Note 6 - Risk factors

Risk Management

SpareBank 1 SMN aims to maintain a moderate risk profile and to apply risk monitoring of such high quality that no single event will seriously impair the group’s financial position. The group’s risk profile is quantified through targets for rating, concentration, risk-adjusted return, probability of default, loss ratios, expected loss, necessary economic capital, regulatory capital adequacy, and liquidity-related regulatory requirements.

The principles underlying SpareBank 1 SMN’s risk management are laid down in the risk management policy. The group gives much emphasis to identifying, measuring, managing and monitoring central risks in such a way that the group progresses in line with its adopted risk profile and strategies.

The bank’s three lines of defence against financial loss or impaired reputation comprise:

1. Prudent risk limits which reduce the probability of a bank-specific event, and a good internal control function which ensure compliance with the limits.
2. The period’s financial result, a buffer to absorb volatility and loss within the adopted risk appetite, and which allows time to make adjustments in business plans/risk profile.
3. Sufficient liquidity and equity capital to manage unexpected events and crises.

Risk management within the group is intended to support the group’s strategic development and target attainment. The risk management regime is also designed to ensure financial stability and prudent asset management. This will be achieved through:

• A strong organisation culture featuring high risk-management awareness
• A sound understanding of the risks that drive earnings and risk costs, thereby creating a better basis for decision-making
• Striving for an optimal use of capital within the adopted business strategy
• Avoiding unexpected negative events which could be seriously detrimental to the group’s financial position
• Exploiting synergies and diversification effects

The group’s risk is quantified inter alia by calculating expected loss and the need for risk-adjusted capital (economic capital) to meet unexpected losses.

Expected loss is the amount which statistically can be expected to be lost in a 12-month period. Risk-adjusted capital is the volume of capital the group considers it needs to meet the actual risk incurred by the group. The board of directors has decided that the risk-adjusted capital should cover 99.9 per cent of all possible unexpected losses. Statistical methods are employed to compute expected loss and risk-adjusted capital, but the calculation requires expert assessments in some cases. In the case of risk types where no recognised methods of calculating capital needs are available, the group defines risk management limits that limit loss risk in accordance with the adopted risk appetite. For further details see the group’s Pillar III reporting which is available on the bank’s website.

The group has incorporated ESG in steering documents, including risk management policy, credit strategy and credit policy. ESG risk, including climate risk, is considered a driver of financial risk and reputational risk.

The group’s overall risk exposure and risk trend are monitored on a continual basis. Status and development are reported on by way of periodic risk reports to the administration and the board of directors. Overall risk monitoring and reporting are performed by Risk Management which is independent of the group’s business lines.

Credit risk

Credit risk is the risk of loss resulting from the inability or unwillingness of customers or counterparties to honour their commitments to the group.

The group is exposed to credit risk through all customer and counterparty receivables. The main exposure is through ordinary lending and leasing activities, but the group’s credit risk also has a bearing on the liquidity reserve portfolio through counterparty risk arising from interest rate and foreign exchange derivatives.

Credit risk associated with the group’s lending activity is the risk area with the highest requirement as to capital, both under internal assessments and capital requirement calculations under the CRR.

Through its annual review of the bank’s credit strategy, the board of directors concretises the group’s risk appetite by establishing thresholds and limits for the bank’s credit portfolio. The limits define the lending activity’s boundaries. Deviations with respect to thresholds obliges the credit manager to comment on the deviation to the board of directors and in most cases to prepare action plans in order to reduce risk. The bank’s credit strategy and credit policy are derived from the bank’s main strategy, and contain guidelines for the risk profile, including credit quality and concentration risk.

Concentration risk is managed by distribution between Retail Banking and Corporate Banking, limits on the size of loan and loss ratio on single exposures, limits on maximum exposure for the twenty largest grouped exposures, limits on maximum exposure within industries and a limit that ensures industry diversification among the 20 largest customers.

Compliance with credit strategy and thresholds and limits adopted by the board of directors is monitored on a continual basis by the Group Credit Committee and reported quarterly to the board of directors by way of the risk report.

