Internal control, internal audit and risk management

Profitable business requires that operations are monitored continuously and effectively. Metsä Group’s internal control covers all of Metsä Group’s business areas and Group Services. Internal control produces
transparency in the efficiency and appropriateness of internal operations as well as the reliability of financial reporting and compliance with valid laws and regulations.  The functionality of internal control, on the other hand, is evaluated by Metsä Group's internal audit. Internal control is carried out throughout the organisation. Internal control methods include internal guidelines and reporting systems that support control.

Metsä Group's operative management, Risk Management Director and internal audit are in charge of composing the principles mentioned above and the Board of Directors for ultimately ratifying them.

Internal control

In Metsä Group, internal control covers the control of financial and business operations from a risk-oriented perspective. Internal control is implemented by the Board of Directors, the Audit Committee and the operative management, as well as the entire personnel. Internal control refers to those management activities that seek to ensure:

  • achievement of the goals and objectives set for Metsä Group
  • economical, appropriate and efficient use of resources
  • management of operational risks
  • reliable and correct financial and other management information
  • adherence to external regulations and internal policies
  • adherence to appropriate procedures related to customer relationships
  • sufficient security of operations, information and property
  • arrangement of adequate and appropriate manual and IT systems to support operations.

Internal control is divided into: (i) proactive control, such as defining Metsä Group’s values and general operational and business principles,  as well as its goals and strategy; (ii) daily control, such as general control and follow-up with operational systems and work guidelines, related to operational steering; and (iii) subsequent control, such as different management evaluations and inspections, comparisons and verifications, the aim of which is to ensure that the goals are met and that the agreed operational and control principles are followed. Metsä Group’s corporate culture, governance and the approach to control together create the basis for the entire process of internal control.

Internal monitoring of the financial reporting process, credit control and authorisation rights

The financial organisations of the business areas and the Group are responsible for financial reporting. The units and business areas report their financial figures each month. Business area controllers check the monthly performance of units in each business area and report them further to the Group’s financial administration. Business area profitability development and business risks and opportunities are discussed monthly at the Metsä Group Executive Management Team meetings attended by the senior management of Metsä Group and of each business area, and at
financial management team meetings attended by the Group CFO and director of finance and the CFO of each business area, among others. The results are reported to the Board of Directors of Metsäliitto Cooperative each month. The results of the business areas are additionally reported to the Boards of Directors of their parent companies each month. Metsä Group’s Controllers’ Manual describes the reporting and control regulations and the reporting procedure in detail.

Credit control in Metsä Group is carried out by each business area in accordance with the Group credit control policy and the business area-specific credit control policy based on it. Credit control is carried out by the Group’s central credit control organisation in cooperation with the management of the business areas.

Authorisation rights concerning expenses, significant contracts and investments have been specified stepwise for different organisational levels, according to the decision-making order confirmed by the Board and the authority separately granted by the President and CEO and other management personnel.

Investment approval and follow-up are carried out by the business areas and the Group’s financial administration according to the decision-making order and investment policy approved by the Board of Directors. The most significant investments are prepared in cooperation with the Group’s technology
unit and, when the decision-making order so requires, they are separately reviewed by the Group’s Executive Management Team and approved by the parent company’s Board of Directors or the Board of Directors of the business area’s parent company. The technology unit ensures that the final reporting and
further monitoring of these projects are carried out in accordance with the investment policy.

Internal audit

Metsä Group’s internal audit assists the Board of Directors in performing its supervisory task by assessing the level of internal audit maintained in order to attain the targets of Metsä Group’s operation. In addition, the department supports the organisation by assessing and ensuring the functioning of the business processes, risk management, and management and administration systems. In its audit work, the internal audit function complies with the internal audit guideline ratified by the Board of Directors of Metsäliitto.

The internal audit unit operates under the supervision of the Group’s President and CEO and the Audit Committee. An internal audit action plan is prepared for one calendar year at a time. The audit focuses on areas that have particular significance for the risk assessed and the Group’s objectives at the time. The action plan will be reviewed with the management semi-annually, with regard to how up to date and appropriate it is.

