Internal Control and Risk Management

Risk management

The purpose of risk management is to secure positive development of earnings of the Company and the continuation of the business by implementing risk management cost-effectively and systematically throughout the different Business Segments and Enabling Functions.

Risk management is part of the Company´s strategic and operative planning, daily decision-making process and internal control system. Business objectives, risks and risk management operations are combined through risk management as one chain of events.

Main Principles of Organizing Risk Management

Company adheres to the risk management policy approved by the Board.

Risk management contains all actions, which are connected to setting up targets, identification of risks, measurement, review, handling, reporting, follow-up, monitoring and reacting to risks.

The Aim of Risk Management of the Company is to:

• systematically and thoroughly identify and assess all major risks, which threaten the achievement of objectives, including risks related to business operations, property, agreements, competence, security, currencies, financing and strategy;
• optimize business opportunities and secure continuation of business;
• recognize and identify uncertainties and subsequently develop the prediction of risks and measures needed to manage risks;
• take only calculated and assessed risks with respect to e.g. expanding the business, increasing market share and creating new businesses;
• avoid or minimize liability risks;
• ensure the safety of products, solutions and services;
• establish a safe working environment for the employees;
• minimize possibilities for unhealthy occurrences, crimes or misconduct by operating procedures, control and supervision;
• inform interest groups of risks and risk management; and
• be cost-effective in risk management.

The Aim of Risk Management is not to:

• exclude all risks in their entirety;
• adopt unnecessary control and management procedures; or
• take bureaucratic processes and procedures into use.

Main Principles of the Risk Management Process

In connection with the strategy process and annual planning the CEO reviews business risks which could endanger the achievement of strategic or financial targets. The risk assessments of the strategy process are produced in accordance with the group´s risk management process. Strategic and operative risks are monitored through monthly reporting by businesses in the Board of the Company. According to the risk management process, the Business Segments and Enabling Functions must produce assessments of risks in their designated areas of responsibilities and provide action plans to manage risks as well as to report on measures taken including the stage and effectiveness of such measures. These assessments and action plans are consolidated at the group level. The Company´s CLO is responsible for the risk management process and coordinates its appropriateness and compliance.

General Description of Internal Control and Operational Procedures

Internal control is a process applied by the Board of Directors, management and all levels of personnel in the Company to ensure that management has reasonable assurance that:

1. operations are effective, efficient, and aligned with strategy;
2. financial reporting and management information is reliable, complete and timely made; and
3. the Company is in compliance with applicable laws and regulations as well as the Company´s internal policies and ethical values including sustainability.

The first category addresses the basic business objectives, including performance and profitability goals, strategy, implementation of objectives and actions and safeguarding resources. The second category relates to the preparation of reliable published financial statements, including half year financial reports and Business Reviews, as well as condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly. The third category deals with complying with those laws and regulations to which the Company is subject to.

Internal Control Framework of the Company

Bittium´s internal control framework consists of:

• the internal control, risk management and corporate governance policies and principles set by the Company´s Board of Directors;
• management overseeing the implementation and application of the policies and principles;
• finance function and business controllers monitoring the efficiency and effectiveness of the operations and reliability of the financial and management reporting;
• enterprise risk management process identifying, assessing and mitigating risks threatening the realization of the Company´s objectives;
• monitoring possible agreements and other legal acts between the Company and its related parties;
• compliance procedures making sure that all applicable laws, regulations, internal policies and ethical values (including sustainability) are adhered to;
• effective control environment at all organizational levels including control activities tailored for defined processes and creating group minimum requirements for product and service areas as well as for geographical areas;
• shared ethical values and strong internal control culture among all employees; and
• internal audit assignments reviewing the effectiveness of the internal controls as needed.

Core Business Processes of Businesses and Enabling Functions

Risk management procedures of the Businesses and Enabling Functions are in place for business processes in the form of defined control points:

• relevant process risks are identified;
• common control points / Company´s minimum requirement control points are identified;
• common control points are implemented in processes; and
• additional control points can be determined as needed at business or functional levels.

Control activities are the policies and procedures that help ensure that management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the Company´s objectives. Control activities are set throughout the organization, at all levels and in all functions. They include various range of activities including but not limited to approvals, authorizations, verifications, reviews of operating performance, securing of assets and segregation of duties.

Internal Controls of Financial Reporting

The Company´s external financial reporting process, internal control and risk management systems are briefly described in this section. The main focus is on financial accounting and related controls.

