Description of internal control procedures and the main features of risk management systems

Group’s financial reporting

Kesko’s management model

Kesko’s financial reporting and planning are based on Kesko Group’s management model. The Group units’ financial results are reported and analysed internally within the Group on a monthly basis and disclosed in quarterly interim reports, the half year financial report and the financial statements release. Financial forecasts are updated quarterly, in addition to which significant changes are taken into account in the monthly performance forecasts. The Group’s and its units’ strategies and related long-term financial plans are updated annually.

Roles and responsibilities

Kesko Group’s financial reporting and its supervision are organised at three levels. Businesses analyse and report their figures to the divisions, which then report the division-specific figures to Group Accounting. Analyses and controls for ensuring the accuracy of reporting are used at each reporting level.

The accuracy of reporting is ensured with automated and manual controls at every reporting level. The implementation of the analyses and controls is supervised on a monthly basis at the company, business, division and Group level.

Planning and performance reporting

The Group’s financial performance and the achievement of financial targets are monitored through Group-wide financial reporting. Monthly performance reporting includes actual Group, division and business specific results, changes compared to the previous year, comparison with forecasts, and forecasts for the next 12 months. The Group’s short-term financial planning is based on annual budgeting and quarterly updated forecasts extending over the following 12 to 15 months. The key financial indicator for growth is sales performance, while those for profitability are comparable operating profit and comparable return on capital employed, monitored by monthly internal reporting. Information on the Group’s financial situation is provided in interim reports, a half year financial report and the financial statements release. The Group’s sales figures are published each month.

Performance reporting to the Group’s top management

Performance reporting to the Group’s top management comprises monthly reports on the Group’s, divisions’, businesses’ and subsidiaries’ profits and capital employed, as well as the Group's balance sheet information. Each business is primarily responsible for the financial reporting and the accuracy of figures. The controlling function of each division analyses the whole division’s figures for which the division's financial management is responsible. The Group is responsible for the whole Group’s figures. The key items in the income statement, capital employed and balance sheet are analysed monthly at the business, division and Group level, based on a documented division of duties and predefined reports. This makes real-time information on the financial situation constantly available and enables real-time responses to possible flaws. Performance reporting to management also includes Group-level monitoring of sales on a weekly, monthly and quarterly basis.

Public performance reporting

Public performance reporting comprises interim reports, a half year financial report, the financial statements release, the annual financial statements and monthly sales reports. The same principles and control methods are applied to public performance reporting as to monthly performance reporting. The Audit Committee reviews the interim report, the half year financial report and the financial statements and gives the Board of Directors a recommendation on their review. The Board approves the interim report, the half year financial report and the financial statements before they are published.

Key actions in 2016

In 2016, the simplification of the Group’s legal structure continued and the focus was on the integration of the businesses of the acquired Onninen Oy, Suomen Lähikauppa and Ab AutoCarrera Oy. By the end of the year, 223 Siwa and Valintalo stores of Suomen Lähikauppa had been converted into K-Markets. In connection with the conversion, the stores adopted Kesko Group’s information systems and were connected to the Group’s centralised financial management.

During the year, Rautakesko Ltd and five other Finnish limited liability companies engaging in business operations were merged into Kesko Corporation and six real estate companies into their parent companies. The centralisation of the Group companies’ financial management routines to the Shared Service Centre continued in Finland, as VV-Auto Group Oy’s basic financial management processes were transferred to the Shared Service Centre.

Key actions in 2017

In 2017, the simplification of the Group’s legal structure in Finland will continue, as the pending mergers are completed. In addition, work on improving the efficiency of the Group companies’ financial management and on its conversion to electronic format will continue in Finland.

Accounting policies and financial management IT systems

Kesko Group complies with the International Financial Reporting Standards (IFRSs) endorsed by the European Union. The accounting policies applied by the Group have been compiled in the accounting manual, updated as the standards are amended. The manual contains guidelines for separate companies and the parent company, as well as guidelines for the preparation of the consolidated financial statements.

Kesko Group’s financial management information is generated from division-specific enterprise resource planning systems via a centralised and controlled shared interface into the Group’s centralised consolidation system to produce the Group’s key financial reports. The key systems used in the production of financial information have been certified and secured by back-up systems, and they are controlled and checked regularly to ensure reliability and continuity.



Internal control

Internal control is an integral part of management and of ensuring the achievement of business objectives. Through efficient internal control, deviations from objectives can be prevented or detected as early as possible, so that corrective measures can be taken. The tools of internal control include policies and principles, work instructions, manual controls and automatic controls built into information systems, follow-up reports, inspections and audits, among other things.

The objective of internal control in Kesko Group is to ensure the profitability, efficiency, continuity and freedom from disruptions of operations, the reliability of financial and operational reporting both externally and internally, compliance with laws and agreements and Kesko’s values and operating principles, as well as safeguarding assets, expertise and information.

Roles and responsibilities in Kesko Group’s internal control

The planning of control measures begins with the definition of business objectives and the identification and assessment of the risks that threaten the objectives. The definition of objectives and the assessment of risks should take account of not only operational objectives, but also the requirements for compliance of operations with the law, and for the accuracy of the information used in decision-making and reporting. Control measures are targeted based on risks, and control measures are selected as appropriate so as to keep the risks under control.

