Bouwinvest has organised Risk Management according to the three lines of defence model. The roles and high-level risk responsibilities are described for each of the lines.
First line: Line management
This line of defence is formed by the line management. Line management’s first responsibility as risk owners is to manage the risks faced by Bouwinvest and its clients and to take adequate measures to control these risks. This involves system controls, documented process descriptions, procedures, segregation of duties, authorisations, reconciliations and review by line management. The first line of defence focuses on the following levels of risk management:
Strategic: At strategic level (new products, markets, organisation and HR policy), the Executive Board of Directors is the owner of the (first-line) risk management.
Tactical: Fund and mandate plans represent the tactical extrapolation of the strategic policy. Middle management is responsible for managing the tactical risks within the frameworks of the policy drawn up for this specific risk. Middle management also comprises the board members if and when they act in line with their hierarchical role.
Operational: At operational level, each employee is responsible for implementation within the applicable processes and procedures, including risk assessment and the corresponding internal controls. They use Risk and Control Self-Assessments (RCSAs) to assess whether the applicable processes and procedures are still managing the risks adequately and efficiently.
With respect to strategic risks, for which the Executive Board of Directors itself is part of the first line, the Supervisory Board (or in case of funds/mandates, the Shareholders) provides oversight of the functioning of the first, second and third lines of defence.
Second line: Risk and Compliance
The second line of defence consists of the Risk Management and Compliance departments. They are responsible for the design, implementation and effectiveness of risk management within the organisation and the monitoring of the first line of defence. It does this by setting policies to identify, measure, manage and monitor risks on an ongoing basis, and by facilitating and monitoring operational management’s implementation of these processes. Furthermore, the second line monitors compliance with risk limits, the adequacy of internal controls, correctness and completeness of reporting, compliance with laws and regulations, and the timely mitigation of issues. They also advise the Executive Board of Directors on the integrated risk management for each of the identified scopes (Fund, mandate and the management organisation), help identify known and emerging issues, provide risk management frameworks and train and guide personnel.
Third line: Internal Audit
The third line of defence within Bouwinvest consists of Internal Audit, which is responsible for the evaluation of the adequacy and effectiveness of the internal control system and other elements of governance, including outsourced activities. Internal Audit also monitors the design and implementation of the Risk Management policy, by making recommendations and confirming that these recommendations are followed up. Internal Audit monitors both first-line and second-line risk management.