/ Investors / Corporate governance / Internal control, internal audit and risk management

Internal control, internal audit and risk management

Profitable business requires that operations are monitored continuously and effectively. Metsä Group’s internal control covers all of Metsä Group’s business areas and Group Services. Internal control produces transparency in the efficiency and appropriateness of internal operations as well as the reliability of financial reporting and compliance with valid laws and regulations. The functionality of internal control, on the other hand, is evaluated by Metsä Group's internal audit. Internal control is carried out throughout the organisation. Internal control methods include internal guidelines and reporting systems that support control.

Metsä Group's operative management, Risk Management Director and internal audit are in charge of composing the principles mentioned above and the Board of Directors for ultimately ratifying them.

Internal control

In Metsä Group, internal control covers the control of financial and business operations from a risk-oriented perspective. Internal control is implemented by the Board of Directors, the Audit Committee and the executive management, as well as the entire personnel. Internal control refers to those management activities that seek to ensure:

  • Metsä Group’s corporate social responsibility performance;
  • Achievement of the objectives set for Metsä Group and the economical, appropriate and efficient use of resources;'
  • Appropriate management of operational risks;
  • Reliable and correct financial and other management information;
  • Adherence to external regulations and internal policies;
  • Good practices in relations with external stakeholders (e.g. suppliers, customers, social actors);
  • Sufficient security of people, operations, information and property;
  • Arrangement of adequate and suitable manual and IT systems to support operations.

Internal control is divided into: (i) proactive control, such as defining Metsä Group’s values and general operational and business principles, as well as its goals and strategy; (ii) daily control, such as general control and follow-up with operational systems and work guidelines, related to operational steering; and (iii) subsequent control, such as different management evaluations and inspections, comparisons and verifications, the aim of which is to ensure that the goals are met and that the agreed operational and control principles are followed. Metsä Group’s corporate culture, governance and the approach to control together create the basis for the entire process of internal control.

Internal monitoring of the financial reporting process, credit control and authorisation rights

The financial organisations of the business areas and the Group are responsible for financial reporting. The units and business areas report their financial figures each month. Business area controllers check the monthly performance of units in each business area and report them further to the Group’s financial administration. Business area profitability development and business risks and opportunities are discussed monthly at the Metsä Group Executive Management Team meetings attended by the senior management of Metsä Group and of each business area, and at financial management team meetings attended by the Group CFO and director of finance and the CFO of each business area, among others. The results are reported to the Board of Directors of Metsäliitto Cooperative each month. The results of the business areas are additionally reported to the Boards of Directors of their parent companies each month. Metsä Group’s Controllers’ Manual describes the reporting and control regulations and the reporting procedure in detail.

Credit control in Metsä Group is carried out by each business area in accordance with the Group credit control policy and the business area-specific credit control policy based on it. Credit control is carried out by the Group’s central credit control organisation in cooperation with the management of the business areas.

Authorisation rights concerning expenses, significant contracts and investments have been specified stepwise for different organisational levels, according to the decision-making order confirmed by the Board and the authority separately granted by the President and CEO and other management personnel.

Investment approval and follow-up are carried out by the business areas and the Group’s financial administration according to the decision-making order and investment policy approved by the Board of Directors. The most significant investments are prepared in cooperation with the Group’s technology unit and, when the decision-making order so requires, they are separately reviewed by the Group’s Executive Management Team and approved by the parent company’s Board of Directors or the Board of Directors of the business area’s parent company. The technology unit ensures that the final reporting and further monitoring of these projects are carried out in accordance with the investment policy.

Internal audit

Internal audit is an independent and objective assessment, assurance and consulting activity designed to add value to Metsä Group and improve its operations. Internal audit assists the Board in its supervisory role and supports Metsä Group and its management in achieving the company’s objectives by providing a systematic approach to assessing and improving the effectiveness of risk management, control, governance and management processes.

Audit work is carried out in compliance with the internal audit guideline ratified by the Audit Committee. The internal audit function reports to the Audit Committee on operations and to the President and CEO on administration.

