Risk management is an integral part of Pöyry’s business management and internal control framework. The aim of our risk management is to enable the achievement of the Company’s strategic and financial objectives and targets in a controlled manner.
1. Risk management framework
1.1Policy and instructions
The Board has approved a Risk Management Policy for the Group, which defines the objectives, principles, operating procedures, organisation and responsibilities of risk management and the reporting and follow-up procedures. Based on the Policy, more detailed Risk Management Instructions have been issued for the day-to-day business. These instructions mainly concern projects, the core business of Pöyry.
The President and CEO of the Company organises risk management of the Group with the assistance of the Group Executive Committee (GEC) and a specific member of the GEC in charge of risk management. The President and CEO approves risk management instructions and guidelines based on the Risk Management Policy, follows monthly the major risks of the business lines, and oversees the development of risk management systems and practices of the Group. The GEC conducts the Group level ERM process (see section “Process” below) and consolidates the Group and business line level results for a report to the Audit Committee and Board.
The primary responsibility for managing risks rests with the business, where risks also primarily accrue. The Presidents of the business lines are responsible for organising risk management in their business line following the Group’s risk management guidelines and procedures. The business line President reports the major risks and overall risk status of the business line as part of the monthly business reporting. In addition, a separate follow-up report is prepared on the most significant project risks.
The Audit Committee monitors the efficiency of the Group’s risk management systems. In addition, the Audit Committee reviews regularly in its meetings the major risks of the Group as well as the ERM reports, and reports on these to the Board.
The Board oversees risk management and reviews the risk management processes of the Group with the assistance of the Audit Committee, and approves the risk management principles of the Company. The ERM reports and most relevant Group level risks are reported regularly to the Board.
Pöyry’s risk management consists of a co-ordinated set of activities to identify, evaluate, treat and control all major risk areas of the Group in a systematic and proactive manner.
1.3.1 ERM (Enterprise risk management) Process
A uniform group-wide ERM (Enterprise Risk Management) process is conducted annually in connection with the strategy process. In this process, each business line makes the short-term and long-term risk assessment independently. An overall Group level risk review and assessment is made by the Group Executive Committee. The business lines are responsible for treating their risks by taking appropriate actions. These actions typically include mitigating, transferring or absorbing risks, or a combination of these actions. The development of the actions is followed regularly in the organisation.
Risks are addressed in the ERM process according to the following main risk categories:
- External risks
- Internal risks
- Strategic risks
- Operational risks
- Financial risks
1.3.2 Project Risk Management process
During 2012-2013, the General Project Management Guidelines of Pöyry were defined and documented. The guidelines consist of a description of Pöyry’s approach to project management as well as a description of key project management processes of Pöyry. Project risk management is one of the defined processes. These guidelines will be the foundation of Pöyry’s project management. They will be published within Pöyry during 2013.
The newly developed Project Management Guidelines are supported by Pöyry’s Project Management Training Programme, which has been created side by side with the process development. Excellence in project management means quality services and good risk and opportunity management.
Risk management of projects and assignments is an integral part of Pöyry’s day-to-day risk management and a key task of every project manager.
A systematic risk management process is defined for projects, according to the project’s size, complexity and contract model.
The project risk management process is followed throughout the project lifecycle, starting in the prospect and proposal phase and continuing as a regular and systematic process until the closing of the project.
Both project risk management and the ERM process follow one generic risk management process:
2. Description of risks
Typical risks related to Pöyry’s business operations are described in this section. The description is not intended to be comprehensive and our operations are subject to other risks as well. The most significant risks and uncertainties identified during the financial year are described in the Board of Director’s Report.
2.1 External risks
The economic uncertainties continue and the risk of recession particularly in the European market persists. This risk can create uncertainty and delays in clients’ decision making. Should the risk materialise, it could create serious problems for clients in arranging financing for investments and could have an adverse impact on Pöyry’s net sales and profitability. The Group aims to reduce its vulnerability to market risks and business cycles by a balanced portfolio of assignments by clients in different industries, markets and geographical areas as well as through sub-contracting and flexible employment arrangements. The implementation of global engineering centres has also made resource allocation more flexible. In economic downturns Pöyry’s order stock, the activity level of employees and professional charging rates may decline, which would have a negative impact on Pöyry’s revenues and financial position.
The consulting and engineering business is characterised by keen global and local competition. The economic uncertainty has continued and intensive competition in certain sectors and markets prevails. Competition from non-traditional players has also significantly increased in some sectors.
