Risk Management



The identification and management of risk is critical to the protection of the clients’ and other stakeholders’ interests. Mash operates within a three-layered line of defense model and a comprehensive risk framework that ensures risks are controlled in a prudent manner, minimizing the probability of unexpected losses and threats to the reputation.

Mash applies state-of-the-art corporate risk management models and methodologies as part of its strategic planning, business development and daily operations.

The aim of Mash’s risk management process is to limit the total risk exposure of the company to an acceptable level while optimising the risk/return ratio. Due to the nature of Mash’s business, particular emphasis is placed on analysing and managing credit risk and on managing total risk exposure. Advanced risk metrics are used in analysis to form an accurate company risk profile.

The company management and the Board of Directors monitor risk exposure

The Group Board of Directors is accountable for setting the level of risk it deems adequate within the duty of care the shareholders have bestowed on it, for the whole group as well as for the individual subsidiaries.

The Risk & Compliance Committee of the Board translates the defined risk appetite into risk parameters and limits within which the business has to be managed. It also oversees the efficient application of the internal control mechanisms and processes. The Board of Directors nominated three of its directors to the Risk & Compliance Committee, all particularly well qualified in finance, accounting and risk analysis, as they have held position as bankers or leading consultants in risk management.

Business management and ultimately the CEO are responsible for setting up and continuously improving the internal mechanisms in line with the nature of risks, their complexity, their magnitude and the regulatory challenges the business might encounter. Each manager bears responsibility for identifying, monitoring and managing the risks related to their functions in line with the Risk & Compliance Committee defined parameters. Effective policies, processes and procedures, as well as appropriate proprietary tools have been established within 2017. 

Group Risk Management Framework

risk management framework

Risk Management Structure

Proper risk management is a working combination of identification, analysis, management, control and supervision of risk, along with the continuous documentation of activities for audit and quality control purposes. The principles for the identification, analysis and management of the main risk areas are linked to the properties of each risk, whereas the control and supervision of each risk is linked to the organization, authorization, supervision and responsibilities.

Risk Management is an integral part of the strategic and operational management framework of Mash Group. The risk management is structured based on the separation of responsibilities and duties as described in the “Three lines of defence” table below.

Mash Group – Three Lines of Defence in Risk Management

3 lines of defence

The following risk management decision-making structure illustrates the Group’s risk management organisation.

Risk Management Structure

risk management structure

Board of Directors
The Board of Directors of the company is responsible towards the company’s owners (the annual shareholders’ meeting) and regulatory authorities for the entire business of the company. Risk management falls under the responsibility of the Board. The Board has the principal responsibility to ensure that regulations, good corporate governance and sound business practices are followed in all of the Group’s business operations. The Board also sets guidelines and limits for risk management.

The CEO is responsible for daily operations being carried out in accordance with the instructions and directives issued by the Board of Directors. The Board appoints and discharges the CEO and oversees the CEO’s actions.

The CEO may only take actions which are unusual or sizable considering the size and nature of the company’s business with the permission of the Board. The CEO is responsible for making sure that the accounting methods employed by the company are legal and that financial matters are managed in a reliable way.

In the company’s risk management, the operational management led by the CEO is responsible for the daily operations and activities in the company, without the right to make decisions about risk levels. The operational management has the right to view but not decide upon internal controls and documentation, and is responsible for implementing daily risk management.

Risk Management
Risk management is operated by the Risk Management Team, led by the company’s Risk Manager. Decisions regarding risk management and changes to it are prepared by the Risk Management Team, which puts them forward to the Risk Committee appointed by the Board. The Risk Management Team regularly monitors and assesses whether the company’s risk guidelines and instructions are suitable and effective, and assesses what measures need to be taken to address potential deficiencies. Any decisions are made by the Risk Committee or the company’s Board of Directors.

Risk Control
The Risk Control function shall analyse and report without delay to the Risk Committee, the Risk Management Team and the company’s operative management and internal audit any significant deviations from set guidelines or limits which may lead to significant changes in the company’s internal risk level. Reporting is done according to an agreed process and is documented in a way that facilitates the control and audit of analysis results.

Internal Audit
An internal auditor, who is independent of the operational functions in the company, regularly assesses internal processes, decisions and controls, and reports any findings, along with improvement suggestions, directly to the company’s Board of Directors. Internal audit services may also be provided by a third-party provider (audit company), which is independent of the company’s external auditors.

The company’s external auditors audit the entire business, with complete insight into reporting, decisions made and documentation. The auditors are responsible to the company’s shareholders and regulatory authorities. The external audit is carried out on a continuous basis (i.e. process audit) and for the company’s annual review.

Important notice

To the extent that any of the information on this part of the website relates to past performance, it should be noted that past performance is not a reliable indicator of future results.