Risk management

UPM regards risk management as a systematic and proactive means to analyse and manage the opportunities and threats related to its business operations. It also includes careful planning and evaluation of future projects and business environment in order to avoid risks. The operating principles, objectives, roles and responsibilities of the company's risk management are defined in the Risk Management Policy approved by the Board of Directors. The management of financial risks is based on the Group Treasury Policy, approved by the Board of Directors.

Risk management responsibilities

Risk management is an integral part of UPM’s management system as risk taking is a normal part of business operations. While executing strategies, UPM and its business areas, functions and manufacturing units are exposed to a number of risk and opportunities. Each business area, function and unit is responsible for identifying, measuring and managing of risks related to its own operations, and for reporting on risk exposures, risk management activities and results to its own management team and to the Risk Management function. The Risk Management function is independent from business areas and global functions except from Finance and Control function under which it operates.

UPM’s Risk Management function is responsible for:

• communicating and enforcing the Risk Management Policy and risk limits
• developing group-wide risk management procedures and guidelines
• measuring and monitoring risk management performance
• aggregating and reporting the risk management information collected from the business areas, functions and manufacturing units to the Risk Management Committee and the Audit Committee.

The Risk Management Committee, chaired by the CFO, is responsible for recommending risk tolerances and profile to the President and CEO and the Strategy Team. The Strategy Team is responsible for aligning risk management priorities, business and risk management strategies and policies.

The Board of Directors, assisted by the Audit Committee, monitors and assesses the effectiveness of the company’s risk management systems and oversees the assessment and management of risks related to the company’s strategy and operations. The Audit Committee oversees that risk management activities are aligned with the Risk Management Policy, and that risk assessments are used to guide internal audit and compliance activities.

Risk factors

At UPM, risk factors are classified as strategic risks, operational risks, financial risks and hazard risks. The main risk factors that can materially affect the company’s business, financial results and non-financial performance are presented in the Report of the Board of Directors on pages 133–137 of the Annual Report 2023. Near-term risks and uncertainties are described in the interim reports issued by the company quarterly. A description of the financial risks and financial risk management is available in the notes to the consolidated financial statements on pages 210–215 of the Annual Report 2023.

Risk management pertaining to financial reporting

The company’s risk management pertaining to financial reporting is also based on the Risk Management Policy approved by the Board of Directors, and on the principles, roles, responsibilities and risk management processes set out in the policy. Risk management pertaining to financial reporting is described in the Corporate Governance Statements issued by the company annually.