Risk and opportunity management approach

This section provides an overview of our approach to risk and opportunity management, internal control, integrity, asset protection and loss prevention privacy and cyber security. For the disclosures required by the Dutch Corporate Governance Code and chapter 5.1a of the Dutch Financial Markets Supervision Act (Wet op het financieel toezicht) we refer to the 'Statements of the Board of Management'download chapter.

Introduction to risk and opportunity management

Our enterprise risk management framework has been designed to identify and prioritise our main risks and related opportunities and develop appropriate responses. This framework is based on COSO ERM 2017 and is in line with the principles of the Dutch Corporate Governance Code 2016. During 2022, we invested in further extending the compliance dimension of the ERM framework.

Understanding strategic, operational, compliance, and financial risk is a vital element of our management decision-making process. Risks and opportunities are identified by means of both a bottom-up (line management) and top-down (executive management) approach. The risk workshops cover the entire business, and include dedicated risk workshops on significant subjects, such as climate change and human rights. For those risks deemed material, management develops and reviews comprehensive risk-response plans. For the related opportunities we have developed comprehensive action plans.

Risk management and internal control is considered a line responsibility. All business segments and head office departments are engaged in this company-wide risk management process, which includes:

  • Mandatory participation in risk management workshops by relevant management team members

  • Assessing risks on impact, likelihood of occurrence and control effort

  • Mandatory e-learning on integrity for management

Enterprise Risk Management process

We have built a comprehensive portfolio of Group policies and controls, ensuring discipline in our business processes. These support the Board of Management in its statutory and fiduciary obligations to stakeholders in developing and achieving its strategic, operational, compliance and financial objectives. In 2022 we introduced a new policy and risk management approach on digital ethics, to safeguard against ethical risks that may originate in the application of artificial intelligence, robotics and machine learning.

The Board of Management and the Supervisory Board monitor the effectiveness and efficiency of the enterprise risk management framework. They are supported by Internal Audit. Our risk management and control systems are designed to reduce the likelihood of errors, incorrect decisions and unforeseen circumstances as much as possible. It provides reasonable, but not absolute, internal assurance against material misstatement or loss. We are making improvements to our risk management and control systems on a continuous basis, such as the improved internal control on compliance risks, IT risks and digital ethics risks implemented during 2022. For the coming year, these improvements are related to the implementation of the EU Taxonomy and the CSRD standards, where a focus is being placed on how companies manage their sustainability risks.

Risk appetite

Risk appetite is the level of residual risk we deem acceptable to achieve our objectives. The risk appetite is set by the Board of Management in close cooperation with the Executive Committee, based on our strategic goals, our business principles, our policies and procedures, and taking into consideration the highly regulated markets we operate in. The risk profile is compared with PostNL's established risk appetite after each risk management workshop. Where there is a difference between the risk level and risk appetite bandwidth, management initiates an action plan. The risk appetite is discussed with and endorsed by the Audit Committee. Overall, PostNL’s risk appetite in 2022 did not materially change compared to 2021 and will be maintained for 2023. Our risk appetite differs per risk type. In 'Main risks and opportunities'download the risk level and the future trend as assessed in 2022 are included.

Download spreadsheet

Risk appetite

Low

Behaviour towards risk

High

Averse

Prudent

Balanced

Considerable

Seeking

Strategic risks

We aim to deliver on our strategic ambitions and priorities and are willing to accept balanced to considerable risks to achieve this.

Low

Behaviour towards risk

High

Operational risks

We face operational challenges which require an appropriate level of management attention. The overall objective is to avoid risks that could negatively impact our aim to achieve operational effectiveness and efficiencies.

Low

Behaviour towards risk

High

Regulatory risks

We strive to be fully compliant with our business principles as well as national and international laws and regulations in relation to the markets in which we operate and we do not accept deviations.

Low

Behaviour towards risk

High

Financial risks

Our financial strategy is focused on a strong financial position and creating long-term value for our shareholders. Our aim is to have a leverage ratio of adjusted net debt / EBITDA not exceeding 2.0 and only accept risks that do not threaten this.

Low

Behaviour towards risk

High

Sensitivity analysis

Download spreadsheet

PostNL Sensitivity analysis

Driver

Change

Impact on

Amount (in million)

Revenue PostNL

+/- 1%

Normalised EBIT

31

Revenue Parcels

+/- 1%

Normalised EBIT

19

Revenue Mail in NL

+/- 1%

Normalised EBIT

12

    

Cost of materials

+/- 1%

Normalised EBIT

1

Work contracted out and other external expenses

+/- 1%

Normalised EBIT

16

Salaries, pensions and social security contributions

+/- 1%

Normalised EBIT

11

Depreciation, amortisation and impairments

+/- 1%

Normalised EBIT

2

We have analysed the sensitivity of our normalised EBIT for changes in our revenue and different cost items.

We prepared a sensitivity analysis to illustrate the impact a single percentage point change would have on normalised EBIT.

Internal control framework

In 2022, we continued to invest in improving the design and effectiveness of our internal controls related to both financial and non-financial reporting, aiming for a good balance between preventive and detective controls. We are satisfied that the number of IT-related controls we can rely on has increased in 2022. These relate to application controls, interface controls, and IT-dependent manual controls. In 2023, we will extend the use of IT-related controls to other risk processes for a more robust and mature internal control framework. Additionally, we will continue to optimise and implement controls related to non-financial reporting. We also continued to test operational effectiveness of these internal controls using our monthly internal control management self-assessment and testing process. As part of this process, management is required to follow up on risks deemed to be inadequately mitigated by internal controls. In some cases, this may require additional actions, including performing and evaluating compensating controls and activities, to reduce the risks of a misstatement in the financial and non-financial reporting.

Management is required to perform self-assessments on the design and operating effectiveness of our internal control environment. This is regularly measured and monitored by the Risk Management and Internal Control department, and the results are discussed in the Internal Control Committee (ICC) meetings. The ICC is composed of the CFO, the director Audit & Security, the director Group Finance, and the director Accounting & Reporting. The external auditor also attends the ICC meetings. The ICC met five times in 2022.

Risk management and internal control reports are also discussed with the Board of Management and the Audit Committee of the Supervisory Board.