Risk management and internal control

The management of Sanoma Group and its businesses is based on a clear organisational structure, well-defined areas of authority and responsibility, common planning and reporting systems as well as policies and guidelines.

Roles and responsibilities of different administrative bodies in risk management and internal control are explained in the table below.

Board of Directors
  Risk management:
    – approval of Risk Management Policy
    – overseeing the effectiveness of risk management
    – aligning the strategic objectives and risk appetite of the company
  Internal control:
    – approval of Internal Controls Policy

Audit Committee
  Risk management:
    – reviews and monitors the implementation of the policy and the risk management process
  Internal control:
    – reviews the reliability, effectiveness and compliance with Sanoma’s Corporate Governance Framework of internal control systems
    – monitors matters related to statutory audit and internal audit

President and CEO
  Risk management:
    – defining risk management strategies and procedures
    – setting priorities for risk management
  Internal control:
    – sets the ground for the internal control environment by executing policies and standards
    – EMT supports the President and CEO in his/her oversight role and in assuring compliance

Audit and Assurance function
  Risk management:
    – coordinates the risk management process
    – produces risk reports
    – evaluates and provides recommendations for improvement on risk management
  Internal control:
    – supports the President and CEO in ensuring the compliance of financial reporting with Group requirements by, for example, evaluating and providing recommendations for improvement on internal control
    – compiles reports on internal control to the Board of Directors, Audit Committee and/or the President and CEO and the EMT

SBUs
  Risk management:
    – aligning the risk management guidelines, procedures and strategies with the Group
    – identifying, measuring, reporting and managing risks
  Internal control:
    – ensuring that Sanoma policies and standards are implemented and followed in their business
    – reflecting possible local requirements in the implementation

The most significant risks that could have a negative impact on Sanoma’s business, performance, or financial status are described here.

Risk management

The main objective of the risk management of Sanoma is to identify and manage essential risks related to the execution of the Group’s strategy and operations. The Risk Management Policy defines Group-wide risk management principles, objectives and responsibilities.

Risk management is integrated in Sanoma’s management, strategic planning and internal control system, and covers all risk categories at Group, SBU and entity levels. The risk management process includes the following phases:

  1. Setting strategic, operational, reporting and compliance objectives on the Group, SBU and business levels
  2. Identification and assessment of risks affecting the achievement of objectives by using a risk framework
  3. Defining risk management activities for key risks
  4. Implementation of risk management activities (e.g. asset allocation, control activities, insuring, hedging or divestitures)
  5. Monitoring the performance and efficiency of the risk management
  6. Continuous improvement of the risk management processes, performance and capabilities
  7. Reporting of updated risk assessment results with related ongoing or planned mitigation actions to the Audit Committee and further to the Board of Directors twice a year. The reporting includes identification and assessment of key risks and summary of risk management activities for each SBU, business, and selected subsidiaries. The reporting shall be linked as much as possible to the quarterly reporting and strategic planning processes.

Internal controls

Sanoma’s Internal Control Policy defines the internal control process applied in the Group. Internal controls are in line with the Corporate Governance Framework, and aim to assure that all Group policies and standards are up to date, communicated and implemented.

Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations.

The process includes objective setting, control design and implementation, operating effectiveness testing, monitoring and continuous improvement, and reporting.

Internal controls consist of entity-level, process-level and IT controls. Entity-level controls are applied on all levels of Sanoma (i.e. Group, SBU and entity) and can relate to more than one process. The Code of Conduct, Group policies and guidelines and their active implementation are examples of entity-level control activities.

Process-level control activities are designed to mitigate risks relating to certain key processes. Examples of such processes are purchase-to-pay and payroll processes. Automated or manual reconciliations and approvals of transactions are typical process-level controls.

IT controls are embedded within IT processes that provide a reliable operating environment and support the effective operation of application controls. Controls that prevent inappropriate and unauthorised use of the system and controls over the effective acquisition are examples of IT controls.

The operation of controls is monitored to ensure that they are implemented as designed, and that they operate effectively. The monitoring is performed as a management self-assessment, an assessment by an independent party/internal audit, or a combination of those.

Monitoring of financial reporting process

The financial reporting process is based on the Group Reporting Manual. Combined with the other Group reporting guidelines and additional instructions, it defines Sanoma Group’s accounting principles and policies.

The Group Finance and Control function is part of the Parent Company and prepares control point guidelines for transactions and periodic controls for the SBUs. The guidelines are approved by the President and CEO. Periodic controls are linked to monthly and annual reporting processes and include reconciliations and analyses to ensure the accuracy of financial reporting. The control activities seek to ensure that potential deviations and errors are prevented, discovered and corrected both at the Parent Company and the SBU level. Internal control systems cover the whole financial reporting process.

The Group’s financial performance is monitored on a monthly basis, using a Group-wide financial planning and reporting system, which includes actualised income statements, balance sheets, cash flow statements and key performance indicators, as well as estimates for the current financial year. Furthermore, business reviews between Group and SBU management are held at least quarterly. In addition to the SBUs’ financial performance, the reviews cover topics such as the operating environment, future expectations, and business development. The business reviews also have a role in the process of ensuring the functioning of the continuous risk assessment and internal control systems.