Risk Management Policy

Adopted by the Board of Directors of the Nordic Investment Bank

on 4 June 2024 with entry into force as of 7 June 2024
Adopted by Board of Directors
Entry into force 7 June 2024
Version and adoption date Version 15 adopted on 4 June 2024

Document ownership Risk Management Office

Implementation responsibility Risk Management Office
Control responsibility Risk Management Office

Review cycle At least annually

Replaced document Risk Management Policy of 1 April 2024
Table of Contents
1 SCOPE AND OBJECTIVE ........................................................................................................... 1
Risk management framework ................................................................................................ 1
Policy structure ...................................................................................................................... 2
2 KEY RISK MANAGEMENT PRINCIPLES .................................................................................... 3
Mission and strategy.............................................................................................................. 3
2.1.1 Introduction ..................................................................................................................... 3
2.1.2 Mission fulfilment ............................................................................................................ 3
2.1.3 Sustainability and climate risk ......................................................................................... 3
Risk-bearing capacity ............................................................................................................ 4
Risk appetite.......................................................................................................................... 5
Risk limits .............................................................................................................................. 5
Capital structure and management ........................................................................................ 6
2.5.1 Capital and liquidity adequacy......................................................................................... 6
2.5.2 Stress testing .................................................................................................................. 7
Model risk management ........................................................................................................ 7
Risk governance.................................................................................................................... 7
2.7.1 Risk culture ..................................................................................................................... 7
2.7.2 Three-lines-of-defence model ......................................................................................... 7
2.7.3 Roles and responsibilities................................................................................................ 8
3 RISK CATEGORIES .................................................................................................................. 11
General ............................................................................................................................... 11
Credit risk ............................................................................................................................ 11
3.2.1 Definition ....................................................................................................................... 11
3.2.2 Appetite for credit risk ................................................................................................... 11
3.2.3 Key responsibilities ....................................................................................................... 12
3.2.4 Credit risk management ................................................................................................ 13
Market risk ........................................................................................................................... 19
3.3.1 Definition ....................................................................................................................... 19
3.3.2 Appetite for market risk ................................................................................................. 19
3.3.3 Key responsibilities ....................................................................................................... 19
3.3.4 Market risk management ............................................................................................... 19
Liquidity risk......................................................................................................................... 22
3.4.1 Definition ....................................................................................................................... 22
3.4.2 Appetite for liquidity risk ................................................................................................ 22
3.4.3 Key responsibilities ....................................................................................................... 22
3.4.4 Liquidity risk management............................................................................................. 22
Operational risk ................................................................................................................... 24
3.5.1 Definition ....................................................................................................................... 24
3.5.2 Appetite for operational risk........................................................................................... 24
3.5.3 Key responsibilities ....................................................................................................... 24
3.5.4 Operational risk management ....................................................................................... 24
Compliance risk ................................................................................................................... 26
3.6.1 Definition ....................................................................................................................... 26
3.6.2 Appetite for compliance risk .......................................................................................... 26
3.6.3 Key responsibilities ....................................................................................................... 26
3.6.4 Compliance risk management ....................................................................................... 27
Definitions
Counterparty Entity with whom the Bank enters into business transactions

Refers to a single entity or group of entities which are legally and/or

financially consolidated or otherwise interdependent from a risk perspective

Credit exposure Total credit exposure is a sum of credit exposures in Lending and Treasury.

Lending credit exposure is a sum of loans outstanding (less specific

impairments but without a deduction of collateral) and commitments
(outstanding principle value of committed agreed but not disbursed loans).
Exposure from Lending Labelled Bonds is included in the Lending credit
exposure.

Treasury credit exposure consist of

• Bonds, money market instruments (outstanding principal value) and

cash (outstanding balance)
• Repos and reverse repos (fixed percentage of the principal value of
the transaction)
• Derivatives with CSA (fair value, net of collateral held/post)
• Derivatives without CSA (fair value + add-on for future fluctuations)

ICAAP Internal Capital Adequacy Assessment Process

MCC Mandate, Credit and Compliance Committee

Mid-Cap Mid-Cap corporate with an annual turnover of EUR 150-500 million

Risk-owner Entity ultimately responsible for the Bank’s claim. May be different from the
counterparty if the risk is transferred through a guarantee

RAS Risk Appetite Statement

SMC Small Mid-Cap corporate which is not a SME and has an annual turnover
of less than EUR 150 million

SME Small and Medium-sized Enterprise with less than 250 employees and an
annual turnover of less than EUR 50 million or a balance sheet less than
EUR 43 million
 RISK MANAGEMENT POLICY

1 SCOPE AND OBJECTIVE

Risk management framework

The Nordic Investment Bank’s (“NIB” or the “Bank”) risk management framework is designed to
manage the Bank’s risk-taking in the context of its mission and strategy, and taking into account its
risk-bearing capacity, willingness to take risks (risk appetite), and minimum quantitative
requirements for capital, leverage and liquidity.

The willingness to take risks is described in the Bank’s Risk Appetite Statement (“RAS”) with the
purpose of aligning the Bank’s risk-taking with the statutory requirements, strategic business
objectives and capital planning. The RAS provides a clear articulation of the high level principles for
the Bank’s risk-taking, risk mitigation and risk avoidance. The RAS is reflected in this Risk
Management Policy (“Policy”) which sets out the overall principles for the management of NIB’s
financial and non-financial risks as defined and categorised in the Bank’s risk taxonomy. The risk
taxonomy is based on a set of risk categories that are identified to have the most material impact on
NIB’s risk profile and solvency. Each risk in the taxonomy is further divided into sub-categories, as
seen relevant.

In addition to this Policy, the risk management framework consists of several more detailed risk
category specific policies, guidelines, procedures and internal controls. The framework is supported
by an effective risk measurement and limit system as well as risk data and systems. An adequate
risk governance structure and competent staff are other key elements of the Bank’s risk management
framework.

Figure 1. Hierarchical structure of the elements of Risk Management Framework.

1
 Policy structure
This Policy is divided into four main sections; scope and objective (Section 1), key risk management
principles (Section 2), risk category specific principles (Section 3), and risk limits (Appendices).

Section 2 describes the main aspects of the Bank’s mission and mandate framework, risk-bearing
capacity, risk appetite and risk limits (see Sections 2.1 - 2.4). It then continues to provide an overview
of the capital and liquidity adequacy assessments and stress testing (Section 2.5) and model risk
management (Section 2.6). Section 2.7 provides a description of the Bank’s risk governance.

Section 3 describes the risk management principles for credit, market, liquidity, operational and
compliance risks. Each section is structured as follows: (1) Definition of the risk; (2) Appetite for risk
taking; (3) Risk management roles and responsibilities (risk governance); (4) Risk management
principles including risk mitigation.

The maximum exposure limits for credit, market and liquidity risks are set in the appendices.

This document is made public on the Bank’s website www.nib.int. The appendices containing,
among others, maximum exposure limits are for internal use only.

2
2 KEY RISK MANAGEMENT PRINCIPLES

Mission and strategy

2.1.1 Introduction
NIB is the international financial institution (“IFI”) of the Nordic and Baltic countries. The Bank’s
mission is to promote sustainable growth of its member countries by providing financing to projects
that promote productivity growth and environmental benefits.

NIB adds value by providing long-term financing in the form of loans and guarantees as a
complement to other sources of financing. It may also take equity participations. The Bank’s
competitive advantage is its ability to obtain funding at a favourable cost in the international capital
markets, which enables longer-term lending on competitive terms to its clients. NIB’s funding
advantage builds on its strong shareholder base and sound financial profile, which has enabled the
Bank to maintain the highest possible credit rating (AAA/Aaa) from international rating agencies and
investor confidence in the Bank as a debt issuer.

2.1.2 Mission fulfilment

The Statutes provide that the purpose of the Bank is to make financing available in accordance with
sound banking principles and taking into account socio-economic considerations.

Mission fulfilment is a key consideration when determining the Bank’s willingness to take risk. For
the purpose of assessing its mission fulfilment, the Bank has translated the mission into operational
guidelines and principles and established a methodology for mandate rating. Each project
considered for financing from NIB undergoes a mandate rating whereby the expected contribution
to promoting productivity growth and environmental benefits is assessed. The assessment covers
both the potential impact of the project and the implementation risk, i.e. the probability that the impact
will not materialise. The mandate rating methodology and process is described in the Mandate
Rating Framework.

As a rule, a sufficient mandate rating is a prerequisite for financing from the Bank. In its annual
business plan, the Bank sets a target level for new loans achieving mandate ratings of ‘good’ and
‘excellent’1.

For assessing how well NIB’s lending projects have been implemented by borrowers and NIB’s
mandate criteria have been fulfilled, the Bank has established a Monitoring and Ex-Post Mandate
Assessment Framework.

