Risk management and control

The purpose of YIT’s risk management is to promote the achievement of the objectives set for YIT’s operations and ensure the continuity of operations.

Risk management at YIT is governed by the risk management policy approved by the Board of Directors. The risk management policy describes the main principles of risk management at YIT, the risk management model and the key risk management processes. The Board of Directors guides and supervises the planning and execution of risk management and approves the company’s risk-taking ability and risk appetite. YIT Corporation’s President and CEO has overall responsibility for risk management. The President and CEO is responsible for the organisation, monitoring and implementation of risk management as well as the development of the risk management strategy. Business and support functions are responsible for risk management practices for their own part.

Risk management is incorporated into all of the Group’s significant operating, reporting and management processes. Risk management planning, risk exposure assessment and risk analyses of the operating environment are part of the annual strategy and planning process. In addition, material changes in risks and risk exposure are reported and monitored on a monthly and quarterly basis in accordance with the Group’s governance and reporting practices.

YIT has categorised the risks that are significant to its operations into strategic, operational, project-related, financial and event risks.

YIT’s business is project-based, which is why risks related to project portfolios and individual projects are key to risk management. Project portfolio risk management is implemented in connection with, for example, annual planning, project selection and business reviews. The gate model is utilised in the risk management of individual projects; each gate includes a risk review. Risks in the implementation and maintenance stages are also managed with the help of harmonised project risk management principles and tools.

Detailed descriptions of the most significant short-term risks for YIT's business and the effects of these on risk management measures are described in the 2022 Annual Review

The main characteristics of the internal control and risk management systems related to the financial reporting process are presented in the Corporate Governance Statement

The objective of YIT’s internal control and risk management related to financial reporting is to ensure that the company’s financial reporting provides an accurate picture of YIT’s financial performance and position, as well as assurance that the company operates in accordance with internal guidelines and that YIT complies with the relevant laws and regulations as well as other obligations set out for listed companies. YIT’s consolidated financial statements are drawn up in accordance with the International Financial Reporting Standards (IFRS). A further objective of risk management is to support the achievement of the company’s strategic and business objectives by anticipating and managing potential threats and opportunities.

Main characteristics of internal control

YIT’s financial reporting, planning and control are based on the operating model specified by the Group, policies approved by the Board of Directors, and financial reporting manuals and instructions that need to be adhered to throughout the Group. In accordance with the operating model, the reporting and evaluation of financial results is performed at multiple levels of monitoring, performed by the Group’s businesses, the persons responsible for the finances for each company, and group functions. The lowest levels of monitoring are the project level and the unit level. The highest levels of monitoring are the company level, business segment level and group level.

Responsibilities for the performance and control of financial reporting have been assigned in accordance with YIT’s operating model to the businesses and the centralised group-level financial functions. The businesses are responsible for project-related financial reporting and the measurement of assets used in each business, for example. The centralised group-level financial functions engage in planning, guidance, training and coordination related to reporting, make key interpretations concerning accounting principles concerning financial reporting, and prepare financial reporting for review by YIT’s Audit Committee and Board of Directors.

Monthly financial reporting to business-level and group-level management is a key control process for monitoring the achievement of financial targets. This internal financial reporting is prepared in accordance with the same IFRS accounting principles used for external group reporting. Monthly repeated controls, including both automatic and manual controls, are used to ensure the accuracy of reporting. The business segments and group functions monitor and evaluate the monthly reported actual figures and projections. Self-developed projects and contracting projects constitute a key component of YIT’s financial reporting as a whole. Changes to the project portfolio are reported on a monthly basis, and any material changes are analysed on a project- specific basis as necessary. The project-level financial reporting performed by the businesses is supported and supervised by the centralised group-level Business Controlling function.

The strategies of the Group and its businesses are evaluated annually and updated as necessary. Annual plans based on the strategy and the budget for the next year are typically drawn up during the second half of the year. The strategy and annual plans are approved by YIT’s Board of Directors.

Risk management

The group-level investment, risk management and corporate security function coordinates and develops the systematic assessment of risks and opportunities as part of business planning and core decision-making processes. The function coordinates the assessment of risks and opportunities related to the business environment, operational activities, assets and financial position in order to limit unnecessary or excessive risk- taking. The business segments are responsible for the identification, assessment and management of risks in their respective areas of operation. Business-related risks and strategic risks are reported to the group management on a regular basis. The group management supervises and monitors the implementation of measures related to the risks. YIT’s Board of Directors regularly reviews the risk portfolio based on the group management’s assessment. More information on risk management principles is presented in the “Risks and risk management” section of the Annual Review.

The internal audit is part of YIT’s internal control system and framework. The internal audit is independent of other functions. It is an objective evaluation, assurance and consulting function intended to create added value for the company and provide recommendations for the further development of operations. The internal audit supports the Board of Directors and the management in the achievement of objectives by evaluating the appropriateness and effectiveness of the company’s risk management, control, management and administration processes.

The internal audit carries out independent inspections of businesses, group companies, processes and specifically selected targets to evaluate the effectiveness of internal control. The aim of the internal audit function is to ensure compliance with internal policies, guidelines and regulations.

The internal audit systematically evaluates the effectiveness of the aforementioned functions and issues recommendations for the development of operations, thereby helping the company achieve its objectives. The internal audit also supports the sharing of best practices within the group. Group companies can report potential misconduct to the company’s management through the internal audit function in addition to other reporting channels.

The internal audit operates under the supervision of the Audit Committee of the Board of Directors and reports the results of its auditing activities to the Audit Committee. The Audit Committee subsequently reports to the Board of Directors. A risk-based annual plan is drawn up annually for the internal audit and approved by the Audit Committee.

The internal audit focuses on identified business risks. The focus areas highlighted in the annual plan are reviewed on a quarterly basis. Administratively, the internal audit reports to the Corporate General Counsel. YIT has outsourced its internal audit to Deloitte Oy effective from 1 January 2022.

YIT's Code of Conduct - the way we operate in accordance with our shared values and rules, is a concrete expression of what compliance with our values means in our work with different stakeholders.

The Code of Conduct is not meant to be a detailed guide that provides an answer to every question, but rather a general guideline for compliance with our shared values, principles and rules.

The document includes the principles that guide our operations in relation to customers, employees, shareholders, business partners, competitors, society and the environment. You will also find information related to compliance with our business principles and reporting infringements.

Read more about Code of Conduct