Risk management framework and objectives
The Group Risk Policy provides a risk management framework for Fortum, the purpose of which is to support business in managing risks effectively and to ensure compliance with relevant regulations. The Group Risk Policy describes the main features of Fortum’s risk management systems, which consist of principles, processes and responsibilities for managing risks which, if they materialise, may have a material negative impact on Fortum’s current or future business operations, reputation, employees, the environment or third parties.
The risk management systems have been designed to support Fortum’s Board of Directors, Audit and Risk Committee, Fortum’s Leadership Team as well as the operative business in fulfilling their duties in relation to risk management. The objectives of the risk management systems are to:
- Support Fortum’s Board of Directors and Fortum Leadership Team (FLT) in the development of the Group strategy;
- Support Fortum in strategy execution;
- Support Fortum in achieving agreed targets within the defined risk appetite so that Fortum’s ability to meet financial commitments and maintain a strong investment grade rating of at least BBB is not compromised;
- Ensure the understanding of Fortum’s material risks and uncertainties; and
- Support the prevention of accidents, incidents and adverse impacts of Fortum’s operations on employees or third parties (including health and safety, human and labour rights), the environment, Fortum’s assets or reputation.
Risk management organisation
Fortum’s Board of Directors approves the Group Risk Policy, and the President and CEO approves Fortum’s risk management instructions including an instruction for enterprise risk management which sets minimum requirements for managing risks in all categories. In addition, there are specific risk instructions covering commodity market risks, counterparty and credit risks and liquidity risks applicable for all of Fortum. Fortum’s Business Units and Enabling Functions issue risk manuals and guidelines, as needed, which detail how the Group Risk Policy and relevant risk management instructions are implemented within their organisations.
Risk governance
The main principle is that risks are managed at source, meaning that each manager is responsible for managing risks that arise within their business operations. For each risk, risk owners are assigned to ensure that appropriate mitigation actions are taken to respond to the risk.
Fortum’s Audit and Risk Committee (ARC) is responsible for monitoring the efficiency of the company’s risk management systems, and for annually reviewing the Group Risk Policy and the Group’s material risks and uncertainties. Corporate Risk, an independent control function headed by the Vice President, Risk, reporting to the CFO, provides instructions, methods and tools which support the business in running an efficient risk management process. Corporate Risk is responsible for assessing and reporting on the maturity of risk management in the organisation and for monitoring and reporting of Fortum’s material risk exposures to the FLT Risk Committee, FLT, the ARC and the Board of Directors.
Principle of continuous improvement
The risk management framework is developed in accordance with the principle of continuous improvement, aiming at an optimised and continuously developing risk management process. The maturity level of risk management in the organisation is evaluated annually, and Corporate Risk determines goals for the development of risk management based on the results of the assessment.
In accordance with Fortum's values, the importance of risk management is raised by increasing the personnel's risk awareness and highlighting the positive features of risk-aware decision-making. Risk management at Fortum is continuously supporting and improving the application of Fortum’s values in decision-making.
Risk management process
Fortum's risk management process consists of four main sub-processes: identification, assessment, response and control. The risk management process is linked to strategy and capital allocation, target setting and long-term forecasting and is an integrated part of operational and business management including investment processes and project management.
The risk management process is designed to support effective risk management and to ensure that risks are regularly monitored and followed up. Identification is regularly carried out according to a structured process which includes analysis of root causes of the risk and consequences if the risk materialises. Risks are assessed in terms of impact and likelihood. Impact is assessed not only in monetary terms in relation to forecasted earnings and/or cash flows, but also in terms of impact to health and safety, the environment and Fortum’s reputation, where relevant. Risk responses can be to accept, avoid, mitigate or transfer the risk. Risk control processes and procedures, which include validating, monitoring, aggregating and reporting risks, are designed to ensure compliance with relevant external regulations and recommendations, as well as with internal policies, instructions, manuals and guidelines. This includes controls to ensure that risk exposures remain within approved risk appetite thresholds, limits and mandates which are defined for financial risks. These risk appetite thresholds include liquidity, market, and credit risk thresholds as well as balance sheet metrics.