Main features of risk management systems

Risk management principles

We have a systematic and structured approach to risk management. Risk management covers strategic, operational, financial, compliance and hazard risks. The principles documented in the Nokia Enterprise Risk Management (ERM) Policy, which is approved by the Audit Committee of the Board, require risk management and its elements to be integrated into key processes:

  • ERM is an integral part of Nokia’s objective setting and key decision-making

Key risks and opportunities are primarily identified against business targets either in business operations or as an integral part of strategy and financial planning. Key risks are monitored as part of the management and business performance information flow. Our overall risk management concept is based on managing the key risks that would prevent us from meeting our objectives, rather than focusing on eliminating all risks.

  • ERM is an integral part of Nokia’s corporate governance

ERM accountability runs through the Company and is embedded into Nokia corporate governance. The Board of Directors and Group Leadership Team are committed to effective risk management as a core management capability that supports Nokia in achieving strategic, tactical and operational business objectives and in managing business performance. 

  • Risk ownership follows business ownership

Nokia ERM is aligned to the overall Nokia governance model, where Nokia’s businesses are accountable for meeting approved plans and targets as agreed within Nokia. Each business or function head is an owner of the risks in their respective responsibility area and is responsible for identifying and managing key risks and capturing opportunities. 

  • ERM is an area of continuous improvement

ERM is an area of continuous improvement for Nokia. The Chief Financial Officer, who also functions as the Chief Risk Officer, provides guidance and sponsors the development of ERM practices and ERM improvement.

In addition to the principles defined in the Nokia Enterprise Risk Management Policy, other key corporate level policies reflect the implementation of specific aspects of risk management.

Cybersecurity risk management

Nokia, along with its partners and contracted third parties, faces cybersecurity threats like ransomware, viruses, worms and other malicious software, unauthorized modifications, or illegal activities that may cause potential security risks and other harm to Nokia, its customers or consumers and other end-users of Nokia’s products and services. The dynamic nature of IT makes it challenging to fully mitigate these risks. Nokia’s joint ventures and other group companies may have limited ability to oversee such threats.

Cybersecurity incidents may lead to lengthy and costly incident response, remediation of the attack or breach, legal proceedings and fines imposed on us, as well as adverse effects on our reputation and brand value. Despite ongoing investments, preventing, detecting and containing cyber-attacks remains challenging. Additionally, the cost and operational consequences of implementing further information system protection measures, especially if prescribed by national authorities, could be significant. We may not be successful in implementing such measures in due time, which could lead to business disruptions and to the implementation being more expensive, time-consuming and resource intensive. The regulatory framework around responding to and disclosing such events is in flux. We may not be able to comply with the regulations that must be implemented, or such compliance may negatively impact our ability to deal with the underlying event.

We face a number of cybersecurity risks within our business. Although such risks have not so far materially affected us, our business strategy, results of operations or financial condition, we have from time to time experienced threats to and breaches of our data and systems, including malware and computer virus attacks. We continue to address these challenges, but there is no guarantee against future attacks.

Nokia has well-established cybersecurity processes built into its overall security risk management framework. This integration is achieved through the implementation of a security program built on processes such as cybersecurity risk management, third-party security risk management, security incident management and disaster recovery.

The Chief Security Officer, who has the authority to establish and oversee the Nokia information security program, keeps Nokia’s executive leadership informed on program outcomes and highlights information security risks which may affect Nokia business and customers. Nokia’s executive leadership provides direction and support and has the responsibility to execute the program within their own domains. Key principles are communicated through the Nokia Information Security Policy, applicable also to third parties and collaborators and supported by topical Standard Operation Procedures and guidelines.

Nokia’s security ambition is reflected in the supplier selection processes, contracts and supplier (re)assessments ensuring effective security is in place in our supply chain and with our third-party partners. We are dedicated to adhering to applicable laws, regulations, contractual commitments, and industry best practices, including but not limited to ISO 27001, NIST SP 800 series, Cloud Security Alliance Control Matrix, and the Information Security Forum.

