Introduction
In parallel with operational risk management developments in the financial industry, internal control and non-financial risk management¹ have evolved at ING Bank (hereafter ING) over the last two decades. In 2014, ING designed a standardised Enterprise Risk Management (ERM) approach, with the first line of defence² of the bank taking clear ownership of risk, risk-mitigating control measures as well as testing (the effectiveness of) controls. Risk management and control testing processes are being revised and upgraded to a coherent global approach, focusing on all non-financial risk areas including compliance, operational, legal, fraud, financial reporting, IT and cyber security risks. This allows for a sustainable non-financial risk management approach in a digitised and heavily regulated environment.
This article will start with a brief history of the evolution of internal control and operational risk management in the banking industry to allow for a better understanding of said evolution. Subsequently, it discusses how ING has reinforced its internal control framework and non-financial risk management processes by introducing the ERM approach, which has been implemented globally throughout the bank’s business lines, branches and subsidiaries.