Risk management
VR’s management is committed to effective risk management and its continuous development. VR’s risk management is guided by the risk management policy approved by VR’s Board of Directors, as well as by other sector-specific guidelines for risks. The policy defines the principles and objectives of risk management as well as the relevant responsibilities and operating procedures. The effectiveness of risk management and the development of the risk management process are evaluated regularly in connection with the risk surveys.
VR’s risk management is based on a three-line model in which the primary responsibility for the implementation of risk management lies with the business areas and the executive management in the first line. In the second line, the common functions lay out consistent operating practices and support business operations. In the third line, the internal audit function independently ensures the compliance of risk management.
VR has a systematic method for the identification, assessment, management and continuous monitoring of business risks. The starting point for risk assessment is an annual Group-level risk survey that systematically identifies risks that threaten the achievement of objectives. Information related to risks is documented in a confidential risk register, and a summary of risks and their impacts and mitigation measures is regularly drawn up for VR Leadership Team and Board of Directors. The business units monitor the development of the most significant risks identified in risk assessment and the adequacy of management measures on a quarterly basis.
VR is prepared to take controlled risks within its risk-bearing capacity. However, in matters pertaining to safety, regulatory compliance and the reliability of reporting, the aim is to minimise risks. Risk acceptability criteria are defined on the basis of the magnitude of the residual risk in the policy that supports risk management. VR has insurance that covers, for example, damage and liability risks arising from major accidents as well as the discontinuation of operations in respect of damage risks.
In addition to its exposure to external factors such as general economic situation, VR’s operations are affected by a variety of strategic, operational and damage risks. Strategic risks are related to strategic choices and the execution of strategy. They usually involve business opportunities, which means that controlled risks can be taken within the limits of risk-bearing capacity. Operational risks are generally related to internal processes or controllable external factors and they also include damage risks.