Risk management and control

Risk management is an integral part of management in Kesko

Kesko’s risk management is proactive and an integral part of day-to-day management. The objective of risk management is to support the implementation of Kesko’s strategy.

Risk management in Kesko Group is guided by the risk management policy confirmed by Kesko's Board of Directors. The policy defines the goals and principles, organisation, responsibilities and practices of risk management in Kesko Group. In the management of financial risks, the Group's treasury policy, confirmed by Kesko's Board of Directors, is observed.

In Kesko, a risk is defined as an event or circumstance

  • that can hinder or prevent the attainment of Kesko's objectives, or
  • that can lead to a failure to exploit business opportunities.

Risk management principles in Kesko Group: 

  • We set our objectives taking account of related business opportunities and risks.
  • We take calculated and assessed risks within the limits set in strategy selections in, for example, expanding business operations, strengthening market position and creating new business.
  • We assess risks taking account of the scale of the potential impacts and the likelihood of their occurrence, while considering the impacts on people, the environment and reputation in addition to financial impacts.
  • We avoid or reduce operational and damage/loss risks.
  • We ensure shopping safety and data protection as well as product safety for our customers.
  • We create a safe working environment for our employees.
  • We minimise the opportunities for crime or malpractice.
  • We secure critical operations and the resources needed for them in order to ensure continuity.
  • We have crisis management, continuity and recovery plans, plan implementation testing and sufficient insurance cover in place to provide for the realisation of risks.
  • We keep risk management costs and resources in proportion to the obtainable benefits.
  • We provide information on risks and risk management to stakeholders in accordance with Kesko's corporate governance principles.

The Group has a uniform model for risk assessment and risk reporting

Kesko Group applies a business-oriented and comprehensive approach to risk assessment and management. This means that key risks are identified, assessed, managed, monitored and reported as part of business operations at Group, division, company and function levels throughout the Group.

Kesko has a uniform risk assessment and reporting model. Risk identification is based on business objectives and opportunities and the defined risk appetite. Risks are prioritised on the basis of their significance by assessing their impacts in euros and the probability of their realisation. When assessing the impact of realisation, the impacts on reputation, the wellbeing of people and the environment are assessed in addition to the impacts in euros.

Risk identification and assessment play a key role in Kesko's strategy work and operations planning. In addition, risk assessments are made of significant projects related to capital expenditure, business arrangements or changes in operations. The risk assessments of divisions and common functions that include a risk map, risk management responses, responsible persons and schedules are reviewed regularly by the management of the respective division or common function.

Risks and risk management responses are reported in accordance with Kesko’s reporting responsibilities. The divisions and the common functions report on risks and changes in risks to the Group's risk management function. Risks are discussed by the risk management steering group, which includes representatives of the divisions and the common functions. On that basis, the Group’s risk management function prepares the Group’s risk report, which is reviewed by the Governance, Risk and Compliance (GRC) steering group, after which Kesko's President and CEO approves the report.

The Group's risk map, the most significant risks and uncertainties, as well as material changes in and responses to them are reported to the Kesko Board's Audit Committee in connection with reviewing the interim reports, the half year financial report and the financial statements. The Audit Committee also evaluates the efficiency of Kesko’s risk management system. The Chairman of the Audit Committee reports on risk management to the Board of Directors as part of the Audit Committee Report.

Kesko's Board discusses Kesko Group’s most significant risks and uncertainties. The Board reports on the most significant risks and uncertainties to the market in the Report by the Board of Directors and on material changes in them in the half year financial report and the interim reports.

Arranging insurance cover is part of Kesko's risk management

Arranging insurance cover is part of Kesko's risk management and it is guided by the insurance principles confirmed by Kesko's Board of Directors. The need for insurance cover is assessed taking account of Kesko's risk capacity and appetite. The risks that have a significant impact on Kesko's profit and liquidity are insured, whereas the need for insuring other risks is assessed on a risk basis. The purpose of insurance is to act as a means of balancing the profit in case of unexpected damage. Risks can be knowingly left uninsured, at the Group's own risk, if this is sensible and cost-effective on the basis of risk assessment. The Group's risk management function is responsible for the Group-level insurance programmes, related guidelines, their competitive tendering and brokerage services.

Risk management model and responsibilities

Kesko's Board of Directors confirms the Group's risk management policy and reviews the Group's most significant risks and uncertainties in its meetings.

The President and CEO manages Kesko Group's operations in accordance with the instructions and orders given by the Board of Directors and reports to the Board of Directors on the developments in the Company's business and financial situations. In risk management, the President and CEO is assisted by the Group's risk management function, as well as the GRC (Governance, Risk & Compliance) steering group, which consists of key persons from the Group management and risk management.

The management of the business operations and common functions is responsible for the execution of risk management. In each division, the finance director is responsible for the execution of risk management. The risk management unit coordinates the risk management process and is responsible for risk reporting. Jointly with the businesses and common functions, it also carries out risk identification and the determination and implementation of risk management responses. Every member of Kesko personnel must know and manage the risks in his/her area of responsibility.

Risk management responses in 2019 

Focus areas for risk management included the systematisation of cyber risk management and its integration into the Group’s risk management steering model, enforcing risk management in operations outside Finland, and improving the efficiency of processes related to updates and changes to the Group’s insurance coverage. Continuity management principles were updated and their implementation initiated. The improvement of the cost-efficiency of security technology and services continued through concentration of purchases. In addition, the corporate security unit actively took part in the implementation of security arrangements at the new K-Kampus headquarters.

Focus areas for risk management in 2020

Focus areas for risk management will include improving risk management coverage, further developing the steering model and increasing related cooperation with e.g. the IT organisation and the corporate responsibility function. The implementation of continuity management principles will continue and continuity management reporting will be developed. To ensure the effectiveness of insurance coverage, insurance services outside Finland will be harmonised. The improvement of the efficiency of security technology and services will continue through concentration of purchases, the development of the life cycle management of security and real estate systems, and the prevention of related cyber threats.
