Corporate Governance

Principles

The SSH Group comprises SSH Communications Security Corp (SSH) and its subsidiaries. SSH Communications Security Corp is registered in Helsinki, Finland and is a publicly listed company. Its subsidiaries are SSH Communications Security, Inc. (US) and SSH Operations Ltd that operates in Finland, UK, and Germany.

SSH abides by its Articles of Association, as well as principles of sound corporate governance and high ethical standards in its governance and decision-making. The company complies with the Finnish Companies Act and securities market legislation, the rules of NASDAQ OMX Helsinki (former Helsinki Stock Exchange), and the joint recommendations of NASDAQ OMX Helsinki, the Helsinki Chamber of Commerce, and the Confederation of Finnish Industries regarding corporate governance of publicly listed companies.

Shareholders' Meeting

The ultimate decision-making power at SSH is vested in the shareholders' meeting. The Annual General Meeting is held within six months of the completion of the company's fiscal year, at a time decided by the Board. The shareholder's meeting decides the number of members of the Board of Directors, and appoints the members. Additionally, under the Finnish Companies Act, the Annual General Meeting has the authority to amend the company's Articles of Association, adopt the financial statements, approve the amount of dividend, and to select the company's auditors. Each SSH share conveys one vote at the shareholder's meeting.

Board of Directors

In accordance with the company's Articles of Association, the Annual General Meeting appoints three to eight members to the Board of Directors. Their term of office ends with the closing of the next Annual General Meeting following their appointment. The Board has a quorum when more than half of its members are present. The company's Articles of Association do not restrict the members' terms in office or present any specific selection criteria for the members. The Board elects a chairperson from among its members.

SSH's Board of Directors is responsible for the company's strategic policies, and the appropriate organization of business operations and administration. The Board of Directors acts in the company's interests at all times. In addition to the tasks and responsibilities provided by the Finnish Companies Act and the company’s Articles of Association, in accordance with its agenda, SSH's Board of Directors:

confirms the company's long-term goals and strategy
approves the company's action plan, budget and financial plan, as well as monitors their implementation
decides on large, single investments of strategic importance such as company and business acquisitions and divestments
approves proposed strategically important product development projects
appoints the CEO and determines his or her remuneration
decides on bonus and incentive schemes for senior management
confirms the company's risk management and reporting procedures
determines the company's dividend policy and is responsible for the development of shareholder value
confirms the company's values.

Board Composition

The Annual General Meeting held on 4 March 2009 elected Juho Lipsanen (chairman), Tomi Laamanen, Pyry Lautsuo, Juha Mikkonen and Tatu Ylönen as members of the Board of Directors.

Members of the Board of Directors

The majority of the Board members have no dependence on the company. Tomi Laamanen, Pyry Lautsuo, and Juho Lipsanen are deemed to be independent Board members. Not independent of the company are the Board members Juha Mikkonen and Tatu Ylönen. Juha Mikkonen is the Chairman of the board of directors of Assetman Oy, an investment firm that holds more than 10 percent of the total number of the SSH shares. Tatu Ylönen owns, directly and indirectly through his company Tatu Ylönen Oy, more than 50 percent of the total number of SSH shares.

Board Responsibilities

The Board works to a predetermined agenda. The themes to be considered in future meetings, and the Board's agenda, are planned at the start of each new term of office. During the spring, the agenda is focused on outlining strategic policies and updating the corporate strategy. In the autumn, the focus is on tactical matters, and in November the budget for the following year is approved. Meetings in the early spring focus on preparations for the Annual General Meeting.

The members of the Board receive regular updates on the company's business and financial performance. In the Board meetings, the CEO, the Chairman of the Board or another person appointed by the CEO, presents business to be considered to the Board. Each Board meeting considers a progress report provided by the CEO in line with the standard agenda. All Board meetings also monitor sales performance, market development and the company's financial performance. The company's General Counsel acts as secretary to the Board.

The SSH Board of Directors convened 16 times in 2008. The average attendance rate of Board members was 99 percent.

The Board evaluates its operations and processes to increase efficiency and quality. An internal self-evaluation is conducted once a year.

Committees of the Board of Directors

In a corporation, the proper functioning of the administrative and control systems requires that the work of the Board of Directors be organized as effectively as possible. The preparation of matters for which the Board of Directors is responsible can be made more effective through setting up committees comprising Board members. The Board of Directors will then make its final decisions based on the recommendations of the committees. SSH's Board of Directors has appointed an Audit Committee and a Remuneration Committee, but owing to the restricted scope of the company's activities, it had not deemed necessary to establish a separate appointment committee.

