8/9/2021

Internal control and risk management

The purpose of internal control and risk management is to ensure that the company’s operations are effective, that financial and other information is reliable, and that the company complies with the relevant regulations and operating principles. The Board of Directors, assisted by the Audit Committee, is responsible for monitoring and assessing the effectiveness of the company’s internal control and risk management systems. Internal audit assists the Board of Directors with its monitoring responsibility by ensuring that the group’s control measures have been planned and set up effectively.

Kemira maintains an internal control system to ensure the effectiveness and efficiency of its operations, including the reliability of financial and operational reporting and compliance with the applicable regulations, policies and practices. Internal control is an integral part of all of Kemira’s operations and covers all levels of the Group. The entire Group personnel are responsible for internal control and managers monitor its effectiveness as part of operative management.

Kemira’s corporate values, Code of Conduct and Group level policies and procedures guide the corporate governance and internal control in the Group. The internal policies and the Kemira Code of Conduct have been communicated to all Group staff. The Group also provides training on the main policies for people who need to know the policies in question. All employees receive training on the Code of Conduct. Every employee has the right and duty to report any violations of the law, the Code of Conduct or Group policies.

The main components of internal control are the management and organizational culture, risk assessment, control activities, reporting and communication, as well as monitoring and auditing.

Kemira Group’s Internal Audit function provides independent appraisal and assurance for the review of operations within the Group in order to support the management and the Board of Directors in fulfilling their oversight responsibilities.

The purpose is to evaluate and contribute to the improvement of risk management, control and governance systems in the Group. The purpose, authority and responsibilities of the unit are defined in the Kemira Internal Audit Charter approved by the Audit Committee. Internal auditors have complete and unrestricted access to all Kemira activities.

Internal Audit is free to determine the scope of internal auditing, the ways of performing its work and communicating its results.

Internal Audit reports to the Audit Committee and administratively to the Group General Counsel. Internal Audit reports all of its observations to the responsible management and to the auditor. In addition, Internal Audit regularly reports the most essential and material observations to the Audit Committee in connection with the Audit Committee’s meetings. Furthermore, Internal Audit has direct and unrestricted access to the Chairman of the Audit Committee for discussions.

Kemira’s Board of Directors defines the main principles of risk management and approves the Group’s risk management policy. The business segments and functions are responsible for identifying, assessing and managing risks involved in their activities. The Group’s Risk Management function coordinates and supports risk management.

Kemira’s internal control system covers all Group operations, including financial reporting. The internal control activities are carried out at all organizational levels as part of the Group’s daily operations.

The following describes how Kemira’s internal control and risk control work in connection with the financial reporting process to ensure that the financial reports published by the Company give essentially correct information about the Company’s financial situation.

Roles and responsibilities

Kemira’s Board of Directors ensures that the Company has sufficient resources for risk management and control, that the control has been arranged appropriately and that the financial statements provide correct and sufficient information about the Company. The Board of Directors is assisted by the Audit Committee in these tasks.

The Managing Director handles the Company’s everyday management in accordance with instructions and regulations from the Board of Directors. The Managing Director is responsible for ensuring that the Company’s accounting is lawful and that assets are managed reliably.

The CFO is responsible for the general control system of financial reporting. The areas of responsibility between financial administration of the Group and the regions have been defined precisely. Group level financial functions support, monitor, instruct and offer training to the financial organizations of the regions. Group level financial functions are also responsible for the Group’s financial reporting and support segment controllers in analyzing business processes. Financial organization in the regions is responsible for the functionality of the accounting processes and correctness of figures in their region. Controlling in segments operates under the segments’ business management and analyzes and supports the business processes.

The Group’s IT function has a significant role both in financial reporting and internal control, as reporting and many control measures, such as process monitoring, are based on IT solutions.

Risk management

The Group’s financial administration is responsible for managing risks related to financial reporting. The risks are identified, assessed and managed in connection with the Group’s general risk management process and separately as part of financial administration’s own operating processes. The Group’s financial administration assesses risks it has recognized related to financial reporting. The aim of the risk assessment is to identify and to assess the most significant threats affecting the financial reporting and to define to which function or process the risks are related and how the risks would affect the Group’s financial reporting if they were to materialize. The Group’s financial administration and Risk Management are responsible for ensuring that the risks are reassessed regularly.

Financial reporting and control

The internal control and risk management systems pertaining to the financial reporting process have been designed so that sufficient certainty on the reliability of the financial reporting can be obtained and that the financial statements have been prepared in accordance with the applicable laws and regulations. Kemira complies with the international standards for financial statements (IFRS) which are applicable in the EU and other requirements of the listed companies. Kemira Group policies and procedures define in detail the processes and principles of accounting and financial reporting to be applied in all Group companies. The purpose of the policies and procedures is to ensure the reliability of financial reporting.

