Risk management is an integrated part of F-Secure's governance and management. The goal is to support the achievement of the Company's objectives and continuity of the operations by ensuring that the Company:
- Has comprehensive understanding of major risks, both opportunities and threats
- Takes proactive action to manage opportunities and threats
- Has systematic means to identify, analyze, evaluate and control risks
- Has clear understanding of roles and responsibilities regarding risk management
- Has systematic means to collect, analyze and learn from occurred risks
The foundation for risk management is defined in the Company's Risk Management Policy. It expresses the mandate and commitment for F-Secure Risk Management and the processes and practices that are in place to identify, communicate and manage material risks across the company. The policy also ensures that responsibilities have been appropriately delegated for Risk Management.
The Board of Directors is responsible for approval of the Risk Management Policy and determines the company's overall risk attitude. The Board of Directors and its Audit Committee are responsible for monitoring the company's top risks and related controls and the effective implementation of the policy. The Audit Committee annually conducts a top risk review and evaluates the effectiveness of the risk management system.
The CEO and the Leadership Team are accountable to the Board for approving the Company's risk management standards and ensuring they are applied in a constant manner across the organization.
Corporate Risk Management function provides and maintains a process to identify, analyze, evaluate and treat of risks. Risk assessments are conducted twice a year as part of the biannual company planning cycle. Company level risk profile is approved by the Leadership Team. Leadership Team conducts a company level risk review biannually in sync with the operational planning. The Board of Directors and its committees approve and monitor the reporting procedures, as well as the adequacy, appropriateness and effectiveness of the company's business and administrative processes.
Weekly and monthly financial reporting that covers the entire company is used to monitor how well financial targets are being met. The reports include actual figures, plans and up-to-date forecasts. The company has sought to manage the risks relating to its business operations by developing its operating processes and control systems. The Board has set certain appropriate authorization limits to the management, and if these limits are exceeded, the decisions shall be handled by the Board of Directors.
The invoicing is mainly in euros. In order to minimize the impact of the fluctuation of the exchange rates, the goal is to hedge the estimated cash flow of affected currencies. The Company does not provide financing outside the industry standard payment terms. Company's investment policy for cash reserves is conservative. Cash and cash equivalent are mainly invested in short-term funds and other low-risk investments.
During 2012, the most significant risks relate to the competitiveness of F-Secure's product portfolio in the changing market situation, the ability to protect the intellectual property (IPR) in F-Secure's solutions, risk exposure from increasing contractual liability requirements, regional development in new growth markets, sustainability of partner relationships, forming of new business areas, continuous change in the storage and content cloud services markets, and potential security threats targeted to these services.