Compliance And Risk Management
Risk and its management
VIPA has an implemented internal control system which complies with and is supported by the implementation of the requirements for internal control set out in the Law on Financial Institutions, the Description of Internal Control Requirements for National Promotional Institutions, and is improved by recommendations on pillar assessment provided by Ernst & Young, good work practice of NPIs and financial institutions (banks) of other European countries and recommendations of the internal auditor.
For comprehensive risk supervision and management, VIPA has established a Risk Management Department with the Credit Risk Management Division and the Operational Risk Management Division.
The Credit Policy and the Money Laundering and Terrorist Financing Prevention Policy approved by resolutions of VIPA’s Board with a consent of VIPA’s Supervisory Board, also Procedure of Risk Management, Customer Credit Assessment, Project Risk Management, Operational Risk Management and Customer Liability Guarantee Evaluation govern risk management at VIPA. The paragraphs below present their application in detail.
Taking into account VIPA’s operational guidelines, strategic objectives and shareholder expectations, an integral part of the implementation of VIPA’s operational strategy in 2021 – the risk appetite together with a description – a set of acceptable and tolerable indicators reflecting various operational risks, which is used as a basis for measuring VIPA’s operating success with general strategic indicators, has been developed. VIPA assesses application of limits limiting risk periodically, presenting the VIPA’s Supervisory Board with results of the assessment.
In assessing financial and market risks, the company invests its free funds in accordance with the procedures for investing free funds and the procedure for investing financial assets and managing financial risk. Unlike in the case of credit institutions, the main risks are related to credit operations, long-term asset and liability management, while short-term liquidity or market risks are less relevant (VIPA does not have a trading book).
In managing the risk, VIPA aims to implement best banking practices taking into account the scale and complexity of VIPA’s activities, create a risk-based operating culture and environment in all key areas of activity. Risk management is understood as a proactive and continuous process that is implemented through three lines of defence. The first line of defence is business divisions responsible for observing the set limits and restrictions when giving credits, the second line involves the risk management and compliance function developing the risk management and control system, controlling implementation, advising on risk management issues and ensuring compliance, while the third is internal audit, when the adequacy and effectiveness of VIPA’s risk management and internal control is independently and objectively assessed, providing recommendations and encouraging continuous improvement.
In the scope of operational risk management, customer identification is one of the key measures to prevent money laundering and terrorist financing. The services provided by VIPA are related to incentive financing, where knowing the customer is important not only for ensuring money laundering prevention, but is also a part of secure and reliable financing, therefore VIPA always identifies and verifies the identity of the customer and the beneficiary in accordance with legal requirements. VIPA does not establish business relationships or provide services to persons whose identities cannot be identified.
So far, all VIPA’s customers fall within the low MLTF risk category. Currently, the collection and verification of each new customers is controlled by specialists of the Operational Risk Management Division of the Risk Management Department. Before submitting an application for consideration of the Loan and Guarantee Committee, they periodically review the quality of customer identification and customer awareness and report any deficiencies for elimination.
Other operational risks, including transaction risks, are also consistently identified and monitored, and significant risk mitigation measures are planned, completing the risk register on the basis of which measures are taken to reduce the probable impact of significant risk factors.
After VIPA has become an NPI, it has sought to establish a risk management structure, reviewing risk management processes for the purpose of credit risk, making the existing ones more efficient and introducing new ones, taking into account new measures that are still being developed. VIPA pays great attention to the process of comprehensive customer assessment, structuring the lending limit system, estimating expected losses in accordance with International Accounting Standards, and implementing a monitoring and supervision and reporting system that will help to more effectively monitor changes in risk and make timely strategic decisions. An updated statistical modelling-based model for rating VIPA’s customers meeting the requirements of calculation of the internal rating-based capital needs in line with requirements of the Capital Requirements Directive and the Regulation will be implemented along with the pricing model in 2022, also reviewing VIPA’s creditworthiness assessment procedures and updating them as necessary.
