The Neste Board of Directors has the ultimate accountability for risk oversight. Among other duties the Board is in this role responsible for setting the Group’s risk appetite and for approving the Risk Management Policy.
The practical implementation, development and monitoring of risk management processes is based on the three lines of defense model. The model distinguishes between:
1st Line of Defense
The first line of defense is responsible for setting the objectives, managing day-to-day performance and reinforcing risk responses in order to achieve the set targets. At Neste, the first-line actors include Business Units and Functions in their first-line roles. As a part of the first line of defense, Neste’s President and CEO and the Neste Executive Committee have the overall accountability for appropriate risk management practices.
In practice, Business Units and Functions own and manage risks with the help of a dedicated network of risk champions and coordinators. The role of the risk champions/coordinators is to represent different risk disciplines and to ensure that risk discussions are embedded in everyday management routines.
2nd Line of Defense
The role of the actors in the second line of defense is to provide guidance, support, facilitation, and consultation for risk management. The second line of defense needs to have some degree of independence from the first line of defense in order to be able to challenge the first line in managing performance and making risk-informed decisions.
At Neste, the second line of defense includes Functions in their second-line roles and specialist teams (corporate risk management, compliance and internal controls). In addition, Neste has established a separate Ethics and Compliance Committee that aims at increasing management oversight of compliance- and ethics-related issues within the Group. The Committee also ascertains the adequacy of mitigation actions in higher risk compliance areas.
The corporate risk management team has the overall responsibility to confirm that risk management activities are carried out consistently throughout Neste Group and all risk classes. Corporate risk management also drives the overall development of risk management practices and tools. The team is supported by the network of risk champions and coordinators.
3rd Line of Defense
Internal Audit as an independent team evaluates the effectiveness and efficiency of the corporate-level risk governance model and related risk management processes, including the effectiveness of internal controls and other risk treatment actions in the scope of each audit. Internal Audit also provides recommendations for improvement areas.