Risk Management Policy

1. Background and purpose

The purpose of this policy is to establish a systematic and integrated approach to risk management throughout the Sandvik Group. Effective risk management supports management efforts to identify, measure, respond to, monitor and report risks that in different ways may affect the achievement of Sandvik’s strategic, operational and financial objectives. The procedures below support this policy and further detail how risks are managed within the Sandvik Group.

  • Enterprise Risk Management Procedure
  • Business Continuity Procedure
  • Crisis Management Procedure
  • Insurance Procedure
  • Financial Risk Management Policy
  • Loss Prevention Procedure

2. Definitions

Business Continuity Management A holistic management process that identifies potential threats to the organization and the impacts to business operations that those threats, if realized, might cause. Business continuity management provides a framework for building organizational resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities (ISO 22301:2012).
Business continuity plan Documented plan that guides the organization to respond, recover, resume, and restore to a pre-defined level of operation following a disruption (ISO 22301:2012).
Crisis An incident or emergency that threatens the viability of the business or that, for other reasons, the normal organization cannot manage. It can happen unexpectedly or develop over time, but often demands immediate action. If not managed properly, it could cause major harm to the business, with severe financial, reputational, environmental or human consequences. Examples include, but are not limited to, a damaging fire, natural disasters, environmental accidents causing pollution, security threats, terrorist acts or pandemics in the surrounding business environment.
Entity Legal or reporting entity
Global Insurance Programs Means all insurance programs that are managed by Group Risk Management. A global insurance program is designed to, as far as different legal and regulatory requirements allow, provide global coverage for multinational businesses regardless of where the Subsidiary is domiciled.
Incident An event that has minor impact on everyday operations: no major harm to anyone’s life or health, limited or no business impact, no serious loss of valuable information or property, and limited reputational consequences.
Local Insurance Solutions Means local insurance covers and policies in each country standalone from the Global Insurance Programs. Local Insurance Solutions shall be maintained to fulfill local legal and regulatory requirements.
Loss Prevention Means all proactive measures taken to manage and mitigate Insurable risk.
Non-Life Insurance Means all insurance not related to life or pension.¹
Sandvik Enterprise Risk Management (ERM) Sandvik’s framework to manage risks related to the achievement of strategic, operational, and financial objectives.
Serious incident An incident causing permanent disability, fatality* or serious loss of time, serious damage to environment or business, loss of valuable information or property. A serious incident may cause major reputational consequences.
Subsidiary Means a company, corporation or other legal entity (a limited liability company or similar legal person) which is directly or indirectly controlled by Sandvik AB. For the purposes of this definition, the governance arrangements for any joint venture (with a non-Sandvik company) shall also comply with the terms of this policy, with allowance for variations due to the joint nature of the entity. Specific advice from the applicable General Counsel should be sought as regards any such joint ventures.

1) Life insurance and pension programs are primarily managed by HR and Group Compensation & Benefits.

3. Scope

This policy sets the minimum requirements related to risk management for the Sandvik Group.

4. Audience

This policy applies to all entities within the Sandvik Group.

5. Policy statement

5.1 Enterprise Risk Management

Effective Enterprise Risk Management (ERM) supports management efforts to identify, measure, respond to, monitor and report risks that affect the achievement of Sandvik’s strategic, operational and financial objectives. Sandvik has adopted a systematic and integrated approach to the management of risks that applies throughout the Sandvik Group.

Key Elements of Sandvik’s ERM process

[Figure: Key elements of Sandvik’s ERM process (Risk-01.jpg)]

The key elements of Sandvik’s ERM process, as further defined in the ERM Procedure, are required to be followed by the management teams of Sandvik’s business areas, divisions, business units, the Group Executive Management and group functions and, where defined by management, in relevant entities or in certain processes. This responsibility includes proactively and effectively understanding, managing, communicating, following up and monitoring the risks associated with the relevant part of the business.

5.2 Business Continuity Management

Business Continuity Management is a strategic approach that involves developing a response that safeguards the entire business by managing the impact of a business disruption, so that the company’s business objectives can still be achieved irrespective of the cause of the disruption.

The Business Continuity Management Procedure sets out common principles for strategic Business Continuity Management to be applied throughout the Sandvik Group.