2.1.3 Sustainability and climate risk

Sustainability is at the core of NIB’s mission and mandate and retains a high priority throughout the
Bank’s operations. The Bank believes that sustainability is fundamental for building prosperous and
well-functioning societies, and is inherent to successful businesses. NIB is committed to working
alongside its clients in their transformation and expansion of sustainable business models. Taking
environmental, social and governance (ESG) aspects into account is not only necessary, but also
consistent with sound business practices.

In line with these priorities, the Bank has a Sustainability Policy in place to improve the predictability,
transparency and accountability of its operations. The Sustainability Policy sets out the Bank’s
approach to sustainability and provides direction for how the Bank seeks to ensure that its clients
and the projects it finances are sustainable from the environmental, social and governance
perspectives and in compliance with applicable regulatory requirements and international best
practices. In each of its key (Lending and Treasury) operations, the Bank has implemented and

1 The mandate rating scale is Excellent/Good/Moderate/Marginal/Neutral and Negative.

3
made publicly available its principles and guidelines for integrating environmental, social and
governance aspects2.

The Bank recognises that adverse environmental and social impacts cannot be avoided in all
circumstances. In these cases, the Bank seeks for the negative impacts to be appropriately reduced,
mitigated or compensated for. Activities and counterparties that the Bank considers unacceptable
from a sustainability perspective – thus not eligible for NIB financing – are specified in the Exclusion
List as part of the Sustainability Policy.

NIB has defined its stance on climate risk management in the Risk Appetite Statement (see Section
2.3 below). Climate risk can conceptually be divided into physical risk and transition risk sub-
components. Physical risk refers to a financial impact from acute or chronic weather events (such
as droughts, floods, and storms, land pollution), while transition risk refers to a financial impact from
the process of adjusting to a lower-carbon economy that could be triggered by a change in climate-
related policies, technologies, or markets. Climate risk is part of the Bank’s overall risk management
framework and managed using similar risk management principles as described in this Policy.
Climate risk is considered, inter alia, during the annual ICAAP exercise.

Both first line business functions (Lending and Treasury) as well as the second line function (Risk &
Compliance department) have their roles in climate risk management in the three-lines-of-defence
model applied by NIB (see Section 2.7.2.)

NIB is committed to transparency and open dialogue with its stakeholders on sustainability issues in
terms of both risks and opportunities. Information on projects with potential significant adverse social
or environmental impacts is made public for comments (www.nib.int) in accordance with the Public
Information Policy.

Risk-bearing capacity
The Bank’s ability to take risks is dependent on its risk-bearing capacity. A key factor determining
the risk-bearing capacity is stable earnings allowing the build-up of a strong capital base to absorb
potential losses. The Risk Appetite Statement acknowledges the statutory requirement that the Bank
shall aim for a profit allowing for a reasonable return on the subscribed capital.
The Dividend Policy sets as a target a dividend pay-out ratio of the annual net profit over the long-
term. The annual dividend distribution is approved by the Board of Governors.
NIB’s capital consists of capital subscribed by the member countries and reserves accumulated
through internal profit generation.

Equity comprises the paid-in portion of the capital subscribed by the member countries and the
accumulated general and specific reserves;

• The General Credit Risk Fund is established to cover unidentified, exceptional credit losses.

• The Statutory Reserve is a general reserve, which according to the Statutes must equal 10%
of the subscribed capital before dividends can be paid.

Callable capital is capital subscribed by the member countries but not paid in. Callable capital is
made available by the member countries at the request of the Board of Directors if deemed
necessary for the fulfilment of the Bank’s debt obligations. To date no capital calls have been made.

2The Bank has also issued a Climate Strategy that contains emission reduction targets for the lending
portfolio.

4
For capital adequacy assessment purposes NIB uses the concept of adjusted common equity to
measure its loss-absorbing capacity. The concept builds on banking regulations and is derived by
deducting certain items from the accounting equity that are not immediately available to cover risks.

Risk appetite
The foundation for the Bank’s financial risk-taking is set in the Constituent Documents. The Statutes
require that financing is made available in accordance with sound banking principles, that adequate
security be obtained, unless sufficient security is considered to exist under the circumstances, and
that the Bank protects itself against the risk of exchange rate losses to the extent practicable.

NIB has established its Risk Appetite Statement with the goal to align its risk-taking with the statutory
requirements, strategic business objectives and capital planning. The RAS provides in written format
statements that guide the Bank’s risk taking and mitigation on more permanent basis, framing the
overall boundaries for risk tolerance and highlighting the need for high risk awareness. The
fundamentals of the RAS do not change annually but the RAS is still reviewed annually by Risk &
Compliance department to ensure that the RAS remains fit-for-purpose and is relevant due to
variation in the short-term business circumstances. The RAS is approved by the Board of Directors
and implemented through this Policy and other internal policies and procedures, monitoring metrics,
limit system and internal controls.

Given NIB’s mission, risk-taking is primarily in its core activity of lending. The Bank strives to be
responsive to the financing needs of its customers and the policy objectives of its member countries,
thereby maintaining its relevance for key stakeholders. In line with the Bank’s risk appetite, it
provides long-term financing to its customers through the cycles, and aims to continue financing
economically viable investment projects also during economic downturns. The Bank aims to maintain
a high quality of the loan portfolio.

The Bank’s risk appetite in its treasury operations is driven by the objective of enabling and
supporting lending operations, and maintaining a strong liquidity and funding position. Although
performance objectives are set for the treasury operations, the Bank applies a conservative risk
versus return approach in these activities. This is reflected i.a. in stricter creditworthiness eligibility
criteria for treasury counterparties as compared to lending counterparties.

Risk limits
The Bank’s risk-taking is operationalised in strategies and business plans as well as day-to-day
business activities and decisions. The risk limit framework provides a mechanism to limit the risk-
taking to an acceptable level.

NIB has implemented a four-layer risk limit framework where minimum requirements for the amount
of economic capital, leverage and liquidity have been set in the Statutes. The Principles for Capital
and Liquidity Management (“Principles”) - approved by the Board of Governors - provide further
details and calculation principles for the minimum requirements. The third layer cascades down the
minimum requirements in the Statutes and Principles, and provides limits for those risk categories
which are deemed material by the Board of Directors.3 Management Limits for Financial Risks,
approved by the President, are designed to help manage financial risks (credit, market and liquidity
risk) and supplement the limit framework and limit monitoring.

This Policy provides limits for credit, market and liquidity risks under the umbrella of the Statutes and
Principles (and RAS). It also provides minimum requirements for the statutory metrics; capital ratio,
leverage ratio and survival horizon (see Appendix A.3).

3 The Board of Directors has approved limits for market risks, for example.

5
The limits are changed from time to time depending on the available financial resources and changes
in the risk appetite. The risk limits in this Policy are approved by the Board of Directors. Limit
monitoring is conducted on regular basis and breaches are reported to the Board of Directors.

The risk category specific limits, risk governance structure and reporting is described in more detail
in Section 3.

Capital structure and management

2.5.1 Capital and liquidity adequacy
The Bank manages capital in accordance with statutory requirements, annual financial and business
plans approved by the Board of Directors, its risk position and macroeconomic circumstances. Due
to NIB’s legal status, national banking legislation does not apply to NIB, nor it is subject to direct
supervision of any supervisory authority. Similarly to other IFIs, NIB does not require a banking
licence for its operations. Thus, the overall requirement and basis for the Bank’s capital and liquidity
management originates from the Statutes, and not from legislation or supervisory/regulatory
guidance.

The Bank aims to maintain a strong capital and liquidity position in order to support the highest
possible credit rating by the rating agencies and to compare well with its peers.

The Bank’s internal capital adequacy assessment process (“ICAAP”) aims to ensure that the Bank
holds a sufficient amount of capital and liquidity to withstand its current and potential future risks,
including adverse macroeconomic conditions. The framework provides a holistic view on the level of
risks, the robustness of risk controls and the amount and quality of capital and liquidity needed to
support the strategic objectives of the Bank.

The Bank’s ICAAP covers all material risks identified in the risk identification process. Quantitative
risk metrics support the risk identification and assessment process.

The Bank monitors its capital and liquidity adequacy on an on-going basis and reports the position
to the Board of Directors regularly. In addition, at least annually the Bank conducts a more thorough
internal assessment of its capital and liquidity adequacy in line with its ICAAP methodology and
provides the outcomes of the assessment to the Board of Directors.

The capital requirement is assessed on a risk-by-risk basis. The assessment and conclusions build
on both the use of the Bank’s internal models and other available information. The scope and risk
coverage of the assessment is reviewed regularly. Capital is reserved for all material risks. The
resulting capital requirement is complemented by capital buffers. Capital buffers include
macroprudential buffers and additional management buffers (typically in the form of a stress test
buffer). The Bank’s overall capital requirement is determined by aggregating the risk area specific
capital requirements and the capital buffers. The overall capital requirement is measured against the
Bank’s available financial resources (adjusted common equity) to determine the Bank’s capital
adequacy.

