Introduction to risk and opportunity management
Our enterprise risk management framework has been designed to identify and prioritise our main risks and related opportunities and develop appropriate responses. This framework is based on COSO ERM 2017 and is in line with the principles of the Dutch Corporate Governance Code 2022.
Understanding strategic, operational, compliance, financial and reporting risks is a vital element in our management decision-making process. Our risk management and control systems are designed to reduce the likelihood of errors, incorrect decisions and unforeseen circumstances as much as possible. They provide reasonable, but not absolute, internal assurance against material misstatement or loss. Management of the business segments and head office departments are responsible for the effectiveness of the local risk management and opportunity process, including timely identification and assessment of significant risks and the development of appropriate risk response plans.
Risks and opportunities are identified in our structured risk management process by means of both a bottom-up (line management) and a top-down (executive management) approach, covering the entire business. For those risks deemed material, management develops and reviews comprehensive risk-response plans. When management decides to mitigate a risk by implementing an internal control, these controls are formalised in our internal control framework and assessed regularly by means of internal control management self-assessment. For the related opportunities, line management is required to develop comprehensive action plans.
All business segments and head office departments are engaged in this company-wide risk management process, which includes:
- Mandatory participation in risk management workshops by relevant management team members
- Assessing risks on impact, likelihood of occurrence and control effort
- Developing appropriate risk response plans, including risk mitigating actions for the significant risks in the outcome of the entity risk assessment
- Inclusion of the key mitigating risk actions in the internal control framework, including management self-assessment
- The key compliance risks identified in the risk workshops are covered by our compliance risk management system
- Mandatory e-learning on integrity for management.
Enterprise Risk Management process
We have built a comprehensive portfolio of Group policies and controls, ensuring discipline in our business processes. These support the Board of Management in its statutory and fiduciary obligations to stakeholders in developing and achieving its strategic, operational, compliance, financial and reporting objectives.
The Board of Management and the Supervisory Board monitor the effectiveness and efficiency of the enterprise risk management and internal control framework. They are supported by Internal Audit.
We are making improvements to our risk management and control systems on a continuous basis, and for the coming year these improvements are mainly related to the implementation of the CSRD standards, along with the associated reporting requirements, where a focus is placed on how we manage our sustainability risks. Additionally, in 2024 we will explore how we can best integrate the Double Materiality Analysis (DMA) process into our current ERM process.