Risk management framework
Policy and instructions
The Board has approved a Risk Management Policy for the Group, which defines the objectives, principles, operating procedures, organisation and responsibilities of risk management and the reporting and follow-up procedures. Based on the Policy, more detailed Risk Management Instructions have been issued for the day-to-day business. These instructions mainly concern projects, the core business of Pöyry.
The President and CEO of the Company organises risk management of the Group with the assistance of the Group Executive Committee (GEC) and a specific member of the GEC in charge of risk management. The President and CEO approves risk management instructions and guidelines based on the Risk Management Policy, follows monthly the major risks of the Business Lines, and oversees the development of risk management systems and practices of the Group. The GEC conducts the Group level ERM process (see section “Process” below) and consolidates the Group and Business Line level results for a report to the Audit Committee and Board.
The primary responsibility for managing risks rests with the business, where risks also primarily accrue. The Presidents of the Business Lines are responsible for organising risk management in their Business Line following the Group’s risk management guidelines and procedures. The Business Line President reports the major risks and overall risk status of the Business Line as part of the monthly business reporting. In addition, a separate follow-up report is prepared on the most significant project risks.
The Audit Committee monitors the efficiency of the Group’s risk management systems. In addition, the Audit Committee reviews regularly in its meetings the major risks of the Group as well as periodically the ERM reports, and reports on these to the Board.
The Board oversees risk management and reviews the risk management processes of the Group with the assistance of the Audit Committee, and approves the risk management principles of the Company. The most relevant Group level risks are reported regularly to the Board.
Pöyry’s risk management consists of a co-ordinated set of activities to identify, evaluate, treat and control all major risk areas of the Group in a systematic and proactive manner.
ERM (Enterprise Risk Management) Process
A uniform group-wide ERM (Enterprise Risk Management) process is conducted annually in connection with the strategy process. In this process, each Business Line makes the short-term and long-term risk assessment independently. An overall Group level risk review and assessment is made by the Group Executive Committee. The Business Lines are responsible for treating their risks by taking appropriate actions. These actions typically include mitigating, transferring or absorbing risks, or a combination of these actions. The development of the actions is followed regularly in the organisation.
Risks are addressed in the ERM process according to the following main risk categories:
- External risks
- Internal risks
- Strategic risks
- Operational risks
- Financial risks
Project Risk Management process
All projects in Pöyry are categorised and treated both in the sales and implementation phase of the project according to the category. Project approvals are also tied to the project category, together with some criteria which define the approval level automatically.
Pöyry has defined and documented company-specific general Project Management Guidelines which are part of Pöyry’s Operating Guidelines. The Project Management Guidelines were published within Pöyry in 2013. The guidelines consist of a description of Pöyry’s approach to project management as well as a description of key project management processes of Pöyry. Project risk management is one of the defined processes. These guidelines are the foundation of Pöyry’s project management and project risk management.
The Project Management Guidelines are supported by Pöyry’s Project Management Training Programme, which has been created side by side with the process development. Excellence in project management means quality services and good risk and opportunity management.
Risk management of projects and assignments is an integral part of Pöyry’s day-to-day risk management and a key task of every project manager. Pöyry established a global Project Management Office (PMO) organisation in 2013. The group-wide PMO organisation supports project managers in project management processes including, among others, the project risk management process and the monthly project review process.
A systematic risk management process is defined for projects, according to the project’s size, complexity and contract model. Two tailor-made risk assessment tools, one generic for all projects and one specifically aimed at large projects, have been created to support project risk management. The use of the tools is mandatory according to the Project Management Guidelines.
The project risk management process is followed throughout the project lifecycle, starting in the prospect and proposal phase and continuing as a regular and systematic process until the closing of the project.
Both the project risk management and ERM processes follow one generic risk management process: