9. Internal control and risk management

9.1 Internal control and risk management principles

Fingrid’s internal control is a permanent component of the company’s operations and deals with all those operating methods and procedures whose objective it is to ensure

• effective and profitable operations that are in line with the company’s strategy,
• the reliability and integrity of the company’s financial and management information,
• that the company’s assets are protected,
• that applicable legislation, guidelines, regulations, agreements and the company’s own governance and operating guidelines are complied with, and
• a high standard of risk management.

Risk management is planned as a whole with the objective of comprehensively identifying, assessing, monitoring and safeguarding the company’s operations, the environment, personnel and assets from various threats and risks. Due to the nature of the company’s basic mission, risks are also assessed from the perspective of society in general.

Continuity management is a part of risk management. Its objective is to improve the organisation’s capacity to prepare and to react in the best possible way should risks occur, and to ensure the continuity of operations in such situations.

Further information on internal control, risk management and the foremost risks and factors of uncertainty is available on the company’s website at www.fingrid.fi and in the Board of Directors’ annual review.

9.2 Arrangement of internal control and risk management and distribution of responsibility

9.2.1 Board of Directors

The company’s Board is responsible for organising internal control and risk management, and it approves the principles of internal control and risk management on an annual basis. The Board defines the company’s strategic risks and related management procedures as part of the company’s strategy and action plan, and monitors their implementation. The Board decides on the operating model for the company’s internal audit. The Board regularly receives internal audit and financial audit reports as well as a status update at least once a year on the strategic risks and continuity threats relating to the company’s operations and their management and realisation.

9.2.2 Line management and other organisation

Assisted by the executive management group, the President & CEO is responsible for executing and steering the company’s governance, decision-making procedures, control and risk management, and for the assessment of strategic risks and continuity threats at the company level, and their related risk management.

The heads of functions are responsible for the practical implementation of the governance, decision-making procedures, controls and risk management for their areas of responsibility, as well as for the reporting of deviations and the sufficiency of more detailed guidelines. Directors appointed in charge of the threats to continuity management are responsible for drawing up and maintaining continuity management plans and guidelines, and for arranging sufficient training and practice.

The CFO is responsible for arranging procedures, controls and monitoring at the company level as required by the harmonised operating methods of internal control and risk management. The company’s general counsel is responsible for assuring the legality and regulation compliance of internal guidelines, as well as for the procedures these require. Each Fingrid employee is obligated to identify and report any risks or control deficiencies she or he observes and to carry out the agreed risk management procedures.

9.3 Arrangement of control and risk management related to the financial reporting process

The internal control systems relating to the financial reporting process are part of a more extensive overall system of Fingrid’s internal control.

9.3.1 Control environment of financial reporting process

The Group comprises the parent company Fingrid Oyj and its wholly owned subsidiaries Finextra Oy and Fingrid Datahub Oy. The associated companies are eSett Oy (holding 33.3%) and Nord Pool AS (holding 18.8%). The Group has no joint ventures.

The financial administration of the company is responsible for the Group’s centralised financial reporting and for the internal control and risk management of financial reporting. The executive management group and those with budget responsibility as well as the heads of units and functions receive a monthly report of the financial situation. These reports include information on the proceeds, costs and capital investments in the relevant area of responsibility. In addition to financial accounting reports, the reporting covers comprehensive reports which contain business information. These are produced by means of cost accounting and the financial control system.

The interpretation and application of the standards governing financial statements are centralised at the Group’s financial administration, which monitors the accounting standards (IFRS, FAS), maintains an account scheme, draws up internal guidelines for the financial statements, and is responsible for the financial reporting process. The process is documented and it specifies how, when and on what schedule the month-end accounts are drawn up.

Fingrid draws up the consolidated financial statements and interim reports in accordance with IFRS reporting standards accepted by the European Union and in accordance with the Finnish Securities Market Act. The annual review and the financial statements of the Finnish companies included in the Group are prepared in accordance with the Finnish Accounting Act as well as the guidelines and statements of the Finnish Accounting Standards Board.

The internal control and risk management systems and procedures related to the financial reporting processes, described in more detail below, have been devised so as to make sure that financial reporting by the company is reliable, coherent and timely and that the financial reports published provide an essentially true and fair view of Fingrid's finances.

9.3.2 Roles and responsibilities of the financial reporting process

Fingrid’s Board of Directors is primarily responsible for the specification of the principles for internal control and risk management related to financial reporting, and the Board makes sure that these principles are followed in the company. The Board reviews and accepts the interim reports, annual review and financial statement. The audit committee assists the Board in this by monitoring the efficiency of internal control, internal audit and risk management systems of the company.

The finance department of the Group is responsible for developing the financial reporting process through means such as monitoring the development needs of controls related to financial reporting, by supervising the sufficiency and efficiency of these controls, and by making sure that external reporting is correct and up to date and that the regulations pertaining to reporting are followed.

The company’s financial auditor and internal auditor carry out inspections relating to financial reporting in accordance with the plan approved by the Board.

9.3.3 Risk management, control procedures and monitoring of the financial reporting process

Controls pertaining to risk management are set throughout the Group, at all levels and units of the Group. Examples of the controls include internal guidelines, acceptance procedures and authorisations, cross-checking with cost accounting, matching, verifications, assessment of operative efficiency, securing of assets, and differentiation of tasks. The financial administration of the Group is responsible for the control structures relating to the financial reporting process.

The control of the budgeting process is based on the budgeting guidelines, with the financial administration of the Group being responsible for their specification, centralised maintenance, and for monitoring compliance with them. The principles are applied uniformly throughout the Group, and there is a common reporting system in use.

The monthly financial reporting to the executive management group together with the related analyses constitutes the primary control and monitoring process in securing the efficiency and purposefulness of the functions and the accuracy of financial reporting. The analyses compare the realised proceeds and cost components with the budget and with the previous year, and the budget is compared to the quarterly forecast. The monitoring of cash flow and capital investments is part of this process.

Verification of the accuracy of monthly reporting employs the company’s financial control system, which the controllers and heads of units of the company can use to find essential errors and deviations. The accuracy of financial reporting is also ensured through good data security and data protection. The goal is to avoid risky work combinations wherever possible. User rights are checked regularly, and user rights are determined by the position of a person in the organisation. Backups are taken regularly of the databases used in the financial control system and accounting system. The company has a data security manager who is responsible for the management and development of data networks and data security, as well as for providing personnel with guidance concerning data security matters.

Controls for the financial reporting processes are developed as part of internal control. Personnel is given training in how to monitor the correctness of the information produced by the financial reporting process of the company, concerning cost allocation, posting, acceptance procedures for invoices and receipts, as well as for budgeting and actual result follow-up.

The company’s auditor and internal auditor carry out regular inspections on the functionality of controls concerning the financial reporting process and on the accuracy of information.