Risk Management is an integral part of Moneyport’s business model.
In pursuing its strategy and business, Moneyport is exposed to risks, e.g. events which may have an impact on its financial, business, regulatory and reputational standing. As a result, risk management is an integral part of the Company’s business model and is designed to protect its franchise and reputation.
The Company’s Risk Management Framework (‘RMF’) links and integrates all relevant activities, governance and processes of the Company to identify, assess, manage, monitor and report risks across the organisation.
Risk management activities are structured according to the Company’s Risk Categorisation, which represents the material risks the organisation is exposed to. Besides credit, market and treasury risk, the Company is exposed to non-financial risks, covering operational risk, compliance and legal risk, as well as strategic, business and reputational risk. The Risk Categorisation allows for individual assignment of responsibilities to Risk Type Owners (RTO), who maintain the risk management framework of each material risk type by means of and in accordance with the RMF.
Not all risks can be eliminated, fully controlled and mitigated at all times. However, the Company’s Risk Tolerance Framework (‘RTF’) supports and ensures that risk-taking is in line with the strategic objectives and within the Company’s overall risk capacity. The Company’s risk tolerance is defined as the aggregate level of risk, subject to appropriate mitigating actions, that the Company is willing to accept across all relevant risk categories. It is formalised by a set of qualitative risk statements and quantitative risk metrics along the Company’s key risk categories.
The risk capacity describes the maximum level of risk the Company can assume given the Company’s capabilities and resources taking account of capital, earnings and liquidity constraints (financial risk capacity), regulatory requirements and the firm’s reputational standing (regulatory and reputational risk capacity).
The Company recognises that successful risk management requires a combination of a sound risk culture, organisation and supporting processes as well as controls.
A sound risk culture is the key pillar in effectively managing risks. It promotes sound risk-taking and ensures that emerging risks or risk-taking activities beyond the Company’s risk tolerance are appropriately identified, assessed, escalated and addressed in a timely manner. To this effect, the following four levers are viewed as critical elements in ensuring a strong alignment between the expected behaviour standards and the strategic objectives of the Company:
In order to make risks transparent and to put them into perspective, a Risk Landscape is compiled annually and is continuously maintained. To comprehensively and holistically identify and assess existing and emerging risks and disclose them transparently to the BoD and ExB, the following multi-layered approach is applied:
The Risk Landscape, which is discussed and evaluated at ExB and BoD level, is an integral part of the Company’s strategic capital planning process.
The Company has adopted the ‘Three Lines of Defence’ model as a guiding organisational framework for managing risk in the functions operating across the Company. This encompasses the Internal Control System (‘ICS’), which is, amongst other things, the sum of controls and processes that operate across the three lines of defence to ensure that risk is being incurred in a deliberate and disciplined manner.
The Company seeks to follow an approach of assigning clear accountability in identifying, assessing, managing, monitoring and reporting risks. In doing so, the Company has implemented and continues to strengthen the three lines of defence model across its global business operations.
The ‘Three Lines of Defence’ model is defined according to the following key principles:
For comprehensive information on risk management and control, please refer to the “Comment on Risk Management” section of our Annual Report.
The Company has established a robust Risk Governance, involving several stakeholders across the organisation and various committees, functions and business units.
The Board of Directors (BoD) is responsible for establishing the strategic course of the Company and the guiding principles for the Company’s corporate culture. It approves the Company-wide RMF and RTF. This ensures that risks are managed effectively at Company level and that suitable processes are in place.
Regular reporting enables the BoD to monitor whether the risk tolerance, policies, instructions and mandates are being complied with and whether they remain appropriate, given the Company’s business model, risk profile and strategy. In addition, the BoD regularly reviews reports analysing the Company’s risk exposure.
The Company has defined the underlying risk management processes for every risk type along a Risk Management Cycle.
The continuous identification (step 1) of relevant risks is a key risk management activity. This relates both to emerging threats/risks and to increasing risk profiles. New risks may arise by developing and launching new products and services, a change in the regulatory landscape or a change to the business model.
The assessment (step 2) of identified risks consists of the qualitative analysis and quantification of the inherent risk, the control risk and finally the residual risk along defined risk management principles and methods. It also includes the development, testing and validation of models to measure risks, as well as stress testing procedures to assess and measure risks in pre-defined scenarios.
The day-to-day risk management (step 3) has to ensure an adequate response to identified risks and the set risk tolerance. It includes all activities from risk evaluation to the definition and implementation of risk mitigation measures, which aim to prevent or reduce risks and damages, e.g. the setting of standards and controls, education and training, automation of processes, and the implementation of standards, limits and metrics.
Monitoring activities (step 4) include the performance of control activities or quality assurance procedures on implemented standards and controls to ensure that the risk profile and exposure are kept within the risk tolerance, e.g. via risk metrics (KRIs or KPIs) and limits.
The reporting (step 5) supports all hierarchy levels in having a transparent and accurate overview of the underlying risk profile and risk exposure. This also includes the timely escalation in case of breaches of set risk tolerances. The frequency and depth of the reporting are defined, assessed and aligned where appropriate by the recipients of the reports depending on the size and complexity of the respective areas.