Kesko's Risk Management Policy

This policy describes the purpose and guidelines of the Kesko Group’s (“Kesko”) risk management policy, as well as the related steering model and responsibilities.

Risk management is also described in Kesko’s information security, data protection and financing policies.

The risk management policy is based on the international COSO ERM framework and the international SFS-ISO 31000 standard (Risk management – Principles and Guidelines), and on the Corporate Governance Code issued by the Securities Market Association. Risk management, internal control, compliance programs, the K Code of Conduct and Kesko’s values are an integral part of corporate governance at Kesko.

Objectives of risk management

Key objectives of risk management at Kesko:

• Support Board of Directors, Audit Committee and the CEO in their risk management and governance responsibilities.
• Support Group Management Board in identification of risks related to the Strategic objectives.
• Ensure the understanding of Group’s material risks and provide group management with high quality and timely risk information relevant to decision-making and risk mitigation.
• Support business in achieving agreed targets within acceptable risk levels.
• Ensure business operations resilience by integrating continuity and risk management processes.

Risk management at Kesko

Risk management involves systematic processes to ensure comprehensive and relevant risk identification, assessment, management and monitoring across the Group. It is an integral part of Kesko’s strategy process, decision-making, day-to-day management and operations, and its control and reporting procedures.

At Kesko, risks are assessed and managed comprehensively in a business-oriented manner. This means that key risks are identified, assessed, managed, monitored and reported systematically as part of business operations at the Group, division and function levels in all countries of operation.

Kesko’s risk management is also part of risk management in the retail value chain and is implemented in cooperation with K-retailers, suppliers and service providers.

The functionality and effectiveness of risk management are assessed through annual self-evaluations.

Risk classification and time dimensions of risk assessment

In the Kesko Group, risks are classified into strategic, operational and financial risks.

Strategic risks at Kesko Group are identified and assessed as part of the strategy process. The likelihood and impact of strategic risks is assessed not only for the strategy period but also in the medium term (3-5 years) and long term (over 5 years).

The operational and financial risks related to achieving strategic targets are assessed in the short term (1-2 years), using loss scenarios, simulation and stress testing.

New or unforeseen emerging risks are systematically identified and evaluated in environment analysis and periodic risk assessments.

Risk appetite

Kesko’s risk appetite is driven by strategy, vision, values, risk tolerance and risk-bearing capacity. Risk tolerance and risk-bearing capacity are assessed and tested regularly based on selected key financial figures and indicators and loss scenarios.

Kesko’s risk appetite is divided into three categories depending on the risk assessed. Risk appetite is considered low in cases where it does not involve significant financial or business opportunities (e.g., risks related to personnel and customer safety). Risk appetite is considered moderate with risks where the Group can optimise the cost-efficiency of risk management (e.g., property risk and business disruption risks). High risk appetite is limited to risks that also involve significant opportunities. Risk appetite is also materially impacted by the likelihood of realisation and related financial impacts.

Risk management steering model and responsibilities

The purpose of the risk management steering model is to ensure that Kesko’s risk management covers all key risk areas and that the comprehensive view of Kesko’s risks is accurate. Its purpose is also to ensure the analysis and distribution of material risk information between common functions and divisions, for example, and ensure the progress of risk management measures across organisational boundaries. The divisions are responsible for the managing business risks related to their operations. The management of risks that exceed divisional boundaries is based on risk area-specific assessments that produce information for the divisions and support Group-level decisions.

Kesko’s Board of Directors guides the Group’s risk appetite, confirms the risk management policy, and processes the Group’s most significant risks and uncertainties at its meetings.

The President and CEO is in charge of Kesko Group’s risk management. In this capacity, the President and CEO is supported by the CFO, CRO and Group’s risk management function, as well as its Risk Management Steering Group, which reviews current matters related to risk management and prepares a draft of the Group’s risk management report.

Responsibility for the implementation of risk management lies with the management of business operations and common operations. The risk management unit coordinates the risk management process and is responsible for risk reporting, as well as identifying risks and determining management measures in cooperation with business operations and common operations. Each Kesko employee must know and manage the risks within their area of responsibility.

This policy covers the operations of Kesko companies in all operating countries. Kesko’s personnel must comply with the policy. Kesko’s divisions and units are responsible for implementing the policy and for ensuring sufficient resources in their operations. Kesko’s risk management and corporate security function is responsible for maintaining this policy, which is approved by Kesko’s Board of Directors.

Enforcement