Risk management and control
The purpose of internal control and risk management is to ensure that the company’s operations are effective, that financial and other information is reliable, and that the company complies with the relevant regulations and operating principles. The Board of Directors, assisted by the Audit Committee, is responsible for monitoring and assessing the effectiveness of the company’s internal control and risk management systems. Internal audit assists the Board of Directors with its monitoring responsibility by ensuring that the group’s control measures have been planned and set up effectively.
Internal control system
The company has developed and implemented a comprehensive internal control system that covers business and financial reporting processes. UPM’s internal control framework is based on the internal control framework issued by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). The framework was originally published in 1992 and it is internationally recognised guidance for designing, implementing and conducting internal control, and assessing its effectiveness. During 2014, UPM transitioned to the updated COSO 2013 framework.
The five components of UPM’s internal control system are:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
UPM’s system of internal control can be described with the lines of defense model, which is reflected in UPM’s risk management and control processes.
Lines of defense in UPM’s risk management and internal control
Risk management process
UPM’s risk management process includes the following phases:
- Risk identification and assessment
- Development of risk management strategies
- Design and implementation of risk management procedures
- Monitoring of risk management performance
- Continuous improvement of risk management capabilities
The company’s annual risk management process is linked to the company’s long-term planning process (LTP) as presented in the illustration below.
Annual risk management cycle
Internal audit’s purpose
Internal audit supports management in its responsibilities for:
- Ensuring that governance processes are appropriate
- Improving efficiency and effectiveness of the operations
- Reducing the risk of asset losses
- Ensuring the reliability of financial information and business reporting
- Ensuring compliance with laws, regulations and contracts
- Improving information security
- Preventing misconduct
- Managing ethical issues
Further information on the company’s internal control, risk management and internal audit is available under the respective sections.