Risk management and control

Risk management is an integral part of management in Kesko

Kesko’s risk management is proactive and an integral part of management and day-to-day activities. The goal of risk management is to ensure the delivery of customer promises, profit performance, dividend paying capacity, shareholder value, the realisation of responsible operating practices and the continuity of business operations in Kesko Group.

The risk management policy confirmed by the Board guides risk management in Kesko Group. The policy is based on the COSO ERM Framework and the SFS-ISO 31000 risk management standard. The policy defines the goals, principles, practices, organisation and responsibilities of risk management. Kesko divides risks into strategic, operational and financial risks.

In Kesko, a risk is defined as an event or circumstance

  • that can hinder or prevent the attainment of Kesko's objectives, or
  • that can lead to a failure to exploit business opportunities.

Risk management principles in Kesko Group: 

  • We set our objectives taking account of related business opportunities and risks. We take calculated and assessed risks within the limits set in strategy selections in, for example, expanding business operations, strengthening market position and creating new business.
  • When assessing risks, we consider the impacts on people, the environment and reputation in addition to financial impacts.
  • We avoid or reduce operational and damage/loss risks.
  • We ensure a safe shopping environment and product safety for our customers.
  • We create a safe working environment for our employees.
  • We minimise the opportunities for crime or malpractice.
  • We secure critical operations and the resources needed by them in order to ensure continuity.
  • We have crisis management, continuity and recovery plans, plan implementation testing and sufficient insurance cover in place to prevent the realisation of risks.
  • We maintain risk management costs and resources in proportion to the obtainable benefits.
  • We provide information on risks and risk management to stakeholders in accordance with Kesko's corporate governance principles. 

The Group has a uniform model for risk assessment and risk reporting

Kesko Group applies a business-oriented and comprehensive approach to risk assessment and risk management. This means that key risks are systematically identified, assessed, managed, monitored and reported as part of business operations at the Group, division, company and unit level in all operating countries. Risk identification and assessment play a key role in Kesko's strategy work and rolling planning. In addition, risk assessments are made of significant projects related to capital expenditures or changes in operations.

Kesko has a uniform risk assessment and reporting model. Risk identification is based on business objectives and opportunities and the defined risk appetite. Risks are prioritised on the basis of their significance by assessing their impacts in euros and probability of their realisation. When assessing the impact of realisation, the impacts on reputation, the wellbeing of people and the environment are assessed in addition to the impacts in euros. Responsible persons are assigned to the planning, execution and monitoring of risk management responses. When responses are determined it is taken into account that all risks cannot or need not be managed. The determined responses are included in operating plans and follow-ups.

Arranging insurance cover is part of Kesko's risk management

Arranging insurance cover is part of Kesko's risk management and it is guided by incurance principles confirmed by Kesko's Board. The objective in insuring is to ensure that the Group's personnel, assets, business operations and liabilities have appropriate and economical insurance cover, while taking account of legislative requirements and the Group's risks and risk tolerance at any time. The Group's risk management function is responsible for the Group-level insurance programmes, their competitive tendering and brokerage services as part of the Group's damage/loss risk management.

Responsibilities and roles in risk management

The managements of business divisions and common functions are responsible for the implementation of risk management. Each division has appointed a management board member, usually the finance director, to be responsible for coordinating risk management and security and providing guidelines in each respective division, and reporting on risk management responses. In addition, divisions have risk managers and security managers, who are responsible for the development and control of risk management and security in the division in cooperation with the business management and support functions.

The Group's risk management function controls and coordinates the development of the common risk management and security procedures, the adoption of best practices in the Group, and is responsible for risk reporting to the Group's management and the Board's Audit Committee. Based on the divisions' and the common functions' risk analyses, the Group's risk management function prepares the Group's risk map presenting the most significant risks and their management.

The Group's risk map, the most significant risks and uncertainties, as well as any material changes in and responses to them are reported to the Kesko Board's Audit Committee in connection with the review of interim reports and the financial statements. The Audit Committee's Chair reports on risk management to the Board as part of the Audit Committee’s report. The Audit Committee also evaluates the effectiveness of Kesko’s risk management system. The most significant risks and uncertainties are reported to the market by the Board in the financial statements and any material changes in them in interim reports.

The management of financial risks is based on the Group's finance policy, confirmed by Kesko's Board. The Group Treasury is centrally responsible for arranging funding, for liquidity management, debt investor relations and the management of financial risks.

Internal Audit assesses the effectiveness of the Group's risk management annually and reports on it to the Kesko Board's Audit Committee.

Kesko Group's risk management organisation

Risk management responses in 2015

In Kesko’s risk management process, the assessment of impacts of risk realisation in euro terms was developed. Kesko participated in an international peer review on the level of risk management. The risk management, legal affairs and internal audit functions continued organising Value Discussions about Kesko’s responsible operating practices. During the year, the adoption of online training tools on safety was continued and the purchasing of security services across division boundaries was enhanced. User right management was enhanced and data security was improved in Kesko's various SAP environments. A positive trend continued in terms of damages and there were no major single damages.

Focus areas of risk management in 2016

The risk management function will continue working in close cooperation with division parent companies and the common functions in order to ensure the adoption of responsible operating practices, to prevent malpractice, and to develop risk management related to personal safety, business continuity, data security and data protection. One of the most important focus areas is the risk management related to the ongoing acquisitions. Security operations will focus on expanding the use of electronic tools and e-learning programmes. The data security of SAP and other systems will be developed. Jointly with the divisions, the risk management function will organise crisis exercises and training sessions on safety and security. The aim is to expand Group-level insurance programmes further. In addition, the response programme for 2016 is aimed at achieving cost efficiency in risk management responses through, for example, centralised purchasing of services and security technology.

To top