>

Risk Management

Internal control

Internal control is part of Posti’s corporate governance, and it is integrated into the company’s day-to-day operations. Main objectives of internal control are to ensure compliance with laws and regulations of each country of operation, and to secure reliable and timely financial reporting. In addition, internal control intends to ensure that company processes are run efficiently, and that the assets are optimized and safeguarded.

The internal controls in Posti Group are based on the Committee of Sponsoring Organizations (“COSO”) internal control framework. COSO framework includes the following components:

  1. Control environment

Posti Board of Directors establishes governance structures, authorities and responsibilities which facilitate implementation of the Group’s objectives. The Group’s operating guidelines establish the tone of internal control: what is expected, and which procedures are to be followed to implement policies in practice.

  1. Risk assessment

Internal controls are defined based on risk identification and assessment. The risk identification and assessment are performed systematically in accordance with the Posti Group Risk Management Policy. The risks include strategic, operational, financial as well as compliance and environmental risks. Assessment of fraud risk is also part of this process.

  1. Control activities

Control activities are based on documented process descriptions, and key process risks. Control activities are performed at all levels of the organization. Activities include (among others) verifications, approvals, performance reviews, segregation of duties, controls on IT systems and access rights, and physical counts of assets. Some of the control activities are carried out automatically by the IT systems.

  1. Monitoring

Daily monitoring of control activities is part of the management activities and reviews. Internal audit provides assessments of effectiveness of the internal control system within the Group according to its risk-based annual audit plan. The effectiveness of financial reporting controls is reviewed by the external auditor.

  1. Information and communication

Internal control objectives and responsibilities are communicated to the personnel in charge of the control activities. Employees developing and monitoring internal controls or otherwise carrying out control activities as part of their work are also provided. Internal control status, and any control defects identified, are regularly reported to the management by the team responsible for the internal control coordination. The CFO and the Group internal audit report regularly on the state and efficiency of internal audit to the Audit, Risk and Sustainability Committee

Posti Group CEO is responsible for the establishment of an internal control system within the Group. Heads of the Business Groups and Group Functions are responsible for organizing proper internal control within their area of responsibility.

The operational managers within the organization act as the “first line of defense” in managing process risks and ensuring the control activities are performed. The first line is supported by internal monitoring and oversight functions (such as financial control, risk management, compliance and legal), which form the “second line of defense”. As the “third line of defense”, internal audit provides objective assessment of the effectiveness of the internal control system.

Risk management

The Group’s risk management is based on the principles of the ISO 31000:2018 standard, covers all Group operations and is an integral part of Posti’s strategy and planning processes and other processes. Risk identification, analysis and planning of treatment activities are carried out continuously as part of planning processes and decision-making. The Group’s risks are assessed using probability and impact. Regular risk reviews are carried out in order to ensure the appropriateness and continuous development of risk management.

Heads of the Business Groups and Heads of Group Functions are responsible for identifying key risks and implementing sufficient controls. Each employee is also responsible for reporting identified risks to his/her superior or other line management. There are specific instructions on reporting risks endangering safety, security, Posti’s business or customer relations or compliance issues.

The Board of Directors reviews Posti Group’s key risks, the risk management system as well as Posti’s level of risk appetite at least once a year. The Audit, Risk and Sustainability Committee is responsible for monitoring and evaluating the adequateness and efficiency of Posti’s risk management process as well as internal control systems, and for assessing Posti Group’s key risks in connection with the financial reporting. The Chief Executive Officer (CEO) and Group Chief Financial Officer (CFO) ensure that the principles and processes of Risk Management are embedded in Posti’s management system and control and reporting processes.

Internal audit

The Group’s internal audit produces independent assessment, assurance and consultation services, which are used to analyze the Group’s business functions and their processes and the efficiency of management, risk management, supervision, reporting and administration. Its goal is to help identify development targets through which the efficiency, predictability, productivity and compliance of business can be improved. Internal audit supports the Board of Directors and Group management in their supervisory duty. The Internal Audit unit reports administratively to the President and CEO and functionally to the Audit, Risk and Sustainability Committee. The unit’sown resources and external resources are used in the execution of the audits.