Nokia’s cybersecurity incidents are handled in the Security Incident Management Process, which covers all phases of incident response, including preparation, identification, containment, eradication, recovery and post-incident analysis. Each confirmed cybersecurity-related incident is assessed against a classification scheme (impact on confidentiality, integrity and availability of the related asset, urgency, and priority of the security incident). Significant cybersecurity incidents are elevated and managed by a cross-functional, executive management-level team, which is responsible for making the necessary decisions and prioritizing actions that can minimize the impact of the security incident to Nokia and its customers. Members from the CFO and Legal and Compliance teams are responsible for determining the materiality of the security incident and promptly informing the Audit Committee of the Board. The Nokia management team for assessing and managing cybersecurity threats includes members with training and experience in security risk management, security governance, cyber resilience, security incident management, information technology, cybersecurity legal and compliance requirements and disclosures. For an overview of the training and experience of the members of the Board and our assessment of their experience and skills related to cybersecurity, please see “Main corporate governance bodies of Nokia–Board of Directors”. 

Internal control over financial reporting

Management is responsible for establishing and maintaining adequate internal control over Nokia’s financial reporting. Our internal control over financial reporting is designed to provide reasonable assurance to management and the Board regarding the reliability of financial reporting and the preparation and fair presentation of published financial statements.

Management conducts a yearly assessment of Nokia’s internal controls over financial reporting in accordance with the Committee of Sponsoring Organizations framework (the “COSO framework”, 2013) and the Control Objectives for Information and Related Technology (COBIT) framework of internal controls. The assessment is performed based on a top-down risk assessment of our financial statements covering significant accounts, processes and locations, corporate-level controls and information systems’ general controls.

As part of its assessment, management has documented:

  • the corporate-level controls, which create the “tone from the top” containing the Nokia values and Code of Conduct and which provide discipline and structure to decision-making processes and ways of working. Selected items from our operational mode and governance principles are separately documented as corporate-level controls;
  • the significant processes, which:
    • give a complete end-to-end view of all financial processes;
    • identify key control points;
    • identify involved organizations;
    • ensure coverage for important accounts and financial statement assertions; and
    • enable internal control management within Nokia;
  • the control activities, which consist of policies and procedures to ensure management’s directives are carried out and the related documentation is stored according to our document retention practices and local statutory requirements; and
  • the information systems’ general controls to ensure that sufficient IT general controls, including change management, system development and computer operations, as well as access and authorizations, are in place.

Further, management has also:

  • assessed the design of the controls in place aimed at mitigating the financial reporting risks;
  • tested operating effectiveness of all key controls; and
  • evaluated all noted deficiencies in internal controls over financial reporting in the interim and as of year-end.

In the past year, Nokia has followed the procedures as described above and has reported on the progress and assessments to management and to the Audit Committee of the Board on a quarterly basis.

Internal audit

We have an internal audit function that examines and evaluates the adequacy and effectiveness of our system of internal control. Internal audit reports to the Audit Committee of the Board. The head of the internal audit function has direct access to the Audit Committee, without the involvement of management. The internal audit staffing levels and annual budget are approved by the Audit Committee. All authority of the internal audit function is derived from the Board. The internal audit aligns to the business by business group and function.

Annually, a risk-based internal audit plan is developed with input from management, taking into account key business risks and external factors. This plan is approved by the Audit Committee. Audits are completed across business groups and functions. The results of each audit are reported to management identifying issues, financial impact, if any, and the correcting actions to be completed. Quarterly, the internal audit function communicates the progress of the internal audit plan completion, including the results of the closed audits, to the Audit Committee. Any changes to the risk environment impacting the internal audit plan are presented to the Audit Committee for review and approval on a quarterly basis.

Internal audit also works closely with Internal Controls and Ethics and Compliance offices to review any financial and compliance concerns brought to light from various channels and, where relevant, works with Enterprise Risk Management to ensure priority risk areas are reviewed through audits.