ESRS G1 – Governance Information

Material Impacts, Risks and Opportunities

G1. Business Conduct

Business Conduct Policies and Corporate Culture (G1-1)

In the double materiality assessment process carried out in spring 2024, a material corporate culture-related sustainability matter identified at the sub-topic level was the operational risk concerning the company’s own operations and the reputational risk that would arise if the corporate culture or the management of sustainability risks did not take into account increasing stakeholder requirements or if the company did not react to changes in legislation and regulations quickly enough.  As an opportunity related to corporate culture, Bittium identified R&D cooperation with partners, which increases innovation, expands the competence of Bittium’s own personnel and promotes business opportunities by improving stakeholder perceptions. The opportunity applies to both Bittium’s own operations and the upstream value chain. A potential competitive advantage was identified through favorable customer and stakeholder perceptions and innovations, if sustainability can be linked to the strategy and thus exceed the minimum requirements. This positive impact is realized in Bittium’s own operations and the downstream value chain.

Bittium’s guiding principles are divided into the company’s strategy, values and Code of Conduct, as well as the mission and vision. Bittium’s values are innovation, courage and trust. The company expects its personnel to act in accordance with its values. Customers and other stakeholders can also expect the company to act in accordance with its values. The extent to which the values are reflected in the company’s operations is measured by means of annual personnel surveys and customer satisfaction surveys. Bittium’s mission is to utilize world-class expertise and innovation to enable secure embedded technology for the benefit of people and societies. The company’s vision is to become a global player in building embedded secure technology solutions within complex environments.

Good governance and ethical principles are the foundation of Bittium’s operations and a prerequisite of business. It is vital for the company that its customers and other stakeholders have trust in Bittium, its product quality and sustainable development. Compliance has been taken into consideration at every level of the company’s organization to ensure compliance with the applicable laws, regulations, internal guidelines, business sustainability requirements and ethical values.    Bittium’s corporate culture is developed regularly as part of the company’s strategy work and evaluated as part of the monitoring of metrics related to the implementation of the strategy. The development of the corporate culture is the responsibility of the Board of Directors, the CEO, the Management Group and the management of the business segments.

Bittium sees to the competence of its personnel by means of orientation training, needs-driven training (e.g. sales training) and leadership training, and by supporting the individual competence development needs of the personnel. Competence development is also supported by diverse work, job rotation, mentoring and learning while working. The maintenance of competence also includes mandatory recurring training courses that are primarily completed in an online learning environment. The recurring training courses are related to information security, legal compliance, anti-corruption and product safety. The implementation of the training programs is monitored on a regular basis. Competence development needs are assessed from the perspective of business needs and the competence strategy. Funds are budgeted for training each year. Decisions on the use of training budgets are ultimately made by the management of the business segments. Training is organized for all personnel groups and organizational levels according to work tasks and roles. The content of orientation training and recurring training is the responsibility of the designated owner of the subject or the function concerned. The high-level responsibility for maintaining the training register and the orientation training process lies with the HR function. A training register with information on all completed training activities is accessible via the HR information management tool.

All of Bittium’s policies presented in connection with the G1 standard cover the entire company’s operations and the value chain to the extent that they have an impact on the value chain. Bittium’s Board of Directors is the highest body in the organization that has approved all of the company’s policies.

The Functions Within the Undertaking that Are Most at Risk in Respect of Corruption and Bribery

Bittium has a Group-wide management system that includes anti-corruption control methods applicable to all business segments, as well as anti-corruption guidelines that apply to the entire personnel. Bittium’s anti-corruption policies are described in more detail in the following documents: Anti-Corruption Code of Conduct for Third Parties, which provides guidelines for value chain participants, such as suppliers of goods and services, and the Anti-Corruption Code of Conduct – Internal Use, which provides guidance to the company’s own personnel with regard to the identification and prevention of corruption and bribery. The content of these policies is aligned with the UN Convention against Corruption. The personnel are required to complete a mandatory self-study module on this subject (Legal – Anti-Bribery Training Self-Study). The company has a whistleblowing channel for reporting potential observations related to corruption or bribery.  

