Internal control

Internal control is a process carried out by the Board of Directors and the executive management, in addition to other employees, to ensure efficiency of operations, which includes safeguarding assets and resources, and effectively monitoring and controlling the operations. OMX endeavors to maintain a high level of awareness of internal control issues through such activities as ensuring that responsibility and authorities are clearly defined and that employees have the competencies required for their specific positions. The annual planning process comprises the basis for the governance of the operations during which the objectives of the operations are determined and communicated to the organization. A central part of the internal control is the risk-management process ERM (Enterprise Risk Management) that has previously been established by OMX. OMX’s risk-management process is described in more detail under Risk management in the OMX Annual Report 2006, page 78. Control activities are integrated into the various processes of the operations and the aim is that these activities shall be adapted to the prevailing risk situation. For important areas, the Board prepares policies that serve as control documents describing the manner in which the internal control is to be designed. A number of functions and forums have been established whose duties include monitoring the effectiveness of the internal control. These functions are also significant communication channels that enable information to be efficiently distributed throughout the organization. The monitoring procedure of internal control is an ongoing process. All internal-control deficiencies that are uncovered shall be reported to the immediate manager, and serious matters shall be reported to the Executive Management Team and the Board.
A formalized process for the ongoing evaluation of the internal control over financial reporting (ICR process) was implemented in 2006 based on the internal-control project initiated in 2005. This process includes risk identification, documentation of processes, identification of controls and assessments of how well processes and existing controls manage identified risks. OMX’s system of internal control is designed to manage rather than to eliminate the risk of failure in achieving business objectives and can provide only reasonable and not absolute assurance against material misstatements. For the report on internal control regarding financial reporting, see OMX’s Code Reports 2006, page 42.

Internal audit
The Internal Audit unit is an independent function within OMX that systematically evaluates the adequacy and efficiency of internal control and risk management, and compliance with legal and statutory requirements in the entire Group. The Internal Audit unit reports directly to the Audit Committee. The operating principles for the Internal Audit unit are reviewed and approved annually by the Audit Committee and audits are carried out according to the Annual Plan approved by OMX’s Board of Directors. The Internal Audit unit is currently made up of three auditors, two of whom have CISA certification. In carrying out its duties, the Internal Audit unit applies the internationally approved Standards for the Professional Practice of Internal Auditing published by The Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association, as well as internal control frameworks such as COSO and COBIT.

Risk management

OMX’s risk management is an operationally integrated process that comprises both business operation and business support activities in the organization. The method applied is partly based on the international ERM standard (Enterprise Risk Management) in accordance with COSO (Committee of Sponsoring Organizations of the Treadway Commission), with the addition of standards and proprietary methods, including the areas of Security, Insurance and Internal Control. The risk management process is integrated with operating activities, that is, in the strategic management and development work, and is directly related to the company’s operational planning and follow-up. The risk management work is a uniform and continuous process aimed at handling considerable risks to which OMX is exposed. The risk management process comprises identification, evaluation, action, control and reporting.
Risk management pertains to various forms of risk prevention, damage limitation and risk-financed strategies to secure the Group’s objectives and most subsidiary goals in the various business areas and operational levels. OMX’s risk-management process not only encompasses risks in daily business operations, but also risks that arise in conjunction with future-oriented strategic investments aimed at optimizing the company’s business opportunities. The risk-management process, including control activities, is decentralized to the operations. This results in all business areas, including business support functions and Corporate Functions, working on the handling of financial risks and operative and strategic risks. Diversification is undertaken in the form of short- and long-term risks. The business reports identified and assessed risks periodically to GRMC, which presents risks in the Group’s risk forum, the Risk Steering Group. The CEO reports to the Board on OMX’s consolidated risks.

Internal Control report 2006.
Annual General Meeting 2008 June 3, 2008 - Stockholm