
Internal Administration, Risk Management and Internal Auditing

Risk Management

Risk management aims to ensure that the company's strategic and operational targets are reached and its operations are safeguarded.

Risk management principles

Our risk management is based on the risk management policy approved by the Board of Directors. We define a risk as an external or internal uncertainty factor that, if realised, would either positively or negatively affect our potential to achieve our strategic and financial targets.

We seek to forecast, identify, evaluate and control significant strategic, operative, financial and accident risks. The Board of Directors defines the Group’s risk appetite and risk tolerance through its decisions and monitors the sufficiency and effectiveness of the Group’s risk management.


The CEO is responsible for the implementation of risk management. The CFO holds primary responsibility for managing financial risks, coordinates the implementation of risk management processes, and reports risks to the CEO, the Executive Management Team and the Board of Directors. The Executive Management Team members are responsible for executing the risk management policy in their own areas. The General Counsel is responsible for contractual and legal risk management and reports risks to the CEO and CFO. Every employee is responsible for identifying any risks relating to their own work and bringing them to the attention of their supervisor.

SSH Communications Security's largest risks

The largest risks that might impact the profitability of the company have remained by and large the same as in the previous reporting period and are listed below. Other risks, which are currently either unknown or considered immaterial to SSH Communications Security, may, however, become material in the future.

Largest risks:

  • continuing uncertainty of the macroeconomic environment
  • cybersecurity breaches, including but not limited to ransomware
  • delays in product development and in closing new business
  • competitiveness of the product portfolio, including intellectual property (IPR) litigation, especially in the U.S. market
  • competitive dynamics in the industry
  • ability of the organization to scale up operations in line with growth
  • a large portion of the company's revenue is invoiced in USD, so possible large fluctuations in USD exchange rates during 2016 could have unpredictable effects on profitability that are at this time difficult to estimate. Currently the USD currency position is not hedged, and the company decides on hedging of USD-based contracts case by case.

Utilization of the company's patent portfolio may have significant positive and/or negative impacts.

The principles and organization of risk management at SSH Communications Security can be read on the company's website.

Internal Auditing

Because of the relatively small size of the company, SSH Communications Security has no separate internal audit organization. The continuous monitoring by the auditors in conjunction with the interim reports also aims to assess and develop the effectiveness of risk management, monitoring and administration processes, and to support the Board with its monitoring responsibility.


SSH Communications Security has one auditor, which must be a firm of authorised public accountants approved by Finland’s Central Chamber of Commerce. The Annual General Meeting elects the auditor for a term of office that runs until the end of the following Annual General Meeting.

The scope of the audit encompasses the Group’s accounting, administration, Financial Statements and Board of Directors’ Report for each accounting period. The Auditor makes regular reports to the Audit Committee and submits an Auditors’ Report to the Annual General Meeting. The Auditors’ Report contains a statement as to whether the Financial Statements and the Board of Directors’ Report give a true and fair view, as defined in the rules governing financial reporting, of the Group’s operative result and financial position, and as to whether the information contained in the Board of Directors’ Report is consistent with the Financial Statements. The auditor’s fee is paid annually on the basis of an invoice, in accordance with the Annual General Meeting’s decision.

SSH Communications Security's auditor is Ernst & Young Oy and Erkka Talvinko will act as the accountant with the main responsibility.

