Main Features of internal Control and Risk Management Processes Related to Financial Reporting Processes

 

Risk Management

The purpose of risk management is to secure positive development of earnings of the Company and the continuation of the business by implementing risk management cost effectively and systematically throughout the different businesses.

Risk management is part of the Company's strategic and operative planning, daily decision making process and internal control system. Business objectives, risks and risk management operations are combined through risk management as one chain of events.

Main Principles of Organizing Risk Management

Company adheres to the risk management policy approved by the Board.

Risk management contains all actions, which are connected to setting up targets, identification of risks, measurement, review, handling, reporting, follow-up, monitoring and reacting to risks.

The aim of risk management of the Company is to:

• systematically and thoroughly identify and assess all major risks, which threaten the achievement of objectives, including risks related to business operations, property, agreements, competence, currencies, financing and strategy;
• optimize business opportunities and secure continuation of business;
• recognize and identify uncertainties and subsequently develop the prediction of risks and measures needed to manage risks;
• take only calculated and assessed risks with respect to e.g. expanding the business, increase market share and creating new businesses;
• avoid or minimize liability risks;
• ensure the safety of products, solutions and services;
• establish a safe working environment for the employees;
• minimize possibilities for unhealthy occurrences, crimes or misconduct by operating procedures, control and supervision; inform interest groups of risks and risk management; and
• be cost effective.

The aim of risk management is not to:

• exclude all risks at their entirety;
• adopt unnecessary control and management procedures; or
• take bureaucratic processes and procedures into use.
  
  

Main Features of the Risk Management Process

In connection with the strategy process and bi-annual planning the Corporate Executive Board reviews business risks, which could endanger the achievement of strategic or profit targets. The businesses produce risk assessment reports for each business to support the strategy process. Strategic and operative risks are monitored through monthly reporting by businesses. Businesses must produce assessments of risks in their designated areas of responsibilities and provide action plans to manage risks as well as to report measures taken including the stage and effectiveness of such measures.

CEO reports all identified risks as well as all planned and effected measures to control the risks to the Board of Directors.

General Description of Internal Control and Operational Procedures

Internal control is a process applied by the Board of Directors, management and all levels of personnel in the Group to ensure that management has reasonable assurance that

1. operations are effective, efficient and aligned with strategy,
2. financial reporting and management information is reliable, complete and timely made, and
3. the Group is in compliance with applicable laws and regulations as well as the Company's internal policies and ethical values including sustainability.

The first category addresses the basic business objectives, including performance and profitability goals, strategy, implementation of objectives and actions and safeguarding resources. The second category relates to the preparation of reliable published financial statements, including interim reports and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly. The third deals with complying with those laws and regulations to which the Company is subject to.

EB's internal control framework consists of:

• the internal control, risk management and corporate governance policies and principles set by the Board of Directors;
• management overseeing the implementation and application of the policies and principles;
• finance function, internal controller and business controllers monitoring the efficiency and effectiveness of the operations and reliability of the financial and management reporting;
• enterprise risk management process identifying, assessing and mitigating risks threatening the realization of the Company's objectives;
• compliance procedures making sure that all applicable laws, regulations, internal policies and ethical values (including sustainability) are adhered to;
• effective control environment at all organisational levels including control activities tailored for each process and creating group minimum requirements for business and geographical areas;
• shared ethical values and strong internal control culture among all employees; and
• internal audit assignments reviewing the effectiveness of the internal controls as needed.
  
  

Risks and Controls in Core Business Processes

Risk management procedures are in place for business processes in the form of defined control points:

• Relevant process risks are identified;
• Common control points/group minimum requirement control points are identified;
• Common control points are implemented in business processes;
• Additional control points can be determined as needed at business or functional levels.

Control activities are the policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the Company's objectives. Control activities are set throughout the organization, at all levels and in all functions. They include various range of activities including but not limited to approvals, authorizations, verifications, reviews of operating performance, security of assets and segregation of duties.

Internal Controls over Financial Reporting

The Group's external financial reporting process, internal control and risk management systems are briefly described in this section. The main focus is on financial accounting and related controls.

Financial Reporting Organization

The Company's team for external financial reporting is based in Finland. In addition to the Group's financial reporting the Group's shared accounting functions consist of financing, currency hedging, investments, external debt management and transfer pricing.

