Digia’s risk management process is supported by centralised risk management software. Risks are classified as strategic, financial, operational and sustainability risks. The Audit Committee of the Board of Directors is responsible for supervising the implementation of risk management and assessing its effectiveness. Monitoring focuses on risks of material significance to the company that are classified as high risk. Digia’s Group Management Team is responsible for the appropriateness of risk management and overseeing operational activities. The owner of risk management is responsible for reporting on risks and their correct assessment.
The development of the risk status is reported to the Audit Committee twice a year and the Group Management Team monitors the risk status at its regular meetings. Reports cover the risk status, the impacts of significant risks and measures used to manage them, and the monitoring of objectives, including the specified indicators.
Implementing the growth strategy places demands on both the organisation and its management. The company’s ability to recruit, maintain and develop the correct competence – and also to correctly time the offering to meet demand – will play a vital role. In line with its strategy, Digia is also seeking growth through acquisitions. However, Digia cannot be certain of locating suitable companies for acquisition or of successfully integrating them.
Operational and cyclical risks largely involve short-term demand in the operating environment and remain in effect due to the uncertainty in the business climate. If demand sees a sharp fall, price levels might also decline. Although the pricing models used in the service business balance out cyclical business, products provided via SaaS (Software as a Service) involve longer-term revenue streams compared to the one-off payment of product licenses. In an inflationary environment, it is not certain how quickly and to what extent the rise in costs will be passed on to market prices.
Major customer projects – and fixed-price projects in particular – involve both business opportunities and risks. As customer projects increase in size, the risks associated with profitability management also grow, and there is a greater need to manage extensive contract and delivery packages. Large customer projects typically involve delivery-related sanctions whose materialisation always poses a risk. Risks related to customer receivables are also growing.
Data security and protection risks comprise a significant risk area in the company’s business operations. Organisations have more and more information that is critical to their operations. Threats to data security and protection, and their quality and quantity, have risen significantly in recent years. Data security and protection risks mainly concern technology and people. Significant risk factors include, for instance, risks in high-security projects and the subcontracting chain. Due to the nature of its operations, the company is also the target of hostile influence. The company identifies, manages and prevents both internal and external threats. The company implements a regular ISO 27001-certified risk management process based on best practices in handling data security and protection risks. Risks are identified and their impact and significance are analysed. The risk level is reduced with appropriate measures where possible. Operational response and the handling of potential threats have been planned, rehearsed and tested in practice. The company’s employees are continuously trained, and data security and protection issues are actively communicated within the company and, if necessary, also to partners and customers. The company works in close cooperation with a variety of data security and protection authorities and networks. Physical security and personnel safety issues are managed using mechanisms similar to those employed in data security and data protection.
Sustainability risks consist of environmental, social and governance risks. Office work poses a rather low risk of environmental damage. The potential risks related to social responsibility that are monitored include experiences of overwork, occupational well-being, discrimination and unequal treatment. The monitoring of procurements, in turn, involves potential human rights risks such as the use of forced labour in the manufacture of equipment and the sourcing of raw materials. Administrative risks primarily concern the company’s legality and ethical operations.