Internal control system and risk management

The purpose of this section is to provide shareholders and other parties with a description of the internal control system and the main principles of risk management and control procedures at Outokumpu.
Page last updated: 22 Sep 2023

According to the Finnish Limited Liability Companies Act and the Finnish Corporate Governance Code, the Board of Directors is responsible for ensuring that the company’s internal controls are appropriately organized. As a listed company, the Group has to comply with a variety of regulations. Furthermore, it is important to ensure that key operational and reporting targets are met. Outokumpu has developed a system of internal controls and implements it throughout the company. The main purpose of the internal control system is to provide management and the Board of Directors with reasonable assurance regarding the achievement of objectives relating to the Group’s operations, reporting and compliance. The internal control system consists of the Internal Control Policy and related instructions, common ways of working with clearly defined roles and responsibilities and IT system supported processes.

The risk management policy approved by the company’s Board of Directors defines the objectives, approaches, and areas of responsibility in the Group’s risk management activities. The risk management process consists of the following five core stages: 1) risk identification, 2) risk evaluation, 3) mitigation actions, 4) control activities, and 5) risk reporting. Read more about risks and opportunities in our Annual report.


Internal controls over financial reporting

Internal control

Outokumpu’s Internal Control Policy defines the main roles, responsibilities, principles, and objectives for the Group’s internal control system. Outokumpu applies the COSO Internal Control – Integrated Framework (2013) as the main guidance for the internal control system.

The Board of Directors is ultimately responsible for overseeing the system of internal controls and the CEO, supported by other members of executive management, is responsible for implementing and maintaining an efficient system of internal controls. Components of the system include control environment, risk assessment, control activities, information and communication as well as monitoring activities.

Outokumpu’s financial reporting follows International Financial Reporting Standards (IFRS) as adopted by the EU. The Outokumpu Accounting Principles are Outokumpu’s application guidance on IFRS. Outokumpu also complies with the regulations regarding financial reporting published by the Financial Supervisory Authority (FIN-FSA), Nasdaq Helsinki, and the European Securities and Markets Authority (ESMA). The objective of internal controls over financial reporting at Outokumpu is to provide reasonable assurance that the financial reporting and the preparation of financial statements are in accordance with applicable laws, regulations, and internal requirements.

Key policies relevant to internal controls
  • Approval Policy: Defines the relevant authorization levels and thresholds within the Outokumpu Group. Applies to the internal approval of contracts and other commitments made by the Business Areas and Group Functions of the Outokumpu Group.
  • Risk Management Policy: Describes the risk management principles and main rules followed by the Outokumpu Group.
  • Code of Conduct: Sets out the ethical standards and provides guidelines for a common way of working.
  • Internal Audit Charter: Describes the main principles and rules followed by the Outokumpu Group in relation to Internal Audit’s assignment and underlying values.
  • Internal Control Policy: Defines main roles, responsibilities, principles, and objectives for Outokumpu’s internal control system.
  • Treasury Policy: Defines objectives and main principles for Treasury as well as the distribution of related tasks and responsibilities within the Outokumpu Group.
  • Acceptable Use of IT Policy: Outlines the guidelines of constraints and practices that a user must agree to for access to Outokumpu’s network, the internet, and other resources.
  • Identity and Access Management Policy: Enables the right individuals to access the right resources at the right times for the right reasons.
  • Corporate Responsibility Policy and Ethics Statement: Aims to guarantee that companies work ethically, considering human rights as well as the social, economic and environmental impacts.
  • Outokumpu Accounting Principles (OAP): Sets out the accounting principles and disclosure requirements that must be followed by all legal companies and reporting units in reporting their financial information to the Group.

Control environment

The foundation of Outokumpu’s control environment consists of policies, standards, processes, and structures that provide the basis for the internal control system across the organization and define the ways in which Outokumpu operates. The performance management as well as the risk management and internal control process are key management activities in enabling an efficient control environment. Throughout the Group’s operations, the planning activities and the setting of compliance, operational and financial targets are executed in accordance with Outokumpu’s overall business targets. Management monitors related achievements. Risks or threats are handled through regular reporting and status review meetings.

Risk assessment

Risk assessment involves a dynamic and iterative process for identifying and evaluating risks to achieve predefined objectives and it provides the foundation for determining how risks will be managed.

The risks related to the financial reporting are managed according to Outokumpu’s risk management policy. The risks related to financial reporting are identified and evaluated in risk workshops or similar, addressing the risks for the most relevant parts of the financial reporting process.

