The objective of risk management at the company
The objective of Risk Management is to secure profitable performance of the Enento Group and to ensure the continuity of the business by executing risk management in a cost-effective and systematic manner in the different functions of the company. Risk management is part of the company’s strategic and operative planning, daily decision-making process and internal control.
Main principles for organizing risk management
The company complies with a policy approved by the company’s Board of Directors for the management of risks. Risk Management covers all activities that are related to the objectives being achievable and consistent with the strategy, to the identification, measuring, assessment, processing, reporting and control of risks and to the reaction to risks.
Main features of risk management process
In conjunction with the strategy process and annual planning, the company’s CEO and members of the management group evaluate the business risks which may prevent or endanger the achieving of the group’s strategic and result objectives. The units provide risk assessments of their own operations for the support of the strategy process. The directors of the units have to provide assessments of the risks of their own area of responsibility and present action plans for the management of risks. Changes taking place in the strategic and operative risks are discussed in the management group.
The company’s CEO reports the identified risks as well as planned and implemented actions for the risk mitigation to the Audit Committee and the Board of Directors. In accordance with the recommendation 26 of the Finnish Corporate Governance Code, the company shall disclose the major risks and uncertainties that the board is aware of and the principles along which risk management is organised. The Audit Committee shall assure that the Corporate Governance Statement published by the company shall contain an appropriate description of the main features of the internal control and risk management systems in relation to the financial reporting process.
The report by the Board of Directors contains an evaluation of the major risks and uncertainties. In addition, the interim reports and financial statements releases describe major short-term risks and uncertainties related to the business operations.
General description of internal control and operational principles
Internal control is carried out by the Board of Directors, management and the company’s entire personnel so that it can reasonably be asserted that:
- The operations are functioning, efficient and in compliance with the strategy.
- The financial reporting and information given to the management is reliable, sufficient, and timely.
- Applicable laws and regulations as well as the company’s internal instructions and ethical values are complied with at Asiakastieto.
The company’s internal control contain the following structural elements:
- Instructions and principles set by the Board of Directors for internal control, risk management and administration.
- The implementation and application of instructions and principles under the supervision of the management.
- Control of the efficiency and functionality of operations as well as the reliability of the financial and management reporting by the financial department.
- The company’s risk management process, the purpose of which is to identify, assess and reduce risks threatening the achievement of objectives.
- Compliance processes, the purpose of which is to ensure that all applicable laws, regulations, internal instructions and ethical values are complied with common ethical values and strong internal control culture amongst all employees.
Key risks and uncertainties
The company is exposed to a number of risks and uncertainties related to, among other factors, the market conditions, the company’s industry, the company’s strategy, business operations of the company and financial risks. The materialisation of any such risks could have a material adverse effect on the company’s business, financial condition, results of operations and future prospects.
Market and strategic risks
Demand for the company’s products and services depends on the transaction volumes of its customers which, in turn, are sensitive to changes in general economic conditions. Demand tends to follow general levels of economic activity and commercial transaction volumes, and slow economic growth, which has prevailed in Finland in recent years, generally result in lower levels of demand for the company’s products and services.
The company operates in a number of product and service markets that is competitive and subject to evolving customer needs. Information services are becoming more readily available, principally due to the greater availability of public data, the expansion of the Internet and the emergence of new service providers, which may increase competition on the market. The greater availability of data could also facilitate developing certain services, such as analytical services, in-house by the company’s customers.
Competitive tenders by the company’s customers and overall customer cost-consciousness may cause some downward pricing pressure in the company’s markets. In addition, price pressure by the company’s competitors could negatively affect the company’s margins and results of operations and could also harm its ability to obtain new customers on favourable terms.
The Group’s largest customer in Finland accounted for approximately 7,6 % (in Sweden 9,0 %) of the Group’s invoicing in 2018, while the 10 largest customers accounted for approximately 31,8 % (in Sweden 47,4 %) and 40 largest customers accounted for approximately 51,3 % (in Sweden 76,9 %) of the invoicing respectively. The loss of one or several of its largest customers could have an adverse effect on the company.
