Risk management

Fortum’s Board of Directors approves the Group Risk Policy that defines the objective, main principles and responsibilities for risk management. The Group Risk Policy also includes a description of the main features of the risk management process applicable to all processes, including financial reporting at Fortum as well as the Group Risk Appetite Statement.

Annual Review 2023

Risk management framework and objectives

The Group Risk Policy provides a risk management framework for Fortum, the purpose of which is to support business in managing risks effectively and to ensure compliance with relevant regulations. The Group Risk Policy describes the main features of Fortum’s risk management systems, which consist of principles, processes and responsibilities for managing risks which, if they materialise, may have a material negative impact on Fortum’s current or future business operations, reputation, employees, the environment or third parties.

The risk management systems have been designed to support Fortum’s Board of Directors, Audit and Risk Committee, Fortum’s Leadership Team as well as the operative business in fulfilling their duties in relation to risk management. The objectives of the risk management systems are to:

  • Support Fortum’s Board of Directors and Fortum Leadership Team (FLT) in the development of the Group strategy;
  • Support Fortum in strategy execution;
  • Support Fortum in achieving agreed targets within the defined risk appetite so that Fortum’s ability to meet financial commitments and maintain a strong investment grade rating of at least BBB is not compromised;
  • Ensure the understanding of Fortum’s material risks and uncertainties; and
  • Support the prevention of accidents, incidents and adverse impacts of Fortum’s operations on employees or third parties (including health and safety, human and labour rights), the environment, Fortum’s assets or reputation.

Risk management organisation

Fortum’s Board of Directors approves the Group Risk Policy, and the President and CEO approves Fortum’s risk management instructions, including an instruction for enterprise risk management which sets minimum requirements for managing risks in all categories. In addition, there are specific risk instructions covering commodity market risks, counterparty and credit risks and liquidity risks applicable to all of Fortum. Fortum’s Business Units and Enabling Functions issue risk manuals and guidelines, as needed, which detail how the Group Risk Policy and relevant risk management instructions are implemented within their organisations.

Risk governance

The main principle is that risks are managed at source, meaning that each manager is responsible for managing risks that arise within their business operations. For each risk, risk owners are assigned to ensure that appropriate mitigation actions are taken to respond to the risk.

Fortum’s Audit and Risk Committee (ARC) is responsible for monitoring the efficiency of the company’s risk management systems, and for annually reviewing the Group Risk Policy and the Group’s material risks and uncertainties. Corporate Risk, an independent control function headed by the Vice President, Risk, reporting to the CFO, provides instructions, methods and tools which support the business in running an efficient risk management process. Corporate Risk is responsible for assessing and reporting on the maturity of risk management in the organisation and for monitoring and reporting of Fortum’s material risk exposures to the FLT Risk Committee, FLT, the ARC and the Board of Directors.

Principle of continuous improvement

The risk management framework is developed in accordance with the principle of continuous improvement, aiming at an optimised and continuously developing risk management process. The maturity level of risk management in the organisation is evaluated annually, and Corporate Risk determines goals for the development of risk management based on the results of the assessment.

In accordance with Fortum's values, the importance of risk management is raised by increasing the personnel's risk awareness and highlighting the positive features of risk-aware decision-making. Risk management at Fortum is continuously supporting and improving the application of Fortum’s values in decision-making. 

Risk management process

Fortum's risk management process consists of four main sub-processes: identification, assessment, response and control. The risk management process is linked to strategy and capital allocation, target setting and long-term forecasting and is an integrated part of operational and business management, including investment processes and project management.

