Description of risks
Typical risks related to Pöyry’s business operations are described in this section. The description is not intended to be comprehensive and our operations are subject to other risks as well. The most significant risks and uncertainties identified during the financial year are described in the Board of Director’s Report.
RISK: The economic uncertainties and risks particularly in the European market persist. This risk can create uncertainty and delays in clients’ decision making. Should the risk materialise, it could create serious problems for clients in arranging financing for investments and could have an adverse impact on Pöyry’s net sales and profitability.
RISK MANAGEMENT APPROACH: The Group aims to reduce its vulnerability to market risks and business cycles by a balanced portfolio of assignments by clients in different industries, markets and geographical areas as well as through sub-contracting and flexible employment arrangements. The inter-company use of engineering services has also made resource allocation more flexible. In economic downturns Pöyry’s order stock, the activity level of employees and professional charging rates may decline, which would have a negative impact on Pöyry’s revenues and financial position.
RISK: Part of Pöyry’s net sales originates from emerging and developing countries, some of which face political and economic challenges. There is a risk that corresponding payment of invoices may be excessively delayed or that the Pöyry Group may experience credit losses. In project business, there is also a risk that clients withhold payments against alleged deficiencies in provided services, which may ultimately lead to excessively delayed payments or collection of receivables through legal proceedings.
RISK MANAGEMENT APPROACH: To manage the payment risk, the company maintains systematic processes to ensure appropriate contractual terms and for the follow-up and active collection of receivables.
RISK: The consulting and engineering business is characterised by keen global and local competition. The economic uncertainty has continued and intensive competition in certain sectors and markets prevails. Competition from non-traditional players has also significantly increased in some sectors.
RISK MANAGEMENT APPROACH: Pöyry aims to differentiate itself from its competitors by a strategic evolution which results in an improved ‘Global-Local’ interaction. This means applying Pöyry’s global expertise to serve clients in local markets. The interaction of the global and local dimensions is aimed to make Pöyry’s business stronger and Pöyry’s clients more successful. Pöyry further aims at differentiating itself from competition by its “SEPO” concept, which means service offering for the full investment life-cycle i.e. strategic advisory, engineering services, project implementation and operations support.
Strategic risks/ Business development
RISK: Organic growth is an important part of Pöyry’s strategy. The key risks in achieving this strategic goal are potential lack of skilful sales resources, limited amount of suitable projects, and delays in clients’ decision making. A significant part of the organic growth is expected to derive from larger and complex projects. There is a limited number of such projects available in the market in the sectors where Pöyry operates, and the risk profile may be such that Pöyry will not decide to pursue them.
RISK MANAGEMENT APPROACH: Pöyry has a specific focus on sales, both locally and in the global competence lines. In addition, there is a special task force of experts solely developing large and complex project opportunities.
Strategic risks/ Pöyry brand
RISK: Pöyry has a one-brand strategy. There is a risk that the actions or negligence of a Pöyry group entity, or a business partner, may harm the recognition of the Pöyry brand locally or more broadly
RISK MANAGEMENT APPROACH: Pöyry is recognised as a quality brand. We aim at maintaining the quality promise through ensuring a first class performance and delivery of our offering. The Project Management Guidelines of the company are an important element aimed at ensuring a quality performance and delivery. Besides the quality service delivery, the highest level of ethics and compliance is a mandatory part of everything we do at Pöyry. The company’s Code of Conduct and its implementation guidelines provide a clear and uncompromised framework for the requirements to every person working at or for Pöyry.
Operational risks/ Compliance
RISK: Pöyry has an extensive local office network covering over 40 countries and employing about 6,000 experts globally. The risk of corruption and fraud is elevated in some of the markets where the company operates.
RISK MANAGEMENT APPROACH: In order to mitigate many of the operational risks associated with such a diverse business, in 2012 Pöyry created a dedicated Compliance function led by the Chief Compliance Officer. The function provides objective oversight and its main activities are defining compliance policies, leading and developing the Compliance Programme and reporting on compliance related issues of significance to senior management. To ensure the independence and direct reporting route of the Chief Compliance Officer, as well as to ensure that the compliance risks are communicated to the top management effectively, the Chief Compliance Officer reports to the President and CEO and to the Audit Committee of the Board of Directors. Along with the Board of Directors and senior management, Compliance has an important role in building and maintaining an environment and culture of ethical conduct at Pöyry.