The extent and coordination of auditing will be ensured with regular contact and flow of information between other internal control functions and auditors. Internal audit uses, if necessary, external outsourced services as temporary additional resources or to perform assessment tasks that require special expertise. In this case, the external service providers act under the supervision of the head of the internal audit.

A report is written for each audit and distributed to the Group’s President and CEO, the senior management of the affiliated group being audited and the management of the audited function or unit. The audit reports are submitted to the auditors for information and to the parties that are considered relevant based on the content of the report. The internal audit department composes a semi-annual summary report to the Audit Committee on the audits carried out, the most significant observations and the agreed measures. In addition, the semi-annual report states the most significant changes in carrying out the audits compared to the action plan and other main duties performed by the internal audit department, as well as any changes in resources. An annual report on the activity of the internal audit shall be composed for the Board of Directors.

Risk management

Risk management is an essential part of Metsä Group’s standard business planning and leadership. Risk management is part of daily decision-making, operational follow-up and internal control, and it promotes the objectives set by the company and ensures that they are met.

Linking business management efficiently with risk management is based on the operational principles confirmed by Metsäliitto Cooperative’s Board of Directors; the aim of the principles is to maintain risk management as a process that is well defined, understandable and sufficiently practical. Risks and their development are reported on a regular basis to the Board’s Audit Committee. Centralised risk management also takes care of the coordination and competitive bidding for Metsä Group’s insurance coverage.

The most crucial objective of risk management is to identify and evaluate those risks, threats and opportunities which may have an impact on the implementation of the strategy and on how short-term and long-term objectives are met. A separate risk review is also included in the most significant investment proposals.

The business areas regularly evaluate and monitor the risk environment and related changes as part of their annual and strategic planning. The risks identified and their means of control are reported to the company’s management, Audit Committee and the Board of Directors at least twice a year. Business risks also involve opportunities, and they can be utilized within the boundaries of the agreed risk limits. Conscious risk-taking decisions must always be based on an adequate evaluation of the risk-bearing capacity and the profit/loss potential, among other things.

Risk management responsibilities

Risk management responsibilities in Metsä Group are divided as follows:

  • The Board of Directors is responsible for Metsä Group’s risk management and confirms the company’s risk management policy.
  • The Audit Committee evaluates the adequacy of Metsä Group’s risk management and the essential risk areas and provides the Board of Directors with related proposals.
  • The President and CEO and the members of the Executive Management Team are responsible for the specification and adoption of the risk management principles. They are also responsible for ensuring that the risks are taken into account in the company’s planning processes and that risk reporting is adequate and appropriate.
  • The Group’s Risk Management Director is in charge of the development and coordination of the risk management process, the performance of risk assessment and the essential insurance decisions.
  • Business areas and services functions identify and evaluate the essential risks related to their own areas of responsibility in their planning processes, prepare for them, take necessary preventive action and report on the risks as agreed.

Risk management process

The essential elements of Metsä Group’s risk management include implementing a comprehensive corporate risk management process that supports the entire business, protecting property and ensuring business continuity, Metsä Group’s security and its continuous development, as well as crisis management and continuity and recovery plans. According to the risk management policy and principles, adequate risk management forms a necessary part of the preliminary review and implementation stages of projects which are financially or otherwise significant.

The tasks of risk management are to

  • ensure that all identified risks with an impact on personnel, customers, products, property, information assets, corporate image, corporate responsibility and operational capacity are controlled according to applicable laws and on the basis of best available information and financial aspects;
  • ensure that Metsä Group’s objectives are met;
  • fulfil the expectations of stakeholders;
  • protect property and ensure disruption-free business continuity;
  • optimise the profit/loss possibility ratio;
  • ensure the management of Metsä Group’s overall risk exposure and minimise the overall risks.

The most significant risks and uncertainties that Metsä Group is aware of are described in the report of the Board of Directors.

See also