This section provides an overview of our approach to risk management, internal control, integrity and compliance. It includes the disclosures required by the Dutch Corporate Governance Code and chapter 5.1a of the Dutch Financial Markets Supervision Act (Wet op het financieel toezicht).
Our enterprise risk management framework has been designed to identify and prioritise our main risks and develop appropriate responses. This framework is based on COSO ERM 2017 (2017 Enterprise Risk Management – Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission) and is in line with the principles of the Dutch Corporate Governance Code 2016.
Understanding strategic, operational, regulatory, and financial risks is a vital element of our management decision-making process. Risks are identified by means of both a bottom-up (line management) and top-down (senior management) approach, covering the entire business. For those risks deemed material, management develops and reviews comprehensive risk response plans.
Risk management and internal control is considered a line responsibility. All business segments and head office departments are engaged in this company-wide risk management process, which includes:
Mandatory participation in risk management workshops by relevant management team members
Assessing risks on impact, likelihood of occurrence and control effort (the additional effort required to achieve further risk mitigation).
We have built a comprehensive portfolio of Group policies and controls, ensuring discipline in our business processes. These support the Board of Management in its statutory and fiduciary obligations to stakeholders in developing and achieving its strategic, operational, compliance and financial objectives.
We operate our businesses in highly regulated markets. The responsibility for ensuring that regulatory compliance objectives are achieved, and that related decision-making is supported by transparent, accurate and relevant information, is assigned to the following head office functions: Legal, Privacy Office, Compliance, Integrity Office and Public Affairs. The Board of Management and the Supervisory Board monitor the effectiveness and efficiency of the enterprise risk management framework. They are supported by Internal Audit.
Our risk management and control systems are designed to reduce the likelihood of errors, incorrect decisions and unforeseen circumstances as much as possible. It provides reasonable, but not absolute, assurance against material misstatement or loss.
Risk appetite is the level of residual risk we deem acceptable to achieve our objectives. The risk appetite is set by the Board of Management in close cooperation with the Executive Committee, based upon our strategic goals, our business principles, our policies and procedures, and taking into consideration the highly regulated markets we operate in. The risk appetite is discussed with the Audit Committee. Overall, PostNL’s risk appetite in 2019 did not materially change compared to 2018. Our risk appetite differs per risk type:
Behaviour towards risk
We aim to deliver on our strategic ambitions and priorities and are willing to accept balanced to considerable risks to achieve this.
Behaviour towards risk
We face operational challenges which require an appropriate level of management attention. The overall objective is to avoid risks that could negatively impact our aim to achieve operational effectiveness and efficiencies.
Behaviour towards risk
We strive to be fully compliant with our business principles as well as national and international laws and regulations in relation to the markets in which we operate and we do not accept deviations.
Behaviour towards risk
Our financial strategy is focused on a strong financial position and creating long-term value for our shareholders. Our aim is to have a leverage ratio of adjusted net debt / EBITDA not exceeding 2.0 and only accept risks that do not threaten this.
Behaviour towards risk
In 2019, we continued to invest the resources required to document and evaluate the design of internal controls over financial and non-financial reporting. Also, we continued to test the operational effectiveness of these internal controls. The effectiveness of internal controls is tested by management. Management is required to follow up on risks deemed to be inadequately mitigated by internal controls, which might result from, for example, a major organisational or IT change. This requires additional actions, including performing and evaluating compensating controls and activities, to reduce the risks of a misstatement in the financial and non-financial reporting.
Performance of our internal control environment is regularly measured and monitored, and the results are discussed in the Internal Control Committee (ICC) meetings. The ICC is composed of the CFO, the director Audit & Security, the director Group Finance, and the director Accounting & Reporting. The external auditor also attends the ICC meetings. The ICC met five times in 2019.
Risk management and internal control reports are also discussed with the Board of Management and the Audit Committee of the Supervisory Board.
We are committed to sound business conduct. We therefore manage our business according to applicable laws and regulations and according to the PostNL Business Principles, which provide guidance on interaction with colleagues, customers, business partners and society in general. A company-wide integrity programme ensures that the Business Principles are applied consistently throughout the organisation.
The Integrity Committee advises and assists the Board of Management in developing, implementing and monitoring Group policies and procedures aimed at enhancing integrity and ethical behaviour and preventing fraud, corruption and bribery. The Integrity Committee is composed of the director Audit & Security, the manager Integrity Office, the Corporate Security Officer, the director Legal, the manager People Development, the director Communication & Investor Relations and the director Logistic solutions.
The Integrity Committee oversees investigations based on reports of possible breaches filed under the PostNL Business Principles, the PostNL Group procedure on whistleblowing and the PostNL Group procedure on fraud prevention, anti-bribery and anti-corruption.
PostNL recognises the need to have detailed fraud prevention and anti-bribery and anti-corruption policies, procedures and reporting mechanisms in place to protect our business integrity and to comply with all applicable laws and regulations. Anti-bribery and anti-corruption legislation, both in our home country and the countries we operate in, is very important for PostNL to conduct its business globally. All reported incidents of actual or suspected corruption or bribery will be promptly and thoroughly investigated and dealt with appropriately.
The Integrity Committee advises the Board of Management and line management on the mitigation of fraud risks and on ethical, anti-bribery and anti-corruption matters. The Integrity Committee reports regularly to the Board of Management and every six months to the Supervisory Board.
The focus of our integrity approach is to regularly ensure our employees are familiar with the PostNL Business Principles. Our company-wide e-learning module on integrity is mandatory for management and for office workers, and voluntary for production staff. The module is part of our regular onboarding programme. In 2019, we launched a new version of the e-learning module. Through this e-learning module on integrity we aim to educate management and employees about our Business Principles, and the desired behaviour based on these principles.
In accordance with the requirements of the Corporate Governance Code, we also performed an assessment connected to the organisational awareness with our business principles. The ‘Employee engagement monitor 2019’ addressed employees' familiarity with the PostNL Business Principles, and their perception whether we work according to the PostNL Business Principles. The main outcome of this assessment in 2019 showed that 81% (2018: 84%) of the responders are (partly) familiar with the PostNL Business Principles. Of this 81%, in total 70% (2018: 68%) perceive that PostNL partly works according to the PostNL Business Principles and 28% (2018: 26%) perceive this as continuously. We use the outcome of the monitor as input for our integrity approach and our activities at the PostNL Group companies.
During the year we started 724 investigations in response to integrity-related issues. These investigations covered issues such as theft of mail or parcels, bribery and corruption, or failure to follow workplace practices. This resulted in 258 discontinued work relationships. At year-end 2019, 44 investigations were ongoing. To the best of our knowledge, we had no cases of bribery or corruption that had a significant impact on our business.
Although not identified as key risks, we have identified risks of bribery and corruption in the area of procurement, where breaches to our policies could occur between suppliers and PostNL employees.
PostNL’s Group policies and procedures reflect and define the view of the Board of Management and the way we conduct our business.
Performance and compliance are integral parts of our ERM approach and are monitored regularly in discussions between the appropriate line management and the Board of Management via dedicated compliance reviews, internal audits, through the monitoring duties of PostNL committees and through the internal letter of representation. For the purposes of issuing the letter of representation, all managing directors and finance directors of PostNL’s Group entities and company-level management reporting directly to the Board of Management perform a self-assessment of their responsibilities in the risk assessment process, effectiveness of internal controls procedures and financial and non-financial reporting process. The signed internal letters of representation are the basis for the letter of representation that the Board of Management signs off as part of the audit by the external auditor.