The Compliance Programme is a key part of the risk mitigation and is based on the Pöyry Operating Guidelines, which contain the most important group wide policies, instruction and guidance, approved by the Board of Directors or, the President and CEO.
The Pöyry Code of Conduct with its Compliance Guidelines is a foundation document of the Pöyry Operating Guidelines. The Code defines the standards of our ethical behaviour and affirms the zero tolerance for corruption, bribery, fraud, anti-competitive practices, discrimination and harassment of any kind. The Code aims at ensuring that the Company conducts business according to the highest ethical standards and must be followed by all Pöyry employees and business partners. In order to enhance employees understanding of the Code, a web based eLearning module is available to the whole Group with every employee having to complete the training annually. Furthermore, training, personal guidance, supervision, audits and other practical measures are used to manage our exposure to these risks. In 2012 Pöyry launched the "SpeakUp@Pöyry" service to enable employees to raise concerns anonymously.
Besides the Code, the Company’s Internal Control Policy, Risk Management Policy and Instructions and the Authorities and Approval Policy provide a framework for controls and risk management environment. The internal control framework is tailored to address the prevention and mitigation of compliance risks.
Pöyry takes non-compliance issues seriously. The enforcement, remediation and discipline measures range from training and mentoring to dismissal, depending on the case.
Operational risks/ Projects and assignments
Consulting assignments. About twenty (20) per cent of Pöyry’s business consists of consulting assignments such as management consulting, technical consulting and other similar advisory services. According to common practice in the consulting business, Pöyry aims to restrict inherent liability risks by using standard contract terms and insurances, and these assignments typically do not involve significant liability risks. If a particular risk area is identified in connection with such services, special mitigation actions are taken all the way up to discontinuing provision of such services.
Advisory services occasionally involve a risk related to receivables. Front-loaded and regular payment schedules are used to minimise such risks.
Project services. About eighty (80) per cent of Pöyry’s business is derived from project services such as basic and detail engineering, procurement assistance, project and construction supervision, and project management and other site services. These projects are carried out on a fixed-price, ceiling-fee or time-charge basis. Fixed-price and ceiling-fee projects contain the risk of involving more professional work or time than estimated as a result of inaccurate time and cost estimates, performance delays, disputes about compensation for additional or changed services, inexperienced staff or other unexpected circumstances.
Contracting type projects. Part of Pöyry’s business is derived from contracting type projects such as engineering, procurement and construction (EPC) projects and operation and maintenance (O&M) service projects. EPC projects typically contain the project management, engineering, procurement, construction, erection, commissioning, start-up and testing of the plant. O&M projects consist of the running of the plants for the client including maintenance work.
Large and complex projects. Large and complex projects, including engineering, procurement and construction management services (EPCM) projects, as well as EPC and O&M projects, are a specific focus area of Pöyry. Pöyry’s Large Projects Competence Center leads the marketing, selling and implementation of those projects. The Large Projects Competence Center consists of a team of specialists in core areas of project work and of experienced project directors/managers.
Projects for public sector or institutional investor clients. In about one third of Pöyry’s assignments the client is from the public sector or is an institutional investor. It is characteristic of these service contracts that liabilities cannot always be limited according to the Group’s policies. As a rule, public-sector assignments are awarded according to public procurement, which involves the risk of tough price competition. In addition, public-sector decision-making involves the risk that the decision concerning the use of public funds for a specific project may be changed, delayed or cancelled, when political decision-makers are replaced. Due to the particular risks relating to public sector projects, separate project and risk management guidelines and procedures have been defined for the business units which are engaged in this business. Special instructions have been issued and e-learning module created for personnel involved with projects for, or financed by, International Financial Institutions (IFIs).
RISK MANAGEMENT APPROACH: All projects in Pöyry are categorised on risk basis. The project category determines the treatment of the project both in the sales and execution phase of the project. The categorisation is conducted in our CRM tool both before submitting a commercially binding proposal and signing a contract using a holistic assessment of the project risk. The resulting project category is the basis for the approval level as defined in our Authorities and Approval Policy.
In 2013 Pöyry launched a set of project management guidelines, describing the processes for project execution and taking into account the different needs for each project category. They have been derived from the PMI methodology adapted to the specific needs of the Pöyry businesses and service types. During 2014 these processes were also incorporated into the quality management systems of our main offices. They are supported by specifically defined tools and best practice templates for various service types.