The assessment of liquidity risk builds on various internal and regulatory metrics complemented by
qualitative analysis. The main quantitative metric used in the liquidity risk assessment is the survival
horizon, which measures how long the Bank would be able to fulfil its payment obligations in a severe
stress scenario. The resulting liquidity requirement is measured against available liquid assets
(liquidity buffer) to determine the Bank’s liquidity adequacy.

The ICAAP Guidelines describe the framework, assessment elements and the internal process in
more detail.

6
2.5.2 Stress testing
Stress testing is a forward-looking risk management tool supporting the Bank’s risk identification,
monitoring and reporting procedures, capital and liquidity adequacy assessments as well as capital
and liquidity planning. Stress testing, including sensitivity analysis and reverse stress testing, are
used for assessing the resilience of the Bank to different economic scenarios or event-based shocks.

The Bank conducts both solvency stress tests and liquidity stress tests to ensure that it is sufficiently
capitalised and holds adequate liquidity buffers to carry out its mission even in severe but plausible
scenarios. The design of the stress test methodology and the specification and severity of scenarios
test the Bank’s business model, risk profile as well as current and assumed future external
circumstances.

The stress testing outcomes are utilised in the Bank’s capital and liquidity adequacy assessments,
capital planning and risk management. Stress tests conducted for ICAAP purposes are conducted
concurrently with the ICAAP schedule.

The Stress Testing Guidelines provide methodological and practical details for the Bank’s stress
testing.

Model risk management

Model risk is defined as the potential for adverse consequences from decisions based on an
inappropriate, incorrect, misspecified or misused model. Model risk can lead to financial loss, poor
business and strategic decision-making, and/or reputational damage. Model risk can materialise in
risk measurement models, in valuation models or in other models that support decision-making.
There are also interactions and interdependencies between the models in use, highlighting the need
for proper model risk management.

Model risk is managed by careful and adequate model design, development, implementation,
documentation and validation practices. As a rule, there shall be adequate separation of duties
between those functions/units that develop models and the validation function. Independent model
validation function is a cornerstone of model risk management framework and its roles and
responsibilities shall be clearly defined.

Model risk management is an important part of the Bank’s overall risk management framework.
Under the umbrella of this Policy, NIB has issued a separate Model Risk Management Policy and
the related Guideline that provide detailed principles and governance for model risk management at
NIB.

Risk governance
2.7.1 Risk culture
Risk culture is one of the core elements in the Risk Appetite Statement. The Bank is committed to
promote a culture of integrity, high ethical standards and strong risk awareness. All individuals in the
Bank are expected to contribute to and promote a sound risk culture which helps to maintain a sound
internal control environment and improves the operation of the Bank’s risk management framework.
Clear governance structure, policies and procedures support the creation of a sound risk culture.

2.7.2 Three-lines-of-defence model

NIB follows the three-lines-of-defence model where the first line of defence consists of risk-taking
business functions. The first line business functions are responsible for managing the risks they incur
in conducting their activities and are accountable for decisions taken in that regard, and all other
decisions, within their business units. They are required to comply with the relevant internal policies,
regulations and procedures.

7
The second line (Risk & Compliance department) is organisationally separate from the business
functions it monitors and provides independent risk monitoring and control activities and conducts
independent evaluations and reporting to the senior management on the Bank’s risk profile and
solvency. The second line interacts with the first line functions in risk matters and is involved in
decision-making with the objective to ensure that risk considerations are properly taken into account.

The third line (Internal Audit) is an independent, objective assurance function with reporting lines to
the Board of Directors and the Control Committee. Internal Audit provides an independent
evaluation of the controls, risk management and governance processes.

2.7.3 Roles and responsibilities

The Board of Governors is the Bank's supreme decision-making body. The Board of Governors is
responsible for, among other things, matters concerning NIB's Statutes and subscribed capital. The
Board of Governors approves the annual report of the Board of Directors and the audited financial
statements of the Bank. The Board of Governors is composed of eight governors. The Minister
designated by it as its Governor represents each member country. For further information, please
see the Rules of Procedure of the Board of Governors.

The Control Committee and its Chairmanship is the Bank’s monitoring body. It monitors that the
operations of the Bank are conducted in accordance with the Statutes. The Committee shall also
monitor that NIB’s operations are conducted in accordance with the Principles for Capital and
Liquidity Management adopted by the BoG. The Chairmanship administer the responsibilities and
tasks of the full Committee, monitor the Bank’s financial position, risk levels, capital and liquidity
position and oversee the performance of the audit of the Bank’s financial statements, carried out by
the external auditors. The full Committee focuses on monitoring fulfilment of NIB’s purpose and in
particular its mandate and mission. For further information, please see the Rules of Procedure for
the Control Committee.

All the powers that are not exclusively vested in the Board of Governors are entrusted to the Board
of Directors. The Board of Directors has the overall responsibility of the Bank’s risk management
and oversees the implementation of the Bank’s risk management framework by approving risk
management policies, including maximum limits for exposure to the main types of risk, as well as by
approving the capital and liquidity adequacy assessment process and its outcomes. The Board of
Directors approves projects to be financed by the Bank and adopts policy decisions concerning the
operations of the Bank, in particular the general framework for financing, borrowing and treasury
operations and their management. For further information, please see the Rules of Procedure for
the Board of Directors.

The President is responsible for implementing the Bank’s risk management framework set by the
Board of Directors, for management of the Bank’s risk exposures, and for ensuring that the Bank’s
aggregate risk is consistent with its financial resources and willingness to take risk. The Board of
Directors has delegated some credit approval authority to the President for execution in the Mandate,
Credit and Compliance Committee.

The following committees assist and advise the President:

• The Executive Committee (ExCo) comprises the President and other senior management
representatives that the President has appointed as members. The Board of Directors
confirms the appointments. The committee is a body established to assist and advice the
President in general management and decision making concerning NIB, including following
up the financial results, business plan and strategy of the Bank. The committee is expected
to meet approximately twice a month. For further information, please see the Rules of
Procedure for the Executive Committee.

8
 • The Asset, Liability and Risk Committee (ALR) comprises (selected) members of the
ExCo and other senior staff that the President has appointed as members. The ALR is a body
established to monitor, analyse, discuss and guide the development and overall
management of NIB’s balance sheet, its risk and capital, funding and liquidity position,
covering both financial and non-financial risks, as well as to maintain and manage risk limits
with respect to the Bank’s risk appetite and risk bearing capacity. All decisions at the ALR
require majority support and, at the same time, the Chief Financial Officer as Chair of ALR
and the Chief Risk Officer (or their substitutes) both need to be supportive. The committee
meets approximately twelve (12) times a year. For further information, please see the Rules
of Procedure for the Asset, Liability and Risk Committee.

• The Mandate, Credit and Compliance Committee (MCC) comprises (selected) ExCo
members. The committee is responsible for management and decision making concerning
mandate, credit and related integrity and compliance matters (related to individual
counterparties in both Lending and Treasury operations), as well as the overall risk culture
of NIB. The committee is chaired by the President who exercises his executive powers
regarding lending operations through the MCC. Further, the committee reviews all credit
proposals submitted to the Board of Directors for approval. The committee usually meets
weekly. For further information, please see the Rules of Procedure for the Mandate, Credit
and Compliance Committee.

• The Business and Technology Committee (BTC) comprises senior staff and management
from different departments and units that the President has appointed as members. The
committee is chaired by the Head of IT & Business Services. BTC is a body established to
facilitate IT’s strategic direction and the digital transformation of NIB by prioritising, directing,
monitoring and governing NIB’s enterprise IT architecture, IT projects and development
initiatives. For further information, please see the Rules of Procedure for the Business and
Technology Committee.

In addition to the above mentioned advisory bodies to the President, the Bank has the following
permanent internal committees:

• The Business Integrity Council; the main task of the Council is to enhance awareness of
integrity and corruption risks among the Bank’s staff and stakeholders. The Council is chaired
by the Chief Compliance Officer (CCO).

• The Trust Fund Committee shall ensure that the purposes of the trust funds managed by NIB
are fulfilled in the most efficient way. The committee also approves the activity plan of the
trust funds and proposes allocations from a trust fund. The committee gives its
recommendations to the respective donor(s) for their final decision.

In the day-to-day operations, the Bank has established a segregation of duties between functions
that enter into business transactions with customers or otherwise expose the Bank to risk, and
functions in charge of risk assessment, risk measurement, monitoring and control;

• The business functions, Lending and Treasury, are responsible for implementing the Bank’s
business strategy and act as the first line of defence for the risks in their operations. Lending
is responsible for loan origination and mandate fulfilment in accordance with the Bank’s
willingness to take risk. Treasury provides support by executing the funding strategy and
managing the liquidity as well as balance sheet risks (asset and liability management). The
business functions carry out the day-to-day management (identification, assessment,
monitoring and internal reporting) of all risks assumed in their operations and ensure that an
adequate return is achieved for the risks taken. Both the Head of Lending and the Head of
Treasury & Finance report to the President.

