Risk management objectives and scope
Neste recognizes risk management as an integral part of sound management practice and an essential element of good corporate governance. Risk as an element of uncertainty (opportunity or threat) is an inevitable component of running the business. Systematic risk management practices are the means to ensure that Neste is successful in achieving the set strategic goals and business objectives and is able to maintain continuous operations in a changing business environment.
Neste’s risk management practices can be characterized by the following statements:
• The company emphasizes a risk-aware culture and proactive management of risks.
• Risk management is a continuous process that is subject to improvement to reflect changes in the external and internal environment.
• The purpose of risk management is to analyze and manage all opportunities and threats that the company may encounter. By exploiting opportunities and reducing threats, Neste gains a competitive advantage.
• Risks are managed as an integrated part of planning, decision making, and operational processes with a defined structure of roles and responsibilities.
• Sufficiency of risk treatment actions and controls is monitored systematically.
Risk management framework and principles
Framework and principles for risk management have been defined in the Neste Corporate risk management policy, which has been approved by the Board of Directors. The policy is supplemented by risk management principles, guidelines, and instructions for specific risk disciplines.
Neste’s risk management framework and processes are aligned with the internationally recognized best practices for risk management (COSO: Enterprise Risk Management – Integrating with Strategy and Performance; and ISO 31000:2009 standard).
In Neste’s risk model, risks are classified into external risks, strategic risks, and preventable risks, the last of which are more operational in nature.
• External risks are exposures that cannot be fully influenced or controlled by Neste. The main risk classes are changes in the external environment and risks in the extended enterprise.
• Strategic risks relate to strategic choices, strategy implementation, and risks in the planning and execution of major projects (e.g. refinery turnarounds). Strategic risks are not inherently undesirable as they typically contain both upside and downside risk potential.
• The third category of risks, preventable risks, consists of various risk classes that arise within the organization and are mostly controllable. In general, Neste does not gain strategic benefits from taking these risks.
Risk reporting aims at the transparent, consistent, and comprehensive communication of risk status in different areas. As a result of risk reporting, the Company’s risk profile can be compared with the defined risk appetite and it can be concluded whether additional risk treatment actions are needed.
Communication regarding the most important risk issues takes place along the strategic planning and performance management cycle.
Formal risk reporting is directed to the Business Unit and Function management teams, the Neste Executive Committee, the Audit Committee, and the Board of Directors. The Corporate risk management team is responsible for aggregating risk information for reporting to different internal and external audiences.