Tomi Laamanen acts as the chairman and Pyry Lautsuo acts as a member of the Audit Committee. As the CEO, CFO, and the auditor participate in the committee meetings, the Board has deemed two Board members to be sufficient in the Committee. The Committee convenes a minimum of twice a year, and the Board has confirmed the principal responsibilities of the Audit Committee to be as follows:

monitoring the financial performance of the company
monitoring the financial reporting (financial statements, interim reports)
assessing the sufficiency and due form of internal administration and risk management
ensuring compliance with laws and regulations
preparing the appointment of an auditor
communicating with the auditor, studying the auditing plan and the auditor's report.

The Remuneration Committee plans compensation and reward schemes for the management and the employees. Juho Lipsanen acts as the chairman and Juha Mikkonen and Tatu Ylönen act as members of the committee.

Both committees of the Board of Directors convened twice in 2008, and the average attendance rate of the committee members was 100 per cent.

CEO

SSH's Board of Directors appoints the CEO and decides the terms of his or her service contract. The CEO is in charge of the company's operative management in accordance with the Finnish Companies Act and the instructions and authority provided by the Board of Directors.

Since November 17, 2008, the company's CEO has been Jari Mielonen.

More information about Jari Mielonen

The CEO's retirement age and determination of pension comply with standard rules under the Employees' Pension Act. The period of notice for the CEO is six months. Severance payment is equivalent to twelve months' salary.

Group Management Team

The Group Management Team supports the CEO in managing and developing SSH Group. The members in the Group Management Team are the CEO and representatives chosen from the management of the company.

The members of the Group Management Team are:

Jari Mielonen, President and CEO
Tero Harjula, Executive Vice President
Mikko Karvinen, Executive Vice President, CFO
Jouni Leinonen, Executive Vice President
Pekka Rauhala, Executive Vice President, General Counsel

More information on the Management Team is available here.

Salaries and remuneration

The shareholders' meeting confirms annually in advance the emoluments payable to the members of the Board of Directors. The Board of Directors confirms the salary and other benefits of the CEO, and also determines the salaries and benefits payable to senior management.

Forms of remuneration for SSH's senior management and CEO involve a performance-related bonus and option schemes. The company has no other remuneration practices, nor does it have any differing pension arrangements for the CEO or other senior management.

The bonus scheme for SSH's senior management is based on the company's net sales and the trend in net sales, company profitability and personal qualitative and quantitative targets. The average weighting of the key financial indicators represents 70 percent of the overall target. The targets for the company's senior management are fixed for one year at a time.

The Board of Directors

Tomi Laamanen EUR 1,400/month
Pyry Lautsuo EUR 1,400/month
Juho Lipsanen EUR 1,400/month
Juha Mikkonen EUR 1,400/month
Tatu Ylönen (no salary or remuneration)

CEO

Share-based commitment and incentive system of CEO is available here.
CEO's salary and other benefits in 2008 were EUR 367,220.

The numbers of shares and stock options held by the members of the Board of Directors, CEO, and members of the Group Management Team are available here.

Insiders

SSH has established its own insider guidelines that comply with the Guidelines of Insiders approved for public companies by the Nasdaq OMX Nordic Exchange, Helsinki (prev. Helsinki Stock Exchange). The company maintains a public insider register of the public permanent insiders and the persons closely associated with the said permanent insiders' share and stock option holdings in the SIRE system of the Finnish Central Securities Depository Ltd. The public insider register and the principles regulating trading by insiders are available at the company's website and the company's headquarters.

The public permanent insiders of the company are members of the Board, CEO, members of the Group Management Team, and the auditors.
The company maintains also a company-specific insider register of persons who by virtue of their position regularly receive insider information or could have an opportunity to gain access to insider information through the nature of their work and who are not in the public insider Register. These persons include the assistants to executive management, product management, financial administration, and management of information services. In addition, any external legal consultants used by SSH belong to the company-specific insider register.

Insiders belonging to the public or company specific insider register are not allowed to trade in securities issued by the company for a period of 21 days prior to the announcement of an interim report and the financial statement bulletin (closed window).

The said permanent insiders are allowed to trade in securities issued by the company without a prior approval of the company's General Counsel only for a period of 21 days after the announcement of the interim report and the financial statement bulletin of the company (open window).

