Risk management is an integral part of management in Kesko
Kesko’s risk management is proactive and an integral part of its management and day-to-day activities. The objective of risk management is to ensure the delivery of customer promises in the Kesko Group, profit performance, dividend payment capacity, shareholder value, the implementation of responsible operating practices and the continuity of operations. Efficient risk management is a competitive advantage for Kesko.
The risk management policy confirmed by the Board of Directors guides risk management in the Kesko Group. The policy is based on the COSO ERM Framework and the SFS-ISO risk management standard. The policy defines the objectives, principles, practices, organisation and responsibilities of risk management. Kesko divides risks into strategic, operational and financial risks.
In Kesko, a risk is defined as an event or circumstance
- that can hinder or prevent the attainment of Kesko's objectives, or
- that can lead to a failure to exploit business opportunities.
Risk management principles in the Kesko Group:
- We set our objectives taking account of related risks and opportunities. We take calculated and assessed risks within the limits set in strategy selections, e.g. in expanding business operations, in strengthening market position and in creating new business.
- When assessing risks, we consider the impacts on people, the environment and reputation in addition to financial impacts.
- We avoid or reduce operational and damage/loss risks.
- We ensure a safe shopping environment and product safety for our customers.
- We create a safe working environment for our employees.
- We minimise the opportunities for crime or malpractice.
- We have crisis management, continuity and recovery plans, plan implementation testing and sufficient insurance cover in place in case of any risks.
- We maintain risk management costs and resources in proportion to the obtainable benefits.
- We provide information on risks and risk management to stakeholders in accordance with Kesko's corporate governance principles.
The Group has a uniform risk assessment and reporting system
The Kesko Group applies a business-oriented and comprehensive approach to risk assessment and management. This means that key risks are systematically identified, assessed, managed, monitored and reported as part of business operations at the Group, division, company and unit levels in all operating countries. Risk identification and assessment play a key role in Kesko's strategy work and rolling planning. In addition, risk assessments are made of significant projects related to capital expenditures or changes in operations.
Kesko has a uniform risk assessment and reporting system. Risk identification is based on business objectives and opportunities and the defined risk appetite. Risks are prioritised on the basis of their significance by assessing the impact and probability of their realisation and the level of risk management. Not all risks can or need to be managed. When assessing the impact of realisation, the impacts on reputation, employees' wellbeing and the environment are considered in addition to financial impacts. Responsible persons are assigned to the planning, execution and monitoring of risk management responses. The defined responses are included in operating plans and monitoring.
Providing insurance cover is part of Kesko's risk management
Providing insurance cover is part of Kesko's risk management, and the policy confirmed by Kesko's Board defines the principles of providing insurance. The objective of insurance is to ensure that the Group's personnel, assets, business operations and liabilities have appropriate and economical insurance cover, while taking account of legislation and the Group's risks and risk tolerance at any time. The Group's risk management function is responsible for the Group-level insurance programmes, their competitive tendering and brokerage services as part of the Group's damage/loss risk management.
Responsibilities and roles in risk management
The business division and Group function managements are responsible for risk management implementation. Each division has appointed a management board member, usually the finance director, to be responsible for coordinating risk management and security and providing guidelines in each respective division and reporting on risk management responses. In addition, divisions have risk managers and security managers, who are responsible for the development and control of risk management and security in the division, in cooperation with the business management and support functions.
Kesko has a Group-level Risk Management Steering Group, which is chaired by the Group's President and CEO, and composed of the representatives of the management of the various divisions and Group functions.
The Group's risk management function controls and coordinates the development of joint risk management and security procedures, the adoption of best practices in the Group, and is responsible for risk reporting to the Group's management. Based on the divisions' and Group functions' risk analyses, the Group's risk management function prepares quarterly the Group's risk map, presenting the most significant risks and their management.
The Group's risk map, the most significant risks and uncertainties, as well as changes in and responses to them are reported to the Kesko Board's Audit Committee in connection with handling the interim reports and the financial statements. The Audit Committee's Chair reports on risk management to the Board as part of the Audit Committee report. Kesko's Board discusses the most significant risks and the responses required to control them, and assesses the efficiency of risk management. The most significant risks and uncertainties are reported to the market by the Board in the financial statements, and changes in them in interim reports.
The management of financial risks is based on the Group's finance policy, confirmed by Kesko's Board. Group Treasury is centrally responsible for funding, liquidity management, debt investor relations and the management of financial risks.
The internal audit function assesses the efficiency of Kesko's risk management system annually and reports on it to the Kesko Board's Audit Committee.
Risk management responses in 2011
Kesko's risk management policy was updated in late 2011 to take account of the SFS-ISO 31000 'Risk management – Principles and guidelines' standard. Kesko has an established risk management process and no significant changes took place in it in 2011.
The risk management function was closely involved in the project for the introduction of the new chip&pin payment terminals. This included the assessment of the introduction project and the risks of use, and the definition of new operating systems.
For the purpose of improving occupational safety, leveraging the results of the extensive inquiry for assessing risks at work carried out in 2009 was continued by assessing the identified risk factors in more detail and by determining location- or unit-specific responses to them.
With regard to damage/loss insurances, new forms of cooperation were sought and adopted jointly with business partners for the purpose of supporting proactive risk management work in Kesko. Competitive tendering of insurance broker services and the statutory workers' compensation insurance cover relating to Kesko's personnel in Finland was arranged.
Focus areas of risk management in 2012
As Kesko is strongly expanding its operating activities in Russia, local risk management resources will be increased and cooperation between the divisions as well as Group control will be added. Kesko’s risk management will continue to prevent damages and malpractice, to maintain and test continuity plans, and to provide cost-efficient insurance services. Competitive tendering for the Kesko Group's non-life insurances will be arranged early in the year.
The risk management function will continue working in close cooperation with other Group units, especially with the internal audit, legal affairs, human resources, accounting, treasury and IT functions in order to ensure the adoption of, for example, responsible operating practices, and to improve personnel safety and to develop risk management related to information security and data protection.