function, which produces reports that are processed by function heads, the CEO with the support of the Executive Management Team, and the Board.

The Board of Directors determines the general principles, limits and measurement methods of risk management at MuniFin. The Board receives monthly reports on the company’s risk position in relation to the established limits and reports on any significant risk events as needed. The implementation of risk management is overseen by the CEO, with the support of the Executive Management Team and various functions, each handling tasks delegated to them.

The organisation and responsibilities of risk management at MuniFin are structured around three lines of defence:

1. First line of defence: Business operations apply established risk management principles in their day-to-day activities.
2. Second line of defence: The independent Risk Management and Compliance function monitors the risk management principles and processes established by the Board. This function operates under the leadership of the CRO. The Compliance and Operational Risk unit, which is part of the Risk Management and Compliance function, monitors compliance with both external and internal regulations and reports to the Audit Committee.
3. Third line of defence: Internal audit conducts regular assessments of various areas of the company’s operations and reports its findings to the Audit Committee and the Board.

The purpose of MuniFin’s internal audit is to assess the reliability and accuracy of MuniFin’s information on finances and other management. It also evaluates whether the company has adequate and appropriately organised processes and IT systems for its operations and ensures that the risks associated with the operations are sufficiently managed.

The Board approves an internal audit plan for each year. The head of internal audit reports directly to the Board and its Audit Committee, and all audits conducted by the internal audit are also reported to the Executive Management Team.

MuniFin’s external auditor is PricewaterhouseCoopers Oy.

According to MuniFin’s Articles of Association, the company has one auditor, which must be an auditing firm as defined in the Auditing Act. The auditor’s term ends at the conclusion of the Annual General Meeting following their appointment.

The company’s financial period is the calendar year. The principal auditor can serve as the company’s auditor for a maximum of seven consecutive terms.

The Board’s Audit Committee prepares the appointment of the auditor and makes a proposal to the Board, which presents its proposal to the Annual General Meeting. The Audit Committee must consider the auditor’s independence in the appointment process. The Audit Committee monitors and oversees all auditing activities.

As an issuer of financial instruments traded on a regulated market, MuniFin is obliged to maintain an insider list. This list includes a section of permanent insiders that includes MuniFin employees who have regular access to inside information as well as other individuals and entities who are deemed by MuniFin to have regular access to the company’s inside information.

Although MuniFin does not offer investment services related to shares, for example, as a credit institution entitled to provide such services it is nevertheless obliged to maintain a public insider register, in which the members of the Board, the CEO and the Deputy CEO must be declared. Other individuals in the company are not subject to this obligation because the company’s business operations do not include offering investment services in a way that would give employees the opportunity to access inside information.

MuniFin has separate insider guidelines approved by the Executive Management Team, which all individuals included in the insider register and list are obligated to follow. The disclosure obligations regarding transactions conducted by the management and persons closely associated with them also apply to MuniFin as an issuer of financial instruments traded on a regulated market. The company has determined that the obligation applies to the members of the Board of Directors and the Executive Management Team.

The company has a Sustainability Policy, Code of Conduct and principles for managing conflicts of interest approved by the Board. MuniFin’s key principle is to always seek to treat its customers and other partners fairly. The company’s operations must not be based on anyone’s personal interests. MuniFin will always inform its customers or other counterparties if a business transaction may involve a risk of a conflict of interest. The Board is independent in its work and takes into account the interests of the company and all its shareholders.