Bittium recognizes that, due to its business strategy, the Defense & Security business segment is an attractive target for bribery attempts and, consequently, at risk of corruption or corporate espionage. The business segment provides the defense sector and government officials with communication systems and information security solutions, among other things. Stakeholders related to these products and services are also at risk in respect of corruption and bribery. According to the company’s assessment, the assumed target of bribery attempts is business secrets related to Bittium’s technical capabilities and, potentially, other confidential customer data or information on the public authorities that is in Bittium’s possession. In Bittium’s organization, the most significant personnel group at risk of bribery consists of those with access to technical know-how or other confidential information that provides a competitive advantage, such as executives, product managers, salespersons and possibly also system architects for security solutions and system administrators for IT services.

Corruption related to Bittium’s procurement activities is considered unlikely. Procurement functions are well-controlled internally. In general, Bittium’s risk of corruption and bribery related to products, services or technical solutions is considered to be low. A more significant likely risk is that familiar operators are unintentionally favored in cooperation with domestic stakeholders. Policies related to the prevention of corruption are described in more detail in section G1-3 of this report.

Research and Development Cooperation as Part of Corporate Culture

R&D cooperation with companies and research institutes is an integral part of Bittium’s corporate culture and operations. R&D cooperation projects generate innovations related to information security or well-being, for example. They also contribute to the development of personnel competence and promote business opportunities. Bittium’s participation in domestic, European and international information security development projects may have an impact on stakeholders and provide the company with access to diverse know-how. Through R&D cooperation, Bittium aims to promote innovation and improve the industry’s overall competitiveness through high-quality products. Bittium’s cooperation with educational institutions promotes awareness of information security among students and teachers and provides the company with the opportunity to contribute to building a sustainable society. The policies applicable to R&D cooperation are Bittium’s Code of Conduct and sustainability policy.

The R&D roadmaps for Bittium’s R&D cooperation are created in connection with the preparation of the company’s strategy and published as part of the company’s strategy. Bittium evaluates the results of R&D activities and related costs on a monthly basis, and R&D support is evaluated in research reports submitted to the company’s Board of Directors. Selected representatives of the business segments meet on a monthly basis in the Research Board to review the status of new and ongoing research projects and any changes to the R&D roadmaps. Bittium’s research projects are connected to the businesses’ future technology needs. Bittium also participates in research cooperation forums either through projects or through their management team work, such as ITEA4 (Secure eHealth), the European Defence Fund (EDF) 2021 and 5G Compad. Bittium is an active member of its communities by participating in numerous steering groups in the following research or cooperation forums, for example: Finnish Defence and Aerospace Industries (PIA), Digital Defence Ecosystem (DDE), Finnish Information Security Cluster (FISC), ITEA4, Business Finland, the Digital Native Finland mission and the Faculty Board of the University of Oulu’s Faculty of Information Technology and Electrical Engineering.

Bittium participated in several research and development projects in 2024. The most significant of these was Seamless and Secure Connectivity, which is a Leading Company project funded by Business Finland. The project’s goal is to enable reliable, secure and trouble-tolerant connectivity architectures and products for end-to-end connections in various operational areas, including lifecycle services for products and solutions. The four-year project led by Bittium will last until 2026. The company also has dozens of research projects under way that include national and international parts.

Bittium’s target related to R&D activities is to achieve the objectives of R&D projects in terms of both content and schedule. The scope of research and development activities is its own operations and is carried out both in Finland and internationally, involving the stakeholders described above.  At Bittium, research and development activities are part of continuous development and improvement, and Bittium does not set measurable result-oriented targets for them in accordance with the definition of sustainability reporting or monitor the effectiveness of its operating principles and actions in relation to material sustainability-related impacts, risks or opportunities.

The results of R&D activities are evaluated on a monthly basis, also based on costs and support received. According to Bittium’s sustainability strategy, the company is committed to international and national stakeholder cooperation in the identification of information security threats and the utilization of related information. The implementation of the strategy and its impacts are monitored monthly by the company’s Management Group, and regularly, at least once a year, by the Audit Committee and the Board of Directors.

