Risk management framework and objectives
The Group Risk Policy provides a risk management framework for Fortum, the purpose of which is to support business in managing risks effectively and to ensure compliance with relevant regulations. The Group Risk Policy includes an overview of Fortum’s risk management systems consisting of the general principles of risk management, the main features of the risk management process and responsibilities for managing and controlling risks within the Group.
The risk management systems have been designed to support Fortum’s Board of Directors, Audit and Risk Committee, Fortum’s Executive Management as well as the operative business in fulfilling their duties in relation to risk management. The objectives of the risk management systems are to:
- support Fortum Executive Management (FEM) in the development of the strategy,
- support business in strategy execution,
- support business in achieving agreed targets within acceptable risk levels so that the Group’s ability to meet financial commitments is not compromised,
- ensure the understanding of the Group’s material risks and uncertainties, and
- prevent accidents that can have a severe effect on the health and safety of employees or third parties, and incidents that can have a material impact on Fortum’s assets, reputation or the environment.
Risk management organisation
Fortum’s Board of Directors approves the Group Risk Policy, and the President and CEO approves Fortum’s (excluding Uniper) risk instructions covering commodity market risks, counterparty credit risks and operational risks, as well as instructions for compliance management, EHS management, treasury and the governance framework for cyber and information security risks, all of which are aligned with the Group Risk Policy. Fortum’s Divisions and Corporate Functions issue risk manuals and guidelines as needed, which detail how the Group Risk Policy and relevant risk instructions are implemented within their organisations.
Uniper remains a separate listed company operating under German law and regulations, with its own risk management systems, including a set of risk policies that define the risk management organisation principles, processes and responsibilities for managing risks. Uniper therefore does not directly apply the risk management systems applicable to Fortum’s other Divisions and Corporate Functions. The risk management systems of Uniper, including the key risk management principles and processes, are materially in line with those of the rest of Fortum. The target is to further align the risk management systems going forward. For more information about Uniper’s risk management systems, please see Uniper’s annual report.
The main principle is that risks are managed at source, meaning that each Division and Corporate Function Head, as well as Uniper’s Management Board, is responsible for managing risks that arise within their business operations.
Governance processes in Uniper
Fortum’s governance model, including responsibilities and operational structures, works as described in this statement. Uniper shares Fortum’s view on how to prudently steer business activities and on the governance process, although its current steering models and governance processes are not directly based on Fortum’s practices. Hence, Uniper’s current governance framework, policies and processes are not exactly the same as described in this statement. Thus, the descriptions of governance and control processes in this document do not include Uniper.
The main features of the Internal Control and Risk Management Systems
The internal control and risk management systems relating to financial reporting are designed to provide reasonable assurance regarding the reliability of financial reporting and aim at ensuring compliance with the applicable laws and regulations.
Internal controls in relation to financial reporting
Fortum’s internal control framework is based on the main elements of the framework introduced by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). The controls, including financial reporting controls, have been defined based on the main risks in the process. Internal controls are one of the key elements of the Compliance Programme in Fortum, which also covers business ethics and regulatory compliance.
Fortum has a decentralised organisational model, and a substantial degree of authority and responsibility has been delegated to the divisions in the form of control responsibilities. Fortum’s control governance applies the so-called “Three lines of defense” model, as illustrated in the graphic.