The board has established a privacy policy which is published on NTÍ’s website. Privacy is part of the risk assessment for all contracts concluded by NTÍ, and processing agreements are concluded wherever personal data is processed. Great emphasis is placed on the security of personal data in information systems. PwC acts as the privacy officer on behalf of NTÍ.

The organisation of the work of the NTÍ is based on flexibility. The scope of operations varies greatly from year to year as the amount of manpower required at any given time is determined by the damage events. Generally 4-5 full-time staff are employed at the Institute, but when events take place, projects are either shed or people are hired to work temporarily.

The human resources policy was last approved by the board on 30. January 2025

The Board of Directors’ rules of procedure are generally reviewed annually and were last confirmed in January 2025. The rules stipulate, among other things, the qualifications of board members, their division of labor and their responsibilities. The rules also cover the roles and responsibilities of the board and CEO, the organization’s board representation, information provision to the board, meeting procedures, minutes and the board’s decision-making power. In addition to its policy-making role, the board monitors that NTÍ’s operations are in accordance with laws and regulations and monitors the organization’s accounting and allocation of funds. The board monitors the effectiveness of risk management, the effectiveness and efficiency of internal operations and contributes to the achievement of NTÍ’s goals.
The risk management policy is under constant review and the three largest risk factors in the operations are defined as; claims handling, portfolio management and actuarial risk. The risk management policy is in the spirit of COSO 2017 harmonized risk management, where, among other things, covers risk culture, strategy, project implementation risks, risk information and reporting, as well as requirements for internal control and risk measurement. It was last approved by the Board in February 2024.
The information security policy was last revised in January 2025 and is based, among other things, on the requirements of EIOPABos-20/600 regarding risks in the operation of information systems of regulated entities.
The Board approved NTÍ's revised environmental and climate policy in January 2025, which is intended, among other things, to ensure compliance with "Green Steps in State Administration" and support the state's emphasis on reducing greenhouse gas emissions. NTÍ does not have a specific policy on social responsibility, but the Board has set a policy on responsible investments in a policy document that was approved by the Board on June 7, 2024. There is also a guidance document with information on sustainability focuses in NTÍ's quality system, LBN-0557.
The Board of Directors has not established a policy on diversity in relation to the Board of Directors. The Board assumes that those who appoint the Board of Directors comply with applicable law at any time.
The Board of Directors holds joint meetings with the internal and external auditors and the Audit Committee on internal control and risk management. Both the Board of Directors and the Audit Committee meet at least once a year without the presence of the CEO of NTÍ. The Board of Directors’ assessment of its own work was last conducted in December 2024 and the Board of Directors considered that it had fulfilled its obligations under the law and operating rules and that its work had yielded the desired results. The Board of Directors’ self-assessment focused on assessing the organization and implementation of Board meetings, information provision to the Board, the roles, responsibilities and limits of authority of the Board of Directors and CEO, the effectiveness of the Board members and assessing the work of the Chairman of the Board and CEO.
The Audit Committee submits an annual report to the Board of Directors on its work and assesses its own work according to good practice for audit committees.

NTÍ is subject to supervision by the Central Bank of Iceland and has established a coordinated risk management system that covers all operational aspects of NTÍ. NTÍ’s risk management policy is based on the COSO guidelines, which stands for the Committee of Sponsoring Organizations of the Treadway Commission. NTÍ’s management system and organization are recorded in its quality system. Instructions for employees aim to ensure that everyone is responsible for the quality of their work, NTÍ’s services and information security. Internal control is built into NTÍ’s operating procedures and internal audits and risk analyses are carried out regularly. A service department employee presents the results of quality and security issues, internal audits and the status of improvement projects annually following internal audits and other audits to the board and audit committee.
NTÍ emphasizes a clear division of labor and responsibility. Monthly reporting on the asset management portfolio is an important part of providing information to NTÍ’s board. In addition, detailed reporting on the portfolio is carried out quarterly and annually, an own risk and solvency assessment is carried out in parallel with the annual report on the performance of the portfolio. NTÍ's CEO and investment specialist generally meet several times a year with the treasury management parties to discuss how investment management and supervision are carried out and to assess whether this is adequate.
The annual risk management report and other regular reviews aim to ensure transparency in the operations and to facilitate NTÍ's ability to detect and correct potential errors, monitor deviations and fluctuations in the operations and provide scope for action if risk factors or changes in the operating environment give cause.
NTÍ's liabilities for incurred losses and reinsurance cover are assessed regularly and ensure that they are in accordance with the institution's needs and obligations.
An external audit agreement was concluded with Deloitte in the autumn of 2023 for a period of five years for the period 2023-2027 based on a tender conducted by the National Audit Office. An internal audit agreement is in force for the period 2024 to 2027 with KPMG.