Whistleblowing Channel and Whistleblower Protection

Bittium’s personnel and external stakeholders have access to feedback and reporting channels and a whistleblowing channel reporting misconduct. Instructions on the use of the channels have been provided to the personnel on Bittium’s intranet and as part of orientation training. The whistleblowing service can be used to raise concerns about risks of serious misconduct concerning people, the organization, society or the environment. The whistleblowing channel is administered by the external service provider WhistleB. All messages are encrypted. WhistleB safeguards the anonymity of the whistleblower by removing all metadata, including IP addresses. The anonymity of the whistleblower is maintained even in subsequent discussions with the persons responsible for processing the report.

The service can be used to report conduct that may be inconsistent with Bittium’s Code of Conduct or laws and regulations. The whistleblowing channel can also be used to report misconduct that falls within the scope of the Finnish Whistleblower Protection Act, which is based on the EU’s Whistleblower Protection Directive. This includes public procurement (except defense and security procurement), financial services, products and markets, as well as product safety and compliance. If the matter concerns dissatisfaction at the workplace or other similar personnel-related matters, employees are advised to contact their supervisor, as these matters cannot be investigated in connection with the whistleblowing process.

There are several ways to raise concerns: by reporting the matter to one’s direct supervisor or another supervisor within the organization, by exchanging anonymous or confidential messages with the Whistleblowing Team via the whistleblowing channel or, if the concern falls within the scope of the Whistleblower Protection Act and the report has been made in accordance with said legislation, the whistleblower may have the right to report their concern via the centralized external reporting channel of the Office of the Chancellor of Justice, or directly to the competent authority.

Access to messages received via the whistleblowing channel is restricted to designated persons who are authorized to handle whistleblowing cases. Their actions are logged and the handling of cases is confidential. At Bittium, reports received via the whistleblowing channel are investigated by the Whistleblowing Team, which consists of the Chairman of the Audit Committee and Chief Legal Officer as the administrators of the channel, and selected members of Bittium’s sustainability working group who oversee or conduct the investigations. If necessary, the participation of the company’s own experts, external experts or the public authorities can be engaged in the conduct of investigations. The whistleblower will receive an acknowledgment of receipt of the report within seven days. Upon receiving a message, the Whistleblowing Team decides whether to accept or decline the report.

The whistleblowing team will not investigate the reported misconduct if the alleged conduct does not constitute reportable conduct under the whistleblowing guidelines, if the report has not been submitted in good faith or is malicious, if there is insufficient information to allow for further investigation, or if the matter in question has already been resolved. If the report is declined, the whistleblower will be provided with the reasons for the decision. If the report is accepted, appropriate investigation measures will be taken. All messages are treated seriously and in accordance with the whistleblowing guidelines. None of the members of the Whistleblowing Team or any other person taking part in the investigation process will attempt, nor are allowed to attempt, to identify an anonymous whistleblower in any way. The Whistleblowing Team can, if necessary, submit follow-up questions via the anonymous communication channel. Reports are not investigated by anyone who may be involved with, or connected to, the misconduct. Whistleblowing messages are handled in strict confidence by the parties involved. Within three months of acknowledging receipt of the report, the Whistleblowing Team will inform the whistleblower of what measures will be taken in response to the report.

Management of Relationships with Suppliers (G1-2)

In the double materiality assessment process carried out in spring 2024, ensuring the sustainability of the supply chain through supplier requirements, audits and surveys of materials, engaging the personnel’s commitment to the principles of sustainable procurement, and also taking sustainability into account in the subcontracting of personnel was identified as a material sustainability matter at the sub-topic level as a positive impact pertaining to relationships with suppliers in the company’s own operations and the upstream value chain.  Also identified was a potential reputational risk if there were to be sustainability-related violations in the supply chain, such as adverse environmental incidents or negative human rights impacts. The risk concerns the company’s own operations and upstream value chain. Supplier management and cooperation with supplier partners is part of Bittium’s continuous development and improvement. Bittium does not set measurable, result-oriented targets related to supplier management in accordance with the definition of sustainability reporting or monitor the effectiveness of its operating principles and actions in relation to material sustainability-related impacts, risks and opportunities.

