Risk management is an integral part of management in Kesko
Kesko’s risk management is proactive and an integral part of day-to-day management. The objective of risk management is to support the implementation of Kesko’s strategy.
Risk management in Kesko Group is guided by the risk management policy confirmed by Kesko's Board of Directors. The policy defines the goals and principles, organisation, responsibilities and practices of risk management in Kesko Group. In the management of financial risks, the Group's treasury policy, confirmed by Kesko's Board of Directors, is observed.
In Kesko, a risk is defined as an event or circumstance
Risk management principles in Kesko Group:
The Group has a uniform model for risk assessment and risk reporting
Kesko Group applies a business-oriented and comprehensive approach to risk assessment and management. This means that key risks are identified, assessed, managed, monitored and reported as part of business operations at Group, division, company and function levels throughout the Group.
Kesko has a uniform risk assessment and reporting model. Risk identification is based on business objectives and opportunities and the defined risk appetite. Risks are prioritised on the basis of their significance by assessing their impacts in euros and the probability of their realisation. When assessing the impact of realisation, the impacts on reputation, the wellbeing of people and the environment are assessed in addition to the impacts in euros.
Risk identification and assessment play a key role in Kesko's strategy work and operations planning. In addition, risk assessments are made of significant projects related to capital expenditure, business arrangements or changes in operations. The risk assessments of divisions and common functions that include a risk map, risk management responses, responsible persons and schedules are reviewed regularly by the management of the respective division or common function.
Risks and risk management responses are reported in accordance with Kesko’s reporting responsibilities. The divisions and the common functions report on risks and changes in risks to the Group's risk management function. Risks are discussed by the risk management steering group, which includes representatives of the divisions and the common functions. On that basis, the Group’s risk management function prepares the Group’s risk report, which is reviewed by the Governance, Risk and Compliance (GRC) steering group, after which Kesko's President and CEO approves the report.
The Group's risk map, the most significant risks and uncertainties, as well as material changes in and responses to them are reported to the Kesko Board's Audit Committee in connection with reviewing the interim reports, the half year financial report and the financial statements. The Audit Committee also evaluates the efficiency of Kesko’s risk management system. The Chairman of the Audit Committee reports on risk management to the Board of Directors as part of the Audit Committee Report.
Kesko's Board discusses Kesko Group’s most significant risks and uncertainties. The Board reports on the most significant risks and uncertainties to the market in the Report by the Board of Directors and on material changes in them in the half year financial report and the interim reports.
Arranging insurance cover is part of Kesko's risk management
Arranging insurance cover is part of Kesko's risk management and it is guided by the insurance principles confirmed by Kesko's Board of Directors. The need for insurance cover is assessed taking account of Kesko's risk capacity and appetite. The risks that have a significant impact on Kesko's profit and liquidity are insured, whereas the need for insuring other risks is assessed on a risk basis. The purpose of insurance is to act as a means of balancing the profit in case of unexpected damage. Risks can be knowingly left uninsured, at Kesko's own risk, if this is sensible and cost-effective on the basis of risk assessment. The Group's risk management function is responsible for the Group-level insurance programmes, related guidelines, their competitive tendering and brokerage services.
Risk management model and responsibilities
Kesko's Board of Directors confirms the Group's risk management policy and reviews the Group's most significant risks and uncertainties in its meetings.
The President and CEO manages Kesko Group's operations in accordance with the instructions and orders given by the Board of Directors and reports to the Board of Directors on the developments in the Company's business and financial situations. In risk management, the President and CEO is assisted by the Group's risk management function, as well as the GRC (Governance, Risk & Compliance) steering group, which consists of key persons from the Group management and risk management.
The management of the business operations and common functions is responsible for the execution of risk management. In each division, the finance director is responsible for the execution of risk management. The risk management unit coordinates the risk management process and is responsible for risk reporting. Jointly with the businesses and common functions, it also executes risk identification, the determination of risk management responses and their implementation. Every member of Kesko personnel must know and manage the risks in his/her area of responsibility.
Risk management responses in 2018
In 2018, key focus areas for risk management were the development of cyber risk management and the implementation of related projects, as well as changes to insurance coverage based on Kesko’s analysed risk tolerance. Kesko’s business continuity planning was developed, and updated continuity plans were tested in business continuity and crisis management exercises. In corporate security, improvement of the cost-efficiency of security technology and services continued through the concentration of purchases. Corporate security also strove to improve awareness of cyber security threats among personnel members through spam and malware attacks simulated by service partners. Information security training was organised for all personnel. A positive trend continued in terms of damage and there were no major individual instances of damage.
Focus areas for risk management in 2019
Focus areas for risk management include the systematisation of cyber risk management and its integration into the Group risk management steering model, enforcing risk management in operations outside Finland, and improving the efficiency of processes related to updates and changes to the Group’s insurance coverage. The management of regulatory risks will be improved by developing Kesko’s compliance operations with Group Legal Affairs. The development and assurance of the effectiveness of actions related to risk reduction and determination will continue. Measures to improve the cost-efficiency of security technology and services will continue through concentration of purchases. In addition, the corporate security unit actively takes part in the implementation of security arrangements on the new K-Kampus.