This policy describes the purpose and guidelines of Kesko Group’s (“Kesko”) risk management, as well as the related steering model and responsibilities.
Risk management is also described in Kesko’s information security, data protection, and treasury policies.
The risk management policy is based on the international COSO ERM framework and the international SFS-ISO 31000 standard (Risk management – Principles and Guidelines), and on the Corporate Governance Code issued by the Finnish Securities Market Association. Risk management, internal control, compliance programmes, the K Code of Conduct, and Kesko’s values are an integral part of corporate governance at Kesko.
Risk management supports the achievement of Kesko’s goals and the implementation of its strategy. The goal of risk management is for Kesko to have the following in place:
Risk management involves systematic operations to ensure comprehensive and relevant risk identification, assessment, management and monitoring across the Group. It is an integral part of Kesko’s strategy process, decision-making, day-to-day management and operations, as well as its control and reporting procedures.
Kesko Group applies a business-oriented and comprehensive approach to risk assessment and management. This means that key risks are systematically identified, assessed, managed, monitored and reported as part of business operations at the Group, division and function levels in all operating countries.
Kesko’s risk management is also part of risk management in the retail value chain, and is implemented in cooperation with K-retailers, suppliers and service providers.
The functionality and effectiveness of risk management is assessed by means of annual self-evaluations.
Risk management terminology
Risk refers to an event or circumstance that can hinder Kesko’s achievement of goals or prevent Kesko from achieving its goals, or because of which business opportunities can be left unexploited. A risk always involves uncertainty about the extent of its impacts or the time of its materialisation.
At Kesko, risks are divided into:
Risk appetite refers to the extent of risk that Kesko is prepared to take at any given time in its pursuit of its goals.
Risk-bearing capacity refers to the amount of financial resources (e.g. result, cash flow, equity ratio) against which risks can be taken.
The purpose of the risk management steering model is to ensure that Kesko’s risk management covers all key risk areas, and that the comprehensive view of Kesko’s risks is accurate. Its purpose is also to ensure the analysis and distribution of material risk information between e.g. common operations and divisions, as well as ensuring the progress of risk management measures across organisational boundaries. The divisions are responsible for the management of business risks related to their own operations. The management of risks that exceed divisional boundaries is based on risk area-specific assessments that produce information for the divisions and to support Group-level decisions.
Kesko’s Board of Directors guides the Group’s risk appetite, confirms the risk management policy, and processes the Group’s most significant risks and uncertainties at its meetings.
The President and CEO is in charge of Kesko Group’s risk management. In this capacity, the President and CEO is supported by the CFO and Group’s risk management function, as well as its Risk Management Steering Group, which reviews current matters related to risk management and prepares a draft of the Group’s risk management report.
Responsibility for the implementation of risk management lies with the management of business operations and common operations. The risk management unit coordinates the risk management process and is responsible for risk reporting, as well as identifying risks and determining management measures in cooperation with business operations and common operations. Each Kesko employee must know and manage the risks within their area of responsibility.
This policy covers the operations of Kesko companies in all operating countries. Kesko’s personnel must comply with the policy. Kesko’s divisions and units are responsible for implementing the policy and for ensuring sufficient resources in their operations. Kesko’s risk management and corporate security function is responsible for maintaining this policy, which is approved by Kesko’s Board of Directors.
Approved by Kesko’s Board of Directors on 17 December 2020. Enters into force on 1 January 2021.
Replaces the risk management policy approved by Kesko’s Board of Directors on 1 February 2017.