• The Risk & Compliance department independently controls the risk positions of the Bank.
It implements the Bank’s risk management related policies, guidelines and frameworks as

9
 approved by the Board of Directors and the President. The Risk & Compliance department
has the overall responsibility for identifying, measuring, assessing, monitoring and reporting
on risks across risk types and organisational units. The department is responsible for the
Bank’s risk models, tools, and policies,and maintains risk management frameworks (like
ICAAP, RAS and risk taxonomy). It also monitors credit, market, liquidity, and operational
risks on daily basis. The Compliance function belongs to the second line of defence and
oversees, coordinates and reports on matters relating to compliance and integrity risks. The
Chief Compliance Officer reports to the Chief Risk Officer (CRO), has a dotted reporting line
to the President and shall have unrestricted access to the Chair of the Board of Directors and
the Chair of the Control Committee.

• The Chief Risk Officer (CRO) heads the Risk & Compliance department and reports to the
President. The CRO is a member of the Executive Committee, the Mandate, Credit and
Compliance Committee, and the Asset, Liability and Risk Committee, with the role and
purpose to ensure that risk considerations are properly taken into account and is involved in
decision-making to influence and, when necessary, challenge decisions that give rise to
material risk. The CRO shall have unrestricted access to the Chair of the Board of Directors
and the Chair of the Control Committee. An important objective is to engage the senior
management, Board of Directors and the Control Committee on constructive dialogue on key
risk issues.

• The Legal department supports the business functions carrying the responsibility for
minimising and mitigating legal risks in all of the Bank’s operational, institutional and
administrative activities. The General Counsel reports to the President and is Secretary to
the Board of Governors, the Board of Directors and the Control Committee.

• Internal Audit provides an independent evaluation of the effectiveness of controls, risk

management and governance processes. The Head of Internal Audit reports to the Board of
Directors and the Control Committee and works administratively under the auspices of the
President.

10
3 RISK CATEGORIES

General
The Bank has identified a set of risk categories that cover both financial and non-financial risks and
create the basis for the Bank’s risk taxonomy. These risks are managed with the overall objective of
maintaining financial soundness and avoiding activities that could threaten the Bank’s reputation.

NIB operates according to sound banking principles, monitors banking regulations, supervisory
standards and industry practices, and takes them into account to the extent relevant for its business
model and complexity.

The Bank’s risk management framework comprises risk policies and procedures formulated for the
identification, measurement, assessment, monitoring and reporting of risks, including several layers
of limits set to manage the exposure to quantifiable risks. The Bank recognises that effective risk
management is based on a sound risk culture, which is characterised, among others, by a high level
of awareness concerning risk and risk management in the organisation. Regular training of staff in
risk related matters is part of the Bank’s risk management practices.

Credit risk
3.2.1 Definition
Credit risk is defined as the risk of loss resulting from the failure of the Bank’s borrower or other
counterparty to fulfil their contractual obligations and that collateral provided does not cover the
Bank’s claims.

3.2.2 Appetite for credit risk

To fulfil its mission, the Bank provides long-term loans and guarantees to customers in the member
and non-member countries. Thus, most of the credit risk arises in the Bank’s lending operations.

The Bank is also exposed to credit risk in its treasury activities, where credit risk derives from the
financial assets that the Bank uses for investing its liquidity, and from derivative instruments that are
used to manage foreign exchange and interest rate risks in the Bank’s funding and lending
transactions.

The Bank is subject to concentration risk due to its regional focus, where majority of the lending is
targeted to member countries, and due to its focus on limited range of customers, customer sectors
and segments. Yet, the overall target is to avoid excessive risk concentrations and to have an
appropriate diversification at the portfolio level.

The Bank aims to maintain a high quality loan portfolio, while acknowledging that some of its lending
involves greater risks. The Bank accepts limited credit risk in its Treasury operations arising from the
investments in the liquidity portfolio. The appetite for counterparty credit risk arising from the use of
derivatives is low.

The Board of Directors has established the following facilities in terms of lending volume:

11
 • SME facility for direct financing to small and medium-sized enterprises (SMEs) and small
mid-cap corporates (SMCs) in the member countries up to a total amount of EUR 250 million;
• Mid-Cap facility for direct financing to mid-cap corporates in the member countries up to EUR
500 million;
• Combined Corporate Bond Investment facility up to EUR 1 billion. Under this facility Lending
can invest into labelled bonds issued by corporates, financial institutions and municipalities
in the member countries. Under the facility Treasury can invest into corporate bonds and
commercial papers issued by corporates in member and non-member countries. The internal
nominal allocation for the Lending and Treasury sub-portfolios is decided at the MCC;
• Combined Senior non-preferred Financial Institution Bonds Investment facility up to EUR 1
billion. Under this facility Lending can invest into bonds issued by carefully selected financial
institutions in the member countries and Treasury can invest within its applicable limits and
approved counterparts. The internal nominal allocation for the Lending and Treasury sub-
portfolios is decided at the MCC;
• Lending Baltic Bond facility to invest in commercial papers and corporate bonds (incl. labelled
bonds if fufilling NIB criteria), and issued by Baltic corporates and financial institutions up to
EUR 150 million;
• Mezzanine facility up to EUR 150 million4;
• InvestEU facility up to EUR 994 million5. Under this facility Lending can finance projects that
meet the specific eligibility criteria for InvestEU loans and NIB credit criteria as in the Credit
Risk Policy, and subject to maintaining the EU guarantee ratio fixed as defined in the
Guarantee Agreement;
• Non-payment insurance facility up to EUR 750 million. Under this facility, Lending can
propose non-payment insurance transactions for credit risk mitigation purposes and subject
to the insurance policies.
The following facilities have been established in terms of economic capital:

• High Risk Lending Facility (HRL) for counterparties with a rating of PD14 or weaker, to finance
projects in member and non-member countries up to EUR 300 million in terms of economic
capital.
3.2.3 Key responsibilities
The Board of Directors approves the Credit Risk Policy, which sets out the key principles of the
Bank’s credit risk management and control. Based on regular reporting, the Board of Directors
oversees the development of the Bank’s credit risks, both at the counterparty and portfolio level.

The Board of Directors approves new loans and sets the limits for maximum credit risk exposure at
counterparty, business sector, country and business line level. The Board of Directors has authorised
the President to approve loans up to a defined amount in the Mandate, Credit and Compliance
Committee (MCC) as set out in the Rules of Procedure for the Mandate, Credit and Compliance
Committee. Treasury counterparties are approved by the MCC within the limits authorised by the
Board of Directors. The Board of Directors receives information on credit approvals made in the
MCC.

The Lending department is responsible for the loan and counterparty (borrower and/or risk-owner)
appraisal process. The Risk Management functions verify compliance with relevant internal policies
and guidelines and opine on proposed ratings. The appraisal process for new counterparties in

4No new transactions are executed under this facility.

5 The change to the facility size was approved by the Board of Directors on 14 December 2023 with entry into force as of
1 February 2024.

12
treasury operations is the responsibility of the Treasury function in cooperation with the Risk
Management functions. The credit risk monitoring process and related responsibilities are laid out in
the Credit Monitoring Guidelines.

The MCC decides on watch-listing of credits and on impairment provisioning. The handling of
distressed credits is described in the Guidelines for the Special Credit Operations.

The Risk & Compliance department provides independent oversight of credit risks at the portfolio
level. It monitors the level of credit risks in the Bank and reports on the level and development of
credit risk and the respective capital requirement to the Board of Directors regularly.

3.2.4 Credit risk management

NIB’s credit risk management aims at preserving the high credit quality of the Bank’s portfolios and
thereby protecting the Bank’s short- and long-term viability. The Bank’s credit risk management
builds on the principles of (1) appropriate risk diversification within the scope of the mission; (2)
thorough risk assessment at the credit appraisal stage; (3) risk-based pricing and risk mitigation; (4)
continuous risk monitoring at the individual counterparty level as well as portfolio level; (5) avoidance
of undesirable risks to the extent possible.

Risk indicators monitored are, among others, the development in risk class distribution in the lending
and treasury portfolios as well as large exposures to individual counterparties, sectors and countries.

3.2.4.1 Risk-sharing and outsourcing of credit risk management

Within Lending’s activities, the Bank provides direct financing to small and medium-sized enterprises
(SMEs) and small mid-cap corporates (SMCs) in the member countries. The Bank’s direct lending
to the SME/SMC segment is carried out in cooperation with a partner bank and includes outsourcing
of certain operations, such as the credit assessment process, as well as potential delegation of
authority to the partner bank. A thorough due diligence of the partner bank’s credit policies, credit
analysis, credit reporting and work-out process is undertaken to ensure fulfilment with NIB’s credit
policies, rating frameworks and other criteria.

