Internal control system and risk management

The purpose of this section is to provide shareholders and other parties with a description of the internal control system and the main principles of risk management and control procedures at Outokumpu.

Internal control and risk management

According to the Finnish Limited Liability Companies Act and the Finnish Corporate Governance Code, the Board of Directors is responsible for ensuring that the company’s internal controls are appropriately organized. The purpose of this section is to provide shareholders and other parties with a description of how the internal control and risk management of financial reporting is organized in Outokumpu. As a listed company, the Group has to comply with a variety of regulations. To ensure that all the stated requirements are met, Outokumpu has introduced principles for financial reporting and internal control and deployed them throughout the company’s organization.

Control environment

The foundation of Outokumpu’s control environment is the business culture established within the Group and its associated methods of operation. The basis for the company’s compliance and control routines is provided by Group policies and principles, which define the way in which Outokumpu’s organization operates. These policies and principles include, for example, the Corporate Responsibility Policy and Ethics Statement. The Outokumpu Code of Conduct describes the Group’s basic values and offers standardized, practical guidelines for managers and employees to follow. Furthermore, the Internal Control Policy, the Approval Policy, and the Identity and Access Management Policy define many of the principles related to the system of internal controls.

The performance management as well as the risk management and internal control process are key management activities in enabling an efficient control environment. Throughout the Group’s operations, the planning activities and the setting of both operational and financial targets are executed in accordance with Outokumpu’s overall business targets. Management follow-up of related achievements and risks is carried out through regular management reporting and meeting routines.

The Internal Control function oversees and develops Outokumpu’s system of internal controls and tests the established controls. The function is also responsible for Group-wide governance, risk and compliance coordination. Under the lead of the Internal Control function, Outokumpu has continued to develop and implement a global, aligned and consistent risk management and internal control process, which will improve assurance for the Group to reach its key targets. In the course of 2021, implementation of the new risk and control management process started and the effort is expected to continue during 2022. Furthermore, a review of segregation of duties management was carried out. Certain improvement actions, e.g. related to the emergency access management (EAM) process, were carried out during the year, and a roadmap for further improvements in the coming years was defined.

Risk management

Outokumpu operates in accordance with the risk management policy approved by the company’s Board of Directors. The policy defines the objectives, approaches, and areas of responsibility in the Group’s risk management activities. Supporting Outokumpu’s strategy, the aim of risk management is to identify, evaluate, mitigate, control and report risks from the point of view of shareholders and other stakeholders, such as customers, employees, financiers, suppliers and regulators.

Risk management organization

The Board of Directors carries ultimate responsibility for risk management within Outokumpu. The CEO and members of the Leadership Team are responsible for defining and implementing risk management procedures, and for ensuring that risks are both properly addressed and considered in strategic and business planning.

Outokumpu’s Risk Management Steering Group, led by the CFO, is the governing body for risk management in Outokumpu. Other steering groups led by the CFO, such as the Financial Risk Steering Group for financial risk management and the Energy Risk Steering Group for energy risk management, contribute to the company’s overall risk management as well.

The Business areas and Group functions are responsible for identifying, evaluating and managing the risks connected with their own operations. The Risk Management Steering Group and the Board of Directors review the key risks and actions to be taken to manage these risks on a regular basis. The Treasury function supports the implementation of Outokumpu’s risk management policy, facilitates and coordinates risk management activities, and prepares quarterly risk reports for management, the Board Audit Committee and Auditors.

Risk management and internal control procedures

Outokumpu has defined risk as anything that could have an adverse impact on achieving the Group’s objectives. Risks can, therefore, be threats, uncertainties, or lost opportunities connected with current or future operations. Outokumpu’s appetite for risk and risk tolerance are defined regularly in relation to earnings, cash flows, and capital structure. The risk and control management process is an integral part of the overall management processes and is divided into the following stages: 1) risk identification; 2) evaluation and prioritization; 3) mitigation actions and control activities; and 4) monitoring and reporting. The process in Outokumpu is two-fold, consisting of risk management and, linked to this, control activities and control testing. The same process is applied at different levels of the Group’s organization.

