Risk management is an integral part of F-Secure's governance and management. The purpose of risk management is to help the company reach its objectives and to support the continuity of the company's operations by ensuring that the company:
- has a comprehensive understanding of major risks, opportunities, and threats
- proactively manages opportunities and threats
- has systematic methods to identify, analyze, evaluate, and control risks
- has a clear understanding of roles and responsibilities regarding risk management
- has systematic methods to collect, analyze, and learn from occurred risks
The foundation for risk management is defined in the Company's Risk Management Policy. It expresses the mandate and commitment for F-Secure Risk Management and the processes and practices that are in place to identify, report and manage material risks across the company. The policy also defines responsibilities related to Risk Management.
The Board of Directors is responsible for the approval of the Risk Management Policy and determines the company's overall attitude towards risks. The Board of Directors and its Audit Committee are responsible for monitoring the company's key risks and related controls and the effective implementation of the policy. The Audit Committee annually conducts a key risk review and evaluates the effectiveness of the risk management system.
The CEO and Leadership Team are accountable to the Board for approving the Company's risk management standards and ensuring that they are applied in a consistent manner across the organization.
The Corporate Risk Management function provides and maintains a process to identify, analyze, evaluate, and treat risks. Risk assessments are conducted twice a year as a part of the company operational planning. The Leadership Team conducts a company-level risk review biannually as part of the operational planning and approves the company-level risk profile. The Board of Directors and its committees approve and monitor the reporting procedures, as well as the adequacy, appropriateness, and effectiveness of the company's business and administrative processes.
Weekly and monthly financial reporting that covers the entire company is used to monitor how well financial targets are being met. The reports include actual figures, plans and up-to-date forecasts. The company has sought to manage the risks relating to its business operations by developing its operating processes and control systems. The Board has set certain appropriate authorization limits to the management, and if these limits are exceeded, the decisions shall be handled by the Board of Directors.
Invoicing is mainly handled in euros. In order to minimize the impact of fluctuation in exchange rates, the goal is to hedge the estimated cash flow of affected currencies. The company does not provide financing outside the industry's standard payment terms.
The company's investment policy for cash reserves was renewed in 2014. The Company's financial assets can be categorized in two groups: a) cash in bank accounts to ensure the everyday transactions /"working capital" and b) "excess cash" that is a strategic reserve for larger one-off cash needs like M&A cases. The Company's target is to keep "working capital cash" in banks as low as reasonable from the operational point of view. The excess cash is invested to reach higher return than money markets and therefore investments can stand more volatility. However, the main purpose is to ensure the value of investment, thus to support the shareholder value.
The most significant risks for F-Secure are related to the following factors: instability in the economic climate, changes in the competitive environment and customer demand affecting the volume of business and price levels, competitiveness of F-Secure's product portfolio in the changing market situation, the ability to protect the intellectual property (IPR) in F-Secure's solutions, risk exposure from increasing contractual liability requirements, regional development in new growth markets, sustainability of partner relationships, development of new business areas, continuous change in the storage and content cloud services markets, and potential security threats targeted at these services.