RISK MANAGEMENT
Risk management is an integral part of Pöyry’s business management and internal control framework. The aim of our risk management is to enable the achievement of the Company’s strategic and financial objectives and targets in a controlled manner.
Risk management framework
Policy and instructions
The Board has issued for the Group a Risk Management Policy, which defines the objectives, principles, operating procedures, organisation and responsibilities of risk management and the reporting and follow-up procedures. Based on the Policy, more detailed Risk Management Instructions have been issued for the day-to-day business. These instructions mainly concern projects, the core business of Pöyry.
Organisation
The President and CEO of the Company organises risk management of the Group with the assistance of the Group Executive Committee (GEC) and a specific member of the GEC in charge of risk management. The GEC issues risk management instructions and guidelines based on the Group’s Risk Management Policy, follows monthly the major risks of the business groups, and oversees the development of risk management systems and practices of the Group. The GEC’s Risk & Compliance Subcommittee reviews all major projects, which are subject to GEC or Board approval. The GEC conducts the Group level ERM process (see section “Process” below) and consolidates the Group and business group level results for a report to the Audit Committee and Board.
The primary responsibility for managing risks rests with the business groups, where risks also primarily accrue. The Business Group Presidents organise risk management in their business group following the Group’s risk management guidelines and procedures. The Business Group’s President reports the major risks and overall risk status of the business group to the GEC as part of the monthly business reporting. In addition, a separate follow-up report is prepared on the most significant project risks.
The Audit Committee monitors the efficiency of the Group’s risk management systems. In addition, the Audit Committee reviews regularly in its meetings the major risks of the Group as well as the ERM reports, and reports on these to the Board.
The Board oversees risk management and reviews the risk management processes of the Group with the assistance of the Audit Committee, and approves the risk management principles of the Company. The ERM reports and most relevant Group level risks are reported regularly to the Board.
Process
Pöyry’s risk management consists of a co-ordinated set of activities to identify, evaluate, treat and control all major risk areas of the Group in a systematic and proactive manner.
ERM (Enterprise risk management) Process
A uniform group-wide ERM (Enterprise Risk Management) process is conducted annually in connection with the strategy process. In this process, each business group and business area makes the short-term and long-term risk assessment independently. An overall Group level risk review and assessment is made by the Group Executive Committee. The business groups are responsible for treating their risks by taking appropriate actions. These actions typically include mitigating, transferring or absorbing risks, or a combination of these actions. The development of the actions is followed regularly in the organisation.
Risks are addressed in the ERM process according to the following main risk categories:
- External risks
- Internal risks
- Strategic risks
- Operational risks
- Financial risks
Project Risk Management process
Risk management of projects and assignments is an integral part of Pöyry’s day-to-day risk management.
Since the beginning of 2011 global project risk management processes have been rolled out in the Pöyry Group. Project risk management process is supported by two web based tools that are used according to the complexity and level of risk of the project.
The project risk management process is followed throughout the project lifecycle, starting in the proposal phase and continuing as a regular and systematic process until the closing of the project.
Both project risk management and the ERM process follow one generic risk management process:
Description of risks
Typical risks related to Pöyry’s business operations are described in the following. The description is not intended to be comprehensive and our operations are subject also to other risks. The most significant risks and uncertainties identified during the financial year are described in the Board of Director’s Report.
External risks
Markets
The uncertainties in the financial markets continue and the risk of an economic downturn or financial crises is still relevant. This risk can create uncertainty and delays in clients’ decision making. Should the risk materialise, it could create serious problems for clients in arranging financing for investments and could have an adverse impact on Pöyry’s net sales and profitability. The Group aims to reduce its vulnerability to market risks and business cycles by a balanced portfolio of assignments by clients in different industries, markets and geographical areas as well as through sub-contracting and flexible employment arrangements. The implementation of global engineering centres also has made resource allocation more flexible. In economic downturns Pöyry’s order stock, the activity level of employees and professional charging rates may decline, which would have a negative impact on Pöyry’s revenues and financial position.
Competition
The consulting and engineering business is characterised by keen global competition. The economic uncertainty has continued intensified competition in certain sectors and markets. Competition from non-traditional players has also significantly increased in some sectors.