VIPA periodically (at least once per year) assesses capital requirements based on the requirements for credit institutions to ensure that VIPA’s capital is sufficient to cover not only expected but also unexpected losses.
Risk management procedures
Risk management at VIPA is based on the concept of three lines of defence:
- First line of defence – performs day-to-day risk management at the operational level, assumes and manages risks, and takes immediate corrective action if necessary. This level is responsible for the implementation of internal controls and relevant procedures and limits. Direct responsibility for risk management lies with the heads of units, who, in their areas of responsibility, actively manage risks on an ongoing basis;
- Second line of defence – performs residual risk management and control of risk management processes, provides methodological support to the first line, defines risk limits, performs compliance monitoring functions and ensures dissemination of risk information at the Agency level;
- Third line of defence – performs an independent assessment of the risk framework and provides an opinion to the management on the robustness of the risk management framework, this function is carried out by the internal auditor of VIPA.
In the risk management procedure, the types of identified risks to VIPA’s activities, the factors, the main measures to manage them, and the risk management process are described. In carrying out its activities, the Agency is or may be exposed to all the risks specific to financial institutions:
- • Strategic risk – likelihood that the objectives and strategic targets of VIPA will not be achieved in a timely manner due to certain internal or external factors;
- • Financial risk – credit (including counterparty), market (including interest rate risk), liquidity risk arising to VIPA from the financial assets and liabilities managed by or entrusted to VIPA;
- • Operational risk – likelihood of losses due to inadequate or inoperative internal processes, staff, systems or external events. VIPA’s definition of operational risk includes compliance and reputational risks, as these risks are closely interlinked.
The Agency’s risk management framework is designed to identify the optimal measures to address these risks by assessing the risk factors associated with the Agency’s activities and main functions.
Risk factors, their likelihood of occurrence and potential impact are continuously assessed by maintaining the risk register and designing risk management measures. VIPA follows the risk appetite matrix approved by the Supervisory Board.
Pursuant to the VIPA’s Anti-Corruption Policy, targeted corruption prevention has been implemented by the Corruption Prevention Coordination and Control Working Group in place, according to the annually developed Anti-Corruption and Fraud Prevention Plan. The Anti-Corruption Policy developed and updated as needed and VIPA’s action plan aims to:
- • reduce the identified likelihood of manifestation of corruption;
- • improve the organization of anti-corruption measures;
- • increase knowledge of employees and their intolerance to potential corruption and unethical behaviour in VIPA and the society;
- • increase the confidence of VIPA’s stakeholders (customers and suppliers, the public, the shareholder and investors) in the transparency of activities of VIPA as a state-owned enterprise;
- • increase the availability of transparent and relevant information on VIPA’s activities.
Prevention of money laundering
As a financial institution, VIPA complies with the Law of the Republic of Lithuania on the Prevention of Money Laundering and Terrorist Financing and orders of the Director of the FCIS detailing the Law. The Agency, in all cases, determines and verifies the identity of the customer and beneficiaries in accordance with requirements of legal acts. VIPA does not enter into business relationships with, or provide services to, persons who cannot be identified (their beneficiaries). For the purposes of the individual Money Laundering and Terrorist Financing (ML/TF) risk assessment, three types of customer and beneficiary due diligence are used: simplified, regular, and enhanced identity. The Agency determines the identity of the customer in the physical presence of the customer or remotely. Customers are classified into 3 risk groups: low, medium and high risk. Individual customer risk assessment includes Politically Exposed Persons (PEPs), International Sanctions and Negative Information Checks. The Agency does not restrict the establishment of business relations with PEPs from the Republic of Lithuania and Member States of the EU. In addition, VIPA carries out the actions set out in the resolutions of the Government of the Republic of Lithuania on the implementation of international sanctions and in the EU regulations on international sanctions and their implementation.
As a financial institution, the Agency complies with financial and economic restrictions imposed by the authorities imposing sanctions, including the granting of loans or other financing to entities, the freezing of assets, and the refusal to execute, or refraining from entering into, contracts with entities included in the international (EU/USA) sanctions lists. VIPA also follows additional lists identified by its international partners.