When it comes to Bittium’s suppliers and other partners, the company has, in many cases, worked with them in close cooperation for a long time, in accordance with established rules and operating practices. Continuous communication enables open dialogue. Suppliers and partners expect fair and sustainable operations and long-term cooperation from Bittium. For its part, Bittium expects that the business operations of its suppliers and partners are sustainable, and this is monitored on a regular basis. Bittium takes due diligence into account in its operations. Together with its supply chain partners and other stakeholders, Bittium strives to identify both actual and potential adverse impacts on the environment and people, including human rights impacts, throughout the value chain. As part of its sustainability management and operations, the company prevents and mitigates adverse impacts by monitoring the effectiveness of actions related to due diligence. Bittium’s external and internal stakeholders have access to a whistleblowing procedure aimed at mitigating potential risks to the company.

Bittium regularly audits its identified strategically important or otherwise critical suppliers of production materials in accordance with the annual audit plan and pre-defined criteria. Audits are carried out either as a self-assessment based on the Bittium Supplier Manual or as an audit conducted by Bittium. In 2024, Bittium continued to deepen its cooperation with critical manufacturing partners and component suppliers to identify common development areas and thereby improve quality and cost efficiency. In connection with these activities, Bittium continued to develop a supplier management tool in 2024.

Bittium is committed to operating in accordance with the values documented in Bittium’s policies and also expects its partners to adhere to them. Bittium has established policies as part of its quality management, environmental management and information security management systems. Bittium has established contractual terms for suppliers of goods and services. The aim is to apply these contractual terms to purchase orders placed by Bittium. The degree of application depends on the criticality of the supplier. The general terms include, for example, terms pertaining to the avoidance of counterfeit materials, conflict minerals, certificates of conformity, the prevention of corruption and compliance with trade rules. Bittium is committed to fulfilling its legal obligations and preventing, identifying and eliminating corrupt practices and cooperating with other parties to prevent bribery and corruption. Bittium also expects its suppliers and other external partners to take anti-bribery and anti-corruption measures as necessary. Bittium has issued an anti-corruption statement. As part of Bittium’s general contractual terms, the supplier also undertakes to comply with the applicable anti-corruption laws and regulations. If terms other than Bittium’s general contractual terms are applied, anti-corruption practices must not be compromised on.

Bittium has integrated ethical and social perspectives into its procurement policy. Procurement is carried out in accordance with the principles of legality and ethics. The same is required from Bittium’s supplier partners. Bittium has procurement-related guidelines (Bittium Procurement Policy) in place, which specify aspects related to the ethical and sustainable perspectives of procurement and supply chain risk management, among other topics. The supplier’s commitment to ethical conduct, compliance with the applicable national and international laws, respecting human rights and compliance with internationally recognized ethical standards, such as the SA8000 Social Accountability Standard, are applied as criteria for supplier approval.

Identified strategically significant or otherwise critical suppliers of services and products are required to make a commitment to sustainable business practices and they must comply with Bittium’s Code of Conduct as well as Bittium’s supplier guidelines and the Bittium Supplier Manual, the latest versions of which are available on Bittium’s website. (MP-P) The Supplier Manual contains the key policies, practices and requirements for Bittium’s supply chain. The requirements are related, among other things, to business practices, anti-corruption, the prohibition of child labor and forced labor, environmental issues, occupational safety and human rights, including material-specific requirements. The requirements also include assurances from suppliers that they do not engage in procurement from companies located in politically critical areas or subject to other national or international restrictions.

The documents that guide the selection of critical suppliers of goods and services and quality control are the Bittium Self-assessment Checklist, the Audit Assessment Checklist and the General Purchase Agreement. Bittium must have access to evidence of compliance with the requirements, and the supplier of goods or services must be able to provide such evidence upon request. Engaging the entire personnel’s commitment to the principles of sustainable procurement is an important part of ensuring the sustainability of the supply chain. Sustainable purchasing is a part of Bittium’s mandatory environmental training, which employees complete through self-study. Bittium’s Procurement Policy provides guidance on operating practices related to procurement and plays a key role in ensuring consistency, quality, cost-efficiency and compliance in the procurement process. Bittium does not systematically train persons working in the area of procurement in relation to the supplier requirements, but there are plans to increase this type of training in the coming years. (Policies related to payments and their impact on small and medium-sized undertakings in particular are described in more detail in section G1-6.)