With Pöyry’s Vision 2020 , Pöyry aims at differentiating itself from its competitors by becoming “the global thought leader in engineering balanced sustainability for a complex world”. Pöyry provides its clients with a full range of leading-edge sustainable solutions and services which best fulfil the clients’ needs. In order to further differentiate and reduce exposure to low cost competition, Pöyry will increasingly develop and offer packaged solutions, whilst also maintaining a diverse portfolio of services and products.
Internal risks
Strategic risks
Business development
Organic growth is an important part of Pöyry’s growth strategy. The key risks in achieving this strategic goal are potential lack of skilful sales resources, limited amount of suitable projects, and delays in clients’ decision making. According to the Vision 2020, a significant part of the organic growth is expected to derive from larger and complex projects. There is a limited number of these projects available in the market in the sectors where Pöyry operates, and the risk profile may be such that Pöyry would not decide to pursue them.
Part of Pöyry’s growth is expected to be derived from acquisitions. A risk in implementing this strategy is the lack of good, reasonably priced acquisition targets which would fit into Pöyry’s Vision 2020 and strategy. An additional risk related to acquisitions is the potential failure in managing the acquisition process. The Group has an Acquisition Policy, which defines the acquisition process with areas of responsibility and authorities. The GEC’s Mergers & Acquisitions Subcommittee reviews all acquisitions. Special attention is paid to post-acquisition business and integration plans and their implementation.
Pöyry brand
In 2006 the Group adopted a one-brand strategy. The risks related to Pöyry’s reputation and international recognition arising from the one-brand strategy are addressed by brand management guidelines. Furthermore, compliance with the Pöyry Operating Guidelines (see the following section) throughout the Group is an important mitigant to this risk.
Operational risks
Compliance with norms, procedures and instructions
Pöyry is an organisation of thousands of professionals operating in tens of countries around the world. In such an organisation, unlawful activities such as fraud, corruption and harassment, and other misconduct may expose a risk for us.
Pöyry takes strong measures to mitigate this risk. The Company’s Compliance Programme is an important part of this risk mitigation. The programme is based on the Pöyry Operating Guidelines, which contain the most important group wide policies, instruction and guidelines approved by the Board of Directors, the Group Executive Committee or the President and CEO.
The Pöyry Code of Conduct with its Compliance Guidelines is a foundation document of the Pöyry Operating Guidelines. The Code defines the standards of our ethical behaviour and reconfirms the zero tolerance for corruption, bribery, fraud and discrimination or harassment of any kind. The Code aims at ensuring that the Company conducts business according to the highest ethical standards.
The Code must be followed by all Pöyry employees and business partners. To help employees understand the Code, a web based e-training module is available to the whole Group with every employee having to annually complete the training. Furthermore, training, personal guidance, supervision, audits and other practical tools are used to reduce our exposure to these risks. In accordance with the Code, a Whistleblower Hotline is being implemented in Pöyry since 2011.
Besides the Code, the Company’s Internal Control Policy, Risk Management Policy and Instructions and the Authorities and Approval Matrix provide a framework for controls and risk management environment. The internal control framework is tailored to address the mitigation of compliance risks.
Projects and assignments
About fifteen (15) per cent of Pöyry’s business consists of consulting assignments such as management consulting, technical consulting and other similar advisory services. According to common practice in the consulting business, Pöyry aims to restrict inherent liability risks by using standard contract terms and insurances, and these assignments typically do not involve significant liability risks. If a particular risk area is identified in connection with such services, special mitigation actions are taken all the way up to discontinuing provision of such services.
Advisory services occasionally involve a risk related to receivables. Front-loaded and regular payment schedules are used to minimise such risks.
About eighty five (85) per cent of Pöyry’s business is derived from project services such as basic and detail engineering, procurement assistance, project and construction supervision, and project management and other site services. These projects are carried out on a fixed-price, ceiling-fee or time-charge basis. Fixed-price and ceiling-fee projects contain the risk of involving more professional work or time than estimated as a result of inaccurate time and cost estimates, performance delays, disputes about compensation for additional or changed services, inexperienced staff or other unexpected circumstances.
Quality management systems and project review processes are in use throughout the Group to avoid and mitigate such risks. Regular project reviews are conducted in major projects and projects which include risks. The work in progress, changed and additional work and receivables are assessed and recorded in the project accounting and risk management system.