The purpose is to set the minimum requirements for Sandvik Group entities to ensure their ability to respond successfully to a disruptive event and continue their business operations at an acceptable level. The management teams of all business areas, divisions, business units, production units, functions and entities shall be aware of the major risks to the business and ensure that they have an appropriate level of business continuity preparedness: to identify, analyze and quantify the potential business impact, and to develop and implement continuity strategies within their respective organization.

Business Continuity Management Process

[Figure: Business Continuity Management process (risk-02.jpg)]

5.3 Crisis Management

A sustainable business also requires effective and structured incident and crisis management. To ensure that unexpected events are managed properly, consistently and at the right organizational level within the Sandvik Group, a common approach that establishes the right capabilities for serious incident and crisis management is needed.

The purpose of the Crisis Management Procedure is to set the minimum requirements for how a serious incident or a crisis is to be managed. The priority when a serious incident has occurred, or in a crisis situation, is to minimize harm to people and the environment, in line with Sandvik’s vision of ‘zero harm’ and our Code of Conduct. Once that is established, we take the necessary steps to minimize damage to Sandvik’s business operations and to safeguard our company brands and business reputation, in order to ensure a swift return to normal activities.

The management teams of all Sandvik entities need to have established routines, clearly communicate how their organizations are to act in a crisis or when a serious incident has occurred, and ensure that unexpected events are managed properly, consistently and at the right organizational level within Sandvik. This is further detailed in the Crisis Management Procedure.

Key principles of Sandvik’s crisis management

[Figure: Key principles of Sandvik’s crisis management (Risk-3.jpg)]

5.4 Insurance Management

Insurance management on a Sandvik Group level is an effective risk transfer tool to protect the balance sheet and to reach scale advantages such as higher insurance limits, tailored terms and conditions and lower premium costs. A Group consolidated approach also facilitates better risk control and compliance with local regulations and requirements throughout the Sandvik Group.

All Business Areas are ultimately responsible for managing their own risks in accordance with applicable Sandvik policies and procedures. However, all risk transfer through Sandvik’s Global Insurance Programs is a centrally controlled and managed process.

All Subsidiaries should be covered by the Global Insurance Programs. When a new company (NewCo) becomes a Subsidiary, it shall become part of the Global Insurance Program as of the closing date of the transaction.

It is the responsibility of each Business Area to ensure that their risks are adequately insured, through the Global Insurance Programs and through Local Insurance Solutions.

5.5 Loss Prevention

At Sandvik, loss prevention is a crucial priority. We follow regulatory requirements and insurance regulations to prevent injuries, environmental damage and economic losses. National building codes and fire safety regulations are always to be followed as a minimum, but our measures are not limited to them. As these codes and regulations generally do not cover protection of critical assets or protection against business interruption, the Sandvik Loss Prevention Procedure and its work instructions provide support in these areas, as well as in relation to natural catastrophe and security risks.

6. Exceptions

No exceptions can be made to this policy.

7. Roles and responsibilities

The Presidents of each business area are responsible for ensuring this policy is implemented in their business operations. Corresponding responsibility for the group functions lies with each Executive Vice President and Head of Group Functions.

7.1 Group Risk Management

  • Ensuring that this policy is kept up to date.
  • Providing relevant communication, support, training and advice in relation to this policy.
  • Developing the procedures required to ensure compliance with this policy.

7.2 Business Area

  • Ensuring the communication, training and implementation of this policy in their relevant business operations.
  • Ensuring sufficient governance and resources to oversee and safeguard compliance with this policy.

7.3 Group Function management

  • Ensuring the communication, training and implementation of this policy in their relevant operations.
  • Ensuring sufficient governance and resources to oversee and safeguard compliance with this policy.

8. Monitoring of compliance

Implementation of and compliance with this policy are ensured through follow-up by internal control and internal audit. The following internal controls (RACM) apply to this policy:

  • CG 04 Enterprise Risk Management
  • CG 10 Business Continuity Management

9. References to associated policies and procedures

  • ERM Procedure
  • Crisis Management Procedure
  • Business Continuity Procedure
  • Insurance Procedure
  • Financial Risk Management Policy
  • Claims Procedure
  • Loss Prevention Procedure