This section provides an overview of our approach to risk and opportunity management, internal control, integrity, cyber security, privacy, asset protection and loss prevention and compliance. For the disclosures required by the Dutch Corporate Governance Code and chapter 5.1a of the Dutch Financial Markets Supervision Act (Wet op het financieel toezicht) we refer to chapter 'Statements of the Board of Management'.
Our enterprise risk management framework has been designed to identify and prioritise our main risks and related opportunities and develop appropriate responses. This framework is based on COSO ERM 2017 and is in line with the principles of the Dutch Corporate Governance Code 2016.
Understanding strategic, operational, regulatory, and financial risk is a vital element of our management decision-making process. Risks and opportunities are identified by means of both a bottom-up (line management) and top-down (executive management) approach, covering the entire business. For those risks deemed material, management develops and reviews comprehensive risk-response plans. For the related opportunities we have developed comprehensive action plans.
Risk management and internal control is considered a line responsibility. All business segments and head office departments are engaged in this company-wide risk management process, which includes:
Mandatory participation in risk management workshops by relevant management team members;
Assessing risks on impact, likelihood of occurrence and control effort;
Mandatory e-learning on integrity for management.
We have built a comprehensive portfolio of Group policies and controls, ensuring discipline in our business processes. These support the Board of Management in its statutory and fiduciary obligations to stakeholders in developing and achieving its strategic, operational, compliance and financial objectives.
We operate our businesses in highly regulated markets. The responsibility for ensuring that regulatory compliance objectives are achieved, and that related decision-making is supported by transparent, accurate and relevant information, is assigned to the following head office functions: Legal, Privacy Office, Compliance, Integrity Office and Public Affairs. The Board of Management and the Supervisory Board monitor the effectiveness and efficiency of the enterprise risk management framework. They are supported by Internal Audit. Our risk management and control systems are designed to reduce the likelihood of errors, incorrect decisions and unforeseen circumstances as much as possible. They provide reasonable, but not absolute, assurance against material misstatement or loss. Although we are making improvements to our risk management and control systems on a continuous basis, we currently do not expect significant changes for the coming year.
Risk appetite is the level of residual risk we deem acceptable to achieve our objectives. The risk appetite is set by the Board of Management in close cooperation with the Executive Committee, based on our strategic goals, our business principles, our policies and procedures, and taking into consideration the highly regulated markets we operate in. The risk appetite is discussed with and endorsed by the Audit Committee. Overall, PostNL’s risk appetite in 2021 did not materially change compared to 2020. Our risk appetite differs per risk type.
Risk appetite scale (behaviour towards risk, from low to high): Averse, Prudent, Balanced, Considerable, Seeking.

Risk type | Risk appetite |
---|---|
Strategic risks | We aim to deliver on our strategic ambitions and priorities and are willing to accept balanced to considerable risks to achieve this. |
Operational risks | We face operational challenges which require an appropriate level of management attention. The overall objective is to avoid risks that could negatively impact our aim to achieve operational effectiveness and efficiencies. |
Regulatory risks | We strive to be fully compliant with our business principles as well as national and international laws and regulations in relation to the markets in which we operate and we do not accept deviations. |
Financial risks | Our financial strategy is focused on a strong financial position and creating long-term value for our shareholders. Our aim is to have a leverage ratio of adjusted net debt / EBITDA not exceeding 2.0 and only accept risks that do not threaten this. |
We have analysed the sensitivity of our normalised EBIT to changes in our revenue and different cost items. We prepared a sensitivity analysis to illustrate the impact a single percentage point change would have on normalised EBIT.
Driver | Change | Impact on | Amount (in € million) |
---|---|---|---|
Revenue PostNL | +/- 1% | Normalised EBIT | 35 |
Revenue Parcels | +/- 1% | Normalised EBIT | 21 |
Revenue Mail in NL | +/- 1% | Normalised EBIT | 13 |
Cost of materials | +/- 1% | Normalised EBIT | 1 |
Work contracted out and other external expenses | +/- 1% | Normalised EBIT | 17 |
Salaries, pensions and social security contributions | +/- 1% | Normalised EBIT | 11 |
Depreciation, amortisation and impairments | +/- 1% | Normalised EBIT | 1 |
In 2021, we continued to invest in improving the design and effectiveness of our internal controls related to both financial and non-financial reporting. We are satisfied that the number of IT-related controls we can rely on more than doubled in 2021. These relate to application controls, interface controls, and IT-dependent controls, for example in our customer-to-cash core processes. In 2022, we will further increase the number of reliable IT-related controls. We also continued to test the operational effectiveness of these internal controls using our monthly internal control management self-assessment and testing process. As part of this process, management is required to follow up on risks deemed to be inadequately mitigated by internal controls, which might result from, for example, a major organisational or IT change. In some cases, this may require additional actions, including performing and evaluating compensating controls and activities, to reduce the risks of a misstatement in the financial and non-financial reporting.
Management is required to perform self-assessments on the design and operating effectiveness of our internal control environment. This is regularly measured and monitored by the Risk Management and Internal Control department, and the results are discussed in the Internal Control Committee (ICC) meetings. The ICC is composed of the CFO, the director Audit & Security, the director Group Finance, and the director Accounting & Reporting. The external auditor also attends the ICC meetings. The ICC met five times in 2021.
Risk management and internal control reports are also discussed with the Board of Management and the Audit Committee of the Supervisory Board.