The board of directors delegates lending authorisation to the group CEO. The group CEO can further delegate authorisations below divisional director level. Lending authorisations are graded in relation to exposure size and risk profile.

The board of directors delegates lending authorisation to the group CEO. The group CEO can further delegate authorisations to levels below executive director level. Lending authorisations are graded by size of commitment and risk profile.

The bank has a department dedicated to credit support which assists in or takes over dealings with customers who are clearly unable, or are highly likely to become unable, to service their debts unless action is taken beyond ordinary follow-up.

The bank’s exposure to climate risk is mapped by means of qualitative assessments of physical risk and transition risk at industry level, and through the requirement of ESG scoring of all credit cases above NOK 10m for corporate customers. In addition, the bank has estimated greenhouse gas emissions from the bank’s loan customers. The board of directors has adopted a strategy requiring the bank to be a driver for green transition, and transition plans are accordingly prepared towards a low emissions society for all significant industries in the bank. Transition plans for agriculture, commercial property and fishery were published in 2023. The transition plans communicate expectations and requirements we place on our customers. Strategies and policies are regularly assessed to ensure that measures against climate risk in the loan portfolio are adequate with reference to risk appetite. The bank has in 2023 not applied exclusion of industries or customer groups as a tool to curb climate risk.

The bank’s risk classification system was developed to quantify credit risk, and thus to enable management of the bank’s loan portfolio in keeping with the bank’s credit strategy and to measure risk-adjusted return.

The bank has approval to use internal models in its risk management and capital calculation (IRB) with respect to loans and guarantees to the mass market and undertakings. Approval to use the advanced IRB approach was given by Finanstilsynet in 2015. The bank uses IRB models for risk classification, capital allocation, risk pricing and portfolio management.

In 2022 the bank package, including CRR2, was introduced in Norwegian law. The bank package contains comprehensive requirements and guidelines for the development, application and validation of the IRB models. In June 2022 an application to apply the revised models was delivered to Finanstilsynet. The process is still ongoing.

The risk classification system (IRB) builds on the following main components:

1. Probability of Default (PD)

The group’s credit models are based on statistical computations of probability of default. The calculations are based on scoring models that take into account financial position and internal and external behavioural data. The models are partly point-in-time oriented, and reflect the probability of default in the course of the next 12 months under current economic conditions.

Customers are assigned to one of nine risk classes based on PD, in addition to two risk classes for exposures in default and/or subject to impairment write down.

The models are validated on an ongoing basis and at least once per year both with respect to their ability to rank customers and to estimate PD levels. The validation results confirm that the models’ accuracy meets internal criteria and international recommendations.

The bank has also developed a cashflow-based PD model used for exposures to commercial property lease. The bank has applied to Finanstilsynet for permission to use this model in its capital calculation (IRB).

2. Exposure at Default (EAD)

EAD is an estimation of the size of an exposure in the event of, and at the time of, a counterparty’s default. For drawing rights, a conversion factor (CF) is used to estimate how much of the present unutilised credit ceiling will have been utilised at a future default date. For guarantees, a government-determined CF is used to estimate what portion of issued guarantees will be brought to bear upon default. The CF is validated monthly for drawing rights in the retail market and corporate market. The bank’s EAD model takes account of differences both between products and customer types.

3. Loss Given Default (LGD)

The bank estimates the loss ratio for each loan based on expected recovery rate, realisable value (RE value) of the underlying collateral, recovery rate on unsecured debt, as well as direct costs of recovery. Values are determined using standard models, and actual realised values are validated to test the models’ reliability.

Estimated loss ratio shall allow for a future economic contraction. Given limited data from economic contractions, the bank has incorporated substantial safety margins in its estimates to ensure conservative estimates when calculating capital requirements.

The three above-mentioned parameters (PD, EAD and LGD) underlie the group’s portfolio classification and statistical calculation of expected loss (EL) and need for economic capital and regulatory capital.

