Risks and internal control

Internal control principles

The Board of Directors of Orion has defined the Company’s principles for internal control. Management practices and management culture are based on compliance with the law and the Articles of Association, and with Orion’s values and ethical business practices. Internal control is part of normal steering and management of operations, as described in the management system, and it is supported by risk management, the audit and internal auditing. The aim of internal control is to ensure that operations are efficient and profitable, operational risks are adequately managed, laws and regulations are complied with and information is reliable. It is based on clear setting and monitoring of objectives, and effective and pragmatic risk management.

In practice, the management of each sub-unit is responsible for its internal control, and each business unit or function organises internal control in its own unit or organisation in accordance with the principles in the policies and guidelines set at Group level. Key guidelines are included in the Group’s Corporate Governance Manual.

Risk management in the Orion Group

Risk management constitutes a significant part of the Orion Group’s corporate governance and is an integral part of the Company’s responsibility structure, operational control principles, and business operations. The aim is to identify, measure and manage, by all applicable means, the risks that might threaten the Company’s operations and the achievement of the objectives set for the Company, as well as to improve the ability to acknowledge known risks that cannot be completely eliminated.

Risk management is not a separate function but embedded as a natural and normal process within day-to-day business and management. Overall risk management processes, practical actions and the definition of responsibilities are developed by means of regular risk identification approaches covering the following areas:

  • strategic risks, including research and development risks as well as threats in the operational environment that may turn into business risks
  • operational risks, including sales and business risks, corporate security and information security risks as well as risks related to corporate responsibility, such as environmental and patient safety risks
  • potential risks of production and supply chain interruptions, the evaluation of their impacts, and continuity plans
  • financial risks, including market, credit and liquidity risks

Operational risk management also includes project-specific risk management.

Control measures

For financial steering and reporting, the Group has a reporting system intended to provide management with sufficient and timely information to plan and manage the operations. Orion has Group-wide guidelines and supporting policies for financial steering and harmonising practices. The guidelines and the Company’s extensive enterprise resource planning system ensure uniformity in processes. The Group’s finance department handles financing, Group accounting and tax affairs centrally. In addition, finance personnel in subsidiaries and the centralised Controller function ensure uniform practices in every country and business area.

Reporting and communications

Orion’s efficient and uniform processes are based on the integrated enterprise resource planning system. For steering of operations, monthly financial reports are produced presenting actual results achieved, a comparison of actual results with targets, and a forecast of future development. Orion also uses numerous indicators in target setting and follow-up in various functions to aid supervision and steering of operations in accordance with the objectives set.

Follow-up and auditing

The Audit Committee of the Board of Directors evaluates the effectiveness of the Company’s internal control and is responsible for evaluating the effectiveness of the internal reporting process. The external audit of the Group companies is carried out in accordance with the applicable laws and the Articles of Association.

The objective of the statutory audit is to verify that the financial statements and the report of the Board of Directors give a fair and adequate presentation of the results of the operations and the financial position of the Group. The audit also includes auditing of the Company’s accounting and administration. The designated auditor of the parent company's auditor co-ordinates the audit of the subsidiaries of the Group in co-operation with the President and CEO and the Internal Audit of the Group.

For the purpose of the supervision and steering of operations, the Group has an internal audit function that is administratively subordinate to the President and CEO of the parent company and, in its work, reports to the Audit Committee. The central task of the internal audit is to examine and evaluate the effectiveness and credibility of the internal control and risk management of the companies and units belonging to the Group.