Risk management and internal control are an important part of Patria's management and control systems. Risk management and internal control perform regular assessments to ensure appropriate reporting, risk management, integrity, ethical business conduct and compliance with laws and regulations as well as Patria guidelines and processes. Integrity, compliance and high ethical standards of business conduct also ensure Patria's reputation and the value of its assets.
Risk management framework
Patria has a risk management and internal control policy, approved by the Board of Directors, which specifies the related tasks, objectives, components, responsibilities and authorities. The Board provides the ultimate oversight and direction for risk management and internal control and has allocated main responsibility for these actions to the Audit Committee appointed by the Board.
The Audit Committee consists of board members who have specific understanding of the various topics that are in the scope of the Audit Committee's responsibilities as per the Audit Committee Charter. Specific focus is on monitoring ethical and compliant business practices and ensuring that the ethics and compliance program of Patria is in accordance with the industry's best practices, especially concerning anti-bribery and anti-corruption.
The primary responsibility for risk management and internal control lies with the business units and Patria Group functions in their area of responsibility. The President & CEO of Patria is responsible for the proper functioning and monitoring of risk management and internal control.
Patria's Group functions provide guidelines for risk management and internal control and perform monitoring on different levels in their respective organizations. An internal audit function, the internal and external auditors, and security and quality auditors evaluate the effectiveness of risk management and internal control. In addition, Patria's customers execute different audits and perform different control activities to ensure that Patria complies with customer requirements.
Risk is understood as the effect of uncertainty, negative or positive, on the objectives of Patria's operations, profitability and other areas. Risk management is a process which ensures that the risks and opportunities are identified, assessed and treated in an appropriate way and extensively enough. Risk management helps to ensure achievement of the objectives and avoidance of losses to the resources.
Risks are categorized as strategic and business risks, operational risks, financial risks and safety, security and hazard risks. Risk management in Patria is based on the COSO ERM framework, ISO 31000 standard and industry specific standards and requirements.
Internal audit and external audit
Patria has an Internal Audit function, outsourced to an independent operator, that evaluates and contributes to ensuring the efficiency and feasibility of risk management and internal controls, the reliability of financial reporting, ethical and compliant business conduct, and compliance with the applicable legislation, regulations and guidelines. The Internal Audit function reports regularly to the Audit Committee nominated by the Board of Directors. The Audit Committee and Board approve an annual internal audit plan and issue further instructions for the Internal Audit to perform specific audits or other control actions. The findings of the Internal Audit are regularly reported to the Board's Audit Committee as well as Patria Board of Management. Patria management is responsible for implementing the corrective actions and development items instructed by the Audit Committee.
Due specifically to the risks involved in the defence industry sector, special focus is placed on assuring ethical business conduct, anti-corruption and anti-bribery in business operations.
Both the internal auditors and the external auditors comply with the International Standards for the Professional Practices regarding Auditing. Internal Audit reports on its activities and findings to the Audit Committee and Patria's management. The Audit Committee confirms the internal audit plans and the external audit plans annually.
The company's external auditors report their observations and findings at least once a year to the relevant business units and to the Group's financial management, as well as to the Board of Directors and the Audit Committee. The external auditors also submit a statutory auditors' report to the company's shareholders.
Internal Audit focus areas in practice and recently conducted internal audits
The focus areas for Internal Audit are decided annually by the Audit Committee and the Board of Directors. Internal audits are conducted regularly so that all main areas of operations are covered during the different years, and follow-up audits are conducted after a reasonable time period from the initial audit. The internal audit plan is a "rotating" plan to ensure that no operational areas are excluded from internal auditing for unreasonably long periods.
In addition to the formal internal audits, special attention is paid to business operations that introduce higher corruption and bribery risks (such as the use of third-party agents for sales and marketing), also in regular daily operations and in meetings of the Board of Management, Board of Directors and Audit Committee, as is feasible and as necessary.
More information on risk management, main risks and opportunities is available in Patria's Annual Reviews.