The Board bears overall responsibility for organising risk management. It is organised into three lines of defence in order to split up the work and achieve satisfactory independence between decision-makers and supervisory and reporting functions. This is a recognised model, which is illustrated below:
The model also includes the external auditor and the Norwegian Gaming Authority in order to demonstrate the completeness of the structures that have been established to ensure independence between decision-makers and supervisory and reporting functions, and so that the fourth line of defence is also visible. The external auditor confirms to the owner, the Board, and the senior management team whether or not the company’s risk management within financial reporting is adequate. The Norwegian Gaming Authority is a directorate and supervisory authority that reports to the Ministry of Culture and Equality and administers and regulates private lotteries and state-regulated gaming in Norway. The Norwegian Gaming Authority conducts audits to ensure that the company’s gaming activities comply with the law and gaming regulations, ref. the Gaming Act, chapter 5.
The objectives of risk management and internal control are to ensure the quality of internal and external reporting, that operations are goal-oriented, efficient, and customer-oriented, and continuous improvements in quality. Norsk Tipping has established an integrated quality assurance system that consists of governance documents in the form of policies, guidelines, and procedures. The governance documents act as guidelines in areas where compliance is essential for the company. Compliance and goal achievement are systematically monitored through non-conformance reporting, self-evaluations, quality audits, and internal and external audits. The results of this monitoring are reported to the Board via the Audit Committee and provide a basis for the Board’s review of the company’s key risk areas and internal control. The company has established a crisis management system and regularly conducts exercises.
Risk management is an integral part of business activities. An updated risk picture is included as part of the monthly reporting to ensure that the Board and senior management team focus on important future issues that could impact the company’s goal attainment. Risk mitigation measures must be specified, and deadlines set for their implementation.
The company is constantly striving to ensure a good control environment is in place that will ensure that it operates in compliance with relevant laws, that it is based on healthy attitudes, that it has good internal routines and procedures, and that it is transparent. A set of values and management principles have been developed that are intended to build on the company’s social mission.
The company systematically evaluates whether or not the internal control is satisfactory in order to prevent and detect financial irregularities. Processes are regularly selected for evaluation based on an overarching risk assessment. Norsk Tipping has established routines for checking and monitoring the gaming activities of players and at sales agents. This is done both to ensure that the gaming activities are taking place within responsible limits and to protect the company against criminal activities.
Audit committee and internal audit function
Norsk Tipping has an audit committee, which is a subcommittee of Norsk Tipping’s board and is tasked with acting as a preparatory body for the Board with respect to the company’s financial reporting and control systems. Once a year, the external and internal auditors meet with the Audit Committee without anyone from the senior management team present.
The company has an internal audit function that reports to the Board via the Audit Committee. The purpose of the internal audit function is to help the Board and senior management team of Norsk Tipping practise good corporate governance.
Norsk Tipping is certified (PA1) in accordance with ISO/IEC 27001 and the World Lotteries Association Security Control Standard (WLA-SCS). Norsk Tipping is recertified in accordance with the standards on an annual basis. The standards focus on auditing whether or not a company’s information security management system is satisfactory and appropriate.
Norsk Tipping is certified in line with the responsible gaming standards of the European Lotteries and Toto Association (EL) and the World Lottery Association (WLA). The certification processes are carried out by an independent external auditor. The certificates are valid for 3 years at a time and require periodic audits in order to confirm that the company is meeting the standard’s requirements.