Risk management framework and objectives
The Group Risk Policy provides a risk management framework for Fortum, the purpose of which is to support business in managing risks effectively and to ensure compliance with relevant regulations. The Group Risk Policy includes an overview of Fortum’s risk management systems consisting of the general principles of risk management, the main features of the risk management process and responsibilities for managing and controlling risks within the Group.
The risk management systems have been designed to support Fortum’s Board of Directors, Audit and Risk Committee, Fortum’s Executive Management as well as the operative business in fulfilling their duties in relation to risk management. The objectives of the risk management systems are to:
- support Fortum’s business divisions and corporate functions (Fortum) in managing risks effectively and to ensure compliance with relevant regulations,
- support business divisions in strategy execution,
- support business divisions in achieving agreed targets within acceptable risk levels so that the Group’s ability to meet financial commitments is not compromised,
- ensure the understanding of the Group’s material risks and uncertainties, and
- support the prevention of accidents that can have a severe effect on the health and safety of employees or third parties, and incidents that can have a material impact on Fortum’s assets, reputation or the environment.
Risk management organisation
Fortum’s Board of Directors approves the Group Risk Policy, and the President and CEO approves Fortum’s (excluding Uniper) risk management instructions covering commodity market risks, counterparty credit risks, and operational risks, as well as instructions for compliance management, EHS management, treasury and the governance framework for cyber and information security risks; all of which are aligned with the Group Risk Policy. Fortum’s Divisions and Corporate Functions issue risk manuals and guidelines, as needed, which detail how the Group Risk Policy and relevant risk management instructions are implemented within their organisations. Uniper is a separate listed company operating under German law and regulations with its own risk management systems, including risk policies which define the risk management organisation principles, processes and responsibilities. Uniper therefore does not directly apply the risk management systems applicable to Fortum’s other Divisions and Corporate Functions. The risk management systems of Uniper, including the key risk management principles and processes, are materially in line with those of the rest of Fortum Group. The target is to further align the risk management systems in the future. For more information about Uniper’s risk management systems, please see Uniper’s annual report.
The main principle is that risks are managed at source, meaning that each Division and Corporate Function Head, as well as Uniper’s Management Board, is responsible for managing risks that arise within their business operations.
Fortum’s Audit and Risk Committee (ARC) is responsible for monitoring the efficiency of the company’s risk management systems, and for annually reviewing the Group Risk Policy and the Group’s material risks and uncertainties. Corporate Risk Management, a function headed by the Chief Risk Officer (CRO), provides instructions, methods and tools which support the Divisions and Corporate Functions, excluding Uniper, in running an efficient risk management process. Corporate Risk Management is responsible for assessing and reporting on the maturity of risk management in Divisions and Corporate Functions and for providing independent monitoring and reporting of the Group’s material risk exposures to Fortum Executive Management (FEM), the ARC and the Board of Directors. Risk control functions and controllers in the business monitor and report risks to the CRO.
Uniper, a separate listed company operating under German law and regulations, is consolidated into Fortum’s balance sheet and income statement, and reported as a separate segment. Four out of the six shareholder representatives on the Supervisory Board are from Fortum. Fortum also has a representative on Uniper’s Audit and Risk Committee. Any changes to the risk management systems which are considered material within the governance framework of Uniper are reviewed by the Audit and Risk Committee of Uniper and reported to the Supervisory Board of Uniper.
The main features of the Internal Control and Risk Management Systems
The internal control and risk management systems relating to financial reporting are designed to provide reasonable assurance regarding the reliability of financial reporting and aim at ensuring compliance with the applicable laws and regulations.
Internal controls in relation to financial reporting
Fortum’s internal control framework is based on the main elements of the framework introduced by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). The controls, including financial reporting controls, have been defined based on the main risks in the process. Internal controls are one of the key elements of the Compliance Programme in Fortum, which also covers business ethics and regulatory compliance.
Fortum has a decentralised organisational model, and a substantial degree of authority and responsibility has been delegated to the divisions in the form of control responsibilities. Fortum’s control governance applies the so-called “Three lines of defense” model as illustrated in the graphic.
Uniper’s internal control system
In addition to the Code of Conduct and the policies, the corresponding requirements and procedures for the internal control system (ICS) are defined in a consistent Group-wide framework. Uniper’s ICS is based on the globally recognized COSO (The Committee of Sponsoring Organizations of the Treadway Commission) framework and pursues, among other things, compliance with applicable laws and regulations. The goal is to create a control environment for business processes and control activities at an operational process level. These general standards, rules, and structures refer, inter alia, to "Compliance with legal and tax regulations" or "Tone at the top".