Who is responsible for establishing and maintaining the internal controls to achieve the objectives of effective and efficient operations?

Internal control

The purpose of internal control is to provide reasonable assurance that the company’s objectives are achieved. In order for the Company to be successful, it will develop and monitor its operations, processes and procedures. Through effective internal control, people can be guided to act in the right way and to detect emerging deviations from objectives as early as possible, in order to plan and implement corrective actions.

Control processes are presented in three categories. The first one relates to effectiveness, efficiency and transparency of operations on all levels in accordance with the Company’s strategy. The second one includes assuring complete, reliable, relevant and timely reporting. This includes the aim to ensure that financial reports published and all other financial information disclosed by the Company provide a fair view on the Company’s financial performance and position. The third category covers compliance with applicable laws, regulations, and Company policies and instructions.

The Board and the CEO are responsible for organising and maintaining internal control. The CEO sets the ground for the internal control environment (“tone at the top”) by providing leadership and direction to the executive management, and by reviewing the way they manage and control the business. The CEO is responsible for managing the business and administration in accordance with the applicable laws and regulations, and the direction of the Board. The CEO is accountable for establishing sufficient internal control processes in the organisation. The CEO is assisted by the CFO and Purmo Group operative management in these duties. The business functions and the Group finance organisation are responsible for the financial reporting processes.

Internal control processes are established on all levels of the Company’s organisation and in all of its segments and functions. Control activities are designed and implemented based on risks. The Company has established Internal Control Operating Principles.

The internal control management process and annual cycle consist of the following interlinked components:

  • Risk assessment and a plan for control testing
  • Control testing, identification of gaps and a plan for corrective actions
  • Follow-up of control gaps and related corrective actions as well as an update of control catalogues
  • Reporting of the status and sufficiency of internal control processes

The Audit Committee monitors the effectiveness and efficiency of internal control and the correctness of internal and external reporting. The Audit Committee and the Board assess the financial reporting processes, monitor the financial situation of the Group, and review the interim and half-year reports and financial statements before their approval and publication.

Risk Management

The primary objective of risk management in the company is to support the implementation of the strategy, continuation of operations and realization of business objectives by anticipating any risks involved in the company’s operations and managing them in a proactive manner. Enterprise risk management emphasises the role of corporate culture and is an integrated part of operations, planning, and decision-making in Purmo Group. Risk is defined as an uncertain event, caused by external or internal factors, which may be either a threat or an opportunity. The Board has approved the Enterprise Risk Management Policy, which defines the framework, processes, governance and responsibilities of risk management in Purmo Group.

Purmo Group applies principles introduced in COSO Enterprise Risk Management – Integrating with Strategy and Performance – Framework. Risks that may affect the Company are categorized as strategic risks, operational risks, financial risks, and compliance risks.

The Board and the Audit Committee monitor and are responsible for ensuring that Purmo Group’s risk management process functions are comprehensive. The Board defines the risk appetite and tolerance, according to the current conditions. The Company’s operative management is responsible for achieving the set objectives and controlling, managing and mitigating risks that threaten them. The operative management is also responsible for the risk management work, and for ensuring the performance of the risk management process and the availability of sufficient resources.

The CFO is responsible for instructions and advice to the operations and functions concerning enterprise risk management, and for monitoring the practical implementation of the process. Risk management assessments are coordinated by the CFO together with the Chief Risk Officer, who supports the management, operative business functions and other supportive functions in the risk management work. The CFO reports key risks to the Board of Directors on an annual basis. The Board discusses Purmo Group’s most significant risks and uncertainties and reports them to the market annually in the Board’s Report. In addition, the Company describes the material short-term risks and uncertainties in half-yearly reports and interim reports.

In Purmo Group, the business functions are responsible for risks related to their operations and their identification, assessment and mitigation means. The Company’s internal audit is responsible for developing a risk-based audit plan and conducting the audit procedures based on the plan. Internal audit reports as an independent function directly to the Board and Audit Committee.

The Company’s risk management is based on a three lines of defence model as follows:

  • Company personnel manage risks as a part of their day-to-day business operations and decisions;
  • the CFO instructs, facilitates, supports and develops risk management processes, together with the Chief Risk Officer and CEO; and
  • the Board reviews the results of the risk management and concludes on the effectiveness of the risk management process.

The Company’s risk management process is based on the following components:

  • Strategy process – the process of identifying, quantifying, and mitigating any risk that affects or is inherent in a company’s business strategy, strategic objectives, and strategy execution, and defining the risk appetite and tolerance;
  • Business planning – the process in which annual risk assessments are made;
  • Risk identification – Identification of risks against business plan objectives;
  • Risk assessment – Assessment of identified risks with regard to impact, likelihood and current state of control;
  • Risk mitigation – Management of key risks through risk mitigation plans at VAC level; and
  • Risk reporting – Risk reporting to the Board of Directors. Risk reporting also supports the annual process of reporting risks externally in the interim and half-yearly reports and the annual financial statements.

The methods and tools for these process steps are maintained by the Chief Risk Officer. The risk management process fosters an awareness of risk and control throughout the organization and supports informed decision-making.

Internal Audit

Internal Audit is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the Company. It assists the Company in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s governance, risk management and internal control. Internal Audit also assists the Board of Directors and senior management to fulfil their responsibility to create an effective and reliable control environment in the Company. The Company has an Internal Audit function where the fieldwork is outsourced.

The internal audit activity will govern itself by adherence to The Institute of Internal Auditors’ mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).

At least annually, Internal Audit will prepare a risk-based internal audit plan for the review and approval of the Board. Input by senior management will be considered. The Internal Audit plan can, when considered feasible, be reviewed and updated throughout the year to address the priorities and current circumstances of the Company. Internal Audit will communicate any material limitations to sufficiently carry out its duties to the senior management of the Company and the Audit Committee of the Board.

Internal Audit will prepare and issue a written report to the Audit Committee, CEO and CFO of all internal audit assignments. The internal audit report may include management’s response and corrective actions taken or to be taken in regard to the specific findings and recommendations. The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations.

Key findings of audits, progress with corrective actions and Internal Audit’s opinion about the Company’s internal control processes are reported to the Audit Committee at least once per year.

Who is responsible for establishing internal controls?

Management is responsible for establishing internal controls. In order to maintain effective internal controls, management should: Maintain adequate policies and procedures; Communicate these policies and procedures; and.

Who is responsible for the development of effective internal control systems in a company?

These include management, the board of directors (including the audit committee), internal auditors, and external auditors. The primary responsibility for the development and maintenance of internal control rests with an organization's management.

Who is responsible for supporting management by assessing the effectiveness of the internal controls?

Board of Directors – The board of directors understands and exercises oversight responsibility related to financial reporting and related internal control. 3. Management's Philosophy and Operating Style – Management's philosophy and operating style support achieving effective internal control over financial reporting.

Who is responsible for internal controls within an organization quizlet?

Who is responsible for internal control? Everyone within an organization. The BOD is responsible for oversight of internal control and for defining expectations about integrity and ethical values, transparency and accountability for the performance of internal control responsibilities.