Pöyry aims to differentiate itself from its competitors by a strategic evolution which results in an improved ‘Global-Local’ interaction. This means applying Pöyry’s global expertise to serve clients in local markets. The interaction of the global and local dimensions is aimed to make Pöyry’s business stronger and Pöyry’s clients more successful.
2.2 Internal risks
2.2.1 Strategic risks
Organic growth is an important part of Pöyry’s strategy. The key risks in achieving this strategic goal are potential lack of skilful sales resources, limited amount of suitable projects, and delays in clients’ decision making. A significant part of the organic growth is expected to derive from larger and complex projects. There is a limited number of such projects available in the market in the sectors where Pöyry operates, and the risk profile may be such that Pöyry will not decide to pursue them.
Pöyry has a one-brand strategy. The risks related to Pöyry’s reputation and international recognition arising from the one-brand strategy are addressed by brand management guidelines. Furthermore, compliance with the Pöyry Operating Guidelines (see the following section) throughout the Group is an important mitigant to this risk.
2.2.2 Operational risks
Compliance with legislation, regulation, conventions and internal policy
Pöyry has an extensive local office network covering over 40 countries and employing about 6,500 experts globally. In order to mitigate many of the operational risks associated with such a diverse business, in 2012 Pöyry created a dedicated Compliance function led by the Chief Compliance Officer. The function provides objective oversight and its main activities are defining compliance policies, leading and developing the Compliance Programme and reporting on compliance related issues of significance to senior management. Along with the Board of Directors and senior management, Compliance has an important role in building and maintaining an environment and culture of ethical conduct at Pöyry.
The Compliance Programme is a key part of the risk mitigation and is based on the Pöyry Operating Guidelines, which contain the most important group wide policies, instruction and guidance, approved by the Board of Directors or, the President and CEO.
The Pöyry Code of Conduct with its Compliance Guidelines is a foundation document of the Pöyry Operating Guidelines. The Code defines the standards of our ethical behaviour and affirms the zero tolerance for corruption, bribery, fraud, anti-competitive practices, discrimination and harassment of any kind. The Code aims at ensuring that the Company conducts business according to the highest ethical standards and must be followed by all Pöyry employees and business partners. In order to enhance employees understanding of the Code, a web based e-training module is available to the whole Group with every employee having to complete the training annually. Furthermore, training, personal guidance, supervision, audits and other practical measures are used to manage our exposure to these risks. In 2012 Pöyry launched the "SpeakUp@Pöyry" service to enable employees to raise concerns anonymously.
Besides the Code, the Company’s Internal Control Policy, Risk Management Policy and Instructions and the Authorities and Approval Matrix provide a framework for controls and risk management environment. The internal control framework is tailored to address the prevention and mitigation of compliance risks.
Pöyry takes non-compliance issues seriously. The enforcement, remediation and discipline measures range from training and mentoring to dismissal, depending on the case.
Projects and assignments
About twenty five (25) per cent of Pöyry’s business consists of consulting assignments such as management consulting, technical consulting and other similar advisory services. According to common practice in the consulting business, Pöyry aims to restrict inherent liability risks by using standard contract terms and insurances, and these assignments typically do not involve significant liability risks. If a particular risk area is identified in connection with such services, special mitigation actions are taken all the way up to discontinuing provision of such services.
Advisory services occasionally involve a risk related to receivables. Front-loaded and regular payment schedules are used to minimise such risks.
About seventy five (75) per cent of Pöyry’s business is derived from project services such as basic and detail engineering, procurement assistance, project and construction supervision, and project management and other site services. These projects are carried out on a fixed-price, ceiling-fee or time-charge basis. Fixed-price and ceiling-fee projects contain the risk of involving more professional work or time than estimated as a result of inaccurate time and cost estimates, performance delays, disputes about compensation for additional or changed services, inexperienced staff or other unexpected circumstances.
During 2012 Pöyry’s project management processes were mapped, defined and documented according to PMI (Project Management Institute) standards. Over 100 experts globally from all business participated in this work. The defined processes form the backbone of the global quality management system with supporting best practice templates for various service types and local requirements.
Quality management systems and project review processes are in use throughout the Group to avoid and mitigate such risks. Regular project reviews are conducted in major projects and projects which include risks. The work in progress, changed and additional work and receivables are assessed and recorded in the project accounting and risk management system.
