Risk management and control


The purpose of internal control and risk management is to ensure that the company’s operations are effective, that financial and other information is reliable, and that the company complies with the relevant regulations and operating principles. The Board of Directors, assisted by the Audit Committee, is responsible for monitoring and assessing the effectiveness of the company’s internal control and risk management systems. Internal audit assists the Board of Directors with its monitoring responsibility by ensuring that the group’s control measures have been planned and set up effectively.

Internal control system

The company has developed and implemented a comprehensive internal control system that covers business and financial reporting processes. UPM’s internal control framework is based on the internal control framework issued by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). The framework was originally published in 1992 and is internationally recognised guidance for designing, implementing and conducting internal control, and for assessing its effectiveness.

The five components of UPM’s internal control system are:

  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring activities

UPM’s system of internal control can be described with the lines of defense model, which is reflected in UPM’s risk management and control processes.

Lines of defense in UPM’s risk management and internal control


Risk management process

UPM’s risk management process includes the following phases:

  1. Risk identification and assessment
  2. Development of risk management strategies
  3. Design and implementation of risk management procedures
  4. Monitoring of risk management performance
  5. Continuous improvement of risk management capabilities

The company’s annual risk management process is linked to the company’s long-term planning process (LTP) as presented in the illustration below. 

Annual risk management cycle


Internal audit’s purpose

Internal audit supports management in its responsibilities for:

  • Ensuring that governance processes are appropriate 
  • Improving efficiency and effectiveness of the operations 
  • Reducing the risk of asset losses
  • Ensuring the reliability of financial information and business reporting
  • Ensuring compliance with laws, regulations and contracts
  • Improving information security
  • Preventing misconduct
  • Managing ethical issues 

Further information on the company’s internal control, risk management and internal audit is available under the respective sections.