Risk management and control

Risk management is an integral part of management in Kesko
Kesko’s risk management is proactive and an integral part of day-to-day management. The objective of risk management is to support the implementation of Kesko’s strategy.

Risk management in Kesko Group is guided by the risk management policy confirmed by Kesko's Board of Directors. The policy defines the goals and principles, organisation, responsibilities and practices of risk management in Kesko Group. In the management of financial risks, the Group's treasury policy, confirmed by Kesko's Board of Directors, is observed.

In Kesko, a risk is defined as an event or circumstance

  • that can hinder or prevent the attainment of Kesko's objectives, or
  • that can lead to a failure to exploit business opportunities.

Risk management principles in Kesko Group: 

  • We set our objectives taking account of related business opportunities and risks.
  • We take calculated and assessed risks within the limits set in strategy selections in, for example, expanding business operations, strengthening market position and creating new business.
  • We assess risks taking account of the scale of their potential impacts and the likelihood of those impacts occurring, while considering the impacts on people, the environment and reputation in addition to financial impacts.
  • We avoid or reduce operational and damage/loss risks.
  • We ensure shopping safety and data protection as well as product safety for our customers.
  • We create a safe working environment for our employees.
  • We minimise the opportunities for crime or malpractice.
  • We secure critical operations and the resources needed for them in order to ensure continuity.
  • We have crisis management, continuity and recovery plans, plan implementation testing and sufficient insurance cover in place to provide for the realisation of risks.
  • We keep risk management costs and resources in proportion to the obtainable benefits.
  • We provide information on risks and risk management to stakeholders in accordance with Kesko's corporate governance principles.

The Group has a uniform model for risk assessment and risk reporting

Kesko Group applies a business-oriented and comprehensive approach to risk assessment and management. This means that key risks are identified, assessed, managed, monitored and reported as part of business operations at Group, division, company and function levels throughout the Group.

Kesko has a uniform risk assessment and reporting model. Risk identification is based on business objectives and opportunities and the defined risk appetite. Risks are prioritised on the basis of their significance by assessing their impacts in euros and the probability of their realisation. When assessing the impact of realisation, the impacts on reputation, the wellbeing of people and the environment are assessed in addition to the impacts in euros.

Risk identification and assessment play a key role in Kesko's strategy work and operations planning. In addition, risk assessments are made of significant projects related to capital expenditure, business arrangements or changes in operations. The risk assessments of divisions and common functions that include a risk map, risk management responses, responsible persons and schedules are reviewed regularly by the management of the respective division or common function.

Risks and risk management responses are reported in accordance with Kesko’s reporting responsibilities. The divisions and the common functions report on risks and changes in risks to the Group's risk management function. Risks are discussed by the risk management steering group, which includes representatives of the divisions and the common functions. On that basis, the Group’s risk management function prepares the Group’s risk report, which is reviewed by the Governance, Risk and Compliance (GRC) steering group, after which the CFO presents the risk report to the Group Management Board.

The Group's risk map, the most significant risks and uncertainties, as well as material changes in and responses to them are reported to the Kesko Board's Audit Committee in connection with reviewing the interim reports, the half year financial report and the financial statements. The Audit Committee also evaluates the efficiency of Kesko’s risk management system. The Chairman of the Audit Committee reports on risk management to the Board of Directors as part of the Audit Committee Report.

Kesko's Board discusses Kesko Group’s most significant risks and uncertainties. The Board reports on the most significant risks and uncertainties to the market in the financial statements and on material changes in them in the half year financial report and the interim reports.

Arranging insurance cover is part of Kesko's risk management

Arranging insurance cover is part of Kesko's risk management and it is guided by the insurance principles confirmed by Kesko's Board of Directors. The need for insurance cover is assessed taking account of Kesko's risk capacity and appetite. The risks that have a significant impact on Kesko's profit and liquidity are insured, whereas the need for insuring other risks is assessed on a risk basis. The purpose of insurance is to act as a means of balancing profit in case of unexpected damage. Risks can be knowingly left uninsured, at the Group's own risk, if this is sensible and cost-effective on the basis of risk assessment. The Group's risk management function is responsible for the Group-level insurance programmes, related guidelines, their competitive tendering and brokerage services.

Risk management model and responsibilities

Kesko's Board of Directors confirms the Group's risk management policy and reviews the Group's most significant risks and uncertainties in its meetings.

The President and CEO manages Kesko Group's operations in accordance with the instructions and orders given by the Board of Directors and reports to the Board of Directors on the developments in the Company's business and financial situations. In risk management, the President and CEO is assisted by the Group's risk management function, as well as the GRC (Governance, Risk & Compliance) steering group, which consists of key persons from the Group management and risk management.

The management of the business operations and common functions is responsible for the execution of risk management. The risk management unit coordinates the risk management process and is responsible for risk reporting. Jointly with the businesses and common functions, it executes risk identification, the determination of risk management responses and their implementation. Every member of Kesko personnel must know and manage the risks in their areas of responsibility.

Risk management responses in 2017

In 2017, key focus areas for risk management were the development of a cyber risk management model and the launch of related projects, and changes to insurance coverage based on Kesko’s analysed risk tolerance. Kesko’s management model and process for crises and exceptional situations were updated to correspond to changes in the organisation. The new management model and process were tested in a crisis exercise towards the end of the year. In corporate security, the cost-efficiency of security technology and services was improved through concentration of purchases. A positive trend continued in terms of damage and there were no major individual instances of damage.

Focus areas for risk management in 2018

Focus areas for risk management include the implementation of the cyber risk management development project, improving continuity management, and finalising the changes to insurance coverage initiated in 2017. The management of regulatory risks will be improved by developing Kesko’s compliance function with Group Legal Affairs. The development and assurance of the effectiveness of actions related to risk reduction and determination will continue. Measures to improve the cost-efficiency of security technology and services will continue through concentration of purchases in all operating countries.
