Doing business is an act of balancing business opportunities with risks and control activities. We have formal and standardised processes in place to support our strategy execution. Based on our risk appetite we evaluate our risk profile. For all relevant risks and opportunities we develop and implement appropriate action plans and measures.
This section provides an overview of our approach to risk and opportunity management, internal control, integrity, asset protection and loss prevention, privacy and cyber security. For the disclosures required by the Dutch Corporate Governance Code and chapter 5.1a of the Dutch Financial Markets Supervision Act (Wet op het financieel toezicht) we refer to the 'Statements of the Board of Management' chapter.
Our enterprise risk management framework has been designed to identify and prioritise our main risks and related opportunities and develop appropriate responses. This framework is based on COSO ERM 2017 and is in line with the principles of the Dutch Corporate Governance Code 2016. During 2022, we invested in further extending the compliance dimension of the ERM framework.
Understanding strategic, operational, compliance, and financial risk is a vital element of our management decision-making process. Risks and opportunities are identified by means of both a bottom-up (line management) and top-down (executive management) approach. The risk workshops cover the entire business, and include dedicated risk workshops on significant subjects, such as climate change and human rights. For those risks deemed material, management develops and reviews comprehensive risk-response plans. For the related opportunities we have developed comprehensive action plans.
Risk management and internal control is considered a line responsibility. All business segments and head office departments are engaged in this company-wide risk management process, which includes:
Mandatory participation in risk management workshops by relevant management team members
Assessing risks on impact, likelihood of occurrence and control effort
Mandatory e-learning on integrity for management
We have built a comprehensive portfolio of Group policies and controls, ensuring discipline in our business processes. These support the Board of Management in its statutory and fiduciary obligations to stakeholders in developing and achieving its strategic, operational, compliance and financial objectives. In 2022 we introduced a new policy and risk management approach on digital ethics, to safeguard against ethical risks that may originate in the application of artificial intelligence, robotics and machine learning.
The Board of Management and the Supervisory Board monitor the effectiveness and efficiency of the enterprise risk management framework. They are supported by Internal Audit. Our risk management and control systems are designed to reduce the likelihood of errors, incorrect decisions and unforeseen circumstances as much as possible. They provide reasonable, but not absolute, internal assurance against material misstatement or loss. We are making improvements to our risk management and control systems on a continuous basis, such as the improved internal control on compliance risks, IT risks and digital ethics risks implemented during 2022. For the coming year, these improvements are related to the implementation of the EU Taxonomy and the CSRD standards, where a focus is being placed on how companies manage their sustainability risks.
Risk appetite is the level of residual risk we deem acceptable to achieve our objectives. The risk appetite is set by the Board of Management in close cooperation with the Executive Committee, based on our strategic goals, our business principles, our policies and procedures, and taking into consideration the highly regulated markets we operate in. The risk profile is compared with PostNL's established risk appetite after each risk management workshop. Where there is a difference between the risk level and risk appetite bandwidth, management initiates an action plan. The risk appetite is discussed with and endorsed by the Audit Committee. Overall, PostNL’s risk appetite in 2022 did not materially change compared to 2021 and will be maintained for 2023. Our risk appetite differs per risk type. In 'Main risks and opportunities' the risk level and the future trend as assessed in 2022 are included.
Risk appetite scale (behaviour towards risk, from low to high): Averse, Prudent, Balanced, Considerable, Seeking.

Risk type | Risk appetite |
---|---|
Strategic risks | We aim to deliver on our strategic ambitions and priorities and are willing to accept balanced to considerable risks to achieve this. |
Operational risks | We face operational challenges which require an appropriate level of management attention. The overall objective is to avoid risks that could negatively impact our aim to achieve operational effectiveness and efficiencies. |
Regulatory risks | We strive to be fully compliant with our business principles as well as national and international laws and regulations in relation to the markets in which we operate and we do not accept deviations. |
Financial risks | Our financial strategy is focused on a strong financial position and creating long-term value for our shareholders. Our aim is to have a leverage ratio of adjusted net debt / EBITDA not exceeding 2.0 and only accept risks that do not threaten this. |
Driver | Change | Impact on | Amount (in € million) |
---|---|---|---|
Revenue PostNL | +/- 1% | Normalised EBIT | 31 |
Revenue Parcels | +/- 1% | Normalised EBIT | 19 |
Revenue Mail in NL | +/- 1% | Normalised EBIT | 12 |
Cost of materials | +/- 1% | Normalised EBIT | 1 |
Work contracted out and other external expenses | +/- 1% | Normalised EBIT | 16 |
Salaries, pensions and social security contributions | +/- 1% | Normalised EBIT | 11 |
Depreciation, amortisation and impairments | +/- 1% | Normalised EBIT | 2 |
We have analysed the sensitivity of our normalised EBIT for changes in our revenue and different cost items.
We prepared a sensitivity analysis to illustrate the impact a single percentage point change would have on normalised EBIT.
In 2022, we continued to invest in improving the design and effectiveness of our internal controls related to both financial and non-financial reporting, aiming for a good balance between preventive and detective controls. We are satisfied that the number of IT-related controls we can rely on has increased in 2022. These relate to application controls, interface controls, and IT-dependent manual controls. In 2023, we will extend the use of IT-related controls to other risk processes for a more robust and mature internal control framework. Additionally, we will continue to optimise and implement controls related to non-financial reporting. We also continued to test operational effectiveness of these internal controls using our monthly internal control management self-assessment and testing process. As part of this process, management is required to follow up on risks deemed to be inadequately mitigated by internal controls. In some cases, this may require additional actions, including performing and evaluating compensating controls and activities, to reduce the risks of a misstatement in the financial and non-financial reporting.
Management is required to perform self-assessments on the design and operating effectiveness of our internal control environment. This is regularly measured and monitored by the Risk Management and Internal Control department, and the results are discussed in the Internal Control Committee (ICC) meetings. The ICC is composed of the CFO, the director Audit & Security, the director Group Finance, and the director Accounting & Reporting. The external auditor also attends the ICC meetings. The ICC met five times in 2022.
Risk management and internal control reports are also discussed with the Board of Management and the Audit Committee of the Supervisory Board.