Internal Control

Internal control is embedded in Posti's management system, with the aim of supporting execution of the group's strategy and regulatory compliance. It is part of the corporate culture, covering all levels and processes of the organization.

Posti Group Corporation's Board of Directors carries the overall responsibility for internal control. Responsibility for establishing the control environment, and monitoring internal control across the board, lies with the CEO. The management of the group companies and units is responsible for the implementation of the principles and operating methods of internal control as well as the utilization of the information produced by the control system in the respective organizations. Internal auditing is the responsibility of the Business Audit unit and statutory auditing is the responsibility of the auditor appointed at the Annual General Meeting.

At the group level, the bases of internal control are Posti's values and ethical guidelines, the group's operating guidelines and principles, and the functional organization, which also enable effective monitoring in different parts of the group. The management of group companies and business units is responsible for the definition of control measures and assignment of responsibilities.

The monitoring of financial goals and financial control are based on monthly reporting, which includes actuals as well as updated forecasts for the entire fiscal year and for the following 12 months on a rolling basis.

Risk Management

Risk management activities which are based on Enterprise Risk Management (ERM) principles and which cover all of Posti's operations form an integral part of Posti's management and strategy processes. The objective of risk management activities is to secure and boost business performance and the achievement of strategic goals by minimizing the probability of risk occurrence and the potential impacts, and by promoting the effective use of business opportunities. A 'risk' is defined as any uncertainty that may prevent or hamper the Group from achieving its objectives. A 'business opportunity' is defined as an event which, if successfully exploited, will promote the achievement of objectives.

Risk identification, analysis, and management planning is carried out once a year as part of the Group's strategy process. The status of the risk profile and management measures are updated regularly once a year and whenever significant risks are identified or the profiles of major risks undergo material changes. The Group's risk portfolio is compared against the risk-bearing capacity based on a financial model developed within the Group.

Risk management responsibilities

Group management

Posti's Board of Directors approves the Group's risk management policy and principles, while the general risk management guidelines are approved by the Management Board. The President and CEO and the CFO are responsible for the planning and efficient implementation of enterprise risk management processes. On a regular basis, the Management Board and the Board Audit Committee monitor the development and effectiveness of risk management processes, as well as the Group's risk exposure concerning the key risks in relation to its risk-bearing capacity. The Audit Committee evaluates the scope and efficiency of risk management.

The Group's risk management steering group is the Posti Strategy Forum, which controls the risk management methods, processes, and reporting.

The Business Audit unit evaluates the scope and efficiency of risk management within the Group and provides support for risk identification.

Risk owners

Risks are managed at their point of origin. The management of the business groups and the units, and of critical Group functions, is responsible for risk management as part of strategic and operational management within their organization, including outsourced operations within their area of responsibility. They are also responsible for ensuring that the risk exposure concerning the key risks remains within the risk-bearing capacity. All business groups, business units, and key group functions have designated Risk Champions. In addition, all Posti employees are required to take risks into consideration in their own work and to report any risks observed to their supervisor.

Support for risk management

Group financing manages currency and other financial risks in accordance with financial guidelines approved by the Board of Directors, and secures the availability of equity and debt capital on competitive terms. It supports the business groups in arrangements related to financing and centrally manages external funding. It is also responsible for financial assets management and for ensuring appropriate hedging measures.

The Group’s Chief Risk and Security Officer supports the implementation of the risk management policy, coordinates the consolidation of key risks, and develops risk management procedures and tools. The Chief Risk and Security Officer reports to the Director of the legal department, who in turn reports to the Group's CFO.

The Corporate Risk Management unit supports Group units in the management of operational risks related to corporate security.

Internal Audit

Internal audit provides assessment, assurance, and consulting services, as required under good corporate governance principles, for analyzing the Group's businesses and their processes and the efficiency of the Group's management, risk management, control, reporting, and corporate governance. It aims to assist in identifying targets for development to boost business efficiency, predictability, profitability, and compliance.

Internal audit supports the Board of Directors and group management, who are responsible for internal control, in their supervisory duties. It also assists the management and organization in the planning and development of internal control.

The Business Audit unit, which is responsible for internal audit, reports administratively to the CFO, and with regard to audit operations to the CEO and the Audit Committee. Planning, co-ordination, reporting and follow-up are all carried out using the unit’s own resources. The unit’s own resources and external resources are used in the realisation of the audit.