Internal control, risk management and internal audit
The principles of internal control are confirmed by the Board. The company uses external consultants for internal audit. In addition, in November 2009 the company hired an internal resource who is responsible for the organisation and development of the internal audit. The Group’s management and the subsidiaries’ boards are in charge of day-to-day business management and administrative control.
Internal control
The Board of Directors is responsible for organising and maintaining adequate and effective internal control, which is performed by senior and executive management as well as all other personnel within the Group, assisted by third-party experts when relevant. Internal control refers to aspects of management and activities aimed at:
• achieving set targets;
• using resources in an efficient and economical way;
• managing risks sufficiently;
• getting reliable and accurate financial and operational information without undue delays;
• complying with external and internal laws and regulations; and
• securing systems and key operations, as well as ensuring business continuity.
Internal control and risk management related to financial reporting at the Group level are performed in a coordinated way by a function independent of the business areas. Each subsidiary’s executive management is responsible for implementing internal control and risk management in accordance with the agreed Group principles and guidelines. Major commitments or transactions are subject to Group-level decision-making procedures and limits on the exercise of power. Segregation of duties is targeted in all areas considered significant, and conflicts of interest are avoided where possible. In order to ensure that all shareholders’ rights are taken into account, subsidiaries must report, and obtain approval from the Company’s Board for, any related party transaction below EUR 100,000; further, any related party transaction exceeding EUR 100,000 has to be accepted by the Board of Ruukki Group Plc.
Risk management
The Board of Directors of the Company decides on the goals and organisation of risk management. The purpose of risk management is to identify the threats and opportunities affecting strategy implementation and to help achieve the targets set in the strategy by ensuring that risks are proportional to the risk-bearing capacity.
The business segments, and the Group’s subsidiaries within the segments, are primarily responsible for their risk-taking, financial performance and compliance with the principles of internal control and risk management policies. The business units have the right to take risk management decisions within the approved decision-making authorisations.
The Board of Directors makes decisions on hedging of market, foreign exchange and commodities price risks.
Risk management is organised at three levels:
Group level:
• General risk management policies.
• Internal and external audit.
• Certain group level insurances in place.
Segment level:
• Risk management implemented according to group policies.
• The specific nature of the segment taken into account.
• Segment management comments on business development and risks included in the monthly management reporting packages.
• Maintenance of entity and process level risk and control documentation will be monitored by the Segment management.
Each business/entity level:
• Risk management implemented according to group and segment policies.
• Subsidiary management comments on business development and risks included in the monthly management reporting package.
• Key risks and controls, as well as risk ownerships at entity level and in key business and support processes, identified and documented, with documentation maintained by defined process owners.
• Maintenance of entity and process level risk and control documentation will be monitored by the Segment management and the Group Internal Audit.
Internal audit
Internal Auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the Group. It assists the Group in accomplishing its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of the organisation's risk management, control, and governance processes. The internal audit mandate covers all of the Group companies.
The Internal Auditing activity is established by the Group Board of Directors, and its responsibilities are defined by the Audit Committee as a part of their oversight function.
Internal Audit works according to a written charter approved by the Group Board of Directors.
The internal control and risk management needs and their implementation are developed as the company and its operations evolve. Development projects will be launched when necessary.
Risks and uncertainties in Q1/2010 interim report (p. 15) (PDF)
Risks and uncertainties in annual report 2009 (p. 25 and 84) (PDF)
Risks and uncertainties in Q3/2009 interim report (p. 18) (PDF)
Risks and uncertainties in Q2/2009 interim report (p. 18) (PDF)
Risks and uncertainties in Q1/2009 interim report (p. 15) (PDF)
Risks and uncertainties in annual report 2008 (p. 29 and 69) (PDF)
Corporate Governance Code recommendations:
Recommendation 45: The company shall define the operating principles of internal control.
• Complied.
Recommendation 46: The company shall describe the major risks and uncertainties that the board is aware of and the principles along which risk management is organised.
• Complied. Major risks and uncertainties and changes in these are published at least on a quarterly basis in connection with interim reports and when necessary in addition to these.
Recommendation 47: The company shall describe the manner in which the internal audit function of the company is organised.
• Complied. Internal audit function is outsourced to a third-party expert organisation chosen by the Company’s Board.