Risk management framework and objectives
Fortum’s Risk Management framework is described in the Group Risk Policy and supporting documents. The Group Risk Policy includes an overview of Fortum’s risk management systems consisting of the general principles of risk management and the main features of the risk management process. The objective of the risk management systems are to;
- support the development of the Group strategy,
- support strategy execution,
- support the achievement of agreed targets within acceptable risk levels so that the Group’s ability to meet financial commitments is not compromised,
- ensure the understanding of material risks and uncertainties affecting Fortum, and
- support the prevention of accidents that can have a severe effect on the health and safety of employees or third parties, and from incidents that can have a material impact on Fortum’s assets, reputation or the environment.
The main principle is that risks are managed at source meaning that each Division and Corporate Function Head is responsible for managing risks that arise within their business operations. However, in order to take advantage of synergies, certain risks are managed centrally. For example, Group Treasury is responsible for managing currency, interest rate, liquidity and refinancing risks and cyber and information security risks are managed by Corporate Security.
Fortum’s Board of Directors approves the Group Risk Policy and the CEO approves Group Risk Instructions covering commodity market risks, counterparty credit risks, and operational risks. Fortum also has other Group policies and instructions covering e.g. compliance, privacy, sustainability, treasury and cyber and information security risks which are aligned with the Group Risk Policy. There are risk mandates or limits defined for commodity market risks, counterparty credit risks and financial risks. Divisions and Corporate Functions issues risk manuals and guidelines as needed which detail how the Group Risk Instructions are implemented.
Fortum’s risk management process is designed to support the achievement of agreed targets by ensuring that risk management activities are consistent with the general principles of risk management and that risks are monitored and followed-up in a prudent manner. The main features of risk management process consist of event identification, risk assessment, risk response and risk control. Identification is regularly carried out according to a structured process and risks are assessed in terms of impact and likelihood according to a Group-common methodology.
Fortum’s Internal Audit is an independent and objective assurance function that is responsible for examining and evaluating the appropriateness and effectiveness of the Group’s management and corporate governance processes, internal control system, risk management, and operational processes. The Standards for the Professional Practice of Internal Audit form the basis for the work of Internal Audit.
Additional information about the risk management and risks in business operations is available in the Company's financial statements and corporate governance statements. Short term risks are described in the Company's interim reports.