Within Outokumpu, the process is monitored and controlled at different organizational levels. Regular risk updates are carried out to capture relevant information. Scheduled control activities are performed to provide reasonable assurance on the adherence to company policies and procedures. The monitoring of the outcome of risk evaluations, as well as of the risk mitigation actions and control activities, ensures that accurate information is provided both internally, to business area management teams and members of the Leadership Team, and externally to relevant parties such as shareholders and other stakeholders.

Internal controls for financial reporting

Outokumpu’s control process for financial reporting is mainly based on the Internal Control Policy, Outokumpu Accounting Principles and the Approval Policy, as well as on the responsibility and authorization structure within the Group. Policies relating to financial reporting are usually owned and approved by the CFO. Financial reporting in Outokumpu is carried out in a harmonized way using a common chart of accounts and principles.

Financial reporting is prepared in accordance with International Financial Reporting Standards (IFRS). The Outokumpu Accounting Principles (OAP) are Outokumpu’s application guidance on IFRS. The aim of the OAP and other financial reporting policies and instructions is to ensure that uniform financial processes and reporting practices are used throughout the Group. Policies and instructions for financial reporting are reviewed on a regular basis and revised when necessary.

The financial statements of the parent company and stand-alone Finnish subsidiaries are prepared in accordance with generally accepted accounting principles in Finland, while foreign subsidiaries follow local accounting principles. Outokumpu also complies with the regulations regarding the financial reporting published by the Financial Supervisory Authority (FIN-FSA), Nasdaq Helsinki, and ESMA.

Identification and assessment of risks related to financial reporting

The risks related to the Group’s financial reporting are managed according to Outokumpu’s risk management policy and classified as operational risks that can arise as consequences of inadequate or failed internal processes, employee actions, systems, or other events such as misconduct or crime. The risks related to financial reporting are identified and typically assessed in risk workshops, and in 2021 the assessments were conducted for most of the relevant parts of the financial reporting process. Some of the identified risks and related controls were implemented in the new risk and control management system.

Control activities

In addition to the Board of Directors, finance management at all levels as well as the Boards of subsidiary companies are responsible for ensuring that the internal controls relating to financial reporting are in place. Outokumpu has centralized the majority of its accounting and financial reporting in the global business service center, which enables the efficient execution of internal control activities.

The aim of control activities is to discover, prevent, and correct the potential errors and deviations in financial reporting. Control activities also aim to ensure that authorization structures are designed and implemented in such a way that incompatible tasks (e.g. one person performing a critical activity and also being responsible for controlling that activity) are segregated. Control activities consist of different kinds of measures and include reviews of financial reports by Group management and in business area management teams, the reconciliation of accounts, analyses of the logic behind reported figures, forecasts compared to actual reported figures, and analyses of the Group’s financial reporting processes, among others. A key component is the monitoring of monthly performance against financial and operational targets. These control activities take place at different levels of the organization.

The most important accounting items in Outokumpu are the valuation and reporting of inventories and other items requiring management judgment, such as provisions. Moreover, in difficult market situations, such as the COVID-19 pandemic, asset impairment calculations and the related sensitivity analyses are equally important. These items are carefully monitored and controlled on a regular basis, both within business areas and at the Group level.

Information technology and solutions play an important role in ensuring the appropriate structures for internal controls. The Group’s consolidation system provides timely and uniform financial and management reporting from the Group entities and an effective closing process within the whole Group. Outokumpu is also running a business transformation program to develop and improve business capabilities and to renew parts of its fragmented system environment. This will be achieved mainly by harmonizing and improving the Group’s core business processes and implementing supporting IT systems, with improved system-based controls embedded in processes.

The new ERP, together with other related IT systems, was successfully implemented for the Avesta site in 2021. Preparations for future rollouts are expected to continue in 2022. Furthermore, Outokumpu completed the implementation of its financial closing management system across the Group and enhanced related internal controls in the harmonized financial closing process. The new system improves transparency, has embedded process controls and drives both efficiency and reliability of the reporting process. In 2022, Outokumpu aims to further develop the financial reporting process by increasing the coverage of internal controls, developing systems for consolidation of financial information, and increasing efficiencies and effectiveness in financial closing processes.

