Internal control is part of Posti’s corporate governance, and the entire personnel take part in internal control processes. Thus, internal control is not a separate process, but it is integrated into the company’s day-to-day operations. Internal control covers all of Posti’s processes, policies and organizational structure.
Overall responsibility for seeing that internal control is arranged lies with the Board of Directors of Posti. The President and CEO is responsible for implementing the control environment and for internal control follow-up. Additionally, the heads of the Business Groups, Units and Corporate Functions are responsible for implementation of internal controls within their area of responsibility. Group level functions, like Finance & Control, Compliance and Legal, contribute to assurance of internal controls and their implementation.
Additionally, Group level processes like financial reporting and risk management have an important role in internal control. At the Group level, internal control relies on Posti’s values and ethical guidelines, the Group’s code of conduct and operating principles, and the functional organization, which also allow efficient monitoring in different parts of the Group. One of the core monitoring mechanisms is the follow-up of financial targets and financial supervision, which are based on monthly reporting. In addition to actuals it includes updated forecasts for the whole financial year and for the next 12 rolling months.
The Group’s risk management, based on the principles of Enterprise Risk Management (ERM), covers all Group operations and forms an element of Posti’s management and strategy processes. Risk identification, analysis, and the planning of risk management measures is carried out continuously in the different units and consolidated twice a year as part of the Group’s strategy and financial planning processes. As part of the consolidation the risk profile and mitigations are updated twice a year or whenever significant risks are identified or the profiles of major risks change materially. The Group’s risk portfolio assessed using EUR cost impact and probability and hence the risk-bearing capacity can be assessed. Taken the increased importance of cyber security and other data related risks in Posti Group’s operations and risk portfolio, the Company has recently increased its focus and competences within the area.
The management of the Group’s business groups and units, operational units and of Group functions is responsible for risk management as part of strategic and operative management in its operations as well as in outsourced functions for which it is responsible. In addition, every employee at Posti is responsible for taking risks into consideration in his/ her work and for reporting detected risks to his/her supervisor.
Board of Directors owns and approves Posti’s Enterprise Risk Management Policy and reviews Posti’s essential risks and risk management system at least once a year. Audit Committee is responsible for monitoring and evaluating the adequateness and efficiency of risk management and reviews Posti’s risks. President and CEO and Chief Financial Officer (CFO) oversee that the principles and processes of risk management are embedded in Posti’s management system and control and reporting processes. The Leadership Team oversees that the principles and processes of risk management are embedded in Posti’s strategic and operational management. The Internal Audit unit assesses the coverage and functionality of the Group’s risk management and provides support in risk identification.
The Group’s internal audit produces independent assessment, assurance and consultation services, which are used to analyze the Group’s business functions and their processes and the efficiency of management, risk management, supervision, reporting and administration. Its goal is to help identify development targets through which the efficiency, predictability, productivity and compliance of business can be improved.
Internal audit supports the Board of Directors and Group management, which are responsible for organizing internal control, in their supervisory duty.
The Internal Audit unit reports administratively to the Chief Financial Officer and functionally to the Audit Committee. The unit’s own resources and external resources are used in the execution of the audits.