Under circumstances where the company is preparing an event that may have a significant impact on the stock price, a project specific insider register is established. Also the project-specific insider register will be based on the insider guidelines of the Nasdaq OMX Nordic Exchange, Helsinki (prev. Helsinki Stock Exchange). Company's General Counsel is responsible for guidance and supervision of the insider matters.

Insider Register (updated once a month)

Internal Administration, Risk management and Internal Auditing

The aim of internal administration and risk management is to ensure efficient, appropriate operations, dependable financial information and compliance with regulations and internal processes. SSH's Board of Directors ensures that the company has defined principles of internal administration, and that the company monitors the effectiveness of the administration. The ultimate responsibility for the company's accounting and supervision lies with SSH's Board of Directors. The Board also approves SSH's risk management and reporting procedures and monitors the adequacy, appropriateness and efficiency of the company's administrative processes.

The CEO, assisted by other operative management, is responsible for the practical arrangements for accounting and administration mechanisms and for compliance with laws, regulations, company processes, and the Board's decisions. To support its operations, the company has a number of rules and guidelines. Process and quality work ensures that there is a description of all processes, and that the various process interfaces are properly defined and documented. Processes are also intended to ensure that everyone in the organization knows how the company works, and how the work of each individual is integrated into the company's operations. Supervisory actions ensure compliance with rules, guidelines, and processes.

The company sets annual financial targets in connection with the budget and constantly tracks target achievement. The company's organizational structure supports efficient planning, implementation, and monitoring of business operations. Balanced Scorecard measurements ensure that the targets are in balance.

Risk management is a part of SSH's internal administration. It aims to ensure that major risks affecting the company's business and operating environment are identified and monitored. Since the United States is the main market area, any risks including currency risks associated with that country are considered to be significant. Other major risks are related to product technology, competitor activities and profitability. Property, business interruption and liability risks are covered by insurance.

SSH's main market area is the United States. To reduce this market dependency risk, the company is actively seeking to expand operations in Europe. Sales operations are supported by the company's own legal unit, which, through continuous management of contracts, seeks to reduce the risks related to the company's business operations. SSH protects its copyrights and trademarks through sales agreements. The company has also an active patent policy to protect its technology. SSH encourages its employees to make and protect inventions.

SSH has a process in place whereby any network security risks found in the company's products are promptly reported to senior management. Corrections are made immediately and updates are supplied to customers without delay. The company's critical information systems are secured and operations can continue, even in the event of an external catastrophe. SSH actively uses its own products to protect the information system architecture. Encryption and strong authentication protect the company's confidential data communications from both internal and external threats.

Financial risk management is described separately in the financial statements section of the company's annual report. SSH provides no financing for its customers other than by granting normal payment periods. The company has a strong balance sheet and no significant long-term liabilities. Asset managers invest the company's cash reserves in accordance with a policy approved by the Board of Directors. Since most of SSH's invoicing takes place in US dollars, the company is hedged against exchange rate risks.

Because of the relatively small size of the company, SSH has no separate internal audit organization. The continuous monitoring by the auditors in conjunction with the interim reports also aims to assess and develop the effectiveness of risk management, monitoring and administration processes, and to support the Board with its monitoring responsibility.

Auditors

The company's auditors provide shareholders with a report, as required by law, in conjunction with the annual financial statements. The principal aim of the statutory audit is to verify that the financial statements give a true and fair view of the company's financial performance and situation for each fiscal year. In addition to the Auditor's report provided with the annual financial statements, the auditors report on their findings to the company's Board of Directors in connection with the interim reports.

In accordance with the Articles of Association, SSH has one Principal Auditor authorized by the Chamber of Commerce, and one Deputy Auditor. If a firm of Authorized Public Accountants is appointed as the principal auditor, there is no need to appoint a deputy auditor. The auditors are appointed at the Annual General Meeting. SSH's auditor is PricewaterhouseCoopers Oy with Henrik Sormunen APA as principal auditor.

In 2008, the auditor's fees were EUR 33,890 in the Group and EUR 33,390 in the parent company. Other fees charged by the firm of auditors were EUR 84,101 in the Group and EUR 29,304 in the parent company. Other fees were mostly related to tax advice.

Public Communications

SSH aims to give the markets a clear view of the company's operations and financial performance in accordance with the regulations on the disclosure obligation for publicly listed companies. The company prefers electronic forms of communication. All stock market releases, other investor information, and the latest company information are available at the SSH website.