Risk management

Internal control policies are in line with the risk management process. The aim of risk management is to support strategy and the achievement of objectives by anticipating and responding to potential business threats and opportunities. Internal control and risk management related to financial reporting seek sufficient certainty as to the reliability of financial reporting, and that the financial statements have been prepared in accordance with the laws and regulations in force, the accounting principles (IFRS), and other requirements imposed on listed companies.

The internal control components are the control environment (COSO), risk assessment, supervisory functions, communication, and monitoring. The Board and the CEO have overall responsibility for the organization of internal control and risk management systems.

Overview of risk management

The Company’s Board has approved a risk management approach for the Company based on the ISO 31000 standard. According to the risk management model, the purpose of the Company’s risk management is:

  • To increase the organization’s risk awareness and proactive risk management
  • To increase the competitiveness of the organization by reducing negative risks and increasing positive risks
  • To ensure a sufficient level of risk management for the whole organization
  • To manage risks as part of business activities and define responsibilities of risk management in the organization

Risk management is managed operationally by the risk manager. Risk management has its own steering group, whose purpose is to review the status of risk management on a quarterly basis and to guide the work of the organization. Risk management functions as a means of control and monitoring within the Company, as one of the components of internal control.

In accordance with the risk management model, risks at Company level and risks at each department level are assessed. In addition, risk assessments are targeted at different objects on the basis of compliance or risk criteria.

The Risk Management Policy is supported by internal risk management principles and guidelines for the implementation of risk management. The risk management model guides risk management in accordance with the annual clock and is based on the continuous improvement model.

Risk management is reported to different stakeholders according to pre-defined criteria. An annual plan is created for the following year in relation to the Annual Report and development feedback.

The Audit Committee regularly monitors and assesses the implementation of the Company’s risk management system. The Company’s operational management is responsible for the practical actions of risk management within the framework of the Risk Management Policy and principles.

Main features of the internal control and risk management systems pertaining to the financial reporting process

Financial reporting is carried out by the Company’s CFO and finance department. The reporting is based on information provided by commercial and administrative processes and financial management systems. The financial reporting process is monitored by the Company’s financial department, including different guidelines, process descriptions, reconciliations, and analyses, to ensure the accuracy of the information used in reporting.

The results of financial reporting are monitored, and deviations from forecasts and from the previous year are analyzed on a regular basis. The analyses are used to identify possible errors in reporting and to provide materially correct information about the Company’s finances. The Company’s financial department is responsible for the efficiency and completeness of the internal control. The internal audit is responsible for evaluating financial reporting processes. Risks related to financial reporting are assessed in accordance with the Company’s risk management principles. The deficiencies identified in the internal audit and risk assessment are addressed according to the risk classification.

Inspection activities

Overview of internal audit

The internal audit will enhance the performance of the supervisory responsibilities of the Company’s Board. The objective of the internal audit is to contribute to ensuring that the Company operates efficiently and effectively, that information is up to date and reliable, and that policies and practices are followed.

Internal audits help an organization to achieve its objectives by assessing and examining its activities and monitoring compliance with guidelines.

The internal audit function provides recommendations for the development of systems and processes in its audit reports. The Board’s Audit Committee approves the annual internal audit plan, which selects audit targets in accordance with the Company’s strategic objectives, the assessed risks, the priorities defined by the Board and the Company’s executive management, and the rotation principle. The internal audit function reports to the Board’s Audit Committee. In addition, the CEO, the Management Team, and the management of the audited entity are informed of the results of the audit.

Audits are carried out by external partners. Before performing field work at the internal audit site, the internal audit collects preliminary material and focuses on the information and materials relevant to the audit site. During the course of the field work, additional observations about the object of inspection are recorded.

The internal audit reports contain key findings, conclusions, and recommendations for the development of controls. The site management must establish an action plan to manage the identified risks and develop controls to address the deficiencies identified during the audit. The person responsible for the internal audit of the Company regularly follows the implementation of the action plan.

Whistleblowing channel for reporting suspected violations

The Company has a reporting channel through which employees and other stakeholders can report suspicions of misuse or of policy breaches. If necessary, the channel can be used anonymously, and all reports made through the reporting channel become subject to internal investigation and are examined in accordance with the notification procedure.

Marja Mäkinen

Head of Investor Relations