Prevention and Detection of Corruption and Bribery (G1-3)

In the double materiality assessment process carried out in spring 2024, potential reputational risk if violations related to corruption and bribery were to occur in the company’s own operations or supply chain was identified as a material sustainability matter at the sub-topic level in relation to corruption and bribery. The impacts of the risk concern the upstream value chain and the company’s own operations.

Bittium has customers in both the public and the private sector. The business environment involves constant changes in legislation and regulation, as well as increasing requirements from the stakeholders concerning sustainable operations and risk management. Bittium is committed to compliance with laws, regulations and ethical business practices in all of its operations. Bittium has zero tolerance of bribery and corruption. The company aims to ensure ethical business practices and compliance with the corporate culture and increase awareness of sustainable business practices through training. Bittium’s corporate culture is based on commitment to shared values and transparency. At Bittium, prevention of corruption and bribery is part of continuous development and improvement and Bittium does not set measurable result-oriented targets for it as defined in sustainability reporting or monitor the effectiveness of its operating principles and actions in relation to material sustainability-related impacts, risks and opportunities.

Bittium adheres to sustainable business conduct and also requires the same from its identified critical suppliers of goods and services. Bittium’s Code of Conduct covers perspectives related to fair business conduct, including anti-corruption measures, good corporate citizenship, the protection of intellectual property rights, human rights and fairness, a safe workplace community, data protection and information security, insider rules, a sustainable future and ensuring ethics and transparency. Bittium’s sustainability and anti-corruption and anti-bribery principles are communicated by keeping the material available on the external website (Anti-Corruption Statement, Code of Conduct, the Whistleblowing channel and its description) and by keeping material intended for the personnel up-to-date and available (Anti-Corruption Statement, Code of Conduct). Bittium expects its identified critical partners and suppliers of goods and services to comply with Bittium’s Code of Conduct and Supplier Manual. The guidelines include the key policies, practices, and requirements for Bittium’s supply chain. The requirements are related, among other things, to business practices, anti-corruption measures, environmental issues, occupational safety, and human rights, including material-specific requirements. The aforementioned guidelines and principles are publicly available on the company’s website.

Mandatory anti-corruption training is organized for all of the company’s personnel. The training includes a test that must be passed in order for the completion of the training to be entered in the training register. The training must be retaken at three-year intervals. The training is also part of the orientation training program for new employees. Of the new employees who started in 2024, 56% had completed the Legal Anti-Bribery Self-Study module included in orientation training by the end of 2024. The target of the training is to help the personnel understand corruption and bribery at a conceptual and practical level; grasp the threats and adverse impacts on society and business operations that result from corruption and bribery; recognize risks and situations related to corruption and bribery; and understand their responsibility as the organization’s employee with regard to the prevention of corruption and bribery, the reporting of suspected incidents and reacting to concerns in a timely manner. All of Bittium’s personnel, including those working in functions-at-risk and the company’s senior executive management, are within the scope of the training. Anti-corruption and anti-bribery training is completed as a self-study module, and it covers 100% of the company’s functions-at-risk.

Concerns related to corruption and bribery can be raised via the whistleblowing channel. At Bittium, reports received via the whistleblowing channel are investigated by the Whistleblowing Team, which consists of the Chairman of the Audit Committee and Chief Legal Officer as the administrators of the channel, and selected members of Bittium’s sustainability working group who oversee or conduct the investigations. If necessary, the participation of the company’s own experts, external experts or the public authorities can be engaged in the conduct of investigations. Any party to whose actions or duties the whistleblower report relates to in some way cannot participate in the investigation of the matter.  If the administrators of the whistleblowing channel receive a whistleblower report that mentions an administrator of the channel, a member of the sustainability working group, the CEO or a member of the Board of Directors, or if the link between the person who is the subject of the report and the aforementioned persons is indirectly implied in the whistleblower report, this may constitute a risk to an independent and objective investigation. In such a situation, the administrator who is the subject of the report will be excluded from the investigation and their right to use the whistleblower channel’s case management tool will be suspended. If the CEO or a member of the Board of Directors were to be subject to a suspicion related to corruption or bribery, this would be communicated to all members of the Board of Directors via the digital work platform used by the Board of Directors. In other respects, the results are reported based on need and, depending on the severity of the reported issue, to the company’s administrative, management and supervisory bodies. The whistleblowing channel and the process for handling reports received through it are described in more detail as part of disclosure requirement G1-1.

