Main features of the internal control and risk management systems

The internal control and risk management systems related to financial reporting are designed to provide adequate assurance regarding the reliability of financial reporting, and they aim to ensure compliance with the applicable laws and regulations.  The primary responsibility for defining the operating principles and arranging control rests with the company’s Board of Directors.

Internal control

Internal control involves the strategic and realistic planning of operations and finances, the monitoring and continuous evaluation of operations, and responding to deviations. Internal control encompasses all the company’s policies and practices that aim to ensure the effectiveness, economic efficiency and profitability of operations. Internal control is ultimately a matter of risk prevention and high-quality management.

The key concern is that the internal control system and the risk management functions it includes function well, and that the overall purpose of internal control is fulfilled – namely, the achievement of the objectives and goals that have been set for the company’s operations. The Board of Directors has also approved this operating principle.

Other purposes of internal control are to ensure that:

• decision-making by the company’s management is based on correct, adequate and reliable information
• the company’s operations are in line with the company’s corporate principles and its Code of Conduct
• the company’s operations are in accordance with the law, official regulations and the decisions of the company’s bodies
• resources are used efficiently, while assets are safeguarded.

Internal control is an integral part of the company’s daily activities, covering all levels and processes. Internal control does not merely constitute financial control, although reliable financial reporting plays a key part. It equally concerns the appropriate and balanced distribution of tasks. This means that every employee’s input must contribute to the achievement of the goals set for the company and its internal control.

Ponsse is committed to carrying out its business sustainably and responsibly. Responsibility is based on the company’s core values: we truly care; we work for our customers; we are true to our word; and we are eager to develop ourselves. The Code of Conduct consists of guidelines related to Ponsse’s business environment, employees, partners, and society. These factors are also addressed in internal control. Employees are encouraged to report any suspicions of rule violations or unethical activities. Ponsse deploys a whistleblowing system through which employees and external stakeholders may anonymously report any misconduct or suspicion thereof. A team appointed by the company’s Board of Directors investigates all reported cases, and reports any identified shortcomings to the Management Team or the Board of Directors if necessary.

As a support function for management, internal audit assesses not only internal control and risk management but also good corporate governance. The company has appointed an internal auditor who defines the annual focus areas of internal audit with the Board of Directors. Internal audit reports the audit findings regularly to the Board of Directors.

Distribution of responsibilities

The control environment forms the basis of internal control. The control environment includes the operating instructions that guide Ponsse Group’s operations, such as governance principles, the Code of Conduct, and required policies such as the company’s disclosure policy. Simply put, internal control in Ponsse Group means ensuring that each person and governance body carries out their tasks professionally, diligently and in a timely manner and complies with given instructions and approved practices. It is a risk if employees of the company are unaware of the control environment. The primary responsibility for internal control therefore rests with the company’s management, which actively monitors the effectiveness of internal control by way of an internal audit.

The management of the company, or a party specifically designated with the responsibility, ensures open and timely communication so that the Board of Directors has access to sufficient and up-to-date information for decision-making.  The reliability of financial reporting, in particular, is ensured by organising the distribution of tasks and responsibilities efficiently.   Each responsible party must be aware of guidelines and comply with them. Reliable financial reporting also involves auditing, which ultimately ensures the accuracy and completeness of financial information. The aforementioned applies to Ponsse Group as a whole, not only to the parent company’s management.

The President and CEO, the members of the Management Team and the directors of the company’s subsidiaries are responsible for ensuring that the accounting and administration of their respective areas of responsibility comply with the applicable laws and the company’s guidelines.

Risk management

Risk management means procedures that are part of internal control and included in the management system that help identify and assess any uncertainties associated with Ponsse Group’s operations, mitigate risks and seize opportunities. Risk management is vital to ensuring and safeguarding the company’s operating conditions and performance. Risks that might, if realised, have a material financial impact or lead to non-compliance are reported to the Board of Directors.

A risk is any potential event or chain of events that manifests itself as uncertainty with regard to achieving the company’s objectives, or that threatens the continuity of business operations. A deviation from the set goal, i.e. the realisation of the risk, may be negative, but could also be positive. In other words, risks can be both threats and opportunities. Risks and opportunities are an inevitable part of business, and profitable business performance often requires thoughtful risk-taking and bold seizing of opportunities. Although risks cannot be avoided entirely, it is possible to reduce the likelihood and impact of their materialisation and prepare for the potential realisation of harmful risks. As a result, risk management is part of normal, day-to-day business operations.

