Risk management

Fortum’s Board of Directors approves the Group Risk Policy that defines the objective and the main principles and responsibilities for risk management. The Group Risk Policy also includes a description of the main features of the risk management process applicable to all processes.

Risk management framework and objectives

The Group Risk Policy provides a basis for the risk management framework for Fortum, the purpose of which is to support business in managing risks effectively and to ensure compliance with relevant regulations. The Group Risk Policy describes the main features of Fortum’s risk management systems, which consist of principles, processes and responsibilities for managing risks which, if they materialise, may have a material negative impact on Fortum’s current or future business operations, reputation, employees, the environment or third parties.

The risk management systems have been designed to support Fortum’s Board of Directors, Audit and Risk Committee, Fortum’s Leadership Team as well as the operative business in fulfilling their duties in relation to risk management. The objectives of the risk management systems are to:

  • Support Fortum’s Board of Directors and Fortum Leadership Team (FLT) in the development of the Group strategy
  • Support Fortum in strategy execution
  • Support Fortum in achieving agreed targets within the defined risk appetite so that Fortum’s ability to meet financial commitments and maintain a strong investment grade rating of at least BBB is not compromised
  • Ensure the understanding of Fortum’s material risks, opportunities and uncertainties
  • Support the prevention of accidents, incidents and adverse impacts of Fortum’s operations on employees or third parties (including health and safety, human and labour rights), the environment, Fortum’s assets or reputation

Risk management organisation

Fortum’s Board of Directors approves the Group Risk Policy, and the President and CEO approves Fortum’s risk management instructions covering enterprise risks, commodity market risks, counterparty and credit risks and liquidity risks applicable for all of Fortum.

Fortum’s Business Units and Enabling Functions issue risk manuals and guidelines, as needed, which detail how the Group Risk Policy and relevant risk management instructions are implemented within their organisations.

Risk governance

The main principle is that risks are managed at source, meaning that each manager is responsible for managing risks that arise within their business operations. For each risk, risk owners are assigned to ensure that appropriate mitigation actions are taken to respond to the risk.

Fortum’s Audit and Risk Committee (ARC) is responsible for monitoring the efficiency of the company’s risk management systems, and for annually reviewing the Group Risk Policy and the Group’s material risks, opportunities and uncertainties. Corporate Risk, an independent control function headed by the Vice President, Risk, reporting to the CFO, provides instructions, methods and tools which support the business in running an efficient risk management process. Corporate Risk is responsible for assessing and reporting on the maturity of risk management in the organisation and for monitoring and reporting of Fortum’s material risk exposures to the FLT Risk Committee, FLT, the ARC and the Board of Directors.

Principle of continuous improvement

The risk management framework is developed in accordance with the principle of continuous improvement, aiming at an optimised and continuously developing risk management process. The maturity level of risk management in the organisation is evaluated annually, and Corporate Risk determines goals for the development of risk management based on the results of the assessment.

In accordance with Fortum's values, the importance of risk management is raised by increasing the personnel's risk awareness and highlighting the positive features of risk-aware decision-making.

Risk management process

Fortum's risk management process consists of four main sub-processes: identification, assessment, response and control. The risk management process is linked to strategy and capital allocation, target setting and long-term forecasting and is an integrated part of operational and business management including investment processes and project management.

The risk management process is designed to support effective risk management and to ensure that risks are regularly monitored and followed up. Identification is regularly carried out according to a structured process which includes analysis of root causes of the risk and consequences if the risk materialises. Risks are assessed in terms of impact and likelihood. Impact is assessed not only in monetary terms in relation to forecasted earnings and/or cash flows, but also in terms of impact to health and safety, social, the environment and Fortum’s reputation, where relevant. Risk responses can be to accept, avoid, mitigate or transfer the risk. Risk control processes and procedures, which include validating, monitoring, aggregating and reporting risks, are designed to ensure compliance with relevant external regulations and recommendations, as well as with internal policies, instructions, manuals and guidelines. This includes controls to ensure that risk exposures remain within approved risk appetite thresholds, limits and mandates which are defined for financial risks. These risk appetite thresholds include cash liquidity, commodity market, and credit risk thresholds as well as balance sheet metrics.

Internal control and risk management at Fortum

Internal control and risk management systems at Fortum cover the strategic, operational, financial and sustainability risks. They are designed to provide reasonable assurance on the quality and regulatory compliance of financial and sustainability reporting, and to ensure that Fortum complies with the applicable laws and regulations. Fortum’s internal control framework is based on the framework introduced by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Fortum’s risk management framework follows the principles of both the ISO 31000 and the COSO ERM risk management standards.

Fortum’s values set the foundation for risk management and internal control. Fortum has a decentralised organisational model, and a substantial degree of authority and responsibility over risk management and internal control has been delegated to the business units. Fortum applies the “Three Lines” model, as illustrated in the graphic below.

Group Accounting is responsible for the overall control framework and internal controls methodology, and also co-ordinates and develops the monitoring process, as well as performing validation actions. Internal controls are reviewed each year to ensure that any changes in the risks, processes, systems, and organisational responsibilities are reflected in the design of the controls. Group Accounting supports the business units in the assessment and development.

Fortum has also defined five core governance processes to enable efficient governance in areas that have the most significant influence on the successful execution of Fortum’s strategy. The core governance processes are strategy and capital allocation, investment management, performance management, risk management, and talent management.

Fortum’s internal control system also covers controls over sustainability reporting. 

Risk management related to financial reporting 

Fortum’s Board of Directors approves the Group Risk Policy that defines the objective and the main principles and responsibilities for risk management. The Group Risk Policy also includes a description of the main features of the risk management process applicable to all processes, including financial reporting in Fortum.

Internal controls over financial reporting

Controls over financial reporting aim to ensure that financial reporting is relevant and faithfully represents the events during the reporting period, and that the financial reporting is compliant with applicable laws and regulations.  

The standards, processes and structures of internal control are set through Group policies, Group instructions and the Fortum internal control framework. The guidelines and reporting instructions for finance processes include the Fortum Accounting manual and technical reporting instructions, as well as the Investment manual and reporting instructions. Finance Network meetings are held regularly to communicate upcoming changes in IFRS standards, new accounting policies, changes in sustainability reporting, and other reporting requirements.

Controls over financial reporting consist of general control requirements defined based on risk assessment and include controls regarding instructions, approval rules, validation and reconciliation, analysis, management reviews, and compliance checks. Each finance function defines its specific controls based on these general requirements. Controls and the Performance management core governance process cover, e.g., the analysis of business performance, including, for example, volumes, revenue, costs, working capital, and asset valuations. The stream lead of the finance process ensures consistency and develops the general control requirements. The general IT controls support the financial reporting controls in areas such as access control, back-up and restore management.

Maturity assessment of the key controls is performed annually as a self-assessment, signed off by the respective VPs of the business units and verified through a validation process conducted by the stream lead of the finance process and Group Accounting, which is responsible for the overall internal controls framework. The results and identified improvement actions are reported to the Fortum Leadership Team and to the Audit and Risk Committee on an annual basis. Internal control design and operating effectiveness are also assessed as part of the audits carried out by Internal Audit.