Internal audit draws up a six-monthly action plan which is approved by the Audit Committee. The audit work is risk-based and focuses on the Group’s activities and units that are considered to be key to achieving the objectives set for the operations. Internal audit, in cooperation with the audit function, ensures that the plans are coordinated to allow adequate coverage of audit work and to avoid duplication of work. Similarly, cooperation is carried out with other assurance functions within the Group, such as risk management, internal controls and compliance.

An audit report on the results of the audit is shared with the Group’s President and CEO, the CFO, the management of the audited entity and the persons in charge. The audit reports are provided to the auditor. Internal audit provides the Audit Committee with a six-monthly summary report on the audits carried out, the main findings and recommendations, and the management action plans and their implementation. The Chair of the Audit Committee and the Audit Director also meet regularly without the presence of management. An annual summary report of the internal audit activities is prepared for the Board of Directors.

Risk management

Risk management is an essential part of Metsä Group’s standard business planning and leadership. Risk management is part of daily decision-making, operational follow-up and internal control, and it promotes the objectives set by the company and ensures that they are met.

Linking business management efficiently with risk management is based on the operational principles confirmed by Metsäliitto Cooperative’s Board of Directors; the aim of the principles is to maintain risk management as a process that is well defined, understandable and sufficiently practical. Risks and their development are reported on a regular basis to the Board’s Audit Committee. Centralised risk management also takes care of the coordination and competitive bidding for Metsä Group’s insurance coverage.

The most crucial objective of risk management is to identify and evaluate those risks, threats and opportunities which may have an impact on the implementation of the strategy and on how short-term and long-term objectives are met. A separate risk review is also included in the most significant investment proposals.

The business areas regularly evaluate and monitor the risk environment and related changes as part of their annual and strategic planning. The risks identified and their means of control are reported to the company’s management, Audit Committee and the Board of Directors at least twice a year. Business risks also involve opportunities, and they can be utilized within the boundaries of the agreed risk limits. Conscious risk-taking decisions must always be based on an adequate evaluation of the risk-bearing capacity and the profit/loss potential, among other things.

Risk management responsibilities

Risk management responsibilities in Metsä Group are divided as follows:

  • The Board of Directors is responsible for Metsä Group’s risk management and confirms the company’s risk management policy.
  • The Audit Committee evaluates the adequacy of Metsä Group’s risk management and the essential risk areas and provides the Board of Directors with related proposals.
  • The President and CEO and the members of the Executive Management Team are responsible for the specification and adoption of the risk management principles. They are also responsible for ensuring that the risks are taken into account in the company’s planning processes and that risk reporting is adequate and appropriate.
  • The Group’s Risk Management Director is in charge of the development and coordination of the risk management process, the performance of risk assessment and the essential insurance decisions.
  • Business areas and services functions identify and evaluate the essential risks related to their own areas of responsibility in their planning processes, prepare for them, take necessary preventive action and report on the risks as agreed.

Risk management process

The essential elements of Metsä Group’s risk management include implementing a comprehensive corporate risk management process that supports the entire business, protecting property and ensuring business continuity, Metsä Group’s security and its continuous development, as well as crisis management and continuity and recovery plans. According to the risk management policy and principles, adequate risk management forms a necessary part of the preliminary review and implementation stages of projects which are financially or otherwise significant.

The tasks of risk management are to

  • Ensure that all identified risks with an impact on personnel, customers, products, property, information assets, corporate image, corporate responsibility and operational capacity are controlled according to applicable laws and on the basis of best available information and financial aspects;
  • Ensure that Metsä Group’s objectives are met;
  • Fulfil the expectations of stakeholders;
  • Protect property and ensure disruption-free business continuity;
  • Optimise the profit/loss possibility ratio;
  • Ensure the management of Metsä Group’s overall risk exposure and minimise the overall risks.

The most significant risks and uncertainties that Metsä Group is aware of are described in the report of the Board of Directors.

Internal control
Internal control