Internal control and risk management

Framework for internal control

Ambea’s internal control is based on two perspectives: managing business-related risks and managing financial reporting risks.

The system for internal control as regards the financial reporting aims at ensuring a reliable financial reporting and providing a correct picture of Ambea’s financial position in compliance with laws and applicable accounting standards. Ambea has chosen to implement the COSO as a framework, to provide methods for designing internal control procedures in financial reporting. COSO is an internationally recognised framework for internal governance and control. COSO defines internal control as a process, preformed by the organisation’s board of directors, management and other personnel, formed to deliver a reasonable assurance of that the targets relating to the following categories are fulfilled: (i) efficiency and productivity in the business, (ii) reliable financial reporting, and (iii) compliance with applicable laws and rules.

The risk management regarding the operations, where one of the most important risks is the quality risk, is carried out within in the framework for the management process Care Management Model. The Care Management Model aims to ensure quality control and define measures for how quality improvement shall be implemented. To ensure that high quality is achieved and maintained across all of Ambea’s processes and operations, and throughout its governance structure from management down to each unit and employee, the Company operates a care management model based on the following four central pillars: (i) an industry-leading quality monitoring and reporting system; (ii) a robust governance process; (iii) leadership and education; and (iv) operational excellence and digitalisation.

Control environment

The Company’s board of directors has established an audit committee, focusing on internal control relating to financial reporting, and a quality and sustainability committee, focusing on quality within Ambea’s operations. The board establishes a number of governing documents annually to support the board of directors and executive management to secure a exhaustive internal control and risk management within the group.

On a central level, the executive management is responsible for ensuring that the Company has governing documents relating to internal control, for example the financial policy and the financial handbook. These documents shall support all employees of Ambea to act in accordance with Ambea’s internal rules and guidelines. The executive management is also responsible for regular reporting to the board of directors and auditors committee. The Company’s CFO has, through delegation, an operational responsibility for internal control and risk management with respect to financial reporting and for ensuring implementation and compliance.

Ambea’s control and risk management relating to quality within the organisation is carried out through the Company’s quality management model, a quality system aimed at guaranteeing high quality in all processes and operations. At the unit level there are quality councils and at the central level there is a quality department which reports directly to executive management and to the quality and sustainability committee. Internal control measures are also implemented and IVO conducts inspections on a regular basis.

Risk assessment

In brief, Ambea’s risk managament and evaluation entails as a first step to identify the group’s relevant risks within the framework of the financial reporting, but also within the regular course of business and the quality work pursued by the Company.

The audit committee and executive management are responsible for ensuring that the Company has a process for risk assessment and risk management for the financial reporting.

Ambea continually evaluates the risks associated with its operations, both financial and operational, and control and supervise factors that may affect Ambea’s operating profit/loss. Risk assessment is also a key aspect of the annual strategy process, where specific risks in relation to Ambea’s ability to achieve strategic ambitions are evaluated. When a risk has been identified it will be evaluated in relation to how big impact a risk can have on the company’s strategy should the risk materialise and the probability for the risk to materialise. Furthermore, risks within internal control as regards the financial reporting are continuously analysed and evaluated within the regular course of business.

The company has determined that one of the most significant risk challenges is how to manage quality risk, i.e. the risk that the quality will not meet the requirements of the authorities or care recipients and the political risk due to the fact that conditions for the company’s business are largely based on political decisions. Both of these risks are best managed by having a sound quality management model with clear ethical guidelines and a high degree of transparency in Ambea’s operations. The quality and sustainability committee and the executive management are responsible for ensuring that a process for risk assessment and risk management is available for the quality and sustainability work.

Control activities and monitoring

Follow-up and control routines of the operations are performed regularly based on established goals. The board performs its control measures largely through the quality and sustainability committee as relates to quality risk and the audit committee as relates to financial risks.

The internal control as regards financial reporting consists of various defined processes which includes the internal authority structure, manual and automated controls and verifications, documentation of financial procedures and policies for each area. Ambea also has an established control structure which includes three level in the organisation: controllers within every divison, a comprehensive company finance function  and ultimately the audit committee.

In addition to control activites on a process level, a number of central group controls are performed, for example thorugh monthly financial and operational reporting and the formalised budget and forecast processes. The company’s key financial reporting processes are evaluated on an ongoing basis by the CFO and others in the financial department, who in their turn report to the audit committee. The company’s auditor reviews selected parts of the financial risk governance and reports the outcome to the audit committee.

Ambea’s follow-up work of financial internal control is mainly done through an ongoing process of monitoring performance in relation to set targets and through the development of key ratios with focus on early warning signals.

The system for internal control as regards the financial reporting aims at ensuring a reliable reporting and follow up of Ambea’s quality results and to ensure a requisite monitoring and compliance of the company’s policies, principles and instructions and of law and other requirements. To measure the quality of its operations Ambea, among other things, conducts ongoing quality surveys and prepares quality reports.

Compliance with policies and laws are checked and any deviations and identified risks within the framework of control procedures leads to corrective measures, improvement of processes, routines and supervision  after being prepared within the executive management or the board of directors. In addition to the managing director’s and the executive management’s daily work with risks in the operations and financial reporting the managing director presents an annual comprehensive group risk analysis, including all identified risks of Ambea and a plan including measures as regards the highest prioritised risks.

Information and communication

Ambea has communication and information channels aimed at making it possible for relevant information to be spread quickly and appropriately, both internally and externally. The communication structure is based on that relevant information shall be communicated in the right way, to the right recipient and at the right time. To communicate relevant information, both upwards and downwards in the organisation and to external parties, is an integrated part of Ambea’s operative governance and an important part of good internal control. It is the responsibility of the management to secure that the persons managing processes within Ambea have sufficient knowledge of the material risks and the control activities related thereto in the specific process. In addition, there is an established work practice to ensure that an employee reports defects and deviations discovered with regard to control even if such have been corrected. The purpose is to obtain a comprehensive view of how the work is performed and be able to take measures and make improvements in the processes.