Hazard risks

Updated 16.2.2022

Risks related to health, safety, and environmental hazards

Occupational health and safety systems, travel safety instructions, and crisis management guidelines are aimed at protecting Wärtsilä employees. Appropriate insurances are in place for the personnel, and to emphasise the importance of employee safety, the Board of Management has decided on a corporate level target of zero lost-time injuries, which is included in the company’s sustainability programme. 

Throughout the Covid-19 pandemic, a crisis response team has been working to ensure the continuity of Wärtsilä’s business and operations in a safe manner, focusing on employee safety, both in-house and while visiting customer sites, when travelling, and while working remotely.

Environmental management systems are in place to mitigate environmental hazard risks. Wärtsilä maintains a register of all properties used and gives guidelines for the purchase, sale, rental, and security of premises, and uses external advisors for environmental audits. None of Wärtsilä’s major facilities are located in natural disaster areas. Catastrophic peril related scenarios are identified and, where necessary, exposures are mitigated by, for example, elevating sites above the flood risk level or by constructing flood dikes. Business impact analyses and continuity plans have been made for the main sites to address property and business interruption risks.

Cyber and information security related risks

Wärtsilä has an internal organisation dedicated to the effective management of cyber security risks across Wärtsilä’s portfolio. This organisation, in cooperation with Wärtsilä’s businesses, delivers cyber security operational support. It also provides the associated governance, risk management, and assurance required to support and enable safe and secure internal operations, while ensuring that the businesses’ customer offerings are aligned with the relevant current and future regulations and applicable standards.

The Wärtsilä cyber security governance model is closely aligned with overall business risk management and supports the businesses and support functions in identifying and prioritising their respective cyber security risks. The cyber security team works with physical security colleagues across Wärtsilä to ensure the effective and coordinated delivery of holistic security solutions for both the cyber and physical domains.

Information security risks related to Wärtsilä’s internal operations are continually identified, analysed, and evaluated. The attendant mitigation activities are executed across Wärtsilä’s networks, endpoints, systems, and services. The 24/7 Wärtsilä Security Operations Center continually monitors the perimeter to internal systems and closely observes the external threat exposure level, whilst providing a coordinated response to identified information security incidents, as and when they may occur.

The effective mitigation of risks associated with cyber security hygiene throughout Wärtsilä is continually and progressively reinforced through coordinated and complementary cyber security training, awareness initiatives, and extensive communications. This involves all Wärtsilä businesses and corporate functions.

Wärtsilä has identified the need to mitigate the cyber security risks associated with its supply chain. The company is addressing this need through a comprehensive risk-based third-party risk management programme, involving both increased opportunities for the remote and objective assessment of suppliers and the continuous monitoring of supply chain cyber security risk.

It should be noted that Wärtsilä’s energy storage business has obtained the cyber security certification IEC 62443, thus meeting the typical requirement for the energy industry.

Privacy and data protection risks

The EU’s General Data Protection Regulation (GDPR) sets out the general framework for Wärtsilä’s data protection, which is applied both inside and outside the European Economic Area. Wärtsilä is a global company with operations in 68 countries, and efforts are made to comply with local laws and regulations.

Wärtsilä has global privacy notices to inform its personnel, customers, vendors, other stakeholders, and interest groups about the processing of personal data. Data protection implementation is supported by, and aligned with, group-wide privacy policies and processes. Wärtsilä ensures an adequate level of employee data protection competencies with mandatory GDPR training, tailored training and awareness sessions for specific employee groups, and comprehensive guidance materials. 

Wärtsilä applies a risk-based approach to privacy and data protection and continues to take further actions to strengthen privacy and data protection implementation in order to mitigate risks by accountability, privacy by design, data minimisation and transparency.

A data transfer tool has been developed and implemented to allow the secure transfer of data with customers. Wärtsilä continues to invest in the development of data protection platforms to support data protection management and implementation.

Insurances

The risks that Wärtsilä is unable to influence through its own efforts are transferred, whenever possible, to insurance companies. Wärtsilä uses appropriate insurance policies to cover indemnity risks related to its personnel, assets, and business interruptions, including supplier-triggered interruptions, as well as third-party and product liability. Wärtsilä has its own captive insurance company, Vulcan Insurance PCC Ltd, for insuring Wärtsilä’s own risks. For insurance-technical reasons, the company is located on the island of Guernsey. Vulcan Insurance PCC Ltd’s results are consolidated into the corporation’s books and are subject to normal taxation in Finland.