Information and communication

Group-wide policies and principles are available to all Outokumpu employees. Instructions relating to financial reporting are communicated to all of the parties involved. The main communication channels employed are regular controller meetings, Outokumpu’s intranet, other easily accessible databases, and email. In the pandemic situation with remote work promoted, only a limited number of face-to-face controller meetings have been organized. Finance Leadership Team meetings are organized regularly to share information and discuss issues of topical interest to the Group.

Furthermore, Outokumpu has established a Group Functions Board and steering groups (e.g. for risk management and compliance topics) in which financial reporting and internal control issues can be discussed and reviewed. These groups typically consist of senior members of management and substance experts. The aim of Outokumpu is to ensure that common financial processes and reporting practices are followed throughout the Group and that effective internal controls relating to financial reporting are established.

Monitoring activities

Both management in all Outokumpu companies and the accounting and controlling functions are responsible for the follow-up and monitoring of internal controls connected with financial reporting. Overall development and monitoring of the internal control process and platforms as well as control testing are performed by the Group Internal Control function. The Internal Audit function monitors that an appropriate control environment exists across the Group. Risk management, the Compliance function, and external auditors are also engaged in the follow-up of control activities. The findings of the follow-up procedures are reported to the Board Audit Committee and the Group Functions Board on a regular basis.

Internal audit

Internal Audit is an independent and objective assurance, control, and consulting function designated to add value, improve operations, and monitor and support the organization in the achievement of its objectives. Through a systematic, disciplined approach, Internal Audit determines whether governance and compliance processes, the internal control system, and the risk and control management process, as designed and represented by the Board of Directors and the Outokumpu Leadership Team, are effective and efficient.

With a strong commitment to integrity and accountability, Internal Audit provides value to the Board of Directors and senior management as an objective and direct source of information, insights and independent advice. Internal Audit monitors adherence to Group principles, policies and instructions, and leads investigations on fraudulent and noncompliant behaviors and activities. Internal Audit performs its function on behalf of and directly reports to the Board Audit Committee and to the executive management. The internal audit plan is approved by the Board Audit Committee. In addition, the function may carry out unscheduled audits when needed.

In 2021, Internal Audit performed five site or thematic audits. The results of the audits that were carried out, including their risk appraisals, are reported and distributed in writing. In view of the Outokumpu Code of Conduct and the Corporate Responsibility Policy, no issues of material risk for the Outokumpu Group were identified. The 2022 internal audit plan will focus on e.g. supply chain risk management and site audits.

Outokumpu encourages everyone to raise their concerns, and there is a strict non-retaliation policy in place regarding concerns raised in good faith. There are several ways to report alleged misconduct, including SpeakUp, an externally operated communication channel that offers the option to report misconduct confidentially and anonymously, if allowed by the laws and regulations.

The SpeakUp channel is available both internally on the company intranet and for external stakeholders via the company webpage. 40 reports of alleged misconduct were recorded in 2021, of which 29 cases were reported via SpeakUp and 11 were recognized through other channels.

During the year, the internal audit process, the investigations operating model, and related tools and methodologies were developed to further improve efficiencies and effective ways of working as well as to prepare for the implementation of the EU Directive on whistleblower protection and consequent legislation.

Ethics and compliance

Outokumpu is strongly committed to the highest ethical standards and complies with the applicable laws and regulations of the countries in which it operates as well as with the agreements and commitments it has made. Outokumpu’s Code of Conduct sets out these ethical standards and provides guidelines for common ways of working with the aim of ensuring that all Outokumpu employees live up to Outokumpu’s ethical standards.

Outokumpu’s Legal and Compliance function is responsible for managing and continuously developing Outokumpu’s ethics and compliance program. Outokumpu’s ethics and compliance program is described in more detail in the Sustainability review. The Legal and Compliance function reports to the CEO and to the Outokumpu Leadership Team as well as directly to the Board Audit Committee on ethics and compliance related matters. Ethics and compliance related matters are also regularly handled in the Compliance Steering Group, consisting of the CEO, CFO, Head of HR, Head of Internal Controls and Internal Audit, Corporate General Counsel and Head of Compliance. The Compliance Steering Group met four times in 2021. A network of compliance contact persons and several data protection governance bodies support the implementation of the ethics and compliance program in the business areas and group functions.

Updated on March 4, 2022.