Risk management

Fortum’s Board of Directors approves the Group Risk Policy that defines the objective, main principles and division of responsibilities for risk management. The Group Risk Policy also includes a description of the main features of the risk management process, which is applicable to all processes including financial reporting. Comprehensive information about risks and risk management is available in the Financial Statements and the Operating and Financial Review, as well as in the Corporate Governance Statement, which are part of Fortum's annual reporting entity.

Annual Review 2022

Risk management framework and objectives

The Group Risk Policy provides a risk management framework for Fortum, the purpose of which is to support business in managing risks effectively and to ensure compliance with relevant regulations. The Group Risk Policy describes the main features of Fortum’s risk management systems, which consist of principles, processes and responsibilities for managing risks which, if they materialise, may have a material negative impact on Fortum’s current or future business operations, reputation, employees, the environment or third parties.

The risk management systems have been designed to support Fortum’s Board of Directors, Audit and Risk Committee, Fortum’s Executive Management as well as the operative business in fulfilling their duties in relation to risk management. The objectives of the risk management systems are to:

  • Support Fortum’s Board of Directors and Fortum Executive Management (FEM) in the development of the Group strategy,
  • Support business in strategy execution,
  • Support business in achieving agreed targets within acceptable risk levels so that Fortum’s ability to meet financial commitments is not compromised,
  • Ensure the understanding of Fortum’s material risks and uncertainties,
  • Support the prevention of accidents that can have a severe effect on the health and safety of employees or third parties, and incidents that can have a material impact on Fortum’s assets, reputation or the environment.

Risk management organisation

Fortum’s Board of Directors approves the Group Risk Policy, and the President and CEO approves Fortum’s risk management instructions including an instruction for enterprise risk management which sets minimum requirements for managing risks in all categories. In addition, there are specific risk instructions covering commodity market risks, counterparty and credit risks and liquidity risks applicable for all of Fortum. Fortum’s Divisions and Corporate Functions issue risk manuals and guidelines, as needed, which detail how the Group Risk Policy and relevant risk management instructions are implemented within their organisations.

Risk Governance

The main principle is that risks are managed at source, meaning that each manager is responsible for managing risks that arise within their business operations. For each risk, risk owners are assigned to ensure that appropriate mitigation actions are taken to respond to the risk.

Fortum’s Audit and Risk Committee (ARC) is responsible for monitoring the efficiency of the company’s risk management systems, and for annually reviewing the Group Risk Policy and the Group’s material risks and uncertainties. Corporate Risk, an independent control function headed by the Chief Risk Officer (CRO) reporting to the CFO, provides instructions, methods and tools which support the business in running an efficient risk management process. Corporate Risk is responsible for assessing and reporting on the maturity of risk management in the organisation and for monitoring and reporting of Fortum’s material risk exposures to FEM, the ARC and the Board of Directors.

The main features of the Internal Control and Risk Management Systems at Fortum

The internal control and risk management systems relating to financial reporting are designed to provide reasonable assurance regarding the reliability of financial reporting, and they aim at ensuring compliance with the applicable laws and regulations.

Risk management systems

Fortum’s Board of Directors approves the Group Risk Policy that defines the objective, main principles and responsibilities for risk management. The Group Risk Policy also includes a description of the main features of the risk management process applicable to all processes, including financial reporting at Fortum.

Internal controls in relation to financial reporting

Fortum’s internal control framework is based on the main elements of the framework introduced by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). The controls, including financial reporting controls, have been defined based on the main risks in the process. Internal controls are one of the key elements of the Compliance Programme in Fortum, which also covers business ethics and regulatory compliance.

Financial reporting framework in Fortum


Control environment

The standards, processes and structures in internal control are set through Group policies, Group instructions and the Fortum internal control framework. Fortum’s internal control framework is designed to support operational effectiveness and efficiency, reliable financial reporting, and compliance with applicable laws, regulations and policies. The internal control framework defines the key controls and the minimum requirements for the key processes. Corporate Accounting is responsible for the overall control structure of the financial reporting process. The Fortum Controllers’ manual defines the instructions and guidelines relating to financial reporting.

Fortum has a decentralised organisational model, and a substantial degree of authority and responsibility has been delegated to the divisions in the form of control responsibilities. Fortum’s control governance applies the so-called “Three Lines of Defense” model.

Fortum's control governance



