(The risk management policy approved by Kesko Corporation’s Board of Directors on 1 February 2017)
This policy describes the objectives and principles, organisation, responsibilities and practices of risk management in Kesko Group. Furthermore, to support the implementation of the policy, more detailed guidelines for the various risk management areas are drawn up.
The risk management policy is based on the COSO ERM Framework, the SFS-ISO 31000 'Risk management - Principles and guidelines' standard and the Finnish Corporate Governance Code for listed companies.
Risk management, internal control, compliance programmes, the K Code of Conduct and Kesko’s values are a key element of Kesko's good corporate governance.
Risk management objectives
The objective of risk management is to ensure the implementation of Kesko’s strategy. The objective is achieved when the Group has
• the knowledge related to uncertainties, risks and opportunities concerning objectives and operations
• uniform and effective procedures for identifying, assessing and managing risks and their consequences
• risk appetite proportional to risk tolerance
• risk taking in balance with targeted benefits
• systematic risk reporting system.
Risk management principles
Risk management is a systematic process aimed to ensure a Group wide and appropriate risk identification, assessment, management and control. It is an integral part of Kesko's strategy process, decision making, day-to-day management and operation, as well as control and reporting procedures.
Kesko Group applies a business-oriented and comprehensive approach to risk assessment and management. This means that key risks are systematically identified, assessed, managed, monitored and reported as part of business operations at the Group, division and function levels in all operating countries.
Kesko's risk management is also a part of the risk management of the value chain of trade, carried out jointly with K-retailers, suppliers and service providers.
The following principles are applied to Kesko Group's risk management:
• We set our objectives taking business opportunities and risks into account.
• We take calculated and assessed risks in strategy selections, e.g. in expanding business operations, in strengthening market position, and in creating new business.
• We assess risks in terms of the size and probability of the impacts of their materialisation while taking account of financial aspects but also impacts on people, the environment and reputation.
• We avoid or reduce operational and damage/loss risks.
• We ensure safe shopping, data security and product safety for our customers.
• We create a safe working environment for employees.
• We minimise opportunities for crime or malpractice.
• We ensure the continuity of operations by safeguarding critical functions and the resources they require.
• We make preparations for the realisation of risks by crisis management, continuity and recovery plans, by training plan implementation, and by sufficient insurance coverage.
• We keep risk management costs and resources proportionate to achievable benefits.
• We provide information on risks and risk management to stakeholders in accordance with Kesko's corporate governance principles.
Risk definition and risk categories
By definition, risks are events or circumstances which can hinder or prevent the attainment of Kesko’s objectives, or due to which business opportunities can remain unexploited.
Kesko categorises risks into
• operational and
• financial risks.
Strategic risks are uncertainties related to changes in the operating environment and Kesko's ability to leverage these changes or to prepare for them. External risks are related to changes in the operating environment including, for example, the general economic situation, customers' consumption behaviour, competitors, legislation, technological development etc. Internal risks are related to, for example, the strategy choices made, changes in business operations and mergers and acquisitions. The time frame within which strategic risks and opportunities are assessed is three years, and the aim is to identify the business opportunities which can be exploited to attain the objectives by taking manageable risks, and on the other hand, to avoid those which involve unreasonably high risks. A failure to identify or exploit an opportunity is also a risk.
Operational risks are circumstances or damages which can prevent or hinder the attainment of objectives, or cause damage to people, property, business continuity, information or the environment. The aim is to avoid or reduce operational risks, provided however that the cost of controls is in a reasonable proportion to the scope of risk.
Financial risks are risks related to, for example, the availability and price of finance, changes in foreign exchange rates, investment activities, changes in production factor prices, counterparties and credit granting to customers. The management of financial risks is guided by the Group's finance policy, confirmed by Kesko's Board of Directors, as well as Kesko’s credit policy with division and company specific specifications.
Risk appetite and risk tolerance
Risk appetite is the maximum level of risk that Kesko is prepared to take at a certain time in pursuit of its objectives. Risk tolerance is the amount of financial resources (such as profit, cash flow, equity ratio) against which risk can be taken.
Kesko’s Board of Directors determines risk appetite and guides risk taking throughout the Group. Risk taking in relation to risk tolerance is monitored regularly. It is assessed especially in connection with the strategy discussion and when making decisions on business projects or capital expenditures significant for the Group. Indicators of cash flow from operating activities and the Group's solvency, for example, are used in the assessment.
The duties of Kesko's Board of Directors include ensuring the proper operation of the management system. In this role, the Board of Directors confirms the Group's risk management policy and considers the Group's most significant risks and uncertainties in its meetings.
The President and CEO manages Kesko Group's operations in accordance with the instructions and orders given by the Company’s Board of Directors and reports to the Board of Directors on the developments in the Company's business and financial situation. In risk management, the President and CEO is assisted by the Group's risk management function, as well as the GRC steering group (Governance, Risk & Compliance), which consists of key persons in the Group management and risk management. The Risk Management Steering Group, which includes the divisions’ representatives, especially monitors the implementation of risk related actions.
The managements of the business operations and the common functions are responsible for the execution of risk management. The risk management unit coordinates the risk management process and is responsible for risk reporting, and performs risk identification and management response determination jointly with the common functions. Every member of the Kesko personnel must know and manage the risks of their areas of responsibility.
Responsible persons appointed to the significant risks identified in risk assessment are in charge of the planning, execution and monitoring of risk management responses. The defined responses are included in operating plans and monitoring.
Risks are managed by using cost-effective and appropriate responses, which include:
• taking risks into account already when business operations and projects are planned
• reducing, sharing or transferring risks by changing operations, improving control, taking insurance or entering into agreements, for example
• removing risks by, for example, withdrawing from operations which involve too much risk
• preparing recovery plans in case a risk is realised
• risk acceptance without any special risk management responses.
Risks and management responses are reported in accordance with Kesko's reporting responsibilities. The divisions and the common functions report on risks and changes in risks to the Group's risk management function on a quarterly basis. The Group’s risk management function prepares a summary of the Group’s risks, which are considered by the GRC steering group, after which the Group’s risk map is discussed by the Group Management Board.
The Group's risk map, the most significant risks and uncertainties, as well as material changes in and responses to them are reported to the Kesko Board's Audit Committee in connection with the reviews of the interim reports and the financial statements. The Chair of the Audit Committee reports on risk management to the Board of Directors as part of the Audit Committee Report. Kesko's Board of Directors considers the most significant risks and the responses required to manage them, and assesses the efficiency and effectiveness of risk management. The most significant risks and uncertainties are reported to the market by the Board of Directors in the financial statements, and material changes in them in the interim reports.