The risk management and reporting process involves identifying, assessing, quantifying, mitigating and monitoring the most significant business-related risks. The process includes evaluation of existing, and the planning of new, risk mitigation plans for the identified risks in order to continuously improve risk management. Successful risk management implemented in the business processes decreases the likelihood of risk realisation and mitigates the negative effects of realised risks. The risk reporting process gathers data on risks and the respective mitigation plans into one group-wide risk register, for annual reporting to Citycon's Board of Directors. This is done in conjunction with the budgeting process so that the risks are linked to the annual business targets. In order to evaluate the importance of each risk and to improve the comparativeness, an estimate of the loss associated with each risk is determined together with the probability of risk realisation. The possibly realised risks during the previous year are also estimated and reported.
Each function has a dedicated person who is the owner of the risks in that area and also is responsible for the reporting of the risks, the mitigation plans and the follow-up on their implementation. The Risk Steering Committee, composed of senior-level managers, prepares the core risk report for the Board of Directors. It is the duty of the CEO and the Corporate Management Committee to develop and maintain procedures in line with the principles of risk management approved by the Board of Directors. The Board of Directors regularly monitors the company's business risks and uncertainties and reports them as required under the legislation in force and regulations or guidelines issued by the Finnish Financial Supervisory Authority.
The main risk factors that can materially affect Citycon's business and financial results are associated with property values, leasing, property development, property transactions, operations, environment and people and financing. The company’s main risk factors, along with its main risk management actions, are presented in the Financial Review each year and in the Corporate Governance Statement each year. Near-term risks and uncertainties are described in the interim reports issued by the company quarterly.