52 Corporate Governance Report
Loomis Annual Report 2017
The strategy is designed to identify strengths to build upon, weak- nesses that need to be addressed, and opportunities and threats that require action to be taken. It also takes into account the changes that may take place in Loomis’ external environment, such as new technology or changes to laws. Each assignment is assessed using criteria such as pro tability and security, where commercial opportunities must be weighed against possible risks. Even if a risk is accepted, it must be monitored continuously be- cause the external environment changes all the time. Signi cant business processes are documented and every risk associated with a speci c process is identi ed and de ned in a comprehensive risk register. The global risk management policy adopted by Loomis stipulates how the Group is to work actively with operational risk management in accordance with other established policies and the Company’s Code of Conduct. Loomis has the ambition to min- imize the operational risks but has, in addition to internal routines and procedures, an extensive insurance coverage.
The Board of Directors evaluates future business opportunities and risks and draws up a strategy for the Group. Group Manage- ment and the respective country management team are responsible for managing operational risk. Group Management has responsibil- ity for identifying, evaluating and managing risk, and for imple- menting and maintaining risk control systems in line with the poli- cies adopted by the Board. Each country/regional management team is responsible for ensuring that there is a process in their country aimed at promoting risk awareness. Branch managers and individuals in charge of risk management in each country are re- sponsible for ensuring that the risk management is an integral part of their local operations at all levels in the country’s organization. Reviews of business risk and risk assessment are routinely conduct- ed throughout the Group. Group Management, the audit committee and the Board are informed on an ongoing basis of signi cant risks and any risk control shortcomings. Refer to page 42 for more infor- mation on the Group’s risk management work.
Internal control system
Loomis has a well-established process aimed at ensuring a high lev- el of internal control and risk management. Loomis’ framework for internal control includes the following areas: 1. Control environ- ment, 2. Risk assessment 3. Control activities 4. Information and communication, and 5. Monitoring activity.
1. Control environment
The control environment forms the foundation for internal con- trol by creating the culture and the values based upon which Loomis operates. This part of the internal control structure in- cludes the organization’s core values and how authority and re- sponsibility structures are communicated and documented in governing documents such as internal policies and instructions. The Board has adopted a number of policies for areas of key im- portance for Loomis and these are evaluated and updated annual- ly or as needed. A number of the most signi cant governing docu- ments adopted by Loomis are brie y described below:
• Authorization matrix; contains a delegation of decision-mak- ing. The Loomis Group is a decentralized organisation where managers are given clear targets and the authority to make their own decisions and develop their operations close to the customers.
• Communication Policy; aims to ensure that the Company meets the requirements relating to the disclosure of information to the stock market.
• Competition Law Compliance Policy; aims to ensure that the Company acts in compliance with applicable competition laws.
• Customer Contract Policy; speci es criteria for the content of contracts and when customer contracts must be approved by the Board.
• Finance Policy; contains guidelines to ensure transparent, cohe- sive and accurate  nancial reporting, proactive risk management and constant improvement of the Company’s  nancial processes.
• Information Security Policy; provides a general framework aimed at ensuring that a reasonable level of information security is maintained in a number of key areas.
• Insider Policy; complements the current Swedish insider laws and European regulations regarding insider trading. The policy establishes routines for the management of insider information, the management of logbooks etc. and de nes when trading in  - nancial instruments issued by (or attributable to) Loomis AB is prohibited. The policy applies to all persons in discharging mana- gerial responsibilities at Loomis AB as well as certain other cate- gories of employees
• Internal Control Requirements; stipulate the important routines and control measures not included in other governing documents.
• Policy regarding prior approval of auditing and non-au- diting services; contains guidelines on approval of auditing services performed by Loomis’ external auditors as well as non-auditing services performed by the auditor in charge. The purpose of the policy is to ensure that the auditors are indepen- dent of Loomis.
• Purchase procedures; provide a general framework to achieve e cient routines for signi cant  xed asset purchases.
• Risk Management Policy; provides a framework for the gener- al structure for organizing, controlling and following up opera- tional risks, such as guidelines for the operational cash processing.
• Rutines relating to trade sanctions; contain a description of general trade sanctions, highlight high risk countries and provide general guidelines for how businesses are to be run to ensure that Loomis is in compliance with international and local laws and regulations regarding trade sanctions.
• The Code of Conduct and Anti-Bribery policy; aimed at ensuring that companies in the Group maintain and promote business practices with the highest possible ethical standards.
2. Risk assessment
The Group’s  nancial and risk departments are responsible for en- suring that every subsidiary has routines aimed at promoting risk awareness. Country Presidents and individuals responsible for risk management in each country are to ensure that risk management is an integral part of the local operations at all levels in the country.
The Group has a system for managing risks. The system is in- tegrated in the Group’s business planning and performance fol- low-up processes. The annual risk analysis and the resulting risk register are coordinated and maintained at the Group level. In ad- dition to this, business risk reviews and risk assessment are rou- tinely performed throughout the Group.
3. Control activities
Control activities include methods and activities to ensure compli- ance with adopted guidelines and policies, and the accuracy and reliability of internal and external  nancial reports. Examples of control activities within Loomis are:
•
Self-assessment: Each operating entity within the Group reg- ularly conducts a self-assessment of insight into and adherence to the Group’s requirements on internal control. The Group’s external auditors validate the completed self-assessment. In or- der for comparisons to be made between countries and for changes to be made in speci c countries, the results are compiled at the Group, regional and country levels. All reports are made available to each country management team, regional manage- ment, Group Management and the Audit Committee.