In practice, risk management means the procedures that are built into the management system, the purpose of which is to identify and assess the uncertainty associated with the Group’s operations and to prepare for risks and seize opportunities. Risk management is vital to ensuring and safeguarding the Company’s operating conditions and performance. Risk management is part of internal control, and so the implementation of internal control also promotes the implementation of risk management. Risk management should not be separated from internal control, since awareness of internal control practices is ultimately essential to risk prevention.

Ponsse Plc’s risk management practices are based on the company’s values and its strategic and financial goals. The company’s key strategic goals include social, financial and environmental responsibility in operations. The fulfilment of responsibilities is monitored regularly, and responsibility goals are monitored using key indicators. The company’s sustainability work is described in the annual sustainability report sublished together with the annual report. 

Risk management process

The overall purpose of risk management processes is to support the achievement of the goals set out in the company’s strategy, safeguard the continuity of the company’s financial development and business operations, and maintain and develop a comprehensive and pragmatic system for risk management and reporting. Risk management focuses on prevention: the aim of the process is to identify and assess key risks and prevent them from being realised.

Decisions on the actions required are made using assessments based on probabilities. Primary risk management measures include the avoidance, reduction, transfer and control of risks, as well as their controlled acceptance. The risk management process also includes the continuous assessment and monitoring of risks.

Key factors in effective risk management include

• the realistic assessment of risks
• the timely assessment of risks
•   awareness of risks – personnel must be aware of risk management principles to act in accordance with instructions and, above all, react as required by the situation
• comprehensiveness – risk management is part of every activity, while it plays a specifically significant role in processes that are vital for the company’s operations.

The special characteristics of different risk management processes vary, depending on the nature of risks. Risks are divided into four categories: strategic; operational; financial; and accidents. Strategic risk refers to the nature of business operations, the choice of strategy, and the risk associated with the implementation of the strategy. If realised, strategic risks can significantly weaken the company’s operating conditions. For example, strategic risks are associated with the prevailing competitive situation and regulations on companies’ activities, and they may be realised in conjunction with significant investments. In its revised risk management process, the company has placed more focus on risks and opportunities associated with the environment and social and financial responsibilities from the perspectives of strategic, operational, financing and accident risks.

Operational risks are associated with the company’s internal processes such as the company’s management, personnel, or business network. If realised, operational risks may reduce operational efficiency and thus the company’s results and profitability.

Financial risks include currency, interest, credit and liquidity risks, as well as capital management risks The goal of financial risk management is to protect Ponsse Group’s financial performance, cash flow, equity and liquidity against unfavourable financial market fluctuations. Financial risk management is centralised in the parent company’s financial unit. The Board of Directors confirms the company’s financial risk management policy, and the company’s CFO is responsible for its practical implementation with the financial unit.

Accident risks are a more tangible threat to the company’s operations than the aforementioned risk types. In the management and avoidance of accident risks, the main focus is on the identification of risks. Identified accident risks include occupational health and safety risks, environmental risks and risks of property damage. There is also a focus on prevention: accident risks have been prepared for through an extensive insurance scheme. In addition, the aim is to prevent accidents through a safety policy and guidelines, as well as safe working methods and tools. The company is very attentive to hazardous situations, and is quick to respond to them. Increased attention is now being paid to personnel safety matters. All accidents and near-miss incidents are recorded in the monitoring system, and necessary measures are taken to prevent any hazards. The company’s goal is an accident-free working environment. Accident risks are regularly assessed at the entire personnel level.

Organisation and the distribution of responsibilities

The main responsibility for the organisation of risk management rests with the company’s management. The Board of Directors defines and confirms the risk management policy and risk management principles, and it also assesses the fulfilment and effectiveness of processes. However, responsibilities are not only limited to the senior management: every individual employed by the Group is obligated to anticipate risks and prevent their realisation. At an individual level, risk management takes place by reporting any identified risks to supervisors.

The risk management process includes the systematic identification and assessment of function- and unit-specific risks, and ensuring they are reflected in the company’s risk management plan. Risk management is systematically implemented and monitored as part of daily activities. The company aims to improve the efficiency of its risk management by increasing awareness of its significance and supporting shared risk management projects of different functions.