Internal control is embedded in Posti's management system, with the aim of supporting execution of the group's strategy and regulatory compliance. It is part of the corporate culture, covering all levels and processes of the organization.
Posti Group Corporation's Board of Directors carries the overall responsibility for internal control. Responsibility for establishing the control environment, and monitoring internal control across the board, lies with the CEO. The management of the group companies and units is responsible for the implementation of the principles and operating methods of internal control as well as the utilization of the information produced by the control system in the respective organizations. Internal auditing is the responsibility of the Business Audit unit and statutory auditing is the responsibility the auditor appointed at the Annual General Meeting.
At the group level, the bases of internal control are Posti's values and ethical guidelines, the group's operating guidelines and principles, and the functional organization, which also enable effective monitoring in different parts of the group. The management of group companies and business units is responsible for the definition of control measures and assignment of responsibilities.
The monitoring of financial goals and financial control are based on monthly reporting, which includes actuals as well as updated forecasts for the entire fiscal year and for the following 12 months on a rolling basis.
The Group's risk management, based on the principles of Enterprise Risk Management (ERM), covers all Group operations and forms an integral element of Posti's management and strategy processes. Its aim is to secure and improve business profitability and the achievement of strategic goals by reducing the likelihood of risk occurrence and the impact thereof, and by supporting the exploitation of business opportunities. Risk is the possibility that an event will occur in Posti and adversely affect the achievement of objectives. A business opportunity, in turn, is defined as an event whose effective utilization will positively affect the achievement of objectives.
Risk identification, analysis, and the planning of risk management measures is carried out once a year as part of the Group's strategy process. The status of the risk profile and management measures is, in addition, updated regularly once a year and whenever significant risks are identified or the profiles of major risks undergo material changes. The Group's risk portfolio is compared against the risk-bearing capacity based on a financial model developed within the Group.
Posti's Board of Directors approves the Group's risk management policy and principles. The CEO and the CFO are responsible for the planning and efficient implementation of overall risk management processes. The Group's Executive Board and the Board of Directors' Audit Committee regularly monitor the development and functionality of risk management processes and the whole made up of the most important risks with regard to the Group's risk-bearing capacity. The Audit Committee assesses the coverage and functionality of risk management.
The Business Audit unit assesses the coverage and functionality of the Group's risk management and provides support in risk identification.
Risks are managed where they are created. The management of the Group's business groups and units and of Group functions defined as critical is responsible for risk management as part of strategic and operative management in its operations as well as in outsourced functions for which it is responsible. The management is also responsible for ensuring that the whole made up of the most important risks remains within the risk-bearing capacity. A Risk Champion has been appointed in all business groups, their business units and the most important Group functions. In addition, every employee at Posti is responsible for taking risks into consideration in his/her work and for reporting detected risks to his/her supervisor.
Group Finance administers currency and other financial risks in a centralized manner based on financing guidelines confirmed by the Board of Directors and secures the availability of equity financing and debt financing under competitive terms. It supports the business groups in financing-related arrangements and takes care of external funding in a centralized manner. It is also responsible for financial assets management and hedging measures.
The Group's Chief Risk and Security Officer supports risk management policy implementation, coordinates key risk consolidation and develops risk management tools and operating methods. He reports to the General Counsel, who reports to the CFO. Chief Risk and Security Officer reports dotted-line to CFO with regards to Enterprise Risk Management.
The risk management unit supports Group units in the management of operational risks related to corporate security.
Internal audit provides assessment, assurance, and consulting services, as required under good corporate governance principles, for analyzing the Group's businesses and their processes and the efficiency of the Group's management, risk management, control, reporting, and corporate governance. It aims to assist in identifying targets for development to boost business efficiency, predictability, profitability, and compliance.
Internal audit supports the Board of Directors and group management, who are responsible for internal control, in their supervisory duties. It also assists the management and organization in the planning and development of internal control.
The Business Audit unit, which is responsible for internal audit, reports administratively to the CFO, and with regard to audit operations to the CEO and the Audit Committee. Planning, co-ordination, reporting and follow-up are all carried out using the unit’s own resources. The unit’s own resources and external resources are used in the realisation of the audit.