Risk management
Introduction
Our internal risk management and control systems are designed to identify, prioritise and evaluate our main risks and develop appropriate responses. This framework is based on COSO ERM 2017 and is in line with the principles of the Dutch Corporate Governance Code 2025. Understanding strategic, operational, financial, compliance, financial reporting and sustainability reporting risks is a vital element in our management decision-making process. Our internal risk management and control systems are designed to reduce the likelihood of errors, incorrect decisions and unforeseen circumstances as much as possible. They provide the substantiation for our evaluation of the effectiveness of the operation of our internal controls.
Management of the business segments and head office departments are responsible for the effectiveness of the internal risk management and control process, including timely identification and assessment of significant risks and the development of appropriate risk response plans. For the disclosures required by the Dutch Corporate Governance Code and chapter 5.1a of the Dutch Financial Markets Supervision Act (Wet op het financieel toezicht) please refer to chapter 14, Statements of the Board of Management.
Our internal risk management and control systems operate on the basis of the Three Lines Model:
- The first line involves operational management, which is responsible for identifying, assessing, managing and controlling risks at the operational level.
- The second line includes risk management and compliance functions that provide expertise, support, monitoring and challenge to ensure that the first line effectively manages risks and opportunities.
- The third line is the internal audit function, which independently evaluates the effectiveness of the internal risk management and control systems as designed and operated by the first and second lines.
Risks are identified in our structured risk management process through both a bottom-up (line management) and a top-down (executive management) approach, covering the entire business. For those risks deemed material, management develops and reviews comprehensive risk-response plans, taking into consideration our risk appetite. When management decides to mitigate a risk by implementing an internal control, these controls are formalised in our internal control framework and assessed regularly through internal control management self-assessment.
All business segments and head office departments are engaged in this company-wide risk management process, which includes:
- Mandatory participation in risk management workshops by relevant management team members
- Assessing risks based on impact and likelihood of occurrence
- Developing appropriate risk response plans, including mitigation actions for the significant risks
- Inclusion of the key mitigating risk actions in the internal control framework, including management self-assessment
- Mandatory e-learning on integrity for management and key risk functions
We have built a comprehensive portfolio of group policies and controls, ensuring discipline in our business processes. These support the Board of Management in its statutory and fiduciary obligations to stakeholders in developing and achieving its strategic, operational, financial, compliance and reporting objectives.
The Board of Management and the Supervisory Board monitor the effectiveness and efficiency of the internal risk management and control systems. They are supported by Internal Audit.
In 2025, in line with the requirements of the Corporate Sustainability Reporting Directive (CSRD), we explored integrating the double materiality assessment (DMA), the climate risk assessment and the human rights salience assessment into our Enterprise Risk Management (ERM) framework. For more details on the DMA please refer to the General disclosures in the Sustainability statement. This enables an annual review of value chain developments, stakeholder feedback and ESG-related impacts, risks and opportunities (IROs), helping to embed ESG considerations in our decision-making and keep our risk appetite aligned with our ESG priorities. In parallel, in accordance with the Dutch Corporate Governance Code 2025, we included the Risk Management Statement (‘Verklaring Omtrent Risicobeheersing’ – VOR) in the Statements of the Board of Management chapter.
Internal risk management and control systems
Senior management is responsible for the effectiveness of the design and operation of the internal risk management and control systems within their area of responsibility. They are required to perform self-assessments on the design and operating effectiveness of our internal controls. This is regularly measured and monitored by the Risk Management and Internal Control department, and the results are discussed in the Internal Control Committee (ICC) meetings.
The ICC is composed of the CFO, the director Audit & Security, the director Group Finance, and the director Accounting & Reporting. The external auditor also attends the ICC meetings. The ICC met five times in 2025. Internal risk management and control reports are discussed with the Board of Management and the Audit Committee of the Supervisory Board. As part of this process, management is required to follow up on risks deemed to be inadequately mitigated by internal controls. In some cases, this may require additional actions, including performing and evaluating compensating controls and activities, to reduce the risks of misstatements in financial or sustainability reporting or to manage operational or compliance risks.
In 2025, PostNL integrated, in accordance with the revised Dutch Corporate Governance Code, the Risk Management Statement into its Board Report. This statement confirms, within the limitations set out in the Code, the design and the level of operating effectiveness of our internal risk management and control systems covering operational, compliance, financial reporting and sustainability reporting risks.
In accordance with this new risk reporting requirement, we have made explicit the levels of assurance or certainty per risk type within our internal risk management and control systems.
The systems are designed and operating to be able to provide reasonable assurance that the financial reporting under IFRS in this annual report does not contain any material inaccuracies. Furthermore, these systems provide limited assurance that the sustainability reporting under the CSRD and the EU Taxonomy in this annual report is free from material misstatements.
The operational and compliance risk management and control systems are designed and operating to be able to provide appropriate comfort that the identified operational and compliance risks are effectively managed in line with PostNL’s risk appetite, the complexity of our enterprise, the inherent limitations of these systems and other disclosures on these systems.
The scope of the operational risk management and control system is set to cover the core business processes, such as customer-to-cash, purchase-to-pay, hire-to-retire, business resilience and continuity management in operations, IT general controls and cybersecurity.
The scope of the compliance risk management and control system is set to cover the laws and regulations and the related internal policies and procedures on business conduct, Dutch postal law, human rights and labour conditions, the environment, transportation, Dutch privacy law (GDPR) and the upcoming Dutch cybersecurity law (NIS2). Our compliance risk management and control system is structured in accordance with the ‘Levers of Control’ model, in addition to COSO ERM (2017) requirements.
Looking ahead, we will continue to work closely with the business to evaluate the need for additional or revised controls and assess the implications of these changes on the effectiveness of the design and operation of newly established (automated) controls. This ongoing collaboration ensures that our control environment remains robust and aligned with evolving business needs.