Risk management

The objective of risk management is to continuously obtain information about, assess, and manage the possibilities, threats, and risks that relate to Administer’s operations so that the company can realise its objectives and ensure the continuity of its operations without disruption.

The objectives, principles, organisation, responsibilities, and practices of Administer’s risk management are described in the principles of risk management. Risk management is part of the internal control and a significant component in monitoring and ensuring the continuity of operations. The Board of Directors and the senior management of the company monitor the performance of the risk management process.

Sharing of risk management responsibilities

In accordance with the Finnish Companies Act, the Board of Directors is to see to the governance of the company and ensure the appropriate organisation of its operations. In addition, the Board shall monitor and assess the efficiency of the internal control and the risk management system. The Board approves the principles concerning internal control and risk management as well as any changes to these principles. The Board also manages any significant risks and uncertainties that relate to the company’s operations.

The CEO, in cooperation with the management team, is responsible for establishing the principles concerning risk management and ensuring that risk management is implemented methodically and appropriately. The CEO ensures that the company’s risk management process is comprehensive and assesses the implementation of the risk management process. The CEO reports risk management related findings to the Board of Directors. The members of the management team are responsible for planning, implementing, and monitoring the risk management practices in their own areas of responsibility.

The principles of risk management

The company regularly tracks changes in risks and their effects on the business operations. The company continuously and methodically applies risk management practices according to the risk management process to ensure the continuity of operations. The manager in charge of the development of business continuity supervises the annual processing of known risks and potential new risks as per the areas of responsibility of the management team members. These risks are assessed based on their probability and effects on the business operations and the data protection of the staff, and the company records the measures that can be taken to reduce these risks.

Administer’s subsidiaries have their own practices to reduce risks so that they can ensure the continuity of their operations and the quality and validity of their services. According to the requirements of the company’s various business activities, the continuity and recovery capabilities of the subsidiaries’ operations will be tested and audited in different risk scenarios each year.

The business risks will also be examined when drafting customer and partner agreements. The objective is to acknowledge the potential risks and uncertainties concerning the agreement and to agree on the ways in which the risks are shared if they materialise.

Risks and uncertainties

The company has identified the most significant risks and divided them into ten categories. The risks are described and itemised in more detail in the subsidiary-specific risk mappings and matrices, in which each risk has been assessed based on its probability, severity of consequence and impact on personal data. The description of each risk includes the measures that will be taken to reduce its impact. The company has also created various risk scenarios and action plans based on the identified risks.

Administer has identified the most significant risks as follows:

risks concerning macroeconomics
risks related to the market environment
risks related to the organising of business operations
IT system related risks
personnel related risks
data protection related risks
risks concerning the quality of service
legal risks
financial risks
risks concerning misconduct