This section provides an overview of our approach to risk and opportunity management, internal control, integrity and compliance. It includes the disclosures required by the Dutch Corporate Governance Code and chapter 5.1a of the Dutch Financial Markets Supervision Act (Wet op het financieel toezicht).
Our enterprise risk management framework has been designed to identify and prioritise our main risks and develop appropriate responses. This framework is based on COSO ERM 2017 and is in line with the principles of the Dutch Corporate Governance Code 2016.
Understanding strategic, operational, regulatory, and financial risks is a vital element of our management decision-making process. Risks are identified by means of both a bottom-up (line management) and top-down (executive management) approach, covering the entire business. For those risks deemed material, management develops and reviews comprehensive risk response plans.
Risk management and internal control are considered a line responsibility. All business segments and head office departments are engaged in this company-wide risk management process, which includes:
Mandatory participation in risk management workshops by relevant management team members;
Assessing risks on impact, likelihood of occurrence and control effort;
Mandatory e-learning on integrity for management.
We have built a comprehensive portfolio of Group policies and controls, ensuring discipline in our business processes. These support the Board of Management in its statutory and fiduciary obligations to stakeholders in developing and achieving its strategic, operational, compliance and financial objectives.
We operate our businesses in highly regulated markets. The responsibility for ensuring that regulatory compliance objectives are achieved, and that related decision-making is supported by transparent, accurate and relevant information, is assigned to the following head office functions: Legal, Privacy Office, Compliance, Integrity Office and Public Affairs. The Board of Management and the Supervisory Board monitor the effectiveness and efficiency of the enterprise risk management framework. They are supported by Internal Audit.
Our risk management and control systems are designed to reduce the likelihood of errors, incorrect decisions and unforeseen circumstances as far as possible. They provide reasonable, but not absolute, assurance against material misstatement or loss. Although we are improving our risk management and control systems on a continuous basis, we currently do not expect significant changes in the coming year.
Risk appetite is the level of residual risk we deem acceptable to achieve our objectives. The risk appetite is set by the Board of Management in close cooperation with the Executive Committee, based on our strategic goals, our business principles, our policies and procedures, and taking into consideration the highly regulated markets we operate in. The risk appetite is discussed with and endorsed by the Audit Committee. Overall, PostNL's risk appetite in 2020 did not materially change compared to 2019. Our risk appetite differs per risk type, and is expressed on a scale of behaviour towards risk running from low to high: averse, prudent, balanced, considerable, seeking.

| Risk type | Risk appetite |
|---|---|
| Strategic risks | We aim to deliver on our strategic ambitions and priorities and are willing to accept balanced to considerable risks to achieve this. |
| Operational risks | We face operational challenges which require an appropriate level of management attention. The overall objective is to avoid risks that could negatively impact our aim to achieve operational effectiveness and efficiencies. |
| Regulatory risks | We strive to be fully compliant with our business principles as well as national and international laws and regulations in relation to the markets in which we operate, and we do not accept deviations. |
| Financial risks | Our financial strategy is focused on a strong financial position and creating long-term value for our shareholders. Our aim is to have a leverage ratio of adjusted net debt / EBITDA not exceeding 2.0, and we only accept risks that do not threaten this. |
In 2020, we continued investing resources to improve the design of our internal controls over financial and non-financial reporting, including more reliance on IT controls in our core processes. We also continued to test the operating effectiveness of these internal controls using our monthly internal control management self-assessment and testing process. As part of this process, management is required to follow up on risks deemed to be inadequately mitigated by internal controls, for example as a result of a major organisational or IT change. In some cases this may require additional actions, including performing and evaluating compensating controls and activities, to reduce the risk of a misstatement in the financial and non-financial reporting.
The performance of our internal control environment is regularly measured and monitored by the Risk Management and Internal Control department, and the results are discussed in the Internal Control Committee (ICC) meetings. The ICC is composed of the CFO, the director Audit & Security, the director Group Finance, and the director Accounting & Reporting. The external auditor also attends the ICC meetings. The ICC met five times in 2020.
Risk management and internal control reports are also discussed with the Board of Management and the Audit Committee of the Supervisory Board.