Wärtsilä, like any other company, is exposed to various risks through the normal course of its activities. No business can be conducted without accepting a certain level of risk, and any expected gains from business activities are to be assessed against the involved risks.
The purpose of risk management is to ensure that Wärtsilä is able to effectively execute its strategies and to reach its targets, in the short term as well as over the long run. The key is to identify those risks that have the potential to restrain the company from reaching its goals, and to determine whether such risks are at an acceptable level.
By definition, risk is the effect of uncertainty on objectives. An effect is a deviation from the expected, positive or negative; in other words, either a threat or an opportunity. Actions need to be taken to avoid, mitigate, transfer, or monitor identified risks, or to capture and utilise the opportunities. Wärtsilä's structured risk management process offers a set of reactive, proactive, protective, and preventive tools that are used not only to protect it against threats, but also to turn some of the risks into opportunities.
Risks can only be managed if they are identified and understood in advance, if risk treatment plans for managing them are made, and if a process of continuous follow-up is in place for the related controls. Therefore, risk management is a central part of Wärtsilä's strategic and operational management.
Risk management at Wärtsilä is a continuous process of analysing and managing all the opportunities and threats faced by the company in its efforts to achieve its goals, and to ensure the continuity of the business.
The basis for risk management is the lifecycle quality of Wärtsilä’s operations and products, and the continuous, systematic loss prevention efforts at all levels of the Group, not only as an integrated part of management systems, but as part of every employee’s daily work. In the long term, this is the only means for reducing the overall risk-related costs.
The risk management policy and process
Wärtsilä has a corporate-level risk management policy which defines and formalises the Businesses’ risk management and reporting procedures. The document acts as a risk management guideline, generating a common understanding of risk-related concepts. It harmonises and structures the way of working with respect to risk management within the Group in order to achieve a process whereby the risks identified are measurable and possible to consolidate. The policy brings consistency to risk management practice, and provides a structure for the organisation and Businesses to handle day-to-day risk management tasks in accordance with the agreed processes. It also establishes a unified vocabulary, giving further guidance on generic terms and definitions relating to risk management.
The Businesses are responsible for the risks and rewards, and thus managing risks is the responsibility of Business Management teams and individual managers. The risk management process controls exposures to risk by using systematic mapping, assessment, treatment, reporting, monitoring and control of risks, including the reporting of residual risks. Wärtsilä’s risk management process is based upon the ISO 31000 Risk Management Guidelines and Principles, and the vocabulary of ISO 31000 has been adopted in order to streamline risk-related communication within the Group.
The risk management process at Wärtsilä is embedded in Wärtsilä’s culture and practices, and has been tailored to fit the business functions and processes of the organisation. The process can be seen as a continuous loop consisting of the repetitive steps of context establishment, risk assessment, risk treatment, communication and consultation, and finally monitoring and review.
The Board of Directors and the Board of Management decide and set the guidelines on strategic matters. The Businesses are responsible for achieving their set strategic goals, and for mitigating and managing their risks. The Corporate Risk Management function is part of Group Treasury, which reports to the Chief Financial Officer. The function is responsible for the risk reporting process, and for conducting risk assessments with the Businesses and their underlying organisations. It co-ordinates all risk management activities within the Group, reviews the business risk profile, and cooperates with the Businesses in the implementation of risk mitigation work. It is also responsible for maintaining the Group risk management policy, and for describing the current way of working in relation to risk reporting. Furthermore, the Risk Management function develops and manages global and local insurance schemes for insurable risks. The Audit Committee reviews and assesses the adequacy of risk management, while the Internal Audit function is responsible for reviewing the risk management process on an annual basis.
Risk mitigation actions are decided in the normal course of business. At its meetings, the Board of Management conducts annual management reviews for each Business and certain main support functions, addressing also their risks and risk mitigation. The identified risks are labelled as either internal or external; they are quantified in euro, and their probabilities are estimated. The Group risk report is then prepared and presented to the Board of Directors.
Risk management is part of the Businesses’ management process and has been integrated into the Business Management teams’ agenda. The Businesses are accountable for organising and reporting on risk management from their underlying geographical business areas, business lines, organisations, and product centres. All follow-up actions are also the Businesses’ responsibility.
The relevant risks for Wärtsilä have been classified under four categories: strategic, operational, hazard, and financial risks. The potential loss expectancy is highest with strategic and operational risks and lowest with hazard and financial risks. The risks in most of the categories can have both upside and downside impacts. In this regard, hazard risks are an exception, since for them only a negative effect is possible.
Risk radars are used to map the main risks within the risk categories in the annual risk assessment workshops between the Businesses and the Corporate Risk Management function. During recent years, a similar risk mapping process has also been adopted by certain main support functions, such as HR and the Group Treasury. Business- or function-specific risk radars are generated for the use and evaluation of the Business Management teams, and are reviewed and updated by them on a regular basis. The Business-specific radars are consolidated into a single Group Risk Radar, which is presented to the Board of Directors and the Audit Committee once a year. The purpose is to facilitate the discussion on risk and to give a quick overview of where priorities should lie in terms of risk management.