The risk management process is designed to support effective risk management and to ensure that risks are regularly monitored and followed up. Identification is regularly carried out according to a structured process which includes analysis of root causes of the risk and consequences if the risk materialises. Risks are assessed in terms of impact and likelihood. Impact is assessed not only in monetary terms in relation to forecasted earnings and/or cash flows, but also in terms of impact to health and safety, the environment and Fortum’s reputation, where relevant. Risk responses can be to accept, avoid, mitigate or transfer the risk. Risk control processes and procedures, which include validating, monitoring, aggregating and reporting risks, are designed to ensure compliance with relevant external regulations and recommendations, as well as with internal policies, instructions, manuals and guidelines. This includes controls to ensure that risk exposures remain within approved risk appetite thresholds, limits and mandates which are defined for financial risks. These risk appetite thresholds include liquidity, market, and credit risk thresholds as well as balance sheet metrics.

The main features of the Internal Control and Risk Management Systems at Fortum

The internal control and risk management systems relating to financial reporting are designed to provide reasonable assurance regarding the reliability of financial reporting, and they aim at ensuring compliance with the applicable laws and regulations.

Risk management systems

Fortum’s Board of Directors approves the Group Risk Policy that defines the objective, main principles and responsibilities for risk management. The Group Risk Policy also includes a description of the main features of the risk management process applicable to all processes, including financial reporting at Fortum.

Internal controls in relation to financial reporting

Fortum’s internal control framework is based on the main elements of the framework introduced by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). The controls, including financial reporting controls, have been defined based on the main risks in the process. Internal controls are one of the key elements of the Compliance Programme in Fortum, which also covers business ethics and regulatory compliance.

Control environment

The standards, processes and structures in internal control are set through Group policies, Group instructions and the Fortum internal control framework. Fortum’s internal control framework is designed to support operational effectiveness and efficiency, reliable financial reporting, and compliance with applicable laws, regulations and policies. The internal control framework defines the key controls and the minimum requirements for the key processes. Group Accounting is responsible for the overall control structure of the financial reporting process.

The Fortum Controllers’ manual defines the instructions and guidelines relating to financial reporting. Fortum has a decentralised organisational model, and a substantial degree of authority and responsibility has been delegated to the business units in the form of control responsibilities. Fortum’s control governance applies the so-called “Three Lines” model.

Risk assessment

Risks are regularly identified and analysed as part of the risk management process. Risks that might, if realised, have a material financial impact or lead to non-compliance, are reported to the Audit and Risk Committee at least on an annual basis.

Control activities

Control activities are applied in the processes and, from the financial reporting perspective, they ensure that errors or deviations are prevented or detected and corrected.

The Group Accounting unit together with the Record-to-Report internal process team determine the control requirements covering the financial reporting process. Business units define their controls based on these requirements. Responsibilities are assigned for the control activities and for ensuring that the control coverage is in accordance with the requirements. The stream leader of the Record-to-Report ensures the consistency of the control requirements and assessment in the organisation.

Control requirements for the financial reporting process include controls regarding the initiation, recognition, measurement, approval, accounting and reporting of financial transactions as well as disclosure of financial information. The general IT controls support the financial reporting controls in areas such as access control and back-up management.

Responsibilities are assigned to finance functions to ensure that analyses of the business performance, including e.g. volumes, revenue, costs, working capital, and asset valuations are performed in accordance with the control requirements.

Information and communication

The Controllers’ manual includes the Fortum Accounting manual, Investment manual and reporting instructions, and also other instructions relating to financial reporting. Regular core controllers’ meetings, headed by the Vice President, Group Accounting, steer the finance function. Finance Network meetings are held regularly to inform about upcoming changes in IFRS, new accounting policies, changes in sustainability reporting and other reporting requirements.

Monitoring and follow-up

Financial performance and key risks and uncertainties related to business operations are reported monthly to the Fortum Leadership Team.

The results of internal control maturity assessments and identified improvement actions are reported to the Fortum Leadership Team and to the Audit and Risk Committee on an annual basis. Internal control design and operating effectiveness are also assessed as part of the audits carried out by Internal Audit. Audit results, including corrective actions and their status, are regularly reported to the management and to the Audit and Risk Committee.