Incidents of Corruption or Bribery (G1-4)

No suspected or confirmed incidents of corruption were reported at Bittium in 2024. No investigations were opened regarding violations of legislation concerning corruption and bribery, and no convictions were handed down. There were also no pending cases, convictions or fines concerning actions taken in previous years.

Political Influence and Lobbying Activities (G1-5)

In the double materiality assessment process carried out in spring 2024, the potential to grow the business even in the short term due to the changed geopolitical climate and increased information security threats was identified as a material sustainability matter at the sub-topic level in the form of an opportunity related to political influence and lobbying activities. The opportunity concerns the company’s own operations and downstream value chain.

Bittium does not have policies or guidelines directly related to political influence and lobbying activities, nor does the company have designated persons responsible for monitoring the implementation of political influence and lobbying. Bittium has an Anti-Corruption Statement and a Code of Conduct, which address the principles of good business conduct in general. In 2025, Bittium will develop guidelines concerning political influence and lobbying activities and organize the division of responsibilities for internal control related to these topics. In 2024, Bittium did not make political contributions or engage in party-political lobbying by participating in the campaigns of political parties or individual candidates by making financial or in-kind contributions.

Bittium is not legally obliged to be a member of a chamber of commerce or other organization that represents its interests. As part of local community engagement, Bittium is a member of the Oulu Chamber of Commerce. Chambers of commerce are organizations that promote business and economic freedom and engage in advocacy for the business sector. Chambers of commerce also provide legal advice and organize training activities. Chamber of commerce membership is voluntary for all companies in Finland. Bittium is a member of Technology Industries of Finland. Technology Industries of Finland is a Finnish advocacy organization for the technology industry. Technology Industries of Finland discloses its lobbying activities in accordance with the Transparency Register Act. Bittium is not registered in the EU Transparency Register or an equivalent transparency register in a Member State.

Bittium has identified material impacts related to political influence. During 2024, Bittium’s representatives participated in various events, such as trade fairs relevant to the company’s business, events organized by the Chamber of Commerce, and events related to the operations of the Finnish Defence Forces. Bittium’s representatives also participated in two export promotion trips organized by Business Finland. The destinations were Korea, Japan and Italy. Political decision-makers and operators, such as the Minister of Defence and the Minister of Transport and Communications, representatives of the Finnish Defence Forces and the Ministry of Defence, the wellbeing services counties, official organizations, various municipalities and regional operators, as well as ambassadors from different countries, have also visited Bittium to familiarize themselves with the company’s operations. Bittium’s goal for these meetings is to create visibility for the company and increase awareness of Bittium’s special expertise and products both in Finland and abroad. An important goal of the visits and discussions is to meet potential customers in the areas of information security and defense, and to build relationships with them. In the meetings, Bittium aims to express its view that official approval processes related to regulation and political decisions should move ahead swiftly so that slow processes would not significantly hinder the development of the company’s business. Bittium’s material sustainability topics have not been significantly taken into account or promoted in events aimed at political influence or lobbying.

Of the members of Bittium’s administrative, management and supervisory bodies, Raimo Jyväsjärvi worked in the public administration during the two years preceding his election to the Board of Directors, as Director General of the Resource Policy Department and National Armaments Director. His responsibilities in that role included the development of the resources of military national defense resources in the area of defense materiel policy, matters related to the steering of companies that provide services to the Defence Administration, and the export control of defence materiel.

Payment Practices (G1-6)

Approved purchase invoices submitted to Bittium are paid on Mondays and Thursdays. In accordance with Bittium’s payment practices, invoices are always paid by the due date. This applies to companies of all sizes, including small and medium-sized undertakings and all supplier categories. 100% of payments have been made in accordance with the standard terms. On average, it takes 30 days from the date of the invoice to the due date. On average, it takes 32 days from the date of the invoice to the payment date. The calculation is based on a sample from the period 1.1.2024–31.12.2024.    The calculation is based on extracting all purchase invoices paid during the year from the invoicing system. The total number of invoices and the number of days related to the term of payment have been taken into account in calculating the averages for the term of payment and the actual time of payment. There are no legal proceedings currently outstanding for late payments.