Counterparty risk

Counterparty risk in derivatives trading is managed through ISDA and CSA contracts set up with financial institutions that are the bank’s largest counterparties. ISDA contracts regulate settlements between financial counterparties. The CSA contracts limit maximum exposure through market evaluation of the portfolio and margin calls when the change in portfolio value exceeds the maximum agreed limit or threshold amount. The bank will continue to enter CSA contracts with financial counterparties to manage counterparty risk. See note 12 for a further description of these contracts.

Counterparty risk for customers is hedged through use of cash depots or other collateral which, at all times, have to exceed the market value of the customer’s portfolio. Specific procedures have been established for calling for further collateral or to close positions if market values exceed 80 per cent of the collateral.

Market risk

Market risk is a generic term for the risk of loss and reduction of future incomes as a result of changes in observable rates or prices of financial instruments. Market risk arises at SpareBank 1 SMN mainly in connection with the bank’s investments in bonds, CDs and shares, including funding. SpareBank 1 has outsourced customer trading in fixed income and foreign currency instruments to SpareBank 1 Markets. This customer activity, and SpareBank 1 Markets’ use of the bank’s balance sheet, also affect the bank’s market risk.

Market risk is managed through limits for investments in shares, bonds and positions in the fixed income and currency markets. The group’s strategy for market risk lays the basis for management reporting, control and follow-up of compliance with limits and guidelines.

The group defines limits on exposure to market risk with a basis in stress tests employed in Finanstilsynet's (Financial Supervisory Authority of Norway) models. Limits are reviewed at least once a year and adopted yearly by the bank’s board of directors. Compliance with the limits is monitored by Risk Management, and exposures relative to the adopted limits are reported monthly.

Interest rate risk is the risk of loss due to changes in interest rates in financial markets. The risk on all interest rate positions can be viewed in terms of the change in value of interest rate instruments resulting from a rate change of 1 percentage point across the entire interest rate curve on all balance sheet items. The group utilises analyses showing the effect of this change for various maturity bands, with separate limits applying to interest rate exposure within each maturity band and across all maturity bands as a whole, including EVE and NII for interest rate risk in the banking book. Interest rate lock-ins on the group’s instruments are essentially short, and the group’s interest rate risk is low to moderate.

Spread risk is the risk of loss as a result of changes in market value/fair value of bonds due to general changes in credit spreads. The bond portfolio is managed based on an evaluation of the individual issuers. In addition, the bank has a separate limit for overall spread risk and for the business lines. The bank calculates spread risk based on Finanstilsynet’s module for market and credit risk. The loss potential for the individual credit exposure is calculated with a basis in rating and duration.

Exchange rate risk is the risk of loss resulting from exchange rate movements. The group measures exchange rate risk on the basis of net positions in the various currencies. Limits on exchange rate risk are expressed in limits for the maximum aggregate foreign exchange position in individual currencies.

Equity risk is the risk of loss on positions as a result of changes in share prices. Limits are set for the various portfolios as well as limits for total equity risk. Shares in subsidiaries and shares forming part of a consolidated or strategic assessment are not included.

Liquidity risk

Liquidity risk is the risk that the group will be unable to refinance its debt or unable to finance increases in its assets.

The bank’s most important source of finance is customer deposits. At end-2023 the group’s ratio of deposits to loans was 56 per cent, including loans sold to SpareBank 1 Boligkreditt and SpareBank 1 Næringskreditt, compared with 58 per cent at end-2022 (group figures).

The bank reduces its liquidity risk by diversifying funding across a variety of markets, funding sources, maturities and instruments, and by employing long-term funding. Excessive concentration of maturities heightens vulnerability with regard to refinancing. The group seeks to mitigate such risk by applying defined limits.

The bank’s finance division is responsible for the group’s financing and liquidity management. Compliance with limits is monitored by Risk Management which reports monthly to the board of directors, but breached limits can be reported on an ongoing basis. The group manages its liquidity on an overall basis by assigning responsibility for funding both the bank and the subsidiaries to the finance division.