Collection, storage and use of data is subject to detailed regulation. Changes in the regulatory framework could require Asiakastieto to adapt its service offering or its strategy, resulted in increased costs, force the company to discontinue provision of certain products and services or prevent or delay the development of its activities.
The company’s business relies on data from external data providers, including government agencies and other public sources, customers and other sources. If one or more data provider were to cease making their data available for any reason or substantially increase the price of their data, the company’s ability to provide its products and services to its customers could be adversely affected.
The company believes that its continued success will be influenced by its ability to meet customers’ needs through the development of products and services that are easy to use and that seek to increase customers’ business process efficiency, offer cost savings, and facilitate better business decisions. The company may experience delays in developing new products and services and enhancements to existing products, due to technical challenges, difficulties with external IT development resources, acquiring data or regulatory requirements, in which case the company’s results could suffer.
The company has and will continue to undertake continuous investments in its technology infrastructure, including its hardware and software. If the company experiences any failures related to its technology investments, it may not achieve its expected revenue development, or may experience increased costs, and it could experience a competitive disadvantage in the marketplace, such as the inability to offer certain types of new products and services or to collect certain types of new data.
The secure and uninterrupted operation of the company’s networks and systems is critical to its business operations. Any unauthorised access, disclosure, loss or misuse of information may result in the company’s being in breach of data protection and related legislation, reputational harm, loss of revenue, claims or regulatory actions.
In addition, despite testing and data quality control, the products and services that the company develops as well as the operating systems or software used by the company may contain errors or defects. The company’s information technology networks and infrastructure could be vulnerable to damage or disruptions due to various reasons. In the event of such an incident, the company’s information technology infrastructure may not be operative, which could hamper its operations and result in contractual breaches, among other.
The company is exposed to a number of financial risks, including interest rate risks, credit risk and liquidity risk. The company’s financial risks and financial risk management is described in notes to the Financial Statements.
The objective of the internal control in the company is to ensure that business operations are efficient and profitable, financial reporting is reliable, and that applicable laws and regulation for the company’s business, as well as company’s internal instructions are followed. The specific objective of the internal controls over financial reporting is to ensure that interim reports, earnings releases and other financial reporting made available to the public, and financial statements and annual reports are reliable and are prepared in accordance with the accounting and reporting principles adopted by the company.
The Audit Committee of the company responsible for, according to its working order, monitoring of the financial statement preparation and financial reporting processes, and monitors the effectiveness of the company’s internal control and risk management processes.
CEO is operationally responsible for the organization of the internal control. It includes that the company has designed and implemented adequate internal control mechanisms as stipulated in the operating principles approved by the board. CEO, supported by the Management Team, is responsible to ensure that the company operates in accordance with the agreed and defined principles, follows laws and regulations, and reacts towards identified exceptions and takes adequate corrective actions.
An integral part of the internal control is the document indicating the company’s roles and delegation of authority, as defined by the Board (Delegation of Authority Summary). The guideline defines authorisations of the board, the CEO and other management team members. The guideline deals with the situations where authorisations may be required for annual accounts, budget, remuneration, investments, acquisitions, financing and one-off transactions. The company’s Code of Ethics is applicable for all the group employees. It has been published in the company’s intranet and is also introduced to all new employees.
The company does not have currently internal audit function. The Audit Committee of the Board shall, according to its working order, evaluate on a yearly basis whether such function should be established. The Audit Committee may use either internal or external resources to carry out specific internal audit assignments. The Group Finance of the company monitors adherence of the approval limits as defined in the Delegation of Authority guidelines.
Focus areas in 2019 for internal control development
Areas of focus for the internal control in 2019 were to continue development of Nordic processes and to improve and standardise controls in the entire group.