To ensure a well-functioning and effective framework for governance, internal control, and risk management — in accordance with Finansinspektionen's Regulations on Governance, Risk Management, and Control (FFFS 2014:1) — Brocc has established a model based on the principle of three lines of defense. The model serves as a key tool for clarifying and structuring roles, responsibilities, and accountability related to decision-making, risk management, and internal control within the organization.
First Line of Defense
The first line of defense consists of Brocc's business units, which are responsible for operational risk management and control in day-to-day activities. Business units must ensure that well-defined processes and procedures are in place to identify, assess, manage, and report risks within their respective areas of responsibility.
Second Line of Defense
The second line of defense comprises the functions that monitor and control risks, primarily the Risk Control function and the Compliance function. These functions are organizationally and functionally independent of the first line. Their responsibilities include monitoring, reviewing, and supporting ongoing risk management, as well as ensuring that operations are conducted in accordance with applicable laws, regulations, and internal frameworks. They also develop and maintain risk management methodologies and frameworks, identify and monitor emerging risks, and promote a sound risk culture within the organization. The second line of defense reports to the CEO, the management team, and the Board of Directors.
Third Line of Defense
The third line of defense consists of the independent audit function, Internal Audit. This function is responsible for performing independent and objective reviews and assessments of both the first and second lines of defense, with the purpose of ensuring that governance, risk management, and internal control processes are effective and appropriate. Internal Audit reports directly to the Board of Directors.