Internal control and risk management

1.1.9 Internal control and risk management

Fingrid’s internal control is a permanent component of the company’s operations and deals with all those operating methods and procedures whose objective it is to ensure

  • effective and profitable operations that are in line with the company’s strategy,
  • the reliability and integrity of the company’s financial and management information,
  • that the company’s assets are protected,
  • that applicable legislation, guidelines, regulations, agreements and the company’s own governance and operating guidelines are complied with, and
  • that the company’s risk management meets a high standard.

Risk management is planned as a whole with the objective of comprehensively identifying, assessing, monitoring and safeguarding the company’s operations, the environment, personnel and assets from various threats and risks. Due to the nature of the company’s basic mission, risks are also assessed from the perspective of society in general.

Continuity management is a part of risk management. Its objective is to improve the organisation’s capacity to prepare and to react in the best possible way should risks occur, and to ensure the continuity of operations in such situations.

Further information on internal control, risk management and the foremost risks and factors of uncertainty is available on the company's website at and in the Board of Directors' annual review.

Board of Directors

The company’s Board is responsible for organising internal control and risk management, and it approves the principles of internal control and risk management on an annual basis. The Board specifies the company’s strategic risks and related management procedures as part of the company’s strategy and action plan, and monitors their implementation. The Board decides on the operating model for the company’s internal audit. The Board regularly receives internal audit and financial audit reports as well as a status update at least once a year on the strategic risks and continuity threats relating to the company’s operations and their management and occurrence.

Line management and other organisation

Assisted by the executive management group, the CEO is responsible for executing and steering the company’s governance, decision-making procedures, control and risk management, and for the assessment of strategic risks and continuity threats at the company level, and their related risk management.

The heads of functions are responsible for the practical implementation of the governance, decision-making procedures, controls and risk management for their areas of responsibility, as well as for the reporting of deviations and the sufficiency of more detailed guidelines. Directors appointed in charge of the threats to continuity management are responsible for drawing up and maintaining continuity management plans and guidelines, and for arranging sufficient training and practice.

The CFO is responsible for arranging procedures, controls and monitoring at the company level as required by the harmonised operating methods of internal control and risk management. The company’s general counsel is responsible at the company level for assuring the legality and regulation compliance of essential contracts and internal guidelines, taking into account the company’s interests, as well as for the procedures these require. Each Fingrid employee is obligated to identify and report any risks or control deficiencies she or he observes and to carry out the agreed risk management procedures.

Internal auditor and auditor

The Board decides on the operating model for the company’s internal audit. The internal audit acts on the basis of plans processed by the Audit Committee and approved by the Board. Audit results are reported to the object of inspection, the CEO, the Audit Committee and the Board. Upon decision of the Board, an internal audit outsourced to an authorised public accounting company acts within the company. From an administrative perspective, the internal audit is subordinate to the company’s CEO. The internal audit provides a systematic approach to the assessment and development of the efficacy of the company’s risk management, monitoring, management and administrative processes and ensures their sufficiency and functionality as an independent party. The internal audit has the authority to carry out reviews and to access all information that is essential to the audit. The company’s internal audit carries out risk-based auditing on the company’s various processes.

An authorised public accounting company selected by the general meeting acts as auditor for the company. The company’s financial auditor inspects the accounting, financial statements and financial administration for each financial period and provides the general meeting with reports required by accounting legislation or otherwise stipulated in legislation. The financial auditor reports on his or her work, observations and recommendations for the Board and may also carry out other authorisation-related tasks commissioned by the Board or management.