Financing to SMEs/SMCs may be provided on the basis of risk-sharing (in the form of a guarantee
or other risk-sharing arrangement) or as direct loans originated and administered by the partner
bank. In any risk-sharing arrangement, a key principle is to minimize incentives for adverse selection
by the partner bank. In case of pro-rata risk sharing arrangement, NIB will generally not assume
more risk than the partner bank on any SME/SMC counterparty. In case of non-pro rata risk sharing
arrangements, NIB’s maximum exposure on a SME/SMC borrower is determined case by case.

Lending to the SME/SMC segment is further outlined in the Credit Risk Policy and the Credit
Enhancement Guidelines.

3.2.4.2 Credit exposure and concentration risk

The Bank strives to avoid excessive concentration in any single counterparty, industry sector or
country outside the member countries. The maximum credit exposure that the Bank is willing to take
is expressed in terms of exposure limits set by the Board of Directors (Appendix 1-9). Credit exposure
is the aggregate of lending and treasury exposure. The limits are measured by total credit exposure
and economic capital consumption against the Bank’s equity. The limits are reviewed at least
annually.

Counterparty limits
The Bank defines a single counterparty as a counterparty or group of counterparties that are legally
and/or financially consolidated or otherwise interdependent from a risk perspective. For exposure
limit purposes the Bank considers the entity where the risk resides, i.e. the risk-owner, as the

13
counterparty. The risk-owner is the entity that is ultimately responsible for the Bank’s claim and may
be different from the obligor if there is a risk transfer (see section 3.2.4.4 for eligibility). However,
each counterparty (borrower, third-party guarantor, non-payment insurance provider) shall fullfil the
minimum conditions for eligible counterparty risk ratings on a stand-alone basis, and as presented
in Appendix 1 and Appendix 2 to this Policy.

• Single counterparty limits: The maximum risk that the Bank is prepared to take on a single
counterparty is defined based on the creditworthiness of the counterparty as expressed by
the probability of default (PD). In addition, the exposure is limited based on the loss given
default (LGD) and the expected loss (EL) of the transaction(s) entered into with the
counterparty. The limits are scaled to the Bank’s equity and the counterparty’s equity.

Counterparty limits in the Bank’s lending operations apply to non-sovereign exposures

whereas in the treasury operations counterparty limits apply to both sovereign and non-
sovereign exposures. Please see the Counterparty limits, Appendix 1 and Appendix 2.

• Large exposure limits: The aggregate of large counterparty exposures is managed within
limits measured by total credit exposure and economic capital consumption and set in relation
to the Bank’s equity. Please see the Limits on large counterparty exposures, Appendix 4.

• High-risk exposure limit: The Bank strives to control risk concentrations in the weaker risk
classes. As such, total lending to counterparties in rating category PD14 6 and weaker may 2F2F2F2F

not exceed EUR 300 million in terms of economic capital. Please see the Limits on lending
to counterparties rated PD14 and weaker, Appendix 5.

As a rule, the Bank refrains from new lending to borrowers in the risk classes PD17-20 3.

Industry sector limits

The Bank aims to maintain a reasonably granular portfolio in terms of industry sector exposure.

Limits have been set on the maximum credit exposure to a single industry sector as well as on the
economic capital consumption of a sector. The limits have been set in relation to the Bank’s equity.
The Bank accepts higher exposure to the public sector and the financial sector, the latter in order to
accommodate the exposure from the Bank’s treasury operations, and the lending to financial
intermediaries, please see the Business sector limits, Appendix 5.

Country limits
Country limits apply for lending in non-member countries. These limits are based on the credit risk
rating of the sovereign and scaled to the Bank’s equity (see Appendix 3). Lending in member
countries is not subject to country limits. All Treasury exposure (in or outside member countries) is
subject to country limits.

3.2.4.3 Credit risk assessment

The counterparty’s debt servicing capacity is a key consideration for credit approval. The
assessment of a counterparty’s creditworthiness focuses on identifying the main financial risks and
business risks related to the counterparty. Based on the assessment, a risk rating indicating the
probability of default (PD) is assigned to the counterparty.

The Bank’s PD rating methodologies are laid out in the rating frameworks for corporates, financial
institutions, local and regional governments, and project finance. For sovereign counterparties the

6 Rating scale: PD1 to PD20 and D1,D2; PD1-10 correspond to investment grade ratings by S&P and Moody’s

14
Bank uses PD ratings derived from external ratings. Please see the Country Risk - Assignment,
monitoring and reporting process.

A separate expected loss (EL) rating is assigned at the transaction level. The EL rating factors in the
loss given default (LGD), i.e. the loss severity in the event of a counterparty default. The LGD
assignment process relies on models, which produce an LGD estimate based on the type of
counterparty and the characteristics of the transaction, such as guarantees, collateral, seniority of
the claim and other credit enhancing factors in the transaction. For further information, please see
the Rating Framework for Loss Given Default and the Rating Framework for Covered Bonds.

The Bank’s risk rating system comprises 20 classes to differentiate the risk of counterparty default
(Obligor Master Scale, Appendix 11) and the expected loss on a transaction (Transaction Master
Scale, Appendix 12). In addition, separate D classes apply for non-performing transactions. For
reference to external ratings, the internal scales are mapped to the ratings of Standard & Poor’s and
Moody’s.

The process of assigning PD and LGD ratings to lending counterparties is carried out by the Lending
department. The process of assigning PD and LGD ratings to treasury counterparties is carried out
by the Treasury function. The credit opinion provided by the Risk Management functions includes
an opinion on the PD and LGD. The risk ratings are approved by the Mandate, Credit and
Compliance Committee.

The Bank’s credit risk assessment includes the use of quantitative risk methodologies and models
as well as qualitative assessments based on expert judgement. The development of the analysis
tools is made in cooperation between the relevant business functions and the Risk & Compliance
department, under the oversight of senior management in steering committees. Periodic validation
of the tools is carried out and/or overseen by the Risk & Compliance department. Final approval for
production use of credit risk assessment tools is made by the Asset, Liability and Risk Committee.

3.2.4.4 Credit risk mitigation

Lending
The Statutes require that the Bank obtains adequate security for loans (and guarantees) granted,
unless sufficient security is considered to exist under the circumstances.

As a rule, the Bank finances maximum 50% of the total costs for a single project. Financing to small
and medium-sized enterprises, small mid-cap corporates and mid-cap corporates in the Bank’s
member countries can be extended up to 75% of the total project or financing need fulfilling NIB’s
mandate criteria.

The Bank lends and invests on senior unsecured or on secured basis. The level of credit
enhancement required in the Bank’s lending depends, among others, on the creditworthiness of the
counterparty and the tenor and repayment structure of the loan. For further information, please see
the Credit Risk Policy and the Credit Enhancement Guidelines.

The Bank may use third-party guarantees or non-payment insurance as a credit risk mitigation
technique. In each case, the eligibility for a risk transfer shall be assessed. Risk transfer refers to a
substitution procedure whereby the guarantor or the non-payment insurance provider of a
transaction is considered to be the counterparty from a credit risk perspective (risk-owner) instead
of the borrower.

The risk transfer to be eligible from a credit risk perspective, as a minimum, the legal conditions
between the Bank and the protection provider shall be legally enforceable, unconditional (i.e. the
Bank shall have direct control to use the protection), irrevocable during the lifetime of a loan, and the
legal conditions of the (guarantee or non-payment insurance) cannot be changed without the Bank’s
consent.

15
In third-party guarantees, and for the purposes of risk transfer, the risk coverage shall be complete,
i.e. it shall cover the obligations of a borrower in full. In case of a non-payment insurance, the
coverage may be a proportion to the initial exposure between the borrower and the Bank.

In all cases, the risk-owner shall be treated in the risk and capital management in proportion to the
risk covered. In case the risk-owner doesn’t cover the obligations of an obligor in full, the Bank
applies risk transfer only to exposure portions which are covered, so in capital management the
effective coverage ratio shall be used.7

For transactions where credit risk is mitigated via the non-payment insurance, there shall not be a
maturity mismatch nor currency mismatch between the maturity of the underlying transaction and
the maturity of the non-payment insurance.

Further details are provided in the Credit Enhancement Guidelines.

Units responsible for client relationships are responsible in the first place for ensuring that the Bank
is protected by sufficient credit enhancement. The Risk Management functions provide an opinion
on the proposed credit enhancements. The Mandate, Credit and Compliance Committee makes the
final decision on the required credit enhancements.

Treasury
In its treasury operations, the Bank uses netting and collateralisation to mitigate credit risk related to
derivatives and reverse repurchase agreements. The Bank undertakes swap transactions only with
counterparties that meet the required minimum counterparty credit rating and have executed an
International Swaps and Derivatives Association (ISDA) Master Agreement and signed a Credit
Support Annex (CSA). The ISDA master agreement allows for a single net settlement of all
transactions covered by the agreement in the event of a counterparty default or early termination of
the transactions. Under the CSA, the derivative positions are marked to market daily, and the
resulting exposures are collateralised by cash or government securities. Reverse repurchase
transactions are conducted on the terms of the Global Master Repurchase Agreement (GMRA).

