Risk management framework and objectives
Kesko’s risk management framework is based on the international COSO ERM framework and the international SFS-ISO 31000 standard, and on the Corporate Governance Code issued by the Securities Market Association.
Key objectives of risk management at Kesko:
Risk management policy
Risk management in Kesko Group is guided by the risk management policy approved by Kesko's Board of Directors. The policy defines the objectives and principles, steering model, responsibilities and practices of risk management in Kesko Group.
Risk management governance model
Kesko’s Board of Directors guides the Group’s risk appetite, confirms the risk management policy, and processes the Group’s most significant risks and uncertainties at its meetings.
The President and CEO is in charge of Kesko Group’s risk management. In this capacity, the President and CEO is supported by the CFO, the CRO and the Group’s risk management function, as well as its Risk Management Steering Group, which reviews current matters related to risk management and prepares a draft of the Group’s risk management report.
Responsibility for the implementation of risk management lies with the management of business operations and common operations. The risk management unit coordinates the risk management process and is responsible for risk reporting, as well as identifying risks and determining management measures in cooperation with business operations and common operations. Each Kesko employee must know and manage the risks within their area of responsibility.
The purpose of the integrated risk management model is to ensure that Kesko’s risk management covers all key risk areas and that the comprehensive view of Kesko’s risks is accurate. Its purpose is also to ensure the analysis and distribution of material risk information between common functions and divisions, for example, and to ensure the progress of risk management measures across organisational boundaries. The divisions are responsible for managing the business risks related to their operations. The management of risks that exceed divisional boundaries is based on risk area-specific assessments that produce information for the divisions and support Group-level decisions.
Risk classification and time dimensions of risk assessment
Strategic risks and opportunities at Kesko Group are identified and assessed as part of the strategy process. The likelihood and impact of strategic risks are assessed not only for the strategy period but also in the medium term (3-5 years) and long term (over 5 years).
The operational and financial risks related to achieving strategic targets are assessed in the short term (1-2 years), using loss scenarios, simulation and stress testing.
New or unforeseen emerging risks are systematically identified and evaluated in environment analysis and periodic risk assessments.
Risk appetite
Kesko’s risk appetite is driven by strategy, vision, values, risk tolerance and risk-bearing capacity. Risk tolerance and risk-bearing capacity are assessed and tested regularly based on selected key financial figures and indicators and loss scenarios.
Kesko’s risk appetite is divided into three categories depending on the risk assessed. Risk appetite is considered low in cases where it does not involve significant financial or business opportunities (e.g., risks related to personnel and customer safety). Risk appetite is considered moderate with risks where the Group can optimise the cost-efficiency of risk management (e.g., property risk and business disruption risks). High risk appetite is limited to risks that also involve significant opportunities. Risk appetite is also materially impacted by the likelihood of risk realisation and related financial impacts.
Kesko Group insurances
Arranging insurance cover is part of Kesko's risk management and is guided by the insurance principles confirmed by Kesko's Risk Management Steering Group. The need for insurance cover is assessed taking account of Kesko's risk appetite. The risks that have a significant impact on Kesko's profit and liquidity are insured, whereas the need for insuring other risks is assessed on a risk basis. The purpose of insurance is to act as a means of balancing profit in the event of unexpected damage. Risks can be knowingly left uninsured, at Kesko's own risk, if this is sensible and cost-effective on the basis of a risk assessment. The Group's risk management function is responsible for the Group-level insurance programs, related guidelines, their competitive tendering and insurance broker services.