The objective of risk management in Fortum is to support the creation and execution of the Group strategy, to support the achievement of agreed business plans and to avoid unwanted operational events.
Involvement in the power and heat business exposes Fortum to several types of risks. The main sources of risk in the Nordic business are electricity prices and volumes, which in turn are affected by the weather in the Nordic region, the development of the global commodity markets and availability of power production. The Russian business is exposed to risks related to fuel, electricity and capacity prices and volumes, which are to a large extent subject to regulation, although the market is developing.
Fortum is continuously adapting its risk management capabilities to cope with prevailing market conditions, changing operations and the business environment. In the operational risk management area, the focus has been on improving the framework for internal controls and compliance risk management and integrating them into the operational risk management framework. Implementation of newly established processes for country and partner assessments, including sustainability and human rights impact assessments, has also continued.
Group risk policy
Fortum's Board of Directors annually approves the Group Risk Policy, which defines the high-level objectives and principles, delegates responsibilities for risk management activities within the Group, and sets minimum requirements for risk management processes.
The CEO approves Group Risk Instructions covering commodity market risks, counterparty credit risks, currency, interest rate, liquidity and refinancing risks, and operational and compliance risks. The main principle is that risks are managed at source unless otherwise agreed by management. Corporate Treasury is responsible for managing the Group’s currency, interest rate, liquidity and refinancing risks as well as for insurance management. Corporate Credit is responsible for assessing and consolidating credit exposure, monitoring creditworthiness, and setting credit limits for the Group's largest counterparties. Corporate IT is responsible for managing IT information and security risks. There are also corporate functions dealing with risks related to human resources, laws and regulation, and sustainability.
Fortum’s Internal Audit is an independent and objective assurance function that is responsible for examining and evaluating the appropriateness and effectiveness of the Group’s management and corporate governance processes, internal control system, risk management, and operational processes. The Standards for the Professional Practice of Internal Audit form the basis for the work of Internal Audit.