Risks and internal control

Internal control principles

The Board of Directors of Orion has defined the Company’s principles for internal control in the Company. Management practices and management culture are based on compliance with the law and the Articles of Association, and with Orion’s values and ethical business practices. Internal control is part of normal steering and management of operations, as described in the management system, and it is supported by risk management, the audit and internal auditing. The aim of internal control is to ensure that operations are efficient and profitable, operational risks are adequately managed, laws and regulations are complied with and information is reliable. It is based on clear setting and monitoring of objectives, and effective and pragmatic risk management.

In practice, the management of each sub-unit is responsible for its internal control, and each business unit or function organises internal control in its own unit or organisation in accordance with the principles in the policies and guidelines set at Group level. Key guidelines are included in the Group’s Corporate Governance Manual.

Risk management in the Orion Group

Purpose and operating model of risk management

The primary purpose of risk management is to identify, measure and manage the risks that may threaten the Company’s operations and the achievement of the set goals by using the available resources.

Risk management is an integral part of the day-to-day management processes and the Corporate Governance of the Orion Group. It relates to the Company’s responsibility structures and principles of operational control. Risk management complies with the principles of good governance and the recommendations and regulations issued to listed companies.

The practical implementation, development and follow-up of the risk management process is based on the model of the three lines of defense. Roles and responsibilities are broken down by line of defense as follows:


Principles of risk management

Risks are defined as factors that threaten the achievement of the set goals. Risks are measured according to their impact and the probability of them occurring. Risk management is a continuous process and is part of the Company’s strategy process, operational planning, day-to-day decision-making and monitoring of operations. Risk management is also part of the internal control system.

In their operations, Orion Group’s business divisions and functions carry out calculated risk-taking and the decisions are based on careful evaluation and consideration, for example regarding risk-taking and related returns.

The purpose of risk management is to systematically identify and evaluate risks and to manage them cost-effectively, in order to:

  • ensure that identified risks affecting personnel, customers, products, reputation, property, intellectual property and Company performance are managed as governed by the law and otherwise justified by the Company’s best knowledge and financial circumstances
  • meet stakeholder expectations (owners, customers, personnel, partners and society)
  • ensure business continuity

Risk management is based on the Orion Group’s strategies and financial objectives. The aim is to identify, analyse and evaluate the risks threatening the implementation of the Company's strategy and the achievement of its objectives. Identified risks are responded to so that the Company can be hedged against losses, or so that opportunities related to potential risks can be utilized.

Classification of risks

A risk may be an internal or external event that jeopardizes the Company’s ability to meet its stated goals. Risks are divided into the following main groups, which can be divided into subgroups if necessary:

  1. Strategic risks
  2. Operational risks
  3. Financial risks
  4. Compliance risks

Control measures

Reporting and communications

Orion’s efficient and uniform processes are based on the integrated enterprise resource planning system. For steering of operations, monthly financial reports are produced presenting actual results achieved, a comparison of actual results with targets, and a forecast of future development. Orion also uses numerous indicators in target setting and follow-up in various functions to aid supervision and steering of operations in accordance with the objectives set.

Risks and their means of management are monitored and reported in business divisions and in different functions according to processes determined internally and based on Group level principles and guidelines. Group level risks are reported to the CEO and the Executive Management Board as part of the annual planning and separately when required.

Reporting to the Board of Directors and the Audit Committee takes place at the times described in the annual plans of the Audit Committee and whenever the Board of Directors, the Audit Committee, CEO or internal audit sees specific reasons.

Assessment and review of the risk management

Orion Corporation’s Board of Directors is responsible for approving the risk management policy and supervises that the management acts accordingly. It is the Board of Directors’ responsibility to monitor risk management and internal control in accordance with good governance.

The Board of Directors has delegated to the Audit Committee the authority to evaluate the business risks and their reporting, as well as the coverage of risk management. If necessary, the Audit Committee will refer the matters to the Board of Directors for evaluation and decision. The Audit Committee addresses issues related to risk management in accordance with the timetable of its charter and whenever the Board of Directors, the Audit Committee, the CEO of Orion Corporation or internal audit sees a particular reason to do so.

The President and CEO is responsible for risk management, the resources it requires and reporting to the Board of Directors and the Audit Committee in accordance with this policy, the established operating model and other specific requirements and appropriate practices. The CEO delegates the practical implementation of risk management, in accordance with the Company’s organizational structure, to senior management representatives who are responsible for the operations in which the risks arise.

For the purpose of the supervision and steering of operations, the Group has an internal audit function that is administratively subordinate to the President and CEO of the parent company and reports in its work to the Audit Committee. Internal audit is responsible for regular independent assessment of the adequacy of risk management and the functionality of the risk management process. The plan for carrying out this assessment is reviewed by the Audit Committee and approved by the Board of Directors as part of the annual plan of the internal audit.

Risk management is the responsibility of every Orion employee and must be a part of the normal daily work at all levels of the organisation, even though only the Group’s most significant risks are monitored by the Executive Management Board and the Board of Directors. Risk owners are responsible for dealing with the risks of their business areas on a regular basis. It is also the responsibility of the risk owners to appoint a responsible person or persons who in practice are responsible for the management and reporting of the risks. These persons are responsible for their own areas in relation to the risk management process and the proper handling of risks.

In addition to the Company's own internal risk management, the Company's risks are also assessed by the statutory audit, which is responsible for verifying that the financial statements and the report of the Board of Directors provide accurate and sufficient information on the Group's results and financial position. In addition, the audit covers the Company's accounting and administration. The auditor of the parent company coordinates the auditing of the Group's subsidiaries together with the CEO and internal audit.