Our project managers play key role in project risk management. Our project managers are responsible for managing and controlling their projects from bid preparation to final acceptance. Training is provided to project managers in all essential spheres of their activities. A new group wide Pöyry Project Management training programme was started in 2011. The training is done according to PMI (Project Management Institute, www.pmi.org) Project management training is divided into three levels, levels 2 and 3 aiming at the PMI certificate for Pöyry’s project managers.
Specific supervision mechanisms are in place both for larger and riskier projects. Support functions, such as Legal and Finance have dedicated resources supporting project managers.
Part of Pöyry’s business is derived from contracting type projects such as engineering, procurement and construction (EPC) projects and operation and maintenance (O&M) service projects. EPC projects typically contain the project management, engineering, procurement, construction, erection, commissioning, start-up and testing of the plant. O&M projects consist of the running of the plants for the client including maintenance work.
According to Pöyry’s Vision 2020, large and complex projects, including engineering, procurement and construction management services (EPCM) projects, as well as EPC and O&M projects, are a focus area of Pöyry. In order to manage the risk in larger and complex projects, a specific Large Projects function has been established in the Group with specialists on all key areas of such projects. The Large Projects function has developed procedures and policies for large and complex projects and is in charge of overseeing the implementation of these projects.
Separate risk management policies and instructions have been issued for EPC and O&M projects with detailed instructions regarding risk evaluation and control mechanisms and regular project audits at site. A Supervisory Board must be in place for all EPC and other large and complex projects. Specialist resources are trained and recruited to strengthen existing competences in EPC projects.
In about one third of Pöyry’s assignments the client is from the public sector or is an institutional investor. It is characteristic of these service contracts that liabilities cannot always be limited according to the Group’s policies. As a rule, public-sector assignments are awarded according to public procurement, which involves the risk of tough price competition. In addition, public-sector decision-making involves the risk that the decision concerning the use of public funds for a specific project may be changed, delayed or cancelled, when political decision-makers are replaced. Due to the particular risks relating to public sector projects, separate project and risk management guidelines and procedures have been defined for the business units which are engaged in this business. Special instructions have been issued and e-learning module created for personnel involved with projects for, or financed by, International Financial Institutions (IFIs).
Partners
A fair amount of projects is conducted in co-operation with subcontractors, in consortiums or with other co-operation partners. Partner risks relating to the performance, compliance or financial standing of the partner can involve risk for Pöyry. Performance related liability risks are transferred with contractual back-to-back arrangements to each respective co-operation partner to the extent possible. In addition, the Group’s risk management instructions require checking of the co-operation partners’ financial status and professional quality standards, and our Code of Conduct requires our partners to follow the principles of our Code.
Specific instructions on retaining third parties as business partners, including due diligence, confirmation and approvals, must be followed throughout the Group.
Liability
Professional services provided to clients involve liability risks. These risks may relate to a failure to deliver services in accordance with agreed professional standards, to calculation and similar errors and to performance delays. To mitigate such risks, special emphasis has been placed on the quality management and control systems in projects, and on limitation of professional liability in contracts. The Group’s Legal function provides regular training for Project Managers on proposal and contract management, including liability and legal risk management.
In order to cover professional and general liability risks, the Group has a global liability insurance programme. The risk with liability insurances is the availability and pricing of such cover. Furthermore, certain professional risks are not covered under liability insurances.
Human resources
Pöyry’s business success depends on its professional staff. The availability of qualified professionals in various locations around the world is an important factor for the growth and profitability of the business. Pöyry’s reputation and interesting career opportunities attract professionals interested in a global career in a company aspiring to be a trendsetter in its own field of business. Group-wide HR processes are being developed continuously and there is an increasing emphasis on offering a compelling employee value proposition.
Information technology
Efficiency of Pöyry’s operations is largely dependent on the use and continuous improvements of information and communication technology systems. Malfunctioning or unavailability of the systems as well as loss, corruption or leakage of data can negatively affect the operations of the Group. Inability or major delays in implementing improvements or new systems can negatively affect the efficiency of Pöyry’s operations.
Pöyry has an appropriate IT organisation, processes and controls in place in order to mitigate these risks, including redundancy, back-ups and disaster recovery
plans, and appropriate malware protection, encryption technologies and network security controls. In addition Pöyry is managing its IT development and implementation projects through a central portfolio and has appropriate IT project management processes in place, including risk management.
Financial risks
The financial risks are described in the Notes to the Financial Statements, section Other.
