VR Group’s management is committed to effective risk management and its continuous development. VR Group’s risk management is guided by the risk management policy approved by VR-Group Plc’s Board of Directors. The policy defines the principles and objectives of risk management as well as the relevant responsibilities and operating procedures.
Responsibilities and duties related to risk management have been clearly defined. VR Group’s risk management is based on a three-line model in which the primary responsibility for the implementation of risk management lies with the business areas and the executive management in the first line. In the second line, the corporate services units lay out consistent operating practices and support business operations. In the third line, the internal audit function independently ensures the compliance of risk management. A separately appointed risk management group guides and supports the planning and implementation of risk management. The risk management group is chaired by VR Group’s CFO and its members include the Director of Finances, Director, Risk Management, the Vice President for the Internal Audit, the Senior Vice President, Strategy and Development, the General Counsel, the Senior Vice President, Human Resources and the Senior Vice President, Train Operations & Safety.
VR Group is prepared to take controlled risks within its risk-bearing capacity. However, in matters pertaining to safety, regulatory compliance and the reliability of reporting, the aim is to minimise risks. Risk acceptability criteria are defined by risk category in the risk management policy. VR Group has insurance that covers, for example, damage and liability risks arising from major accidents as well as the discontinuation of operations in respect of damage risks.
Risks are categorised as external, strategic and operational risks. External risks cannot be fully influenced or controlled, but it is important to identify them and take them into consideration in the Group’s operations. Strategic risks are related to strategic choices and the execution of strategy. They usually involve business opportunities, which means that controlled risks can be taken within the limits of the Group’s risk-bearing capacity. Operational risks are generally related to internal processes or controllable external factors and they also include damage risks. Operational risks are assessed at the business area level and unit level through processes.
The risk assessment process at the business area level and the Group level is an operating model integrated to business operations. It involves identifying, assessing, managing and monitoring risks that influence operations as part of the planning and development of operations. Information related to risks is documented in the Group’s risk register and its confidentiality is maintained. The effectiveness of risk management and the development of the risk management process are evaluated annually in connection with the Group’s risk assessment.