Our project managers play key role in project risk management. Our project managers are responsible for managing and controlling their projects from bid preparation to final acceptance. Training is provided to project managers in all essential spheres of their activities. A global training programme is created for project managers and other project staff based on Pöyry’s Project Management Processes. training is done according to PMI (Project Management Institute, www.pmi.org) Project management training is divided into three levels, levels 2 and 3 aiming at the PMI certificate for Pöyry’s project managers.
Specific supervision mechanisms are in place both for larger and riskier projects. Support functions, such as Legal and Finance have dedicated resources supporting project managers.
Part of Pöyry’s business is derived from contracting type projects such as engineering, procurement and construction (EPC) projects and operation and maintenance (O&M) service projects. EPC projects typically contain the project management, engineering, procurement, construction, erection, commissioning, start-up and testing of the plant. O&M projects consist of the running of the plants for the client including maintenance work.
Large and complex projects, including engineering, procurement and construction management services (EPCM) projects, as well as EPC and O&M projects, are a focus area of Pöyry
Pöyry’s Large Projects Competence Center leads the marketing and selling and implementation of those projects. The Large Projects Competence Center consists of a team of specialists in core areas of project work and of experienced project directors.
Separate risk management policies and instructions have been issued for EPC and O&M projects with detailed instructions regarding risk evaluation and control mechanisms and regular project audits at site. A Supervisory Board must be in place for all EPC and other large and complex projects. Specialist resources are trained and recruited to strengthen existing competences in EPC projects.
In about one third of Pöyry’s assignments the client is from the public sector or is an institutional investor. It is characteristic of these service contracts that liabilities cannot always be limited according to the Group’s policies. As a rule, public-sector assignments are awarded according to public procurement, which involves the risk of tough price competition. In addition, public-sector decision-making involves the risk that the decision concerning the use of public funds for a specific project may be changed, delayed or cancelled, when political decision-makers are replaced. Due to the particular risks relating to public sector projects, separate project and risk management guidelines and procedures have been defined for the business units which are engaged in this business. Special instructions have been issued and e-learning module created for personnel involved with projects for, or financed by, International Financial Institutions (IFIs).
A fair amount of projects is conducted in co-operation with subcontractors, in consortiums or with other co-operation partners. Partner risks relating to the performance, compliance or financial standing of the partner can involve risk for Pöyry. Performance related liability risks are transferred with contractual back-to-back arrangements to each respective co-operation partner to the extent possible. In addition, the Group’s risk management instructions require checking of the co-operation partners’ financial status and professional quality standards, and our Code of Conduct requires our partners to follow the principles of our Code.
Specific instructions on retaining third parties as business partners, including due diligence, confirmation and approvals, must be followed throughout the Group.
Professional services provided to clients involve liability risks. These risks may relate to a failure to deliver services in accordance with agreed professional standards, to calculation and similar errors and to performance delays. To mitigate such risks, special emphasis has been placed on the quality management and control systems in projects, and on limitation of professional liability in contracts. The Group’s Legal function provides regular training for Project Managers on proposal and contract management, including liability and legal risk management.
In order to cover professional and general liability risks, the Group has a global liability insurance programme. The risk with liability insurances is the availability and pricing of such cover. Furthermore, certain professional risks are not covered under liability insurances.
Pöyry’s business success depends on its professional staff. The availability of qualified professionals in various locations around the world is an important factor for the growth and profitability of the business. Pöyry’s reputation and interesting career opportunities attract professionals interested in a global career in a company aspiring to be a trendsetter in its own field of business. Group-wide HR processes are being developed continuously and there is an increasing emphasis on offering a compelling employee value proposition.
Efficiency of Pöyry’s operations is largely dependent on the use and continuous improvements of information and communication technology systems. Malfunctioning or unavailability of the systems as well as loss, corruption or leakage of data can negatively affect the operations of the Group. Inability or major delays in implementing improvements or new systems can negatively affect the efficiency of Pöyry’s operations.
Pöyry has an appropriate IT organisation, processes and controls in place in order to mitigate these risk, including redundancy, back-ups and disaster recovery plans, and appropriate malware protection, encryption technologies and network security controls. In addition Pöyry is managing its IT development and implementation projects through a central portfolio and has appropriate IT project management processes in place, including risk management.
At the end of 2012, Pöyry entered into a service agreement with a major global IT infrastructure service provider in order to harmonise and standardise Pöyry's global IT-processes and IT-service delivery model. The new service model and structure will improve significantly Pöyry's IT infrastructure reliability and efficiency and will also reduce IT related risks.
2.2.3 Financial risks
The financial risks are described in the Notes to the Financial Statements, section Other.