Main features of internal control and risk management processes related to financial reporting processes
The purpose of risk management is to secure positive development of earnings of the Company and the continuation of the business by implementing risk management cost-effectively and systematically throughout the different businesses.
Risk management is part of the Company's strategic and operative planning, daily decisionmaking process and internal control system. Business objectives, risks and risk management operations are combined through risk management as one chain of events.
Main principles of organizing risk management
Company adheres to the risk management policy approved by the Board.
Risk management contains all actions, which are connected to setting up targets, identification of risks, measurement, review, handling, reporting, follow-up, monitoring and reacting to risks.
The aim of risk management of the Company is to:
- systematically and thoroughly identify and assess all major risks, which threaten the achievement of objectives, including risks related to business operations, property, agreements, competence, currencies, financing and strategy;
- optimize business opportunities and secure continuation of business;
- recognize and identify uncertainties and subsequently develop the prediction of risks and measures needed to manage risks;
- take only calculated and assessed risks with respect to e.g. expanding the business, increasing market share and creating new businesses;
- avoid or minimize liability risks;
- ensure the safety of products, solutions and services;
- establish a safe working environment for the employees;
- minimize possibilities for unhealthy occurrences, crimes or misconduct by operating procedures, control and supervision;
- inform interest groups of risks and risk management; and
- be cost-effective in risk management.
The aim of risk management is not to:
- exclude all risks at their entirety;
- adopt unnecessary control and management procedures; or
- take bureaucratic processes and procedures into use.
Main principles of the risk management process
In connection with the strategy process and annual planning the CEO of the Company and Presidents of the Group's business segments review business risks which could endanger the achievement of strategic or profit targets. The businesses produce risk assessment reports for each business to support the strategy process. Strategic and operative risks are monitored through monthly reporting by businesses in the Segment Boards (see above section Business segments). Businesses must produce assessments of risks in their designated areas of responsibilities and provide action plans to manage risks as well as to report to the Segment Boards on measures taken including the stage and effectiveness of such measures.
The Company's CEO reports the identified risks concerning the Group as well as all planned and effected measures to control such risks to the Company's Board of Directors.
General description of internal control and operational procedures
Internal control is a process applied by the Board of Directors, management and all levels of personnel in the Group to ensure that management has reasonable assurance that
- operations are effective, efficient and aligned with strategy;
- financial reporting and management information is reliable, complete and timely made; and
- the Group is in compliance with applicable laws and regulations as well as the Company's internal policies and ethical values including sustainability.
The first category addresses the basic business objectives, including performance and profitability goals, strategy, implementation of objectives and actions and safeguarding resources. The second category relates to the preparation of reliable published financial statements, including interim reports and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly. The third deals with complying with those laws and regulations to which the Company is subject to.
Internal control framework of the company
Picture 1 Governance and internal control framework
EB's internal control framework consists of:
- the internal control, risk management and corporate governance policies and principles set by the Company's Board of Directors;
- management overseeing the implementation and application of the policies and principles;
- finance function and business controllers monitoring the efficiency and effectiveness of the operations and reliability of the financial and management reporting;
- enterprise risk management process identifying, assessing and mitigating risks threatening the realization of the Company's objectives;
- compliance procedures making sure that all applicable laws, regulations, internal policies and ethical values (including sustainability) are adhered to;
- effective control environment at all organisational levels including control activities tailored for defined processes and creating group minimum requirements for business and geographical areas;
- shared ethical values and strong internal control culture among all employees, and
- internal audit assignments reviewing the effectiveness of the internal controls as needed.
Picture 2 Key areas of the EB internal control framework in 2013.
Risks and controls in core business processes
Risk management procedures are in place for business processes in the form of defined control points:
- Relevant process risks are identified;
- Common control points/group minimum requirement control points are identified;
- Common control points are implemented in business processes;
- Additional control points can be determined as needed at business or functional levels.
Control activities are the policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the Company's objectives. Control activities are set throughout the organization, at all levels and in all functions. They include various range of activities including but not limited to approvals, authorizations, verifications, reviews of operating performance, security of assets and segregation of duties.
Internal controls over financial reporting
The Group's external financial reporting process, internal control and risk management systems are briefly described in this section. The main focus is on financial accounting and related controls.
Financial reporting organization
The Group's financial administration is organized so that both Business Segments have their own operative financial organization, and the financial management as well as central expert functions regarding accounting, taxation, financing, and asset management are centralized in the Group's parent company.
The financial management of the Business Segments is responsible for organizing the accounting, money transactions and other daily financial operations of the companies belonging to the segment as well as organizing the internal reporting that supports the segments' business. The financial management of the business segment controls and supervises the operation of the financial administration organizations of the segment companies, and it reports primarily to the President of the business segment but matrix-wise also to the CFO of the Group.
