Operational risks are defined as the negative effects resulting from inadequate or failed internal processes, people and systems or equipment, or from external events. The main objective of operational risk management is to reduce the risk of unwanted operational events by clearly documenting and automating processes and by ensuring a strict segregation of duties between decision-making and controlling functions. Quality, environmental and occupational health and safety management systems are tools for achieving this objective. Fortum's operational activities are 100% ISO 14001 certified. The coverage of OHSAS 18001 certification is 74%. Equipment and system risks are primarily managed within maintenance investment planning, and there are contingency plans in place to ensure business continuity. Operational risks in production facilities (nuclear, hydro and heat plants) are mitigated by continuous maintenance, condition monitoring, and other operational improvements.
The Group Insurance Instructions define the management of insurable operational risks. The objective of insurance management is to optimise loss prevention activities, self-retentions and insurance coverage in a long-term cost-efficient manner. Fortum has established Group-wide insurance programmes for risks related to property damages, business interruption and liability exposures.
Operational events at hydro power generation facilities can lead to physical damages, business interruptions, and third-party liabilities. A long-term programme is in place for improving the surveillance of the condition of dams and for securing the discharge capacity in extreme flood situations.
In Sweden, third-party liabilities from dam failures are strictly the plant owner's responsibility. Together with other hydro power producers, Fortum has a shared dam liability insurance programme in place that covers Swedish dam failure liabilities up to SEK 9,000 million.
Fortum owns the Loviisa nuclear power plant, and has minority interests in one Finnish and two Swedish nuclear power companies. At the Loviisa power plant, the assessment and improvement of nuclear safety is a continuous process performed under the supervision of the Radiation and Nuclear Safety Authority of Finland (STUK).
In Finland and Sweden, third-party liability relating to nuclear accidents is strictly the plant operator's responsibility and must be covered by insurance.
As the operator of the Loviisa power plant, Fortum has a statutory liability insurance policy of 600M SDR (Special Drawing Right). The same type of insurance policies are in place for the operators where Fortum has a minority interest. In Sweden, the limits are compliant with the national legislation.
Decisions have been made in both Finland and Sweden to renew the current nuclear liability legislation to align it more closely with the Paris and Brussels conventions. The new legislation is not likely to come into force during 2015 in Finland and Sweden. The changes in the new national legislation consist of a liability on plant operators covering damages up to EUR 700 million in Finland and up to EUR 1,200 million per nuclear incident in Sweden, which should be covered by insurance or another form of financial guarantee, as well as a strict and unlimited liability for the plant operators in each respective country.
Under Finnish law, Fortum bears full legal and financial responsibility for the management and disposal of nuclear waste produced by the Loviisa power plant. In both Finland and Sweden, Fortum bears partial responsibility, proportionate to the output share, for the costs of the management and disposal of nuclear waste produced by co-owned nuclear power plants.
In both Finland and Sweden, the future costs of the final disposal of spent fuel, the management of low and intermediate-level radioactive waste and nuclear power plant decommissioning are provided for by a state-established fund to which nuclear power plant operators make annual contributions.
Multi-layered containment systems and sophisticated safety protocols effectively isolate radioactive materials from the surrounding environment during the process of interim storage, packaging, transport, relocation and encasement of nuclear waste in the final storage repositories.
Operational events at distribution facilities can lead to physical damages, business interruptions, and third-party liabilities. Storms and other unexpected events can result in electricity outages that create costs in the form of repairs and customer compensations. Although outages are typically short, it is not possible to completely prevent long outages. There are extensive procedures in place to minimise the length and consequences of outages. After the divestments in Finland and Norway, Fortum is exposed to distribution risks only in Sweden.
The assessment of sustainability risks is also included in the assessment of business risks. The Corporate Sustainability function assesses the risks related to both Group and their own operations as part of the annual planning. The divisions assess the risks identified by the Corporate Sustainability function in their own annual planning and prepare for their control. Business divisions with ISO 14001 certification manage their environmental risks and their preparedness to operate in exceptional and emergency situations in compliance with the requirements of the standard. The same approach applies to risk management related to occupational health and safety and actions in emergency situations for operations with OHSAS 18001 certification.
Operating power and heat generation and distribution facilities involves the use, storage and transportation of fuels and materials that can have adverse effects on the environment. Operation and maintenance of the facilities expose the personnel to potential safety risks. The risks involved with these activities and their supply chain are receiving increased attention. There is also a growing public awareness of sustainable development and the expectations on companies' responsible conduct.
Environmental, health and safety (EHS) risks as well as social risks related to Fortum's activities are regularly evaluated through internal and external audits and risk assessments, and corrective and preventive actions are launched when necessary. EHS related risks together with social risks arising in investments are systematically evaluated in accordance with Fortum's Investment Evaluation and Approval Procedure. Environmental risks and liabilities in relation to past actions have been assessed and necessary provisions made for future remedial costs.
Fortum actively explores opportunities in new technologies in a solar economy. Fortum is participating in technologies and projects in solar and wave energy, and since 2013 Fortum has operated its first solar plant in India. New technologies, like bio-oil and solar, expose Fortum to new types of risks, such as IPR risks and viability of technologies. These, in combination with operating in new markets, add complexity.
IT and information security risks
Information security risks are managed centrally by the Corporate Security and IT functions. Business-specific IT risks are managed within the divisions and corporate units. Group IT instructions set procedures for reducing risks and managing IT and other information security incidents. The main objective is to ensure high availability and fast recovery of IT systems. Fortum's IT community identifies the IT-related operational risks that might threaten business continuity, and the mitigating actions are planned accordingly. Fortum IT is exposed to hardware and software risks, including cyber attacks, as is any other corporate function, taking into account the size and complexity of the business. The management of these risks is coordinated by Corporate IT, headed by the CIO, who also manages the IT architecture and strategy.