Description of internal control procedures and the main features of risk management systems

Group’s financial reporting

Kesko’s management model

Kesko's financial reporting and planning are based on the Kesko Group management model. The Group units’ financial results are reported and analysed internally within the Group on a monthly basis and disclosed quarterly in interim reports, the half year financial report and the financial statements release. Financial forecasts are updated quarterly, in addition to which significant changes are taken into account in the monthly performance forecasts. The Group’s and its units’ strategies and related long-term financial plans are updated annually.

Kesko Group's management model

Roles and responsibilities

Kesko Group’s financial reporting and its supervision are organised on three levels. Businesses analyse and report their figures to the divisions, which then report the division-specific figures to Group Accounting. Analyses and controls for ensuring the accuracy of reporting are used on each of the three reporting levels.

The accuracy of reporting is ensured with automated and manual controls at every reporting level. The implementation of the analyses and controls is supervised on a monthly basis at company, business, division and Group levels.

Planning and performance reporting

The Group's financial development and achievement of financial objectives are monitored by financial reporting covering the entire Group. Monthly performance reporting includes actual Group, division and business specific results, changes compared to the previous year, comparison with forecasts, and forecasts for the next 12 months. The Group’s short-term financial planning is based on annual budgeting and quarterly updated forecasts extending over the following 12 to 15 months. The key financial indicators are sales performance for growth and comparable operating profit and comparable return on capital employed for profitability, monitored by monthly internal reporting. Information on the Group’s financial situation is provided in interim reports, a half year financial report and the financial statements release. The Group’s sales figures are published monthly.

Performance reporting to the Group’s top management

Performance reporting to the Group’s top management comprises monthly reports on the Group’s, divisions’, businesses’ and subsidiaries’ sales, profits and capital employed, as well as the Group's financial items, cash flows and balance sheet position. The businesses are primarily responsible for financial reporting and the accuracy of figures. The controlling function of each division analyses the whole division’s figures for which the division's financial management is responsible. The Group is responsible for the whole Group’s figures. The key items in the income statement, capital employed and balance sheet are analysed monthly at business, division and Group level, based on a documented division of duties and predefined reports. This makes real-time information on the financial situation constantly available and enables real-time responses to possible flaws. Performance reporting to management also includes Group-level monitoring of sales on a weekly, monthly and quarterly basis.

Public performance reporting

Public performance reporting comprises interim reports, a half year financial report, the financial statements release, the annual financial statements, and monthly sales reports. The same principles and control methods are applied to public performance reporting as to monthly performance reporting. The Audit Committee reviews the interim report, the half year financial report and the financial statements and gives a recommendation on their reviewing to the Board of Directors. The Board approves the interim report, the half year financial report and the financial statements before they are published.

Key actions in 2017

In 2017, the Group’s legal structure in Finland was simplified by merging the Kesko Corporation subsidiaries Kesko Food Ltd, K-citymarket Oy and Kespro Ltd into Kesko Corporation. The integration of businesses acquired in 2016 – Onninen Oy, Suomen Lähikauppa and Oy Autocarrera Ab – into Kesko’s common financial management systems continued. By the end of the year, 409 Siwa and Valintatalo stores of Suomen Lähikauppa had been converted into K-stores. In connection with the conversion in 2016 and 2017, the stores adopted Kesko Group’s information systems and were connected to the Group’s centralised financial management. By the end of the financial period, 243 K-Markets had been transferred to retailers.

Key actions in 2018

The harmonisation of the financial management processes of Group companies in Finland will continue in 2018, and common financial management systems will be adopted in all Finnish companies during the year. The remaining stores acquired with Suomen Lähikauppa will be transferred from Kesko to retailers during the first half of 2018. The Group will prepare for the IFRS16 (Leases) standard, which will come into effect on 1 January 2019, by creating a common lease agreement management and lease accounting system for the Group’s leases as part of the financial management systems.

Accounting policies and financial management IT systems

Kesko Group complies with International Financial Reporting Standards (IFRS) approved for adoption by the European Union. The accounting policies applied by the Group have been compiled into an accounting manual, updated as the standards are amended. The manual contains guidelines for separate companies and the parent company, as well as guidelines for the preparation of the consolidated financial statements.

Kesko Group’s financial management information is generated from division-specific enterprise resource planning systems via a centralised and controlled shared interface into the Group’s centralised consolidation system to produce the Group’s key financial reports. The key systems used in the production of financial information have been certified and secured by back-up systems, and they are controlled and checked regularly to ensure reliability and continuity.

Internal control

Internal control is an integral part of management and of ensuring the achievement of business objectives. Through efficient internal control, deviations from objectives can be prevented or detected as early as possible, so that corrective measures can be taken. Internal control tools include, for example, policies and principles, work instructions, approval authorisations, manual and automatic controls integrated in information systems, monitoring reports and inspections or audits.

The objective of internal control in Kesko Group is to ensure the profitability, efficiency, continuity and freedom from disruptions of operations, the reliability of financial and operational reporting both externally and internally, compliance with laws and agreements and Kesko’s values and operating principles, as well as safeguarding assets, expertise and information.

