This section provides an overview of our approach to risk and opportunity management, including internal control, integrity, asset protection and loss prevention, privacy and cybersecurity. For the disclosures required by the Dutch Corporate Governance Code and chapter 5.1a of the Dutch Financial Markets Supervision Act (Wet op het financieel toezicht) please see the chapter Statements of the Board of Management. This chapter includes incorporation by reference for GOV-5 and IRO-1 in the sustainability statement.

Our enterprise risk management framework has been designed to identify and prioritise our main risks and related opportunities and develop appropriate responses. This framework is based on COSO ERM 2017 and is in line with the principles of the Dutch Corporate Governance Code 2022.

Understanding strategic, operational, compliance, financial reporting and sustainability reporting risks is a vital element in our management decision-making process. Our risk management and control systems are designed to reduce the likelihood of errors, incorrect decisions and unforeseen circumstances as much as possible. They provide reasonable, but not absolute, internal assurance against material misstatement or loss. Management of the business segments and head office departments are responsible for the effectiveness of the local risk management and opportunity process, including timely identification and assessment of significant risks and opportunities and the development of appropriate risk and opportunity response plans.

Our risk management framework operates on the basis of the Three Lines Model:

  1. The first line involves operational management, which is responsible for identifying, assessing, managing and controlling risks and opportunities at the operational level.
  2. The second line includes risk management and compliance functions that provide oversight, support, feedback and guidance to ensure that the first line effectively manages risks and opportunities.
  3. The third line is the internal audit function, which independently evaluates the effectiveness of the risk management and internal control processes implemented by the first and second lines.

Enterprise Risk Management process

Risks and opportunities are identified in our structured risk management process by means of both a bottom-up (line management) and a top-down (executive management) approach, covering the entire business. For those risks deemed material, management develops and reviews comprehensive risk-response plans, taking into consideration our risk appetite. When management decides to mitigate a risk by implementing an internal control, these controls are formalised in our internal control framework and assessed regularly by means of internal control management self-assessment. For opportunities, line management is required to develop comprehensive action plans.

All business segments and head office departments are engaged in this company-wide risk management process, which includes:

  • Mandatory participation in risk management workshops by relevant management team members
  • Assessing risks and opportunities on impact and likelihood of occurrence
  • Developing appropriate risk and opportunity response plans, including risk mitigating actions for the significant risks in the outcome of the entity risk assessment
  • Inclusion of the key mitigating risk actions in the internal control framework, including management self-assessment
  • Coverage of the key compliance risks identified in the risk workshops by our compliance risk management system
  • Mandatory e-learning on integrity for management.

We have built a comprehensive portfolio of group policies and controls, ensuring discipline in our business processes. These support the Board of Management in its statutory and fiduciary obligations to stakeholders in developing and achieving its strategic, operational, compliance, financial and reporting objectives.

The Board of Management and the Supervisory Board monitor the effectiveness and efficiency of the enterprise risk management and internal control framework. They are supported by Internal Audit.

In 2024, we initiated improvements to our risk management and control systems, with a particular emphasis on integrating the Corporate Sustainability Reporting Directive (CSRD) standards and associated reporting obligations. A key focus area is strengthening the management of sustainability risks, particularly by embedding the double materiality assessment (DMA) into our enterprise risk management (ERM) framework.

In line with the Dutch Corporate Governance Code, starting from 2025, we are required to include the Risk Management Statement (‘Verklaring Omtrent Risicobeheersing’ (VOR)) in the Statements of the Board of Management chapter. To ensure compliance, we began the implementation of VOR requirements in 2024, proactively aligning our risk management and internal control processes with these new standards. Throughout 2025, we will continue to assess and refine our existing frameworks, further enhancing our ability to meet these obligations and maintain robust risk management practices.

Integration of DMA with ERM, IC, and our strategic plan

At PostNL, we are working towards integrating the DMA with ERM, internal control (IC), and the organisation’s strategic plan—an annual process—to ensure ESG considerations are embedded in our decision-making. Guided by material topics, we aim to align our strategy, KPIs, and risk appetite with ESG priorities.

As part of this effort, the ERM team collaborates periodically with the CSRD Programme Manager to identify and assess ESG-related risks, initiating structured processes that involve the risk management and internal control (RMIC) team in facilitating workshops in line with CSRD requirements. Stakeholder input is gathered for each material topic to design targeted workshops, coordinated by the CSRD Programme Manager and RMIC. These workshops, typically completed in a single round but occasionally requiring a second, produce a consolidated list of material ESG risks and opportunities.

The outcomes of these workshops are aligned with ERM risks and opportunities, identifying key drivers and categorising risks and opportunities to assess their enterprise-wide impact and potential financial implications. For risks and opportunities that exceed the organisation’s appetite threshold, action plans and controls are developed to mitigate impacts and enhance business resilience. These action plans and controls are integrated into the annual strategic planning, forecasting, and budgeting processes, ensuring appropriate management attention and timely budget allocation to drive these initiatives forward.

The strategic plan can only be finalised following approval from the Supervisory Board and the Board of Management. Embedding ESG action plans within the strategic plan ensures sufficient oversight and monitoring by the boards. The ERM team supports the management and integration of these action plans within the organisation’s systems, ensuring alignment with strategic priorities and contributing to the sustainable growth and resilience of the organisation.