3.2.4.5 Credit risk monitoring and reporting

The Bank puts strong emphasis on continuous monitoring of the credit risk development in its lending
and treasury operations. Credit risk is monitored both at counterparty level, for relevant sectors and
at portfolio level. The primary responsibility for credit risk monitoring resides with the unit responsible
for the client relationship, i.e. Lending, Treasury and Special Credits. The reference document is
Credit Monitoring Guidelines. Risk & Compliance department is responsible for regular reporting to
the Board of Directors on the Bank’s risk position in relation to established limits.

3.2.4.5.1 Counterparty level

Lending exposures

All credit exposures are subject to continuous monitoring of contractual compliance and
events/signals that could potentially lead to or indicate a material change in risk. In addition,
a formalised annual follow-up (AFU) is conducted on individual basis for the entire loan
portfolio throughout the year. The AFU includes a follow-up of the policy and contractual
compliance as well as a credit and integrity risk reviews. The annual follow-ups are approved
in line with the Rules of Procedure for MCC and Delegation of Authority Concerning Decision
Related to Previously Granted Loans. The sector reviews are presented for the MCC
approval and reported to the Board of Directors.

7 If the risk-owner covers only a proportionate share of the principal, or accrued interest payments are not covered, the effective
coverage ratio shall be used in the economic capital calculation.

16
 Large exposures, defined as the 20 largest non-sovereign exposures and the 20 largest
economic capital consumers, are subject to more thorough analysis and are presented to the
MCC for approval. The same applies to high-risk counterparties defined as counterparties in
risk classes PD14-16 8 and watch-listed counterparties.
3F3F3F3F3F3F3F3F3F3F

Compliance with maximum single-counterparty limits for lending transactions is verified by

the Risk Management functions. Compliance with aggregate/portfolio limits in lending
operations is also monitored by the Risk Management functions. Exposure in excess of
maximum limits may occur e.g. due to downgrade of a counterparty rating. Limit breaches
are reported to the Board of Directors.

Treasury exposures

All exposures are subject to continuous monitoring of events/signals that could potentially
lead to or indicate a material change in risk. In each calendar year, the Treasury
counterparties are analysed and the risk class validated. Counterparties with a risk class
weaker than EL6 are prioritised. The annual follow-up is presented to the MCC for approval.

Compliance with maximum individual limits for new treasury counterparties is verified by the
Risk Management functions. Compliance with individual counterparty and aggregate/portfolio
limits in treasury operations is monitored on daily basis by the Risk Management functions.
Exposure in excess of maximum limits may occur e.g. due to downgrade of a counterparty
rating. Limit breaches are reported to senior management and the Asset, Liability and Risk
Committee, as well as to the Board of Directors if the maximum exposure limit is exceeded.

Watch-listed exposures

Following the identification of a seriously deteriorated debt repayment capacity and/or a

serious deterioration in the financial standing, the counterparty is placed on the watch-list and
becomes subject to specific watch-list monitoring. All loans, borrowers and Treasury
counterparties in risk class PD17 and/or EL17 5 or below shall be proposed for the watch-list.
Please see the Credit Risk Policy.

3.2.4.5.2 Portfolio level

Monitoring of the credit risk development at portfolio level is carried out regularly by Risk &
Compliance department, which is responsible for analysing and reporting the development to the
Asset, Liability and Risk Committee and the Board of Directors. The reporting includes, among
others, an analysis of the aggregate credit risk exposure, credit risk concentrations, changes in the
risk profile, exposure against portfolio risk limits and development of economic capital.

3.2.4.6 Risk-based pricing

The Statutes stipulate that the Bank shall operate according to sound banking principles and aim for
a profit allowing the formation of reserves and reasonable return on capital. Loans and guarantees
are priced to cover the Bank’s cost of funds, administration costs, the cost of the risk involved in the
transaction and the cost of capital employed. For loan pricing purposes the Bank uses a pricing tool
that enables calculation of the minimum earnings required on a loan in order to cover all lending
related costs and an appropriate return for the level of risk assumed. Internal credit risk ratings and
associated risk parameters, as well as the structure of the transaction are key input factors into the
pricing tool.

8 Rating scale: PD1 to PD20 and D1,D2; PD1-10 correspond to investment grade ratings by S&P and Moody’s

17
3.2.4.7 Expected credit losses & impairment of financial assets
The Bank makes timely recognition of, and provision for, expected credit losses (“ECL”) and the
impairment of financial assets and commitments in accordance with the International Financial
Reporting Standard (IFRS 9). The estimation of ECL takes into account a broad range of information,
including forward-looking macroeconomic factors. The main principles applied for calculating and
reporting provisions based on ECL are set out in the Expected Credit Loss Framework. ECL are
measured by allocating financial assets under scope into three categories (stages) at each reporting
date:

• Stage 1: Financial assets which are performing and for which no significant increase in credit
risk has been identified since initial recognition;

• Stage 2: Financial assets which are performing but for which a significant increase in credit
risk has been identified since initial recognition;

• Stage 3: Non-performing financial assets, as defined in the Non-Performing Exposures

Framework.

The MCC approves loss provisions from the ECL estimate – based on Macro-Financial scenarios
which feed into ECL model calculations and additional management overlay adjustments, if any –
and individual impairments. Risk & Compliance is responsible for generating the Macro-Financial
scenarios and the maintenance and development of the ECL model.

18
 Market risk
3.3.1 Definition
The Bank defines market risk as the risk of valuation loss or reduction in expected earnings stemming
from adverse fluctuations in exchange rates, interest rates, credit spreads or cross-currency basis
spreads.

3.3.2 Appetite for market risk

The Bank’s strategy is to obtain cost-efficient funding from diversified sources and provide lending
that is tailored to the needs of its customers. This gives rise to foreign exchange risk and structural
interest rate risk due to mismatches in the Bank’s assets and liabilities in terms of currency
composition, maturity profile and interest rate characteristics. Cross-currency basis risk stems from
the hedging techniques used by the Bank to mitigate the above risks. This risk is inherent in
transactions exchanging foreign currencies at a future point in time and is mainly driven by liquidity
supply and demand in those currencies.

The Bank’s securities portfolio held for liquidity purposes is exposed to interest rate risk and credit
spread risk. Credit spread risk refers to a potential decline in market value due to perceived change
in the credit quality of the issuers of the securities held in the portfolio.

The Bank accepts moderate interest rate and credit spread risk arising from the investments in the
liquidity portfolio. Interest rate risks arising from funding and lending activities are hedged with the
objective of protecting earnings and the economic value of assets and liabilities. Exposure to
currency risk is kept low and effectively mitigated by using derivatives to protect the Bank against
realised foreign exchange rate losses. The Bank allows exposure to currency basis risk arising from
the use of derivatives for hedging purposes. The Bank’s appetite for volatility risk is low.

3.3.3 Key responsibilities

The Board of Directors annually reviews and approves maximum limits for exposure to market risks.
The Board of Directors receives reports on the Bank’s market risk positions at its regular meetings.

The Asset, Liability and Risk (ALR) Committee oversees the activities that give rise to market risk
exposure and establishes operating guidelines including various levels of operational limits within
the maximum limits set by the Board of Directors. It also oversees market risk exposures as part of
the Bank’s overall risk picture.

The Bank’s day-to-day market risks are managed by Treasury.

The Risk Management functions provide independent oversight of all significant market risks,
supporting the ALR and Treasury with risk measurement, analysis, daily monitoring and reporting.

3.3.4 Market risk management

The Bank manages market risks by hedging against foreign exchange risk and interest rate risk with
the objective to protect its earnings and the economic value of its assets and liabilities. Foreign
exchange risk is practically fully hedged. Interest rate risk deriving from mismatches between funding
and lending is kept at a modest level. The Bank’s appetite for interest rate risk and credit spread risk
pertains to the earnings expectations set for the liquidity portfolio.

As part of its structured funding transactions, the Bank may use financial instruments linked to other
market risk factors than the above. A prerequisite is that such transactions are completely hedged
with derivatives and that the Bank is able to valuate and measure the risks involved in the derivatives.

19
The instruments that the Bank is authorised to use are laid out in Authorised Instruments in Treasury
Operations, Appendix 10.

According to the Statutes, the Bank may when specific need arises, acquire shares or other assets,
in support of its business or to protect its claims.

3.3.4.1 Foreign exchange risk

The Statutes require that the Bank shall, to the extent practicable, protect itself against the risk of
exchange rate losses. The Bank’s operating principle is to hedge foreign exchange risk by the use
of derivatives to convert its multi-currency borrowings into the primary lending currencies.
Investments in assets held for liquidity purposes are made in the primary lending currencies.
Generally, the Bank does not hedge its future net interest margin against movements in foreign
exchange rates.