Accounting functions for the parent company and Finnish subsidiaries are organized thru service center teams. General accounting is responsible for e.g. monthly closing procedures and accounts payable team invoice workflow management. Segregation of duties is embedded in the teams' job descriptions.

The Group's subsidiaries in China, Germany, Austria and USA have own accounting departments. Accounting functions in smaller subsidiaries in France and Japan are organized in the external accounting offices.

Financial Reporting Systems

Consolidated financial statements are prepared by using the chosen consolidation and reporting tool. Subsidiaries report actual figures on a monthly basis directly to the consolidation and reporting tool. Subsidiaries in Japan and France send the information in a pre-defined format directly to the group consolidation.

Main accounting system includes general ledger accounting, accounts paybles and accounts receivables. Purchase invoices are managed through electronic invoice processing system.

Internal Controls

The Group's internal control mechanisms are based on policies, instructions, limited process descriptions, authorization matrix, financial reporting review meetings and segregation of key accounting duties.

Compliance Procedures

Compliance procedures are in place at all levels of the organization to ensure that that all applicable laws, regulations, internal policies and ethical values including sustainability are adhered to. Legal function, businesses and corporate management are responsible for following up developments in legislation and regulations in their respective areas and communicating them to the organization. Businesses and corporate function directors are responsible for setting up adequate compliance controls and compliance related training in their units.

Roles and Responsibilities Regarding Risk Management and Internal Control

The key roles and responsibilities regarding the Group's internal control and risk management are defined as follows:

Board of Directors

The Board of Directors is ultimately responsible for the administration and the proper organisation of the operations of the company. According to good corporate governance, the Board also ensures that the company has duly endorsed the corporate values applied to its operations. The Board approves the internal control, risk management and corporate governance policies. The Board establishes the risk-taking level and risk bearing capacity of the Company and re-evaluates them on a regular basis as part of the strategy and goal setting of the Company. The Board reports to the shareholders of the Company.

Audit and Financial Committee

Audit and Financial Committee is responsible for the following internal control related duties

• to monitor the reporting process of financial statements;
• to supervise the financial reporting process;
• to monitor the efficiency of the company's internal control, internal audit, if applicable, and risk management systems;
• to review the description of the main features of the internal control and risk management systems pertaining to the financial reporting process, which is included in the company's corporate governance statement; and
• to monitor the statutory audit of the financial statements and consolidated financial statements.

More detailed descriptions how Audit and Financial Committee is fulfilling its monitoring role are defined in Committee's annual plan. The Audit and Financial Committee reports to the Board of Directors of the Company.

Chief Executive Officer

CEO is in charge of the day-to-day management of the Company in accordance with the instructions and orders given by the Board. CEO sets the ground of the internal control environment by providing leadership and direction to senior managers and reviewing the way they are controlling the business. CEO is in charge of the risk management process and its continuous development, allocation of resources to the work, review of risk management policies as well as defining the principles of operation and overall process. CEO reports to the Board on risk management as part of the monthly reporting. The Group's Corporate Executive Board, which operates under CEO, is responsible for the management of risks endangering the fulfillment of objectives set to the Company.

Chief Financial Officer

CFO ensures that the accounting practices of the Company comply with the law and that the financial matters are handled in a reliable manner.

Businesses and Line Management

Businesses and line management are responsible for internal control implementation in their respective responsibility areas. More specific internal control policies and procedures are established within each function. Additionally, the businesses and line management are responsible for implementing risk management practices in planning cycle and daily operations, and ensure the adherence of

• laws,
• regulations,
• internal policies, and
• ethical values

in their designated responsibility areas.

Finance Function

Group finance function is responsible for:

• helping units and functions to set up adequate control activities in cooperation with the business management;
• operative follow-up of the adequacy and effectiveness of control activities, and
• ensuring that external reporting is correct, timely and in compliance with regulations.

Finance function has a person who is in charge of internal control. This person reports to CFO.

Internal Audit

The Company has no specific internal audit organization. This is taken into account in the content and scope of the annual audit plan. On the one hand external auditing focuses on specific areas in turn to be audited, and on the other hand, on separately agreed priority areas.