Annual Report 2015

Risk management

The main objective of Enterprise Risk Management (ERM) is to safeguard the achievement of Posti’s strategic and key targets from unexpected risks and to enhance Posti’s business opportunities and corporate image.

Posti’s senior management is strongly committed to the enhancement of ERM. The risk management policy is approved and owned by the Board of Directors of Posti Group Corporation.

ERM at Posti is developed in line with the methodology and best practices of COSO (The Committee of Sponsoring Organizations of the Treadway Commission) Enterprise Risk Management - Integrated Framework. In addition to COSO ERM, A Risk Management Standard published by FERMA (Federation of European Risk Management Associations) is acknowledged in Posti’s ERM development.

Risk management objectives

ERM is a part of Posti’s management system. It is directly related to and linked with the Posti strategy creation process, where its main objective is to provide assurance on how the enterprise’s business strategy will perform under different scenarios and events. Thus, ERM directly supports continuity of Posti’s business operations.

ERM is designed to identify events that could affect the company and its strategic performance. These events can be either positive or negative in impact. Opportunity is the possibility that an event will occur and positively affect the achievement of objectives. Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

The fundamental goal of ERM is to provide reasonable assurance that the enterprise achieves its key objectives and strategy and is capable of optimizing its opportunities. The achievement of key objectives should not be done at any cost; the enterprise must compare its risk portfolio with its risk appetite and risk capacity on a regular basis to ensure that the portfolio is in balance. Risk appetite is the quantum of risk that the Group is willing to accept given its capabilities and the expectations of its stakeholders. Risk capacity is the maximum risk that the Group can bear in a fiscal year.

As ERM is aimed at supporting the achievement of an enterprise-wide view on opportunities and risks, it must also be comprehensive and holistically cover all types of risks across the enterprise and be embedded with all important business processes, all business areas and all levels in the organization. ERM’s ultimate goal is to optimize risk, return, growth and capital for the enterprise as a whole.

Roles and responsibilities

The Posti Group Corporation Board of Directors owns and approves Posti Enterprise Risk Management Policy. The Audit Committee oversees that ERM is implemented and works efficiently. The Audit Committee also reviews the Group-level risk portfolio twice a year. The Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) are responsible for organizing the design and efficient implementation of ERM processes. Posti’s Management Board approves Posti’s ERM approach and regularly reviews the implementation of ERM process as well as the Group-level risk portfolio.

ERM is an integral part of Posti’s management processes. Hence core implementation activities are taken care of by the line management of Business Groups, Business Groups/Units and country organizations. The line management is responsible for embedding ERM into strategic management, daily operations and business processes, including respective services operated by third parties. For example, Business Groups are responsible for defining what kinds of risks and changes in risk valuation are to be reported within line management and/or in the matrix from Business Units/Lines, country entities and third parties providing services for them.

Each Business Group, Business Unit/Line, country organization and named critical Group Function has a nominated Risk Champion who facilitates and drives the risk management activities in the organization. Business Units in this context also include independent units.

Critical Group Functions in this context include Group Finance, Group Treasury, ICT, Communications, Legal Affairs, Posti Kiinteistöt Ltd, HR, Sourcing and Corporate Risk Management. The criticality of Group Functions from the ERM perspective is evaluated on a regular basis by the Management Board and organizational coverage is adjusted accordingly.

Every Posti employee is responsible for managing risks related to their own work and for communicating identified key risks to the line management.

The Chief Risk and Security Officer (CRO) of Posti Group is in charge of supporting the implementation of the risk management policy, coordinating Group-level risk consolidation and developing ERM methodologies. The CRO reports to the General Counsel, who reports to the CFO. The Business Audit function assesses the coverage of risk management and provides support in risk identification.

Risk management process

The figure below illustrates the risk management process and the objectives of each process phase.

In addition to the corporate strategy process, the illustrated risk management procedures must also be applied to the following business decision processes: M&A including the outsourcing of activities, the development of new business operations, products and services, large capital investments, major changes in operations or the mode of operation, and other major programs and projects.

ERM as part of the corporate strategy process

The timing of key ERM activities is closely connected to other strategic and business planning actions as defined in Posti’s corporate strategy process.

ERM should be present as one of the first steps of the corporate strategy process, when the learning from the previous year is extracted and business environment trends and phenomena including strategic risks and opportunities are identified and analyzed systematically to understand the key drivers of the strategic environment.

On the Business Group level, as part of strategy formulation a more detailed risk management process is carried out as described above. Holistic risk analyses and communications, especially between Business Groups and Group Functions, must be carried out to ensure an adequate understanding regarding risks and corrective responses by risk owners.

ERM is also required to support the efficient implementation of strategy. For this reason, as instructed within the Group Strategy Process, Business Units/Lines, country organizations and Group Functions are required to formulate their own strategies and/or annual plans including the identification, analysis, and response to opportunities and risks. The organizations are expected to use the Group and Business Group Strategies as inputs for their own planning. In this process, the Group and Business Group level strategic objectives and risks are integrated in the annual action planning and target setting for the coming year.

Risks and controls are monitored and reported on a regular basis on all corporate levels.