Risk management and internal control
Risk Management Principles
The central principle of risk management is continuous, systematic and pre-emptive action to identify risks, define the level of risk the Company accepts, evaluate and handle risks and, in the event of risk realisation, see to their effective management and administration so that the Company will meet its strategic and financial goals. Risk management includes risk identification, evaluation and risk contingency planning.
Identification and evaluation of risks
The Company’s strategic and operative goals are used as a basis for identifying risks. Risk analysis and evaluations are conducted as self-assessments. The probability of a risk materialising is assessed on a scale of 1–5 as defined in the Company’s risk principles and the impacts of the realised risks are assessed on a scale of 1–5.
Risk management responsibilities and organisation
The duty of the Company’s Board of Directors is to confirm the Company’s risk management principles and evaluate the adequacy and appropriateness of risk management. The CEO is responsible for the Company’s risk management and its organisation, allocating resources for the work and reviewing the risk management principles. The Group’s Management Team is responsible for the actualisation of risk management, operative risk monitoring and risk-related actions.
The risk management process is based on the Company’s strategy and implementation of the Company’s operations. The probability and impact of the risks in the event of risk realisation are assessed, and an action plan regarding risks that are identified as significant is drafted. Possible actions are avoiding, accepting, limiting and dividing risks. The management determines the necessary actions for setting the risk levels at a level corresponding to the company’s risk appetite. Risk assessment is done continuously and detected material changes are reported to the Board of Directors.
The Company’s risk management is decentralised across units and corporate support functions that assign responsibility for risk management and which are in charge of identifying, managing and reporting risks. The business functions are responsible for identifying and assessing risks affecting their own area, proposing measures for risk management and reporting to the risk working group as instructed. Each employee is responsible for identifying any risks inherent in his or her duties or otherwise discovered and reporting them to his or her superior.
Financial risk management assessments are coordinated by the Group’s Finance function. It develops the Company’s financial risk management, supports the risk management of business operations and regularly reports to the Management Team and to the Board of Directors about the financial risks.
Risks and actions taken to manage them are regularly reported to the Management Team. Strategic risks are handled annually together with the strategy. Risk review is assessed by the Board of Directors and the Management Team twice a year.
Central risks and risk management actions are reported yearly in the annual report and interim reports and on a case-by-case basis as necessary.
The Company divides risks into strategic, operative and financing risks as well as risks of injury or damage. The Company has divided these risks into their own separate sub-risks and they are assessed with a tool used in the Company and with the risk management process.
Internal control is essential to the company’s performance assurance and a critical component of risk management, and it enables creating and maintaining the company value. The purpose of internal control is to protect the company’s and its business units’ resources from misuse, ensure the appropriate authorisation of business transactions, support management of IT systems and ensure the reliability of financial reporting. Internal control is a process which enables minimizing the probability of mistakes related to accounting.
Internal control is foremost the responsibility of the persons acting in management positions in the Company. It is supported by the Group’s support functions, who draft guidelines concerning the entire Group and monitor risk management. A third level of internal control is made up of internal and external audit, which confirm that the first two levels of control function efficiently. The Company’s Board of Directors has established an Audit Committee, whose task is also internal control, audit and monitoring of risk management pursuant to its Rules of Procedure.
The Company does not have a separate corporate audit function, as internal control responsibilities have been divided inside the Company between different functions and areas as described below. The Board of Directors may use external consultants to conduct separate audits related to the control environment and operations.
The Board of Directors has ultimate responsibility for the administration and the proper organization of the company. The Board of Directors also ensures that the company duly endorses the corporate values applied to its operations, approves the internal control, risk management and corporate governance policies and can assign internal audit assignments to external service providers as needed.
The CEO is in charge of the day-to-day management of the company in accordance with the instructions and orders given by the Board of Directors. The CEO establishes the basis for internal control by providing leadership and direction to senior managers and supervising the way they control the business they are in charge of and by ensuring that the accounting practices of the company comply with the law and that financial matters are handled in a reliable manner.
The Management Team is responsible for creating internal control policies in different units of the organisation. The Company has divided the supervision of internal control and the persons responsible for them in the following way: sales control (the Company’s lawyer), personnel and payroll control (Chief People Officer) and financial process control (CFO).
The abovementioned parties help the units to create appropriate control practices. Furthermore, they steer the Company’s internal (audit) control process, report on it to the Management and follow up on the adequacy and effectiveness of control activities on the operative level.
The management of business units and functions is responsible for making sure that all units and employees under their responsibility comply with applicable laws, regulations and internal policies.
The Company’s control activities are designed to respond to the risks identified at different levels of the Company’s operations.