Risk management principles
VMP’s risk management principles define the key principles and objectives of the group’s risk management. The risk management principles are based on the Finnish Corporate Governance Code for Listed Companies (2015). The objective of risk management is to ensure that the group’s targets are reached as well as the continuity of operations.
VMP’s risk management is part of the group’s ERP and is thus an integral part of the group’s management system. Risk management is carried out as a systematic, predictive and comprehensive process and it includes all group operations while taking into account all risk areas.
The planning and strategy process needs to include identifying risks that threaten targets and defining measures for managing them. VMP Group’s risk management consists of a risk management target state, a risk management process and its implementation, monitoring and reporting. Risk management needs to be developed continuously as part of VMP Group’s operations.
Risk readiness and risk tolerance
VMP Group may consciously take risks that can be managed and have reasonable effects upon their possible realization. Risk-taking should be based on the predictive identification and assessment of possible effects as well as the identification and comparison of benefits and disadvantages. Risk-taking shall not jeopardize the group’s targets or continuity in the long or short term.
Risk management process
VMP Group carries out risk management continuously and systematically according to a schedule-based process. The risk management process ensures that the risks threatening the group are identified, assessed and managed in a predictive way and that risk management is monitored. VMP Group’s risk management process includes the following stages, among others:
- Identifying and mapping risks
- Assessing risks
- Defining and implementing the management processes for identified risks
- Monitoring and reporting risks
VMP Group’s senior operative management and Board of Directors are in charge of monitoring the implementation of the risk management process.
Roles and responsibilities
Under the Finnish Limited Liability Companies Act, the duty of VMP’s Board of Directors is to see to the governance of the Company and ensure the appropriate organization of the Company’s operations. The Board of Directors is also tasked with monitoring and assessing the efficiency of the Company’s internal supervision and risk management system. The Board of Directors approves the principles of the Company’s internal supervision and risk management principles and their related changes and addresses significant risks and uncertainty factors related to the Company’s operations.
VMP’s CEO is in charge of creating the risk management principles, with the support of the Group’s management team. The CEO is responsible for overseeing the systematic and appropriate implementation of risk management in the group. The CEO reports to VMP Group’s Board of Directors on risk management.
The coordinator of risk management is in charge of maintaining and updating the group’s risk register and for risk reporting after risk assessments. The coordinator of risk management reports to the group’s CEO and management team.
Business functions, business units and franchise entrepreneurs are responsible for the risk management of their own area of responsibility by identifying and assessing the risks for their area of responsibility and defining risk management measures, which shall be monitored systematically.
Individual employees are responsible for actively identifying risks in their work as well as systematically considering risk management in their decision-making and operations. Employees must notify their superiors of any threats, risks, problems, shortcomings and suggestions for improvement immediately.
An external service provider for an internal evaluation objectively assesses the appropriateness, sufficiency an efficiency of VMP Group’s risk management process and provides development suggestions. An external service provider for an internal evaluation reports to the group’s executive operational management and the Board of Directors on risk management.
The group’s risks include business, operational and economic risks as well as risks of damage.
Business risks may include business development risks, business environment risks, market risks and legal risks.
Operative risks may include personnel risks, management risks, process risks, service risks, information security risks, growth-related risks and risks related to partners in cooperation.
Economic risks may include financing risks and credit risks.
Risks of damage may include personnel risks, risks of accident, facility security risks, occupational health risks and accidents.
Risk management is part of internal supervision. Internal supervision includes measures and procedures for ensuring that VMP’s goals and targets are achieved, the group’s resources used economically and efficiently, operational risks managed appropriately and that financial and other information is reliable and correct. In addition, internal supervision seeks to ensure operational continuity and that internal policies and processes and the demands, regulations and laws set by the operating environment are adhered to. Efficient internal supervision and risk management advance profitability and reaching targets and they are an integral part of the group’s good governance code.