Risk management

Internal control and risk management related to financial reporting

Control functions and control environment 

The company has a controller function that reports to the CFO and is tasked with ensuring the accuracy of
monthly financial reporting. The CFO reports on the financial performance of the company and its divisions to Management, the Board of Directors, and the Board’s Audit Committee.

The company uses a reporting system that compiles subsidiaries’ reports into consolidated financial statements.
There are also written directives for completing the financial reports of subsidiaries. The company’s CFO monitors compliance with these instructions. The company also has the separate reporting facilities required for monitoring business operations and asset management.

The Group’s financial administration unit prepares the consolidated interim reports and consolidated Financial
Statements. This financial administration unit has centralised control over the Group’s funding and asset management, and is in charge of managing financial risks.

Internal control 

Internal control helps to ensure the reliability of the Digia Group’s financial reporting. Digia’s financial administration
unit provides guidance on financial reporting matters. The Group’s business is divided into areas of responsibility led by Senior Vice Presidents (SVPs) reporting to the CEO. Reporting and supervision are based on annual budgets that are reviewed monthly, on monthly income reporting, and on updates of the latest forecasts.

The SVPs report to the Group Management Team on development matters, strategic and annual planning, business and income monitoring, investments, potential acquisition targets and internal organisation matters
related to their areas of responsibility. Each area of responsibility also has its own management team.
Digia’s operational management and supervision adhere to the corporate governance system described above.

Digia has not yet established a separate function responsible for internal auditing. The need for an internal audit
function is regularly assessed. With the company’s current business volume, its legal and financial management functions are able to handle internal auditing tasks.

Risk management and major risks 

The purpose of the company’s risk management process is to identify and manage risks in a way that enables the company to attain its strategic and financial targets. Risk management is a continuous process by which the major risks are identified, listed and assessed, the key persons in charge of risk management are appointed, and risks are prioritised according to an assessment scale that compares the effects and mutual significance of risks. Part of this process involves identifying, planning and implementing risk management measures, and then monitoring their impact.

The main operational risks monitored under Digia’s risk management are related to customers, personnel, deliveries, IT, data security and protection, immaterial rights, and goodwill.

The company manages customer risks by actively developing its customer portfolio structure and avoiding any potential risk positions.

Personnel risks are evaluated and managed using a quarterly performance review and development discussion process in which key personnel participate. To enhance personnel commitment, the company strives to systematically improve the efficiency of internal communications via regular personnel events and by increasing the management’s visibility. Two major personnel-related risks are competence development and finding the correct expertise. These risks are systematically managed by developing our personnel’s competence and through continual recruitment management and subcontractor management.

Internal – and as required also external – audits of major projects and continuous services are conducted with
a view to enhancing project and service risk management and securing the success of customer deliveries.
The Group’s certified quality systems are evaluated regularly. Digia uses an ISO 9001-certified quality management system (Core Process Model), and the processes described in this system are utilised in all operations with a view to providing an optimal customer experience.

Audits are carried out to manage data security and protection risks, and the company also continually develops working models, practices and processes that promote data security and protection. Security training is organised
for all personnel. In 2020, we renewed our internal data security and data protection training package. This
training must be retaken every year, not only by Digia personnel but also by any subcontractors working on
Digia’s premises.

The Management Team is tasked with systematically managing risks associated with business integration,
shared operating models and best practices, as well as their integrated development. Typical risks in the
software business include the appropriate protection of the company’s own immaterial property rights (IPRs)
and violation of third parties’ IPRs. These are managed through extensive internal policies, standard contracts,
and appropriate supervision and analysis.

With respect to IFRS-compliant accounting policies, the Group actively monitors goodwill and its associated
impairment tests as a part of prudent and proactive risk management practices within financial management.

Digia has assessed the corporate liability risks associated with its own operations and business relations, and has
adequate and appropriate processes in place to predict and take precautions against these risks.

In addition to operational risks, the company is subject to financial risks. Digia Plc has centralised internal and
external financing and the management of financial risks within the finance function of the Group’s parent company. This function is responsible for the Group’s liquidity, the sufficiency of financing, and the management of
interest rate and currency risks. The Group is exposed to several financial risks in the normal course of business.
The Group’s risk management seeks to minimise the adverse effects of changes in financial markets on the
Group’s earnings. The primary types of financial risks are interest rate risk, credit risk, and funding risk. The general
principles of Digia’s risk management are approved by the Board of Directors, and the Group’s finance function
and business divisions are jointly responsible for their practical implementation.
