
Updated 23.2.2023
Risks related to health, safety, and environmental hazards
Occupational health and safety systems, training programmes, travel health and security instructions, and crisis management guidelines are aimed at protecting Wärtsilä employees. Appropriate insurances are in place for the personnel. To emphasise the importance of employee safety, the Board of Management has decided on a corporate level target of zero lost-time injuries, which is included in the company’s sustainability programme.
Throughout the Covid-19 pandemic, global and local crisis response teams have been working to ensure the continuity of Wärtsilä’s business and operations in a safe manner, focusing on employee safety, both in-house and while visiting customer sites, when travelling, and while working remotely.
Environmental management systems are in place to mitigate environmental hazard risks. Wärtsilä maintains a register of all properties used and gives guidelines for the purchase, sale, rental, and security of premises, and uses external advisors for environmental audits.
Wärtsilä assumes a modest climate change impact risk on its main production and warehousing facilities that are not located in natural disaster areas prone to extreme weather events, earthquakes, and wildfires. Catastrophic-peril-related scenarios are identified and, where necessary, risks are mitigated by, for example, elevating sites above the flood risk level or by constructing flood dikes. Business impact analyses and continuity plans have been made for the main sites to address property damage and business interruption risks. The recent heat waves in continental Europe have caused no major impact on the operability of the main production and warehousing facilities. When delivering customer projects in locations with possible extreme weather events, Wärtsilä pays very careful attention to the wellbeing of its employees and subcontractors, and plans operations accordingly.
Cyber and information security related risks
Wärtsilä has an internal organisation dedicated to the effective management of cyber security risks across Wärtsilä’s portfolio. This organisation, in cooperation with Wärtsilä’s businesses, delivers operational support for cyber security. It also provides the associated governance, risk management, and assurance required to support and enable safe and secure internal operations, while aiming to ensure that the businesses’ customer offerings are aligned with all relevant current and future regulations and applicable standards.
The Wärtsilä cyber security governance model is closely aligned with overall business risk management and supports the businesses and support functions in identifying and prioritising their respective cyber security risks. The cyber security team works with security colleagues across Wärtsilä to ensure the effective and coordinated delivery of holistic security solutions, for both the cyber and physical domains.
Information security risks related to Wärtsilä’s internal operations are continuously identified, analysed, and evaluated. The attendant mitigation activities are executed across Wärtsilä’s networks, endpoints, systems, and services. The 24/7 Wärtsilä Security Operations Center continuously monitors the perimeter of internal systems and closely observes the external threat exposure level, whilst providing a coordinated response to identified information security incidents, as and when they may occur.
The effective mitigation of risks associated with cyber security hygiene throughout Wärtsilä is continually and progressively reinforced through coordinated and complementary cyber security training, awareness initiatives, and extensive communications. This involves all Wärtsilä businesses and corporate functions.
Wärtsilä has identified the need to mitigate the cyber security risks associated with its supply chain. The company is addressing this need through a comprehensive risk-based third-party risk management programme, involving both increased opportunities for the remote and objective assessment of suppliers, as well as the continuous monitoring of supply chain cyber security risk.
It should be noted that Wärtsilä’s energy storage business has obtained IEC 62443 cyber security certification, thus complying with typical energy industry requirements.
Privacy and data protection risks
The EU’s General Data Protection Regulation (GDPR) sets out the general framework for Wärtsilä’s data protection, which is applied both inside and outside the European Economic Area. Data protection implementation is supported by, and aligned with, Group-wide privacy policies and processes.
Wärtsilä applies a risk-based approach to privacy and data protection and continues to take further actions to strengthen privacy and data protection implementation, mitigating risks through accountability, privacy by design, data minimisation, and transparency.
Wärtsilä continuously improves employee data protection awareness with mandatory data protection (GDPR) training, targeted trainings, communication activities as well as comprehensive guidance materials. The Privacy Week in January was an example of the awareness activities organised in 2022.
Wärtsilä continues to invest in the development of data protection platforms to support data protection management and implementation.
The risks that Wärtsilä is unable to influence through its own efforts are transferred, whenever possible, to insurance companies.
Insurances
Wärtsilä uses appropriate insurance policies to cover indemnity risks related to its personnel, assets, and business interruptions, including supplier-triggered interruptions, as well as third-party and product liability. Wärtsilä has its own captive insurance company, Vulcan Insurance PCC Ltd, for insuring Wärtsilä’s own risks. For insurance-technical reasons, the company is located on the island of Guernsey. Vulcan Insurance PCC Ltd’s results are consolidated into the corporation’s books and are subject to normal taxation in Finland.