CACEIS Bank Spain SAU follows a risk management and control model based on three lines of defence.
The business functions or activities that take or generate risk constitute the first line of defence against risk. Assuming or generating risks on the first line of defence should conform to the defined limits. In keeping with its function, the first line of defence should have the means to identify, measure, treat and report the risks assumed.
The second line of defence comprises the risk control and supervision function and the compliance function. This second line of defence oversees the effective control of risks and ensures that they are managed in accordance with the defined risks.
Internal audit, as the third line of defence, and as part of its task as the last control layer, regularly assesses whether the policies, methods and procedures are appropriate and checks that they have been effectively implemented.
The risk control function, the compliance function and the internal audit function are sufficiently separated and independent, from each other and from the other functions that they control or supervise, for the performance of their duties, and they have access to the board of directors and/or its committees through the heads thereof.
The Internal Control Model (ICM) of CACEIS Bank Spain SAU is aligned with the policies of the Santander Group, and it has been established to meet both external and internal requirements.
The Santander Group establishes a methodology for the documentation of processes, risks and controls of the relevant operations of the different units that make up the entity.
The ICM that has been established has the following characteristics:
- This is a model that involves the entire structure of the organization (with relevance in terms of control) through a direct model of the individually assigned responsibilities.
- A broad model has been documented. Consequently, in addition to processes related to generating financial information, it includes the procedures developed in each unit’s business and support areas that, although they do not have a direct impact on the accounting records, might cause possible losses or contingencies in the event of incidents, errors, regulatory breaches and/or fraud.
- It is dynamic: it evolves, constantly adapting to the reality of the Group’s support and business activities, identifying the risks that affect the fulfilment of the objectives and the mitigating controls.
- It includes a detailed description of the transactions, the criteria for evaluating the operation of the controls, and the conclusions of that evaluation.