Internal administration, risk management and internal auditing
Risk management
Risk management aims to ensure that the company's strategic and operational targets are reached and operations safeguarded.
Risk management principles
Risk management is based on the risk management policy approved by the Board of Directors. We define a risk as an external or internal uncertainty factor that, if realised, would either positively or negatively affect our potential to achieve our strategic and financial targets. We seek to forecast, identify, evaluate, and control significant strategic, operative, financial, and accident risks. The Board of Directors defines the Group’s risk appetite and risk tolerance through its decisions and monitors the sufficiency and effectiveness of the Group’s risk management.
Responsibilities
The CEO is responsible for the implementation of risk management. The CFO is primarily responsible for managing financial risks, coordinates the implementation of risk management processes, and reports risks to the CEO, the Executive Management Team, and the Board of Directors. The Executive Management Team members are responsible for executing the risk management policy in their own areas. General Counsel is responsible for contractual and legal risk management and reports risks to the CEO and CFO. Every employee is responsible for identifying any risks relating to their own work and bringing them to the attention of their supervisor.
SSH Communications Security's largest risks
The largest risks that might affect the profitability of the company have been updated and are listed below:
- Cybercrime, including, e.g., ransomware
- Delays in product development and closing new business as well as phasing of new business cases
- Ability to execute the strategy
- Ability to retain and recruit key personnel
- Maintaining the ability to innovate and develop the product portfolio, including intellectual property rights (IPR)
- IPR litigation and utilization of the patent portfolio
- A large portion of the company revenue is invoiced in USD currency, and possible significant fluctuation in USD currency rates during the year could have unpredictable effects on profitability. The company decides on hedging of USD-based contracts case by case.
- Uncertainty in the macroeconomic environment, which can affect both the company's operational costs and financial expenses, as well as customer decision-making and product demand. Factors causing uncertainty include, for example, high inflation and increased market interest rates, a global pandemic, or an international conflict such as war.
Other risks, which are currently either unknown or considered immaterial to the company, may, however, become material in the future.
The principles and organization of risk management at SSH Communications Security are described on the company's website: www.ssh.com.
Internal auditing
Because of the relatively small size of the company, SSH Communications Security has no separate internal audit organization.
Internal control seeks to ensure that the Group’s operations are efficient and profitable, that reporting is reliable, and that the Group’s operating principles and applicable legislation and regulations are observed.
The Board of Directors is responsible for ensuring that the Group’s internal controls and risk management are adequate and appropriately organized for the company’s business operations. The Board supervises the CEO to ensure that he or she handles the company’s business operations and administration in accordance with the guidelines and instructions issued by the Board of Directors. To ensure adequate risk management, the Board of Directors discusses the Group’s business and financial reports, as well as any substantial changes that have occurred in the company’s business. The Board also assesses the adequacy and appropriateness of internal controls and risk management.
The CEO is responsible for the practical organization of internal controls. Among other duties, he or she ensures that the company’s accounting practices comply with the law and are handled in a reliable manner. The Group’s directors and managers are responsible for internal controls within their own areas of responsibility.
The Board is responsible for ensuring that the Group has defined guidelines and practices on internal control and that internal controlling is effective and monitored. The Board also confirms the risk management and reporting procedures, and supervises the adequacy, appropriateness and efficiency of the company’s management processes.
The CEO, assisted by other executive management, is responsible for the organization of accounting, administration and control mechanisms, and ensures that laws and regulations, company policies and board decisions are followed. Internal rules and guidelines have been published to support the company’s operations. It is also ensured that there is a process description of all key processes and that the different process interfaces are clearly defined and described. The purpose of defining the processes is to ensure that everyone in the organization knows how the company operates and how each employee’s work links into the company’s overall activities. Supervision and monitoring measures ensure compliance with rules, instructions and processes.
The company sets financial targets annually for budgeting and continuously monitors the implementation and fulfilment of these targets. The company’s organizational structure supports effective business planning, implementation and control.
Auditors
SSH Communications Security has one auditor, which must be a firm of authorized public accountants approved by Finland’s Central Chamber of Commerce. The Annual General Meeting elects the auditor for a term of office that runs until the end of the following Annual General Meeting.
The scope of the audit encompasses the Group’s accounting, administration, Financial Statements and Board of Directors’ Report for each accounting period. The Auditor makes regular reports to the Board of Directors and submits an Auditors’ Report to the Annual General Meeting. The Auditors’ Report contains a statement as to whether the Financial Statements and the Board of Directors’ Report give a true and fair view, as defined in the rules governing financial reporting, of the Group’s operative result and financial position, and as to whether the information contained in the Board of Directors’ Report is consistent with the Financial Statements. The auditor’s fee is paid annually on the basis of an invoice, in accordance with the Annual General Meeting’s decision.
SSH Communications Security's auditor is Ernst & Young Oy with Maria Onniselkä as principal auditor.
