Risk Management

Internal Administration, Risk Management and Internal Auditing

Risk Management

Risk management aims to ensure that company´s strategic and operational targets are reached and operations safeguarded.

Risk management principles

Our risk management is based on the risk management policy approved by the Board of Directors. We define a risk as an external or internal uncertainty factor that, if realised, would either positively or negatively affect our potential to achieve our strategic and financial targets.

We seek to forecast, identify, evaluate and control significant strategic, operative, financial and accident risks. The Board of Directors defines the Group’s risk appetite and risk tolerance through its decisions and monitors the sufficiency and effectiveness of the Group’s risk management.


The CEO is responsible for the implementation of risk management. The CFO holds primarily responsibility for managing financial risks and coordinates the implementation of risk management processes, and reports risks to the CEO, the Group Management Team and the Board of Directors. The Group Management Team members are responsible for executing the risk management policy in their own areas. Every employee is responsible for identifying any risks relating to their own work and bringing them to the attention of their supervisor.

SSH Communications Security´s largest risk

Largest risks that might impact the profitability of the company are listed below. Other risks, which are currently either unknown or considered immaterial to SSH Communications Security may, however, become material in the future.

Largest risks:
  • continuing uncertainty of the macroeconomic environment
  • delays on product development and closing new business
  • competitiveness of the product portfolio including intellectual property
  • litigation, especially in the U.S. market
  • competitive dynamics in the industry
  • ability of the organization to scale up operations with the growth
  • large portion of the company revenue is invoiced in USD currency so possible large fluctuation in USD currency rates could have unpredictable effects for profitability that are at the time difficult to estimate. Currently USD currency position is not hedged, and company decides hedging of USD based contracts case by case.

Internal Control

Internal control seeks to ensure that the Group’s operations are efficient and profitable, that reporting is reliable, and that the Group’s operating principles and applicable legislation and regulations are observed.

The Board of Directors is responsible for ensuring that the Group’s internal controls and risk management are adequate and appropriately organized for the company’s business operations. The Board supervises the CEO to ensure that he or she handles the company’s business operations and administration in accordance with the guidelines and instructions issued by the Board of Directors. In order to ensure adequate risk management, the Board of Directors discusses the Group’s business and financial reports, as well as any substantial changes that have occurred in the company’s business. The Board also assesses the adequacy and appropriateness of internal controls and risk management.

The CEO is responsible for the practical organisation of internal controls. Among other duties, he or she ensures that the company’s accounting practices comply with the law and is handled in a reliable manner. The Group’s directors and managers are responsible for internal controls within their own areas of responsibility.

Internal Auditing

Because of the relatively small size of the company, SSH Communications Security has no separate internal audit organization. The continuous monitoring by the auditors in conjunction with the interim reports also aims to assess and develop the effectiveness of risk management, monitoring and administration processes, and to support the Board with its monitoring responsibility.


SSH Communications Security has one auditor, which must be a firm of authorised public accountants approved by Finland’s Central Chamber of Commerce. The Annual General Meeting elects the auditor for a term of office that runs until the end of the following Annual General Meeting.

The scope of the audit encompasses the Group’s accounting, administration, Financial Statements and Board of Directors’ Report for each accounting period. The Auditor makes regular reports to the Audit Committee and submits an Auditors’ Report to the Annual General Meeting. The Auditors’ Report contains a statement as to whether the Financial Statements and the Board of Directors’ Report give a true and fair view, as defined in the rules governing financial reporting, of the Group’s operative result and financial position, and as to whether the information contained in the Board of Directors’ Report is consistent with the Financial Statements. The auditor’s fee is paid annually on the basis of an invoice, in accordance with the Annual General Meeting’s decision.

Year 2013

SSH Communications Security's auditor is KPMG with Kirsi Jantunen as principal auditor.

In 2013, the auditor's fees were EUR 28,395 in the Group and EUR 20,000 in the parent company. Other fees charged by the firm of auditors were EUR 9,827 in the Group and EUR 9,827 in the parent company. Other fees were mostly related to tax advice.