The tasks of the Group's parent company's financial administration consist of, inter alia, monthly consolidation of the Group entity, preparation of interim reports and consolidated financial statements, management and investment of monetary assets of the Group, management of liabilities, protection against exchange risk, and transfer pricing. The finance function of the Group's parent company implements operative supervision under the Group's CFO who reports any supervisory findings to the Finance and Audit Committee. The Group's parent company's financial administration and financial management of the Wireless Business Segment is located in Finland and the financial management of the Automotive Business Segment in Germany. The Group's subsidiaries in China, Germany and the USA have own accounting departments. Accounting functions in smaller subsidiaries in France and Japan are organized in external accounting offices or, as in Austria, in the accounting department of the German subsidiary. The tasks and responsibilities of the accounting function of the parent company and each subsidiary are included in the job descriptions of the teams and employees.
Financial reporting systems
Consolidated financial statements are prepared by using the chosen consolidation tool. The accounting of the Group's subsidiaries is done by using the local accounting systems from which the actual figures are reported either manually or by automatic transfer to the group consolidation system.
The accounting system in use includes general ledger accounting, accounts payables and accounts receivables. Current assets and payroll accounting is organized through various programs or purchased as an outsourced service. Purchase invoices are circulated through electronic invoice processing system. The same bank application is used in both Finland and Germany, the USA has a similar bank application.
Global forecasts and budgets are prepared by using the same forecast and reporting program maintained by the Group parent company. In some business segment companies, separate programs supporting internal reporting are in use.
The Group's internal control mechanisms are based on policies, instructions, limited process descriptions, authorization matrix, financial reporting review meetings, and segregation of key accounting duties.
Compliance procedures are in place at all levels of the organization to ensure that that all applicable laws, regulations, internal policies and ethical values including sustainability are adhered to. Group functions and businesses are responsible for following up developments in legislation and regulations in their respective areas and communicating them to the organization. Businesses and corporate function directors are responsible for setting up adequate compliance controls and compliance related training in their units.
Roles and Responsibilities Regarding Risk Management and Internal Control
The key roles and responsibilities regarding the Group's internal control and risk management are defined as follows:
Board of Directors
The Board of Directors is ultimately responsible for the administration and the proper organisation of the operations of the company. According to good corporate governance, the Board also ensures that the company has duly endorsed the corporate values applied to its operations. The Board approves the internal control, risk management and corporate governance policies. The Board establishes the risk-taking level and risk bearing capacity of the Company and re-evaluates them on a regular basis as part of the strategy and goal setting of the Company. The Board reports to the shareholders of the Company.
Audit and Financial Committee
Audit and Financial Committee is responsible for the following internal control related duties
- to monitor the reporting process of financial statements;
- to supervise the financial reporting process;
- to monitor the efficiency of the company's internal control, internal audit, if applicable, and risk management systems;
- to review the description of the main features of the internal control and risk management systems pertaining to the financial reporting process, which is included in the company's corporate governance statement; and
- to monitor the statutory audit of the financial statements and consolidated financial statements.
More detailed descriptions how Audit and Financial Committee is fulfilling its monitoring role are defined in Committee's annual plan. The Audit and Financial Committee reports to the Board of Directors of the Company.
Chief Executive Officer
CEO is in charge of the day-to-day management of the Company in accordance with the instructions and orders given by the Board. CEO sets the ground of the internal control environment by providing leadership and direction to senior managers and reviewing the way they are controlling the business. CEO is in charge of the risk management process of the Group and its continuous development, allocation of resources to the work, review of risk management policies as well as defining the principles of operation and overall process. CEO reports to the Board on risk management as part of the monthly reporting. The CEO and the management of the Group functions and the CEO's of the business segments, which operate under CEO, are responsible for the management of risks endangering the fulfillment of objectives set to the Company.
Chief Financial Officer
CFO ensures and controls that the Group's accounting and financial reporting practices comply with the law and that the financial reporting is reliable.
Chief Legal Officer
Chief Legal Officer ensures that the Group's corporate governance practices comply with the law and that legal matters of the Group are handled appropriately, in particular the contractual risks relating to business operations.
Segment Boards and management of business segments are responsible for internal control implementation in the business segments. More specific internal control policies and procedures are established within each segment within the principles set by the Group functions. Additionally, the management of business segments and the Group Management are responsible for implementing risk management practices in planning cycle and daily operations, and ensure the adherence of
- internal policies, and
- ethical values
in their designated responsibility areas. Some areas of risk management, in particular the management of financial risks and insurances, have been centralized for the purpose of scale advantage and for securing sufficient Group-level control.
Group's parent company's finance function is responsible for:
- ensuring a setup of adequate control activities for business segments in cooperation with the business management;
- operative follow-up of the adequacy and effectiveness of control activities; and
- ensuring that external reporting is correct, timely and in compliance with regulations.
Finance function does not have a separate internal control function. Group CFO reports any supervisory findings to the Finance and Audit Committee.
The Company has no specific internal audit organization. This is taken into account in the content and scope of the annual audit plan. On the one hand external auditing focuses on specific areas in turn to be audited, and on the other hand, on separately agreed priority areas.