Risk management framework
The implementation of Posti's strategy and the production of services involve various risks and opportunities. Risk management is an essential part of Posti's management practices and is used to successfully identify, assess and manage risks, which supports Posti's success in implementing its strategy and achieving its business goals.
The Group's Risk Management and Business Continuity Policy and Management System as well as the Internal Control Policy serve as a framework for Posti's risk management. The Risk Management and Business Continuity Policy describes Posti's risk management system, which includes the general principles of risk management, responsibilities, as well as risk and business continuity management processes. The Internal Control Policy describes internal control and the organization of its components as well as responsibilities in Posti Group.
Internal control
Internal control is part of Posti Group’s corporate governance, and it is embedded into the Group’s day-to-day operations. The main purpose is to provide reasonable assurance for the achievement of organizational objectives with regards to efficiency of operations, reliability of internal and external reporting, and compliance with applicable laws, regulations, and internal policies.
It helps the organization to understand the risks related to achieving the above-mentioned objectives and how to manage risks aligned with the risk appetite. Posti Group’s corporate culture, governance, and the approach to internal control create together the basis for the internal control process. Posti’s President and CEO is responsible for the organization of internal control within the Group. Heads of the Business Groups and Group Functions are responsible for organizing internal control within their area of responsibility.
The internal control in Posti Group is based on the Committee of Sponsoring Organizations’ (“COSO”) Internal Control framework. Following the international COSO framework, Posti’s internal control includes the following components:
1. Control environment
Posti’s Board of Directors establishes the governance structures needed to achieve the Group’s objectives, as well as the authorizations and responsibilities which facilitate the implementation of the Group’s objectives. The Group’s internal policies and guidelines establish the framework for internal control. Integrity, ethical values, and competence of Posti’s personnel are the foundation for Posti’s control environment.
2. Risk assessment
Internal control is based on systematic risk identification and assessment in accordance with the Posti Group Risk Management and Business Continuity Policy. The identification of internal and external risks is part of the risk assessment process. Assessment of risks for misconduct is also part of this process.
3. Control measures
Control measures are based on documented process descriptions and identified risks. Control measures are performed at all levels of the organization, and they are embedded in day-to-day activities. These include, among other activities, verifications, approvals, performance reviews, segregation of duties, controls on IT systems and access rights, as well as safeguarding Posti’s assets, including its brand.
4. Information and communication
Posti’s management ensures that internal control objectives and responsibilities are communicated to the personnel and that personnel are adequately trained on internal control matters. Internal control status and any control defects identified are timely and regularly reported according to the reporting lines to all relevant parties in the organization.
The CFO and the Group Internal Audit regularly report on the state and efficiency of internal control to the Audit, Risk and Sustainability Committee of the Board of Directors.
5. Monitoring
Posti’s internal control and its performance and efficiency over time are assessed via a continuous monitoring process. Monitoring is performed as part of daily operations and management. In addition, separate evaluations are performed by internal control and statutory auditors, as well as by quality system auditors.
Managers of Posti’s business and group support functions perform ongoing monitoring as part of their supervisory activities. They are responsible for organizing internal control within their area of responsibility so that all required controls are designed, implemented and monitored, and relevant laws and regulations are complied with. The operational managers within the organization manage process risks and ensure that control measures are performed. The Group Compliance function supports business management in monitoring that relevant policies are complied with. The Group Finance function ensures that controls related to reporting (external and internal) are designed, implemented and monitored.
The Board’s Audit, Risk and Sustainability Committee assures and assesses the adequacy and effectiveness of Posti’s internal control and risk management. The Group Internal Audit function performs regular audits of the Group’s legal entities, businesses, and support functions in accordance with its annual plan approved by the Audit, Risk and Sustainability Committee. In addition, Posti’s statutory auditor and other assurance providers, for example IT system and quality auditors, conduct their own evaluations of the Group’s internal controls.
Risk management
The Group’s risk management is an integral part of Posti’s strategy and planning processes as well as other processes. The Group’s risks are assessed using probability and impact. Regular risk reviews are carried out to ensure the appropriateness and continuous development of risk management. Risk management is performed where the risks are. Heads of the Business Groups and Heads of Group Functions are responsible for identifying key risks and implementing sufficient controls based on the Group’s risk management policy. The main principles of Posti's risk management are summarized below:
Part of the organization's management system: Risk management is integrated into Posti's management system and is an integral part of management, planning, and processes. Risk management extends not only to internal control, but also to strategy formulation, administration, operational activities, and business continuity planning.
Systematic and up to date: Risks are systematically assessed, documented by responsible persons, and reviewed regularly.
Transparency, inclusion, and consideration of cultural context: The risk management process takes into account all relevant stakeholders as well as human, social, and cultural factors, considering Posti's role in society.
Enabling continuous development: Risk management analysis is used to develop the organization's capabilities and processes, promoting continuous renewal and resilience.
Posti's Board of Directors approves the Risk Management and Business Continuity Policy and the Internal Control Policy, and the President and CEO is responsible for ensuring that the principles and processes outlined in these policies are part of Posti's management, control and reporting process. Posti's Audit, Risk and Sustainability Committee monitors the adequacy and effectiveness of risk management and internal control.
Internal audit
Posti Group Internal Audit provides independent, risk-based assessment, assurance and advisory services designed to add value and improve Posti’s operations. It helps Posti to accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, internal control, and governance processes. Internal audits are conducted in accordance with Internal Audit’s rolling annual plan approved by the Board’s Audit, Risk and Sustainability Committee.
Internal Audit also coordinates the monitoring of the corrective actions taken by management, and reports on the monitoring results to the Posti Leadership Team and the Audit, Risk and Sustainability Committee. The Head of Posti Group Internal Audit reports administratively to the President and CEO and functionally to the Audit, Risk and Sustainability Committee. The function’s own resources and external resources are used in the execution of the audits.