As part of these guidelines, thorough project risk management processes including regular risk assessments and project reviews have been implemented throughout the Group to avoid and mitigate such project related risks. The project review process is based on a standardised project reporting and involves business managers on all levels of the organisation. The risk assessment and risk review processes are performed using Pöyry’s standardised risk assessment tools. The outcome of the project reviews and risk assessment may have an immediate impact on financial reporting. Project managers are supported by dedicated finance and other resources in order to ensure the accuracy and compliance of the input for financial reporting.
Our project managers play key role in project risk management. The project managers are responsible for managing and controlling their projects from bid preparation to final acceptance. Training is provided to project managers in all essential spheres of their activities. A global training programme is created for project managers and other project staff based on Pöyry’s Project Management Processes.
Specific supervision mechanisms are in place both for larger and riskier projects. Support functions, such as Legal and Finance have dedicated resources supporting project managers.
Large projects, particularly the EPC projects, may require thorough and lengthy development work and therefore contain uncertainties related to financing, implementation concepts and the exact timing of project start-up – all of which are beyond Pöyry’s control. During the project execution phase, further risks may emerge. The company has stringent risk management processes in place by which such risks are identified and mitigated as much as possible at an early stage.
Separate risk management policies and instructions have been issued for EPC and O&M projects with detailed instructions regarding risk evaluation and control mechanisms and regular project audits at site. Specialist resources are trained and recruited to strengthen existing competences in EPC projects.
Operational risks/ Partners
RISK: A fair amount of projects is conducted in co-operation with subcontractors, in consortiums or with other co-operation partners. Partner risks relating to the performance, compliance or financial standing of the partner can involve risk for Pöyry.
RISK MANAGEMENT APPROACH: Performance related liability risks are transferred with contractual back-to-back arrangements to each respective co-operation partner to the extent possible. In addition, the Group’s risk management instructions require checking of the co-operation partners’ financial status and professional quality standards, and our Code of Conduct requires our partners to follow the principles of our Code of Conduct.
Specific instructions on retaining third parties as business partners, including due diligence, confirmation and approvals, must be followed throughout the Group.
Operational risks/ Liability
RISK: Professional services provided to clients involve liability risks. These risks may relate to a failure to deliver services in accordance with agreed professional standards, to calculation and similar errors and to performance delays.
RISK MANAGEMENT APPROACH: To mitigate such risks, special emphasis has been placed on the quality management and control systems in projects, and on limitation of professional liability in contracts. The Group’s Legal function provides regular training for Project Managers on proposal and contract management, including liability and legal risk management.
In order to cover professional and general liability risks, the Group has a global liability insurance programme. The risk with liability insurances is the availability and pricing of such cover. Furthermore, certain professional risks are not covered under liability insurances.
Operational risks/ Human resources
RISK: Pöyry’s business success depends on the skills of the company’s management and personnel, as well as on the ability of the company to retain its current management and personnel and, when necessary, recruit new skilled personnel. The availability of qualified professionals in various locations around the world is an important factor for the growth and profitability of the business.
RISK MANAGEMENT APPROACH: Pöyry’s reputation and interesting career opportunities attract professionals interested in a global career in a company aspiring to be a trendsetter in its own field of business. Group-wide HR processes are being developed continuously and there is an increasing emphasis on offering a compelling employee value proposition.
Operational risks/ Information technology
RISK: Efficiency of Pöyry’s operations is largely dependent on the use and continuous improvements of information and communication technology systems. Malfunctioning or unavailability of the systems as well as loss, corruption or leakage of data can negatively affect the operations of the Group. Inability or major delays in implementing improvements or new systems can negatively affect the efficiency of Pöyry’s operations.
RISK MANAGEMENT APPROACH: Pöyry has an appropriate IT organisation, processes and controls in place in order to mitigate these risks, including redundancy, back-ups and disaster recovery plans, and appropriate malware protection, encryption technologies and network security controls. In addition Pöyry is managing its IT development and implementation projects through a central portfolio and has appropriate IT project management processes in place, including risk management.
At the end of 2012, Pöyry entered into a service agreement with a major global IT infrastructure service provider in order to harmonise and standardise Pöyry's global IT-processes and IT-service delivery model. The service model and structure has improved significantly Pöyry's IT infrastructure reliability and efficiency and has also reduced IT related risks. Additionally Pöyry is finalising its global IT infrastructure transformation program including new global network and modernised collaboration tools.
In the end of 2014 Pöyry started a project to renew its legacy IT-systems with the new Business Management System.
The financial risks are described in the Notes to the Financial Statements, section Other.