Control activities

The objective of control activities is to prevent, discover, and correct potential errors and deviations. Control activities also aim to ensure that authorization structures are designed and implemented in such a way that incompatible tasks (e.g. one person performing a critical activity and being responsible for controlling that activity) are segregated. Control activities are performed at all levels of the organization, at various stages within business processes, and within the key technologies, e.g. ERP systems.

Control activities for the financial reporting consist of different kinds of measures and include reviews of financial reports by Group and business area management teams, the reconciliation of accounts, analyses of the logic behind reported figures, forecasts compared to reported figures, and analyses of the Group’s financial reporting processes, among others. A key component is the monitoring of monthly performance against financial and operational targets. These types of control activities take place at different levels of the organization.

Control activities highlights

  • During 2022, implementation of the digital platform for risk and control management continued by stabilizing the process and adding more units and functions into the scope.
  • Strengthening of segregation of duties (SoD) management continued in 2022 as per the development roadmap, by governance and process modelling and through SoD risk identification. Furthermore, the development of SoD risk reporting was started.
  • Outokumpu further developed its financial reporting process by increasing efficiencies and effectiveness in financial closing processes through process and timeline harmonization, documenting financial reporting related risks, and increasing the coverage of internal controls in the financial reporting process area.
  • Preparations for the next rollout of the new ERP system together with other related IT systems continued.

Information and communication

Group-wide policies and principles are available to all Outokumpu’s employees. Instructions relating to financial reporting are communicated to all of the parties involved. The main communication channels employed are regular controller meetings, Outokumpu’s intranet, other easily accessible databases, and email. Finance Leadership Team meetings are organized regularly to share information and discuss issues of topical interest to the Group.

Furthermore, Outokumpu has established Group Functions Board and steering groups in which financial reporting and internal control issues are discussed and reviewed. These groups typically consist of senior members of management and substance experts. Outokumpu’s objective is to ensure that common financial processes and reporting practices are followed throughout the Group and that effective internal controls relating to financial reporting are established.

Monitoring activities

The organization evaluates and communicates internal control deficiencies in a timely manner to the parties responsible for taking corrective action, including executive and senior management, and the Board of Directors, as appropriate. Both management in Outokumpu’s group companies and the accounting and controlling functions are responsible for the follow-up and monitoring of internal controls connected with financial reporting. Overall development and monitoring of the internal control process and platform, as well as control testing, are performed by the Group's internal control function. The internal audit function monitors that an appropriate control environment exists across the Group. Risk management, the compliance function, and Outokumpu’s auditors are also engaged in the review of control activities. The findings of the review procedures as well as maturity of the system of internal controls are reported to the Board Audit Committee and the Group Functions Board on a regular basis.


Internal audit

The mission of internal audit is to provide an independent and objective assurance, control, and consulting function designated to add value, improve operations, and monitor and support the organization in the achievement of its objectives.

Through a systematic, disciplined approach, internal audit determines whether governance and compliance processes, the internal control system, and the risk and control management process, as designed and represented by the Board of Directors and the Outokumpu Leadership Team, are effective and efficient.

Group internal audit, with the third-line roles in risk management, performs audits according to the audit plan approved by the Board Audit Committee. Internal audit monitors, together with the compliance function, adherence to Group principles, policies, and instructions, and leads investigations into fraudulent and noncompliant behaviors and activities.

Key activities in 2022

  • In 2022, internal audit performed nine audits, in line with the audit plan. The results of the audits as well as progress in related actions are reported to the relevant management, the Board Audit Committee, and the external auditor.
  • A total of 45 misconduct reports were recorded in 2022 (2021: 40), with most of the reports leading to recommendations for management actions.

Ethics and compliance

Outokumpu is strongly committed to the highest ethical standards and complies with the applicable laws and regulations of the countries in which it operates as well as with the agreements and commitments it has made. Outokumpu’s Code of Conduct sets out these ethical standards and provides guidelines for common ways of working with the aim of ensuring that all Outokumpu employees live up to Outokumpu’s ethical standards.

Outokumpu’s legal and compliance function is responsible for managing and continuously developing Outokumpu’s group-wide ethics and compliance program. Outokumpu’s ethics and compliance program is described in more detail in the Sustainability review. The legal and compliance function reports to the CEO and to the Outokumpu Leadership Team as well as directly to the Board Audit Committee on ethics and compliance related matters.

Ethics and compliance related matters are also regularly handled in the Compliance Steering Group, consisting of the CEO, CFO, Head of HR, Head of Internal Controls and Internal Audit, General Counsel and Head of Compliance. The Compliance Steering Group met four times in 2022. In addition, a global network of compliance contact persons and several data protection governance bodies support the implementation of the ethics and compliance program in the business areas and group functions.