Risk management

The Company’s internal policy and strategy for managing governance, risk and control define principles of internal governance and control, the magnitude of risk, limits for each type of risk, and procedures for identifying, assessing, monitoring, mitigating and controlling risk.

The Company follows the principles of the Three Lines of Defence risk management model, which helps it determine what structures and processes best meet its objectives and strengthen its risk management.


First line functions include business units and all staff responsible for identifying and understanding the risks inherent in the products, service processes and systems for which they are accountable.

Second line functions are the independent control functions: risk control and management in the broad sense, the compliance function, the information security and personal data protection functions, and the function that manages and oversees the risks arising from the outsourcing of operations.

Third line functions are performed by internal audit, which provides independent and objective assurance and advice on the adequacy and effectiveness of the Company’s governance and risk management.


The Company has designated persons responsible for control functions whose appointment process takes into account the requirements of the law and the nature, extent and complexity of the Company’s risks:

• An official responsible for risk management;

• An official responsible for compliance with the law and the Company’s internal documents, including anti-money laundering and anti-terrorist financing requirements;

• An official responsible for the management of information and communication technology risks and security risks;

• An official responsible for the management of personal data risks;

• An official responsible for managing and overseeing the risk of transferring operations to third parties;

• A chief financial officer;

• A person responsible for organising internal audit.

The Company’s risk management process comprises the following phases: risk identification; risk assessment including assessment of the likelihood and impact of the risk on the financial position, business continuity, reputation and achievement of strategic objectives; risk mapping; determination of risk appetite; preparation of a risk management action plan; and ongoing risk monitoring, control and communication.

Values and code of conduct

The implemented standards aim to mitigate the risks to the Company, in particular operational and reputational risks, which can have a significant negative impact on the Company’s profitability and sustainability through fines, litigation costs, restrictions imposed by competent authorities, other financial and criminal penalties, and loss of goodwill and consumer confidence.

Conflicts of interest policy

The Company aims to take sufficient measures to prevent conflicts of interest from adversely affecting the interests of its clients. The policy seeks to identify conflicts of interest of employees, including those involving their immediate family members. The Company takes into account that conflicts of interest may arise not only from current, but also from previous personal or professional relationships. In the event of a conflict of interest, the Company shall assess its significance and decide on and implement appropriate mitigation measures.


You can find more information and related documents on NEO Finance, AB’s risk and conflict of interest management or business continuity plan at the following links:

Contingency and Business continuity plan

Conflicts of interest management policy