Financial Reporting Organization

The financial management of the Company is responsible for organizing the accounting, money transactions and other daily financial operations of the companies belonging to it as well as organizing the internal reporting that supports the business.

The tasks of the Company´s financial administration consist of, inter alia, monthly consolidation of the Group entity, preparation of quarterly financial reports and consolidated financial statements, management and investment of monetary assets of the Group, management of liabilities, protection against exchange risk, and transfer pricing. The finance function of the Company implements operative supervision under the CFO who reports any supervisory findings to the Audit Committee. The tasks and responsibilities of the accounting function of the parent company and each subsidiary are included in the job descriptions of the teams and employees.

Financial Reporting Systems

Consolidated financial statements are prepared by using the chosen consolidation tool. The accounting of the Group´s subsidiaries is done by using the local accounting systems from which the actual figures are reported either manually or by automatic transfer to the group consolidation system. The accounting system in use includes general ledger accounting, accounts payables and accounts receivables. Current assets and payroll accounting is organized through various programs or purchased as an outsourced service. Purchase invoices are circulated through electronic invoice processing system. Global forecasts and budgets are prepared by using the forecast and reporting program.

Internal Controls

The Company´s internal control mechanisms are based on policies, instructions, limited process descriptions, authorization matrix, financial reporting review meetings, and segregation of key accounting duties.

Compliance Procedures

Compliance processes are in place at all levels of the organization to ensure that all applicable laws, regulations, internal policies and ethical values, including environment sustainability, are adhered to. The management and businesses are responsible for following up developments in legislation and regulations in their respective areas and communicating them to the organization. The members of the Management Group are responsible for setting up adequate compliance controls and compliance related training in their units. CLO of the Company coordinates the appropriateness and compliance of the compliance processes.

Roles and Responsibilities Regarding Risk Management and Internal Control

The key roles and responsibilities regarding the Company´s internal control and risk management are defined as follows:

Board of Directors

The Board of Directors is ultimately responsible for the administration and the proper organization of the operations of the Company. According to good corporate governance, the Board also ensures that the Company has duly endorsed the corporate values applied to its operations. The Board approves the internal control, risk management and corporate governance policies. The Board establishes the risk-taking level and risk bearing capacity of the Company and re-evaluates them on a regular basis as part of the strategy and goal setting of the Company. The Board reports to the shareholders of the Company.

Audit Committee

Audit Committee is responsible for the following internal control related duties:

• to monitor the reporting process of financial statements;
• to supervise the financial reporting process;
• to monitor the efficiency of the company´s internal control, internal audit, if applicable, and risk management systems;
• to review the description of the main features of the internal control and risk management systems pertaining to the financial reporting process, which is included in the company´s corporate governance statement; and
• to monitor the statutory audit of the financial statements and consolidated financial statements.

More detailed descriptions how the Audit Committee is fulfilling its monitoring role are defined in the Committee´s annual plan. The Audit Committee reports to the Board of Directors of the Company.

Chief Executive Officer

The CEO is in charge of the day-to-day management of the Company in accordance with the instructions and orders given by the Board. The CEO sets the ground for the internal control environment by providing leadership and direction to senior managers and reviewing the way they are controlling the business. The CEO is in charge of the allocation of resources to the risk management work, review of risk management policies as well as defining the principles of operation and overall process. The CEO reports to the Board on risk management according to the Annual Clock.

Management Group

The members of the Management Group are responsible for internal control implementation in their responsibility areas. More specific internal control policies and procedures are established within the principles set by the Board and CEO. Additionally, the management of the subgroup and the Group Management are responsible for implementing risk management practices in planning cycle and daily operations, and ensure the adherence of:

• laws;
• regulations;
• internal policies; and
• ethical values

in their designated responsibility areas.

The CFO:

• ensures a setup of adequate control activities for Business Segments in cooperation with the Business Segment management;
• follows the adequacy and effectiveness of control activities; and
• ensures that external reporting is correct, timely and in compliance with regulations.

Finance function does not have a separate internal control function. CFO reports any supervisory findings to the Audit Committee.

The CLO ensures that the Group´s corporate governance practices comply with the law and that legal matters of the Group are handled appropriately, in particular the contractual risks relating to business operations.

The CLO is in charge of the Company´s risk management process and its continuous development. The CLO reports to the CEO and management group on risk management as part of the monthly reporting.

Internal Audit

The Company has no specific internal audit organization. This is taken into account in the content and scope of the annual audit plan. On the one hand, external auditing focuses on specific areas in turn to be audited, and on the other hand, on separately agreed priority areas.