Governance is based in the group’s overall liquidity strategy which is reviewed and adopted by the board at least once each year. The liquidity strategy reflects the group’s moderate risk profile. As a part of the strategy, emergency plans have been drawn up both for the group and the SpareBank 1 Alliance to handle the liquidity situation in periods of turbulent capital markets. These take into account periods of both bank-specific and system-related crisis scenarios as well as a combination of the two.

The bank shall have a holding of liquid assets sufficient to cover a minimum of 12 months’ ordinary operation without access to external funding and to withstand a house price fall of 30 per cent. The bank shall in addition have an adequate liquidity buffer consisting of assets that meet the LCR requirements, and which in volume at all times ensures that the bank is above the minimum requirement. Access to funding has been satisfactory in 2023.

Government requirements and investor’s preferences will pull in the direction of green investments ahead. The group has issued green bonds worth NOK 22.46bn and its objective is to increase the share of loans that qualify for green bonds.

The group’s liquidity situation as of 31 December 2023 is considered satisfactory.

Operational risk

Operational risk can be defined as the risk of loss resulting from:

• People: Breaches of procedures/guidelines, inadequate competence, unclear policy, strategy or procedures, internal malpractices
• Systems: Failure of ICT or other systems
• External causes: Criminality, natural disaster, other external causes

Operational risk is a risk category that captures the great majority of costs associated with quality lapses in the group’s current activity.

Management of operational risk has acquired increased importance in the financial industry in recent years. Contributory factors are internationalisation, strong technological development and steadily growing demands from customers, public authorities and other interest groups. Many substantial loss events in the international financial industry have originated in failures in this risk area.

Identification, management and control of operational risk are an integral part of managerial responsibility at all levels of SpareBank 1 SMN. Managers’ most important aids in this work are professional insight and leadership skills along with action plans, control procedures and good follow-up systems. A systematic programme of risk assessments also contributes to increased knowledge and awareness of current needs for improvement in one’s own unit. Any weaknesses and improvements are reported to higher levels in the organisation.

SpareBank 1 SMN attaches importance to authorisation structures, good descriptions of procedures and clear definition of responsibilities in supply contracts between the respective divisions as elements in a framework for handling operational risk.

The management views the undertaking’s IT systems as central to operations, to accounting for and to the reporting of executed transactions, as well as to providing a basis for important estimates and calculations. The IT systems are mainly standardised, and their management and operation are largely outsourced to service suppliers.

Process and risk analyses are carried out in all material areas of activity in the bank. In these analyses a risk assessment is made at process level to obtain an overview of the largest operational risks related to the bank’s business and support processes.

Upon the introduction of new products, services, systems or processes a risk assessment and quality assurance are undertaken. A number of the bank’s specialist areas are involved in this process. They include risk management, compliance, legal affairs, data protection officer, AML and information security. This risk assessment contributes to keeping operational risk related to new products, services, systems and processes to an acceptable level.

The bank uses a Governance, Risk and Compliance (GRC) system as a tool to improve the monitoring of risk, events and areas for improvement. An important area is event registration where these are employed for learning and improvement purposes. A structured process has been established involving follow-up of events with the responsible areas. Personnel with quality responsibilities and specialist responsibilities are involved to identify the need for measures such as process improvements, procedural changes and training needs. The system is also an important tool for registering and following up on areas for improvement that are identified by controls performed by the first and second line, as well as areas for improvement pointed out in reviews by the internal auditor.

Operational losses are reported periodically to the board of directors. The board of directors receives each year from the internal audit and the statutory auditor an independent assessment of the group’s risk and of whether the internal control functions in an appropriate and adequate manner. The board of directors considers operational risk in the undertaking to be moderate, including the risk related to the accounting and reporting process.

For further information see the bank’s Pillar 3 reporting which is available at https://www.sparebank1.no/nb/smn/om-oss/investor/finansiell-info/kapitaldekning.html and the following notes:

Note 12: Maximum credit risk exposure
Note 13: Credit quality per class of financial assets
Note 14: Market risk related to interest rate risk
Note 15: Market risk related to currency exposure