Annual report 2016

Other Corporate Governance

Internal control

Internal control is an important part of Posti Group’s corporate governance. Posti Group’s Board of Directors, management and other personnel all take part in internal control processes. Internal control is not a separate process, but it is integrated into the company's day-to-day operations. Internal control covers all of Posti Groups processes, policies and organizational structures that help to ensure that the Group, Business Groups and –Units are achieving their objectives. This is accomplished when:

  • business operations are run efficiently
  • assets are managed responsibly and cost-effectively
  • financial reporting is organized reliably
  • business conduct is ethical, and in compliance with the laws, regulations and internal policies

Overall responsibility for arranging internal control lies with the Board of Directors of Posti Group Corporation. The CEO is responsible for creating the control environment and for internal control follow-up. Additionally, the heads of the Business Groups, Units and Corporate Functions are responsible for organizing internal control within their area of responsibility. The operational managers within the organization act as the first line of defense in managing process risks. In practice majority of risk identification and mitigation is done by this level, and it thus has a great importance when implementing internal control.

The first line is supported by internal monitoring and oversight functions (such as financial control, quality, risk management, compliance, and legal). At the Group level, internal control relies on Posti’s values and ethical guidelines, the Group’s code of conduct and operating principles, and the functional organization, which also allow efficient monitoring in different parts of the Group. One of the core monitoring mechanisms is the follow-up of financial targets and financial supervision, which are based on monthly reporting. In addition to actuals it includes updated forecasts for the whole financial year and for the next 12 rolling months.

Risk management

The Group's risk management, based on the principles of Enterprise Risk Management (ERM), covers all Group operations and forms an integral element of Posti’s management and strategy processes. Its aim is to secure and improve business profitability and the achievement of strategic goals by reducing the likelihood of risk occurrence and the impact thereof, and by supporting the exploitation of business opportunities. Risk is the possibility that an event will occur in Posti and adversely affect the achievement of objectives. A business opportunity, in turn, is defined as an event whose effective utilization will positively affect the achievement of objectives.

Risk identification, analysis, and the planning of risk management measures is carried out once a year as part of the Group's strategy process. The status of the risk profile and management measures is, in addition, updated regularly once a year and whenever significant risks are identified or the profiles of major risks undergo material changes. The Group's risk portfolio is compared against the risk-bearing capacity based on a financial model developed within the Group.

Risk management’s responsibilities

Posti’s Board of Directors approves the Group’s risk management policy and principles. The CEO and the CFO are responsible for the planning and efficient implementation of overall risk management processes. The Group’s Executive Board and the Board of Directors’ Audit Committee regularly monitor the development and functionality of risk management processes and the whole made up of the most important risks with regard to the Group’s risk-bearing capacity. The Audit Committee assesses the coverage and functionality of risk management.

The Business Audit unit assesses the coverage and functionality of the Group’s risk management and provides support in risk identification.

Risk owners

Risks are managed where they are created. The management of the Group’s business groups and units and of Group functions defined as critical is responsible for risk management as part of strategic and operative management in its operations as well as in outsourced functions for which it is responsible. The management is also responsible for ensuring that the whole made up of the most important risks remains within the risk-bearing capacity. A Risk Champion has been appointed in all business groups, their business units and the most important Group functions. In addition, every employee at Posti is responsible for taking risks into consideration in his/her work and for reporting detected risks to his/her supervisor.

Risk management support

Group Finance administers currency and other financial risks in a centralized manner based on financing guidelines confirmed by the Board of Directors and secures the availability of equity financing and debt financing under competitive terms. It supports the business groups in financing-related arrangements and takes care of external funding in a centralized manner. It is also responsible for financial assets management and hedging measures.

The Group’s Chief Risk and Security Officer supports risk management policy implementation, coordinates key risk consolidation and develops risk management tools and operating methods. He reports to the General Counsel, who reports to the CEO. The Chief Risk and Security Officer also reports to the CFO in a matrix with regards to Enterprise Risk Management.

The risk management unit supports Group units in the management of operational risks related to corporate security.

Posti Group’s comprehensive risk management policy is available at

Internal audit

The Group’s internal audit produces independent assessment, assurance and consultation services required by Corporate Governance, which are used to analyze the Group’s business functions and their processes and the efficiency of management, risk management, supervision, reporting and administration. Its goal is to help identify development targets through which the efficiency, predictability, productivity and compliance of business can be improved.

Internal audit supports the Board of Directors and Group management, which are responsible for organizing internal control, in their supervisory duty. It also assists the management and organization in the planning and development of internal control.

The Business Audit unit, which is responsible for internal audit, reports administratively to the CFO, and with regard to audit operations to the CEO and the Audit Committee. Planning, co-ordination, reporting and follow-up are all carried out using the unit’s own resources. The unit’s own resources and external resources are used in the realization of the audit.

Insider administration

As of July 3, 2016, in its insider administration, Posti adheres to Regulation (EU) No 596/2014 of the European Parliament and of the Council (market abuse regulation, MAR).

At Posti, insider information refers to information that could have a material impact on the value of Posti's listed bonds and that should therefore be disclosed in a stock exchange release.


The authorized public accountancy firm PricewaterhouseCoopers Oy (PwC) was re-elected as Posti Group Corporation’s auditor until the next Annual General Meeting, with Authorized Public Accountant Merja Lindh as the principal auditor.

The auditor was remunerated for audit services during 2016 by EUR 494,000. In addition, non-audit services were purchased in 2016 with EUR 355,000 from the auditor.