The Board of Directors and the President and CEO are responsible for organising internal control. The management of each division, company and unit is responsible for taking care that efficient and effective control procedures are in place. The next year’s focus areas in risk management and control are discussed in annual risk management and control discussions with the Group and division managements. Every Kesko employee is obliged to comply with the K Code of Conduct and inform their supervisors of any grievances.

Kesko's common functions guide and support the divisions and subsidiaries with policies, principles and guidelines pertaining to their respective areas of responsibility. Kesko Group's internal audit function assesses and verifies the effectiveness and efficiency of Kesko's internal control, reports on it to the President and CEO and the Audit Committee of Kesko Corporation’s Board of Directors and assists management and the Kesko companies in the development of the internal control system. The Audit Committee of Kesko’s Board of Directors has confirmed the principles of Kesko’s internal control, which are based on good control principles widely accepted internationally (COSO 2013).

Risk management

Kesko’s risk management is proactive and an integral part of management and day-to-day activities. The goal of risk management is to ensure the implementation of Kesko’s strategy.

Risk management in Kesko Group is guided by the risk management policy approved by Kesko's Board of Directors. The policy defines the goals and principles, organisation, responsibilities and practices of risk management in Kesko Group. In the management of financial risks, the Group's finance policy, confirmed by Kesko's Board of Directors, is observed.

The managements of the business operations and the common functions are responsible for the execution of risk management. The finance director is responsible for the execution of risk management in each division. The risk management unit coordinates the risk management process and is responsible for risk reporting and executes risk identification, the determination of risk management responses and their implementation jointly with the businesses and the common functions. Kesko’s Internal Audit annually evaluates the efficiency of Kesko’s risk management system.

Risk management steering model

Kesko Group applies a business-oriented and comprehensive approach to risk assessment and risk management. This means that key risks are systematically identified, assessed, managed, monitored and reported as part of business operations at the Group, division, company and common function level in all operating countries.

Kesko has a uniform risk assessment and reporting model. Risk identification is based on business objectives and opportunities and the defined risk appetite. Risks are prioritised on the basis of their significance by assessing their impacts in euros and the probability of their realisation. When assessing the impact of realisation, the impacts on reputation, the wellbeing of people and the environment are assessed in addition to the impacts in euros.

In connection with the strategy process, the divisions assess the risks and opportunities concerning each strategy period. Near-future risks are identified and assessed on a quarterly basis. Risk assessment also covers the risks concerning the divisions’ subsidiaries and those related to significant projects.

The risk assessments of the divisions and the common functions, which include a risk map, risk management responses, responsible persons and schedules, are reviewed regularly by the respective division’s or common function’s management.

Risks and risk management responses are reported in accordance with Kesko’s reporting responsibilities. The divisions and the common functions report on risks and changes in risks to the Group’s risk management function on a quarterly basis. Risks are discussed by the risk management steering group, which includes representatives of the divisions and the common functions. On that basis, the Group’s risk management function prepares the Group’s risk report, which is reviewed by the Governance, Risk and Compliance (GRC) steering group, after which the CFO presents the risk report to the Group Management Board.

The Group's risk map, the most significant risks and uncertainties, as well as material changes in and responses to them are reported to the Kesko Board's Audit Committee in connection with reviewing the interim reports, the half year financial report and the financial statements. The Audit Committee also evaluates the efficiency of Kesko’s risk management system. The Audit Committee Chair reports on risk management to the Board as part of the Audit Committee report.

Kesko's Board discusses Kesko Group’s most significant risks and uncertainties. The Board reports on the most significant risks and uncertainties to the market in the financial statements and on material changes in them in the half year financial report and the interim reports.

Risk management responses in 2016

In spring 2016, Kesko’s risk management was centralised and reorganised with the aim of better integrating it into the strategy process and enhancing the execution of risk management throughout the organisation. The most significant development targets in risk management in 2016 were the harmonisation of the divisions’ and the common functions’ risk management processes, especially the definition of actions related to risk reduction and determination, as well as the enhancement of monitoring. In addition, the preparatory work for a cyber risk management model was begun and preparations for a bidding process for insurance cover based on Kesko’s risk tolerance were started. Using centralised purchasing power in the acquisition of security services and technology was continued. The risk management function actively participated in the risk management process of the completed acquisitions, as well as in the takeover and integration of the acquired companies’ risk management, corporate security and insurance solutions at the Group level. A positive trend continued in terms of damages and there were no major single damages.

Focus areas of risk management in 2017

The most important focus area in risk management is to support Kesko’s strategy by implementing strategy-based risk management. The development and assurance of the effectiveness of actions related to risk reduction and determination will be continued. Other focus areas in risk management include the implementation of the cyber risk management model, the renewal and deployment of insurance cover on the basis of risk tolerance and risk appetite, as well as the development of the management model for Kesko’s crisis and exceptional situations and its updating to correspond to Kesko’s new organisation. In addition, the development of the Group’s common functions’ risk management process will continue and the implementation of the risk management process in the new country organisations of the building and technical trade will be ensured. The improvement of cost efficiency will continue in terms of centralised purchasing.