Neste Board of Directors has the ultimate accountability for risk oversight. Among other duties the Board is in this role responsible for setting the Group’s risk appetite and for approving the Risk Management Policy.
Practical implementation, development and monitoring of risk management processes is based on the three lines of defense model. The model distinguishes between:
1st Line of Defense
The first line of defense is responsible for setting the objectives, managing day-to-day performance and reinforcing risk responses in order to reach the set targets. At Neste, the first line actors include Business Areas and Common Functions in their first-line roles. As a part of the first line of defense, Neste’s President and CEO and the Neste Executive Committee have the overall accountability for appropriate risk management practices.
In practice, Business Areas and Common Functions are owning and managing risks with the help from a dedicated network of risk champions and coordinators. The role of the risk champions / coordinators is to represent different risk disciplines and to ensure that risk discussions are embedded into everyday management routines.
2nd Line of Defense
Role of the actors in the second line of defense is to provide guidance, support, facilitation, and consultation for risk management. Second line of defense needs to have some degree of independence from the first line of defense in order to be able to challenge the first line in managing performance and making risk informed decisions.
At Neste, second line of defense includes Common Functions in their second-line roles and specialist teams (corporate risk management, compliance and internal controls). In addition, Neste has established a separate Ethics and Compliance Committee that aims at increasing management oversight on compliance and ethics related issues within the Group. The Committee also ascertains adequacy of mitigation actions in higher risk compliance areas.
The corporate risk management team has the overall responsibility to confirm that risk management activities are carried out consistently throughout Neste Group and all risk classes. Corporate risk management also drives overall development of risk management practices and tools. The team is supported by the network of risk champions and coordinators.
3rd Line of Defense
Internal Audit as an independent team evaluates the effectiveness and efficiency of the corporate level risk governance model and related risk management processes, including the effectiveness of internal controls and other risk treatment actions in the scope of each audit. Internal Audit also provides recommendations for improvement areas.