Main features of risk management systems
Risk management principles
We have a systematic and structured approach to risk management. Key risks and opportunities are primarily identified against business targets either in business operations or as an integral part of strategy and financial planning. Risk management covers strategic, operational, financial, compliance and hazard risks. Key risks and opportunities are analyzed, managed and monitored as part of business performance management.
The principles documented in the Nokia Enterprise Risk Management Policy, which is approved by the Audit Committee of the Board, require risk management and its elements to be integrated into key processes. One of the core principles is that the business or function head is also the risk owner, although all employees are responsible for identifying, analyzing and managing risks, as appropriate, given their roles and duties. Our overall risk management concept is based on managing the key risks that would prevent us from meeting our objectives, rather than focusing on eliminating all risks. In addition to the principles defined in the Nokia Enterprise Risk Management Policy, other key policies reflect implementation of specific aspects of risk management.
Overseeing risk is an integral part of the Board’s deliberations. Key risks and opportunities are reviewed by the Group Leadership Team and the Board in order to create visibility on business risks as well as to enable prioritization of risk management activities. The Board’s Audit Committee is responsible for, among other matters, risk management relating to the financial reporting process and assisting the Board’s oversight of the risk management function. The Board’s role in overseeing risk includes risk analysis and assessment in connection with financial, strategy and business reviews, updates and decision-making proposals.
Description of internal control procedures in relation to the financial reporting process
The management is responsible for establishing and maintaining adequate internal control over Nokia’s financial reporting. Our internal control over financial reporting is designed to provide reasonable assurance to the management and the Board regarding the reliability of financial reporting and the preparation and fair presentation of published financial statements.
The management conducts a yearly assessment of Nokia’s internal controls over financial reporting in accordance with the Committee of Sponsoring Organizations framework (the “COSO framework”, 2013) and the Control Objectives for Information and Related Technology (COBIT) framework of internal controls. The assessment is performed based on a top-down risk assessment of our financial statements covering significant accounts, processes and locations, corporate-level controls and information systems’ general controls.
As part of its assessment the management has documented:
- the corporate-level controls, which create the “tone from the top” containing the Nokia values and Code of Conduct and which provide discipline and structure to decision-making processes and ways of working. Selected items from our operational mode and governance principles are separately documented as corporate-level controls;
- the significant processes:
  - give a complete end-to-end view of all financial processes;
  - identify key control points;
  - identify involved organizations;
  - ensure coverage for important accounts and financial statement assertions; and
  - enable internal control management within Nokia;
- the control activities, which consist of policies and procedures to ensure the management’s directives are carried out and the related documentation is stored according to our document retention practices and local statutory requirements; and
- the information systems’ general controls to ensure that sufficient IT general controls, including change management, system development and computer operations, as well as access and authorizations, are in place.
Further, the management has also:
- assessed the design of the controls in place aimed at mitigating the financial reporting risks;
- tested operating effectiveness of all key controls; and
- evaluated all noted deficiencies in internal controls over financial reporting in the interim and as of year-end.
In 2021, Nokia has followed the procedures as described above and has reported on the progress and assessments to the management and to the Audit Committee of the Board on a quarterly basis.
Nokia has an internal audit function that acts as an independent appraisal function by examining and evaluating the adequacy and effectiveness of our system of internal control. Internal audit resides within the Chief Financial Officer’s organization and reports to the Audit Committee of the Board. The head of the internal audit function has direct access to the Audit Committee, without involvement of management. All authority of the internal audit function is derived from the Board of Directors. Internal audit aligns to the business by business group, regionally and by function.
Annually, an internal audit plan is developed with input from the management, key business risks, and external factors. This plan is approved by the Audit Committee of the Board. Audits are completed across the business focused on country level, customer level projects, IT system implementation, IT and physical security, operations processes and activities or at a Corporate function level. The results of each audit are reported to the management identifying issues, financial impact, if any, and the correcting actions to be completed. Quarterly, internal audit communicates the progress of the internal audit plan completion including the results of the closed audits.
Internal audit also works closely with our Ethics and Compliance office to review any financial concerns brought to light from various channels. In 2021, the internal audit plan was almost completed. However, a small number of audits were delayed due to Covid restrictions. The results of the completed reviews as well as approval to postpone the small number of audits were reported to the management and to the Audit Committee of the Board.