Risk management

Risk management framework and principles

Finnair operates in a global and highly competitive environment that is sensitive to economic fluctuations. In executing its strategy, Finnair and its operations are exposed to a broad range of risks and opportunities.

Risk management is an integral part of effective management practice to ensure that Finnair is successful in achieving its business objectives. Uncertainty (opportunity or threat) is an inevitable element in all decision-making, and thus an integral component of running the business.

Finnair’s Risk Management Framework has been defined and established to ensure the identification, evaluation and management of risks and uncertainties associated with the set objectives.

The framework is designed to take a corporate-wide portfolio view of risks. The risk management principles are summarised as follows:

  • Risk management extends beyond internal control to strategy-setting, governance, and measuring performance;

  • Risks are managed as an integrated part of strategic and operational planning, day-to-day decision making, and operational processes;

  • The Three Lines of Defence model is applied as the primary governance principle to ensure that the segregation of duties is defined and established between risk management and risk control;

  • The performance and efficiency of Finnair’s risk management and internal control systems are subject to systematic monitoring.

Risk management policy and process

The framework and principles for risk management have been defined in the Finnair Internal Control and Risk Management Policy, which has been approved by the Board of Directors. The policy is supplemented by other policies for managing risks in specific areas. Examples of other risk policies are Treasury Policy, Procurement Policy, Information Security Policy, Data Privacy Policy, Competition Policy, and Trade Sanction Policy.

The Finnair Risk Management Framework and principles are based on the internationally recognised best practices for risk management (COSO Enterprise Risk Management – Integrating with Strategy and Performance, and ISO 31000:2009 standard).

Risk identification and evaluation include the following phases:

  • Identification of external and internal events affecting the achievement of objectives;
  • Distinction between risks and opportunities;
  • Analysis of identified risks;
  • Integration (aggregation) of risks;
  • Evaluation and prioritisation of risks based on their impact and likelihood.

Risk governance

1st Line of Defence

Business units and shared functions are responsible for setting the objectives and managing day-to-day performance. As risk owners, the business units and shared functions identify and evaluate risks and make risk-informed decisions. They manage risks by defining and implementing controls. Thus, they are responsible for conducting day-to-day control and risk management activities in accordance with Finnair’s Risk Management and Internal Control Frameworks.

As a part of the first line of defence, Finnair’s CEO and the Finnair Executive Board have the overall accountability for appropriate risk management practices.

2nd Line of Defence

Risk & Compliance provides expertise in risk assessment and risk management, and acts as a control function that is responsible for developing and maintaining the Risk Management Framework and Internal Control Framework as well as for continuously monitoring the implementation of the policies, rules, procedures and key controls within the frameworks. Risk & Compliance has a reporting line to the Audit Committee of the Board of Directors.

Outside the scope of the Risk & Compliance function is Finnair’s statutory Safety Management System, which is required by Finnair’s Air Operator’s Certificate and applicable aviation regulation and is subject to a specific responsibility matrix and supervision prescribed by the supervisory authorities. Safety & Compliance acts as a control function with respect to the Safety Management System.

3rd Line of Defence

Internal Audit performs audits and provides the Audit Committee with an independent assessment of the overall effectiveness and maturity of the internal control and risk management systems.

Risk & Compliance

The primary governance principle is adherence to the Three Lines of Defence model, with a clear division of roles and responsibilities with respect to internal control and risk management. A proper Three Lines of Defence governance ensures that the segregation of duties is defined and established between risk management and risk control.
