Risk management and internal controls

Arion Bank faces many risks arising from its day-to-day operations as a financial institution. Managing risk and taking informed decisions is a crucial component of the Bank's activities and its responsibility towards society. Managing risk is therefore a core activity within the Bank. The key to effective risk management is a process of ongoing identification of significant risk, quantification of risk exposure, action to limit risk and constant monitoring of risk.

The Board of Directors is ultimately responsible for implementing risk management and approves risk policies which specify the risk framework, governance structure and appropriate monitoring systems among other things. The risk management of the Bank’s subsidiaries is the responsibility of the board of directors of the relevant subsidiary. The subsidiaries adhere to their respective ownership policies, approved by the Board of Directors, which stipulate among other things the Group’s internal control policy, risk appetite and reporting mechanisms. The Board of Directors sets a risk appetite for the parent company (the Bank) and, where appropriate, for the Group, which is translated into exposure limits and targets monitored by the Bank’s Risk Management division. It is ensured that the Bank’s strategy, business plan and limit frameworks are aligned with risk appetite.

The CEO is responsible for sustaining an effective risk management framework, processes and controls, as well as maintaining a high level of risk awareness among the employees, making risk everyone’s business. The Bank operates a three line model in accordance with its internal control policy.


The Board Risk Committee (BRIC) performs an advisory and supervisory role to the Board with respect to the Bank’s risk management framework and risk appetite and ensures alignment with the Bank’s business plan, goals and values. The committee is also responsible for the internal capital adequacy assessment process (ICAAP) and the internal liquidity adequacy assessment process (ILAAP). The Board Credit Committee (BCC) decides on all major credit risk exposures, underwriting and investments which are outside the scope of the CEO’s credit authority, and it advises the Board on matters which constitute a risk beyond defined risk appetite.

The CEO has appointed six risk committees which address key risk factors in the Bank’s operations. 

The Asset and Liability Committee (ALCO) manages the asset-liability mismatch, liquidity risk, market risk, interest rate risk, and capital management. The committee also makes decisions on underwriting and investments. 

The role of the Operational Risk Committee (ORCO) is to ensure the effective management of operational risk at the Bank in accordance with risk appetite and legal requirements. The committee is responsible for managing non-financial risk, including information security and data risk, financial crime, business processes, outsourcing, model risk, compliance risk and conduct risk.

The Arion Credit Committee (ACC) takes decisions on lending exposures and is responsible for the Bank’s credit rules. The Arion Composition and Debt Cancellation Committee (ADC) makes decisions on composition and debt cancellation. Both committees operate within limits set by the BCC. 

The Sustainability Committee ensures that the Bank's strategy and decision-making are aligned with the Bank's commitments in relation to the environmental, social and governance (ESG) agenda. The committee oversees the Bank's Green Financing Framework.

An Executive Risk Committee was established during the year. The committee is responsible for the implementation and follow-up of the strategy set out by the Board. The creation of this committee ensures that the executive management has a comprehensive overview of the risk management framework and the numerous risk factors which the Bank faces at any given time.

The Bank's Internal Audit conducts independent and objective reviews of the Bank, its subsidiaries and pension funds administered by the Bank. Internal Audit communicates its results to management and reports its findings and recommendations to the Board Audit Committee and the Board of Directors.

Compliance, headed by the Compliance Officer, is an independent unit which reports directly to the CEO. Compliance manages the Bank's conduct and compliance risks, including those relating to data protection, and financial crime risk.

The Bank’s Risk Management division is headed by the Chief Risk Officer. It is independent and centralized and reports directly to the CEO. Risk Management is divided into three departments: Risk Analysis, which is responsible for the quantification of risk on a portfolio level, including risk modelling and reporting; Risk Monitoring and Framework, which facilitates and monitors the management of risk and controls in the first line of defence; and Credit Analysis, which supports the Bank's credit transaction process and participates in credit decisions. The Bank’s Security Officer and the Bank’s Pension Risk Officer are part of the Risk Management division.


Arion Bank is a small bank in an international context but classified as systemically important in Iceland. The Group operates in a small economy with its own currency, which is subject to sectoral concentration, fluctuations in capital flows, and exchange rate volatility. The most significant risks to which the Bank is exposed are credit risk, concentration risk, liquidity risk, interest rate risk, cyber risk, business risk and sustainability risk. These risk factors are mainly encountered within the parent company. Through the Bank's subsidiaries, the Group bears risk arising from insurance activities and fund management. 

The Bank’s Pillar 3 Risk Disclosures 2022 report discusses risk factors and risk management in detail.