In compliance with the statutory requirement and the set risk appetite, limits for acceptable foreign
exchange risk are kept low compared to the Bank’s equity. Limits have been set to restrict the
overnight open positions, i.e. the net nominal value of assets and liabilities in each foreign currency.
Please see the Limits for Exchange Rate Risk, Appendix 8.

3.3.4.2 Cross-currency basis risk

Cross-currency basis risk is embedded in the currency swaps that the Bank uses to hedge foreign
exchange rate risk in future cash flows from its lending and borrowing and for liquidity management
purposes. Changes in the currency basis spreads affect the mark-to-market valuations of the swaps,
which in turn gives rise to volatility in the Bank’s comprehensive income. Cross-currency basis risk
is managed within the Bank’s economic capital framework, and reflected in the capital requirement
for market risk, to ensure that the capital requirement for cross-currency basis risk is aligned with
the established risk appetite. Counterparty credit risk inherent in the swaps is mitigated by collateral
agreements (CSAs) with the swap counterparties.

3.3.4.3 Interest rate risk

The Bank manages interest rate risk by using derivatives to convert fixed rate funding into floating
rate liabilities. Fixed rate lending that is not match-funded, is converted to floating rate receivables.
This portfolio hedging approach ensures that interest rate risk between lending and funding in each
currency remains low. The majority of the Bank’s interest rate risk stems from the portfolio of liquid
assets. The Bank does not hedge its future net interest margin against movements in interest rates.

The Bank measures and manages interest rate risk by estimating the sensitivity of the economic
value of its balance sheet to an interest rate shock. The sensitivity is measured by means of basis
point value (BPV) quantifying the impact of a one basis point parallel increase in interest rates on
the present value of interest-bearing assets and liabilities.

The Bank measures its structural net interest income risk by estimating the sensitivity of the
accumulated net interest income during the next twelve months to changes in the level of interest
rates.

Maximum limit has been set for the acceptable exposure to interest rate risk at an aggregate balance
sheet level. Individual BPV limits have been defined for EUR, USD and for the Nordic currencies,
whereas a combined limit applies for all other currencies. Please see the Limits for Interest Rate
Risk, Appendix 7.

20
3.3.4.4 Credit spread risk
The Bank manages its exposure to credit spread risk by calculating the sensitivity of its marketable
securities to credit spread movements. The sensitivity is measured by means of Credit Spread Basis
Point Value (Spread BPV) quantifying the impact of one basis point increase in credit spreads on
the present value of the assets.

Limits have been defined to restrict the decrease in asset value to acceptable levels in accordance
with the Bank’s risk appetite for its portfolio of marketable securities. The Bank has set an overall
limit for credit spread risk with specific sub-limits defined for various asset classes and portfolios.
Please see the Limits for Credit Spread Basis Point Value, Appendix 8

To ensure that the liquidity portfolio maintains its market value and liquidity even under severe
market conditions, the Bank has set limits to control the asset quality of the portfolio i.a. by defining
minimum requirements for counterparty ratings. Please see the Limits for the Liquidity Buffer,
Appendix 9.

21
 Liquidity risk
3.4.1 Definition
The Bank defines liquidity risk as the risk of incurring losses due to an inability to meet payment
obligations in a timely manner when they become due. The Bank categorises liquidity risk into
funding liquidity risk, which occurs when payment obligations cannot be fulfilled because of an
inability to obtain new funding, and market liquidity risk, which occurs when the Bank is unable to
sell or transform assets in the liquidity buffer into cash without significant losses.

3.4.2 Appetite for liquidity risk

The Bank’s business model is to obtain cost-efficient funding from the international capital markets
(liabilities) and to use these funds to provide long-term lending to its customers and to maintain a
liquidity portfolio (assets). Mismatches in the Bank’s assets and liabilities in terms of currency
composition, maturity profile and interest rate characteristics gives rise to liquidity risk.

The Bank accepts funding liquidity risk deriving from maturity mismatches between funding and
lending. Liquidity risk is mitigated by maintaining a robust liquidity portfolio where a large majority of
the assets are of high quality to support the Bank’s operations. Having a strong liquidity position
enables the Bank to carry out its core activities even under severely stressed market conditions
without access to new funding.

The Bank strives to diversify its borrowing in terms of currencies, maturities, instruments and investor
types in order to avoid excessive reliance on individual markets and funding sources. Market liquidity
risk tolerance is low and the risk is mitigated by maintaining a high quality and sufficiently short-term
liquidity buffer.

3.4.3 Key responsibilities

The Board of Directors approves the Liquidity Policy, which outlines the key principles for the Bank’s
liquidity management. The Board of Directors receives regular reports on the liquidity position and
the performance against approved limits and targets.

The President is responsible for ensuring that the Liquidity Policy is effectively implemented and for
establishing prudent liquidity risk management and control procedures. The President also approves
the methodology for liquidity stress testing. Furthermore, it is the President’s responsibility to inform
the Board of Directors in case the liquidity contingency plan is activated.

The liquidity position and adherence to exposure limits is managed by the Treasury function and
monitored by the Risk Management functions on a daily basis.

The Asset, Liability and Risk Committee oversees the development of the Bank’s funding and
liquidity position and decides on liquidity risk related matters in accordance with their respective
mandates.

3.4.4 Liquidity risk management

Key objectives for the Bank’s liquidity risk management are to ensure that the liquidity position is
strong enough to (1) enable the Bank to carry out its core activities for a defined period of time under
stressed market conditions without access to new funding; (2) secure the highest possible credit
rating by international rating agencies; (3) fulfil the liquidity coverage ratio (LCR) and net stable
funding ratio (NSFR) requirements as specified in the Capital Requirements Regulation of the
European Union.

22
Measuring the liquidity requirement
The liquidity requirement for various time horizons is determined based on analysis and stress
testing of future contractual cash flows. A key metric applied is the survival horizon, which measures
how long the Bank is able to fulfil its payment obligations in a severe stress scenario. The target
survival horizon is twelve months, which means that the Bank is able to meet its payment obligations
and continue its business operations without disruption for the coming twelve months under stressed
conditions. The minimum requirement is that the survival horizon must at all times exceed nine
months. The stress scenario includes, among others, the assumption of payment disruptions in the
loan portfolio, no access to market funding, early termination of all callable funding transactions and
severe decline of asset value in the liquidity buffer as laid out in the Framework for Liquidity Stress
Testing.

Liquidity buffer
To ensure sufficient liquidity in stressed financial conditions, the Bank holds a liquidity buffer. The
buffer comprises unencumbered cash, deposits and securities mainly denominated in EUR, USD
and the Nordic currencies. In order to ensure that the market value and liquidity of the buffer is
preserved during adverse market conditions, the Bank has set strict rules for the composition of the
buffer. As such, the buffer must include a minimum level of High Quality Liquid Assets as defined in
the EU capital requirement regulation and a minimum level of assets in the internal rating categories
corresponding to at least AA- by S&P and Aa3 by Moody’s (please see the Limits for the Liquidity
Buffer, Appendix 9). Furthermore, the buffer must comprise a certain level of assets eligible as repo
collateral in central banks. The Bank does not have direct access to central bank repo facilities.

The maturity profile of the liquidity buffer is structured to fulfil the Bank’s requirement that the
expected net cash outflow during the next three months must be covered by maturing investments
in the liquidity buffer.

Funding strategy
Diversification is a key objective of the Bank’s funding and liquidity management. The Bank strives
to diversify its borrowing in terms of currencies, maturities, instruments and investor types in order
to avoid excessive reliance on individual markets and funding sources. Through regular benchmark
issues, the Bank aims to secure broad market access. The annual funding plan is based on the
projected twelve-month liquidity requirement and the projected size of the liquidity buffer. The funding
plan is regularly adjusted to reflect changes in the liquidity requirement.

Liquidity recovery plan

As required by the Principles for Capital and Liquidity Management (approved by the Board of
Governors), NIB shall have contingency measures for liquidity adequacy to safeguard its viability.
Subsequently, the Bank has established Capital and Liquidity Recovery Plan that contains internal
procedures, predefined contingency measures and trigger levels of key indicators to activate the
plan. The Capital and Liquidity Recovery Plan is approved by the Board of Directors.

23
 Operational risk
3.5.1 Definition
The Bank defines operational risk as the risk of direct or indirect losses or damaged reputation due
to risk events attributable to technology, people, processes, procedures or physical arrangements
and or external events.

3.5.2 Appetite for operational risk

The Bank is exposed to operational risk in all its activities. This includes day-to-day activities of the
business functions (Lending and Treasury) as well as activities of the supporting functions (e.g. IT,
HR and other support functions). Operational risk is also inherently attached to the Bank’s products,
services and systems.