Roles and responsibilities in Kesko Group’s internal control

The planning of control measures begins with the definition of business objectives and the identification and assessment of risks that threaten the objectives. The definition of objectives and the assessment of risks should take account of not only operational objectives, but also the requirements for compliance of operations with the law, and for the accuracy of the information used in decision-making and reporting. Control measures are targeted based on risks, and control measures are selected as appropriate so as to keep the risks under control.

The Board of Directors and the President and CEO are responsible for organising internal control. The management of each division, company and unit is responsible for ensuring that efficient and effective control procedures are in place. The next year’s focus areas in risk management and control are discussed in annual risk management and control discussions with the Group and division managements. Every Kesko employee is obliged to comply with the K Code of Conduct and inform their supervisors of any grievances.

Kesko's common functions guide and support the divisions and subsidiaries with policies, principles and guidelines pertaining to their respective areas of responsibility. Kesko Group's internal audit function assesses and verifies the effectiveness and efficiency of Kesko's internal control, reports on it to the President and CEO and the Audit Committee of Kesko Corporations’ Board of Directors, and assists management and Kesko companies in the development of the internal control system. The Audit Committee of Kesko’s Board of Directors has confirmed the principles of Kesko’s internal control, which are based on good control principles widely accepted internationally (COSO 2013).

Risk management

Kesko’s risk management is proactive and an integral part of day-to-day management. The objective of risk management is to support the implementation of Kesko’s strategy.

Risk management in Kesko Group is guided by the risk management policy confirmed by Kesko's Board of Directors. The policy defines the goals and principles, organisation, responsibilities and practices of risk management in Kesko Group. In the management of financial risks, the Group's treasury policy, confirmed by Kesko's Board of Directors, is observed.

The management of business operations and common functions are responsible for the execution of risk management. The finance director is responsible for the execution of risk management in each division. The risk management unit coordinates the risk management process and is responsible for risk reporting and executes risk identification, the determination of risk management responses and their implementation jointly with the businesses and common functions. Every member of Kesko personnel must know and manage the risks in their areas of responsibility. Kesko’s internal audit function has evaluated the efficiency of Kesko’s risk management system annually.

Risk management steering model

Kesko Group applies a business-oriented and comprehensive approach to risk assessment and management. This means that key risks are identified, assessed, managed, monitored and reported as part of business operations at Group, division, company and function levels throughout the Group.

Kesko has a uniform risk assessment and reporting model. Risk identification is based on business objectives and opportunities and the defined risk appetite. Risks are prioritised on the basis of their significance by assessing their impacts in euros and the probability of their realisation. When assessing the impact of realisation, the impacts on reputation, the wellbeing of people and the environment are assessed in addition to the impacts in euros.

Risk identification and assessment play a key role in Kesko's strategy work and operations planning. In addition, risk assessments are made of significant projects related to capital expenditure, business arrangements or changes in operations. The risk assessments of divisions and common functions that include a risk map, risk management responses, responsible persons and schedules are reviewed regularly by the respective division’s or common function’s management.

Risks and risk management responses are reported in accordance with Kesko’s reporting responsibilities. The divisions and the common functions report on risks and changes in risks to the Group's risk management function. Risks are discussed by the risk management steering group, which includes representatives of the divisions and the common functions. On that basis, the Group’s risk management function prepares the Group’s risk report, which is reviewed by the Governance, Risk and Compliance (GRC) steering group, after which the CFO presents the risk report in the Group Management Board. On that basis, the Group’s risk management function prepares a quarterly Group risk report, which is reviewed by the Governance, Risk and Compliance (GRC) steering group, after which the CFO presents the risk report to the Group Management Board.

The Group's risk map, the most significant risks and uncertainties, as well as material changes in and responses to them are reported to the Kesko Board's Audit Committee in connection with reviewing the interim reports, the half year financial report and the financial statements. The Audit Committee also evaluates the efficiency of Kesko’s risk management system. The Chairman of the Audit Committee reports on risk management to the Board of Directors as part of the Audit Committee Report.

Kesko's Board discusses Kesko Group’s most significant risks and uncertainties. The Board reports on the most significant risks and uncertainties to the market in the financial statements and on material changes in them in the half year financial report and the interim reports.

Risk management responses in 2017

In 2017, key focus areas for risk management were the development of a cyber risk management model and the launch of related projects, and changes to insurance coverage based on Kesko’s analysed risk tolerance. Kesko’s management model and process for crises and exceptional situations was updated to correspond to changes in the organisation. The new management model and process were tested in a crisis exercise towards the end of the year. In corporate security, the cost-efficiency of security technology and services was improved through concentration of purchases. A positive trend continued in terms of damage and there were no major individual instances of damage.

Focus areas of risk management in 2018

Focus areas for risk management include the implementation of the cyber risk management development project, improving continuity management, and finalising the changes to insurance coverage initiated in 2017. The management of regulatory risks will be improved by developing Kesko’s compliance function with Group Legal Affairs. The development and assurance of the effectiveness of actions related to risk reduction and determination will continue. Measures to improve the cost-efficiency of security technology and services will continue through concentration of purchases in all operating countries.