The Group has a uniform and comprehensive Enterprise Resources Planning (ERP) system that ensures fast and reliable access to data. Subsidiaries report their figures from the ERP system to the Group, using a uniform Group reporting system. The financial organizations of the Group, segments and regions check the correctness of the figures in the Group reporting system in accordance with the responsibility areas described above.

Proper control of financial administration, financial reporting and accounting processes is a basic requirement for the reliability of financial reporting. The Group financial administration has determined the appropriate control functions, the objectives of each control function and how the effectiveness of the control functions is monitored and checked based on a risk analysis it performs. The control functions are described in the above mentioned risk documentation and financial administration is responsible for their practical implementation.

Financial reporting control is performed either continuously as part of the transactions of the company’s monitoring processes such as purchasing and sales processes, or alternatively monthly or annually as part of the reporting process.

Communication

Through a well-functioning internal control environment, Kemira aims to secure the timeliness, correctness and transparency of the company’s internal and external communication. The most essential guidelines and regulations concerning the financial reporting, internal control and risk management, such as the guidelines regarding the principles of preparation of the financial statements and financial reporting, are available to all employees in the group intranet. Kemira’s financial administration regularly arranges training on internal control and financial reporting, as well as on using the relevant tools.

Monitoring

The functionality of internal control, risk management and reporting systems is constantly monitored as part of daily management of the Company. Each segment, function and region is responsible for implementing internal control and for its efficiency and the reliability of reporting within its area of responsibility. The Group financial administration monitors the functionality and reliability of the financial reporting process and principles at Group level. The financial reporting processes are also monitored by the Internal Audit function.

Effective compliance with and systematic execution of Kemira’s risk management policy and principles proactively protect and help Kemira to reach the desired aggregate risk level and ensure the continuity of Kemira’s operations.

Risk management policy

The key principles of Kemira’s risk management are defined in the Kemira Group Risk Management Policy. In the policy, a risk is defined as a potential event or circumstance, which, if it materializes, may affect Kemira’s ability to meet its strategic and operational objectives. In addition, Kemira has Group guidelines and other policies in place that specify management objectives, responsibilities, and risk limits in greater detail.

Kemira Oyj’s risk management is based on the Finnish Corporate Governance Code, the Kemira Code of Conduct and the company’s values. The principles of Kemira’s risk management are also in compliance with international risk management frameworks and standards such as ISO 31000 (Risk Management – Principles and Guidelines).

In accordance with its risk management process, Kemira aims at systematic and proactive assessment and mitigation of risks, with the risks grouped under various risk categories. The objective of risk management is to contribute to ensuring Kemira’s long-term strategic development and to achieving Kemira’s strategic and operational targets by supporting decision making by taking uncertainty and its effects into account.

Kemira Oyj’s Board of Directors defines the key principles applied in risk management and has the overall oversight responsibility for risk management. The Audit Committee approves the Group’s risk management policy and has general supervision responsibility for risk management implementation at Kemira. The business segments and functions, and respective risk owners, are responsible for the risks involved in their activities and for the related risk management and mitigation. The Group’s Risk Management function is in charge of developing and coordinating the risk management process and risk management networks within the Group. Group Risk Management is also responsible for the group level risk summary based on input from the segments/functions and ensuring that the risks are discussed at the Management Board. Internal Audit is responsible for monitoring and evaluating the effectiveness of Kemira’s risk management system.

Risk management implementation

At Kemira, each business segment and function carries out risk management according to the risk management process set by Group Risk Management, and as described on a high level in Kemira’s Risk Management Policy. Risks are identified, analyzed, and evaluated in a consistent manner. Mitigation actions and/or contingency plans need to be clearly defined and implemented. Risk management systems and methodologies suitable for the specific risks, situations, and organizational needs are applied. The results of the risk management process are reported regularly both internally and as a part of Kemira Oyj’s external reporting.

Some of Kemira’s risk treatment measures are carried out centrally in order to generate cost benefits and ensure a sufficient level of protection. These include, for instance, hedging of treasury risks, as well as purchase and management of insurance programs to provide cover for liability, cargo, and property and business interruption risks.

About Kemira’s risks

Risk management is integrated in Kemira’s strategy process. Risks are assessed against defined strategic objectives of Kemira. Kemira’s key risks are described in the Financial Statements of the Annual Report. Despite proactive risk management efforts, there is always the possibility that some of the risks may materialize and significantly impact Kemira’s ability to achieve its targets.