As such, the Bank has no appetite for operational risk but recognises that all activities of the Bank
expose it to potential operational risk events. The Bank manages operational risk by promoting a
culture of integrity and high ethical standards and by maintaining strong risk awareness. Operational
risk is further mitigated by implementing a proper risk identification process and set of internal control
activities.

3.5.3 Key responsibilities

The Board of Directors approves the Operational Risk Policy, which sets out the key principles of
the Bank’s operational risk management and control. Based on regular reporting, the Board of
Directors oversees the Bank’s operational risks.

The President has the ultimate responsibility for ensuring that appropriate operational risk
management practices are in place and operating effectively in accordance with the Operational Risk
Policy and the standards set out in the Operational Risk Guideline.

In the day-to-day operations the three-lines-of-defence model ensures accountability and defines
the roles and responsibilities for operational risk management. The first line of defence are the
respective Bank functions, who own the risks in their operations. It is the responsibility of line
managers to ensure that operational risks are identified, communicated and understood, that
appropriate actions are taken to mitigate losses and that incidents are reported. The second line of
defence is the Risk & Compliance department, which is responsible for bank-wide monitoring and
reporting on events and actual losses to the Asset, Liability and Risk Committee and the Board of
Directors. The third line of defence is Internal Audit, which provides an independent evaluation of
the controls, risk management and governance processes.

3.5.4 Operational risk management

The Bank’s operational risk management focuses on proactive measures in order to ensure
adequate internal controls, business continuity, the accuracy of information used internally and
reported externally, a competent and well-informed staff and its adherence to established rules and
procedures as well as on security arrangements to protect the physical and IT infrastructure of the
Bank.

• For the purpose of managing operational risk, the Bank’s activities have been divided into a
set of core business processes and sub-processes with designated process owners. The
process owners are responsible for identifying, reporting and responding to risks inherent in
the processes.

• Data on events is collected in order to gain information on the type, cause, frequency and
interdependence of various risk events. Events reported are reviewed and categorised in
accordance with a risk taxonomy by Operational Risk & Security Control unit.

24
• Regular risk and control self-assessment is conducted for each core process. The process
owners and key personnel involved in the process, under the stewardship of Risk
Management, seek to detect potential risk exposures or threats to the efficient functioning of
the process and assess the adequacy of risk mitigation techniques used. Potential risks are
assessed according to the likelihood of occurrence and impact.

• New products and business initiatives as well as major changes to existing products are
processed carefully. Prior to launching a new product, all relevant risks are analysed and
processes and controls established to manage the risks involved. The Rules for New
Products and Process Approval shall be followed.

• Outsourcing requires thorough documentation of the activity to be outsourced and an

analysis of risks involved. The Bank seeks to maintain the operational risks related to
outsourced activities at the same level as if the activities were performed in-house.

• The Bank’s legal risks relate to inadequate or inefficient documentation, issues of legal
capacity, enforceability and the applicability of national laws and dispute resolution
mechanisms in the jurisdictions under which it operates. These risks are mitigated by Legal
through e.g. established procedures and legal advice, key clauses and the legal review of all
contractual documents and other binding documents of the Bank, irrespective of whether
they relate to the operational or the administrative activities of the Bank.

In its documentation of lending operations as well as in procurement contracts for the Bank’s
own purchases, the Bank uses key clauses developed over the years. For the documentation
of treasury transactions, the Bank relies on standardised documentation commonly accepted
in the market. Concerning borrowing, the Bank uses its own standard documentation
developed based upon the Bank’s Statutes and practise that has evolved over time.

• The Bank considers Information Technology (IT) as one of its key focus areas in order to
achieve operational excellence, reduce operational risk and reach a high level of cost
efficiency aligned with the Bank’s business strategy. The Bank aims at a high-quality IT
architecture that ensures performance stability and flexibility and which is adapted to the
transaction volumes of the Bank. The Business and Technology Committee is established to
facilitate IT’s strategic direction and the digital transformation of NIB by prioritising, directing,
monitoring and governing NIB’s enterprise IT architecture, IT projects and development
initiatives.

As the Bank’s operations are largely based on information processing, much emphasis is put
on information technology and cyber security. The overall purpose of the Bank’s
Information Security Policy is to ensure an uninterrupted, secure and undisturbed use of
information and communication systems. Information security covers all parts of the IT
environment, including hardware, software, networks, databases and IT services as well as
IT administration, IT management, IT operations and other IT-related work processes.

• NIB maintains a business continuity and crisis management capability that limits the impact
of incidents and disruptions through an efficient incident response process that ensures
prompt recovery. The Business Continuity Guideline sets out the purpose, guiding principles,
responsibilities and governance structure for NIB’s business continuity and crisis
management. The Crisis Management Plan is a predefined mechanism for responding to
and acting during a crisis or a prolonged disruption. The Security Policy sets out the
framework for security management to ensure that the Bank and staff can work in safe and
secured circumstances. The Operational Risk and Security Control unit is responsible for
maintaining the mentioned documents. All the business and support units are required to
maintain and develop their business continuity plans and related documentation and revise
it at least annually or always during material changes impacting to the unit.

25
 Compliance risk
3.6.1 Definition
Compliance risk is composed of integrity risk and operational compliance risk. These are defined as

• Integrity risk - the risk of legal or regulatory sanctions, material financial loss, or loss to
reputation that an entity may suffer as a result of its failure to comply with integrity related
laws, rules and standards;

• Operational compliance risk - the risk of legal or regulatory sanctions, material financial loss,
or loss to reputation that an entity may suffer as a result of a failure to comply with its internal
policies and controls.

3.6.2 Appetite for compliance risk

The Bank faces compliance risk in all its activities.

The Bank has no appetite for compliance risk. NIB is committed to follow best practices and market
standards in the areas of accountability, transparency and business ethics. The Bank has zero
tolerance for misconduct and corruption. This principle is also reflected in the Bank’s Risk Appetite
Statement, which promotes a culture of integrity and high ethical standards and requires all
individuals to comply with internal policies, regulations and procedures, and respect their spirit.

3.6.3 Key responsibilities

The Board of Directors is responsible for overseeing the compliance risk management in the Bank
based on regular reporting. The Board of Directors approves the Integrity and Compliance Policy,
the overarching framework on compliance risk.

The President is responsible for communicating and implementing the Compliance and Integrity
Policy and for ensuring that it is observed.

Members of senior management are responsible for the day-to-day management of compliance risk
and for ensuring that procedures and guidelines regarding the Bank’s integrity and ethical standards
are adhered to within their area of responsibility.

The Integrity and Compliance Office (“ICO”) oversees and coordinates matters relating to
compliance and integrity risks, including reputational risks and provides independent expert advice
to the Bank’s management and Board of Directors in compliance and integrity matters.

Allegations of prohibited practices, misconduct and complaints in relation to NIB financed projects
or counterparties and other activities of the Bank are investigated by ICO. The ICO reports its findings
of investigations of external parties to an independent Sanctions Panel for decisions on sanctions
(incl. debarments).

The Bank has Codes of Conduct for the Board of Directors and the President, the members of the
Control Committee and for the staff. The codes of conduct articulate the values, duties and
obligations as well as ethical standards that the Bank expects of its members of the governing bodies
and staff. The codes of conduct, the Prevention of Market Abuse Policy and the Rules on Handling
Inside Information and Market Soundings are intended to prevent conflicts of interest, to prohibit the
use of insider information, and to provide guidance for the handling of confidential information, and
disclosure of financial and business interests.

26
3.6.4 Compliance risk management
In the day-to-day operations the three lines of defence model defines the roles and responsibilities
for compliance and integrity risk in the Bank. The first line of defence lies with the respective Bank
departments and units, which are responsible for ensuring that compliance risks are identified,
understood and reported to the decision making bodies of the Bank and to ICO. The second line of
defence lies with ICO, which assesses and monitors the compliance and integrity risks and
coordinates its control activities with the Risk Management functions, as necessary. Internal Audit is
the third line of defence.

In managing compliance and integrity risks, the Bank places particular emphasis on preventing fraud
and corruption, money laundering and the financing of international terrorism as well as tax fraud
and tax evasion.

The principles related to managing integrity and reputational risks in connection with the Bank’s
operations are set out in the Integrity Due Diligence Policy. Comprehensive internal screening
procedures have been established to identify integrity and reputational risks relating to new
customers and counterparties. In respect of existing customers this is carried out in the annual follow-
up and more frequently when required.

Reports of alleged prohibited practices, misconduct and project-related non-compliance by NIB are
managed in accordance with the Investigations Policy, the Enforcement Policy and the Project
Accountability Policy. The Speaking Up and Whistle-blower Protection Policy encourages staff to
report prohibited practices, including fraud and corruption, and any other form of wrongdoing, and
provides whistle blowers with protection against retaliation. The Bank’s procedures are aligned with
the International Financial Institutions (IFI) Uniform Framework for Preventing and Combating Fraud
and Corruption, which the Bank has endorsed.

27