Risk management and internal control
The purpose of Puuilo’s Enterprise Risk Management Policy is to define the framework, processes, governance and responsibilities of risk management in Puuilo.
The primary objective of risk management in Puuilo is to support the company’s strategy execution, continuity of operations and realization of business objectives by anticipating any risks involved in the company’s operations and managing them in a proactive manner. Enterprise risk management emphasizes the role of corporate culture and is an integrated part of operations, planning and decision-making in Puuilo.
Puuilo’s objectives in risk management are to:
Puuilo’s risks are divided into the following main categories: strategic risks, operational risks, financial risks and compliance risks.
Strategic risks are uncertainties mainly related to the operating environment and Puuilo’s ability to leverage changes in the operating environment or to prepare for them. These may include general economic situation, competitors, legislation, or technological development. Strategic risks may relate to both financial and non-financial objectives. Appropriate risk treatment is implemented so that the chosen strategy is within the company’s risk tolerance.
Operational risks are circumstances or events, which can prevent or hinder the attainment of objectives or cause damage to people, property, business, information or any other operations of the company.
Financial risks are risks related to Puuilo’s financial position. These include risks concerning the availability and cost of financing, changes in foreign exchange rates, and investments.
Compliance risks are risks related to exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations or internal policies.
The overview of the roles and responsibilities of the most relevant bodies with regards to risk management are described in the following sub-sections.
Board of Directors
The Board of Directors monitors and is responsible for ensuring that the Puuilo’s risk management process functions are comprehensive. The Board defines the risk appetite and tolerance, according to the current conditions. The Board of Directors is also responsible for approving enterprise risk management related company policies.
Operative management of the company is responsible for achieving the set objectives and controlling, managing and mitigating risks that threaten them. The operative management is also responsible for the risk management work, and for ensuring the performance of the risk management process and the availability of sufficient resources.
Chief Financial Officer
Chief Financial Officer is responsible for instructions and advice to the operations and functions concerning enterprise risk management, and for monitoring the practical implementation of the process. Risk management assessments are coordinated by the CFO, which supports the management, operative business functions and other supportive functions in the risk management work. CFO reports key risks to the Board of Directors on a yearly basis.
The company's internal control focuses on operations and processes that are relevant to the company's business and financial reporting in a risk-based manner.
The company's Board of Directors has approved the operating principles of internal control, which determine the objectives for internal control based on internationally known principles. Internal control seeks to provide reasonable assurance that internal control procedures are adequate to either prevent or detect anomalies, errors, or misstatements in the company's business, financial reporting, or compliance with applicable laws and regulations, and to take corrective action when they are identified.
The company's internal control includes, among other things, key policies, processes, operating methods, control measures and the monitoring of controls, in which the company's Board of Directors, the President and CEO, other management and all employees participate in accordance with their role. The company does not currently have a separate internal audit function. Annual monitoring of internal control in the form of self-assessment of controls, including reporting of results to the Board of Directors and responsibility for implementing measures of the internal audit type, is organized in the company's financial administration. The Board annually assesses the need to establish an independent internal audit function. If there is a need for internal audit measures, the Board may use internal or external resources to perform separate internal audits.
The company has a whistleblowing channel for employees to report suspected misconduct.