Annual Report 2015

7 Other Corporate Governance

7.1 Internal control

Internal control is part of Posti’s management system and supports the implementation of the Group’s strategy and regulatory compliance. It is part of the corporate culture, covering all levels and processes of the organization.

Overall responsibility for arranging internal control lies with the Board of Directors of Posti Group Corporation. The CEO is responsible for creating the control environment and for internal control follow-up. The management of the Group’s companies and units is responsible for the implementation of the principles and policies of internal control and for utilizing information from the control system in its organizations. The Business Audit unit is responsible for internal audit and the auditor appointed by the Annual General Meeting for the statutory audit.

At the Group level, internal control relies on Posti’s values and ethical guidelines, the Group’s Code of Conduct and operating principles, and the functional organization, which also allow efficient monitoring in different parts of the Group. The management of the Group companies and units is responsible for defining control measures and assigning responsibilities.

The follow-up of financial targets and financial supervision are based on monthly reporting, which in addition to actuals includes updated forecasts for the whole financial year and for the next 12 rolling months.

7.2 Risk management

The Group's risk management, based on the principles of Enterprise Risk Management (ERM), covers all Group operations and forms an integral element of Posti’s management and strategy processes. Its aim is to secure and improve business profitability and the achievement of strategic goals by reducing the likelihood of risk occurrence and the impact thereof, and by supporting the exploitation of business opportunities. Risk is the possibility that an event will occur in Posti and adversely affect the achievement of objectives. A business opportunity, in turn, is defined as an event whose effective utilization will positively affect the achievement of objectives.

Risk identification, analysis, and the planning of risk management measures is carried out once a year as part of the Group's strategy process. The status of the risk profile and management measures is updated regularly once a year and whenever significant risks are identified or the profiles of major risks undergo material changes. The Group's risk portfolio is compared against the risk-bearing capacity based on a financial model developed within the Group.

Risk management’s responsibilities

Posti’s Board of Directors approves the Group’s risk management policy and principles. The Group’s Management Board approves risk management guidelines. The CEO and the CFO are responsible for the planning and efficient implementation of overall risk management processes. The Group’s Management Board and the Board of Directors’ Audit Committee regularly monitor the development and functionality of risk management processes and the whole made up of the most important risks with regard to the Group’s risk-bearing capacity. The Audit Committee assesses the coverage and functionality of risk management.

The Business Audit unit assesses the coverage and functionality of the Group’s risk management and provides support in risk identification.

Risk owners

Risks are managed where they are created. The management of the Group’s business groups and units and of Group functions defined as critical is responsible for risk management as part of strategic and operative management in its operations as well as in outsourced functions for which it is responsible. The management is also responsible for ensuring that the whole made up of the most important risks remains within the risk-bearing capacity. A Risk Champion has been appointed in all business groups, their business units and the most important Group functions. In addition, every employee at Posti is responsible for taking risks into consideration in his/her work and for reporting detected risks to his/her supervisor.

Risk management support

Group Finance administers currency and other financial risks in a centralized manner based on financing guidelines confirmed by the Board of Directors and secures the availability of equity financing and debt financing under competitive terms. It supports the business groups in financing-related arrangements and takes care of external funding in a centralized manner. It is also responsible for financial assets management and hedging measures.

The Group’s Chief Risk and Security Officer supports risk management policy implementation, coordinates key risk consolidation, and develops risk management tools and operating methods. He reports to the General Counsel, who reports to the CFO.

The risk management unit supports Group units in the management of operational risks related to corporate security.

Posti Group’s comprehensive risk management policy is available at www.posti.com/riskmanagement.

7.3 Internal audit

The Group’s internal audit produces independent assessment, securing and consultation services required by Corporate Governance, which are used to analyze the Group’s business functions and their processes and the efficiency of management, risk management, supervision, reporting and administration. Its goal is to help identify development targets through which the efficiency, predictability, productivity, and compliance of business can be improved.

Internal audit supports the Board of Directors and Group management, which are responsible for organizing internal control, in their supervisory duty. It also assists the management and organization in the planning and development of internal control.

The Business Audit unit, which is responsible for internal audit, reports administratively to the CFO, and with regard to audit operations to the CEO and the Audit Committee. Planning, co-ordination, reporting, and follow-up are all carried out using the unit’s own resources. The unit’s own resources and external resources are used in the realization of the audit.

7.4 Insiders

Posti has neither a public register of insiders nor any persons subject to the disclosure obligation because the company’s shares are not publicly listed. Posti’s company-specific insider register contains information on persons who by virtue of their position or tasks have regular access to insider information. Insider information means information that can have a material effect on the value of Posti’s bond and that consequently must be published in a stock exchange release.