Risk management

Our risk management framework is based on the COSO Enterprise Risk Management model. It supports the Group, our Business Units and our Business Partner functions in managing risks that might prevent us from achieving our strategic, financial and operational objectives and in protecting company assets, including reputation. It also supports compliance with laws and regulations, as well as reliable financial and non-financial reporting.

Our approach to Risk Management

The building blocks of our risk management framework are shown in the diagram. Governance and culture form the foundation, on which the pillars of the risk management process – strategy & objective setting, risk identification & assessment, risk mitigation & control activities, monitoring & improvement – stand to protect our value & integrity. Communication & reporting connects the pillars and ensures that adequate information is shared with internal and external stakeholders. The building blocks are summarized in the paragraphs below.

Risk management framework (diagram not reproduced in this text version)

Governance & culture

As part of our Corporate Governance, the Board of Directors has delegated the management of the Group to the CEO and the Executive Committee, except where this is restricted by law and other regulations. Furthermore, the Executive Committee, with the approval of the Board of Directors, has determined the Operating Model Framework as guidance for the operations of, and cooperation within, the Group, the Business Units and Business Partners, who are therefore jointly responsible for achieving our objectives and managing the associated risks.

To further implement this, the following roles and responsibilities are assigned, in line with the Three Lines Model:

  • First line: the responsibility for identifying, assessing, and managing risks is an integral part of the responsibility of each manager
  • Second line: Business Partner functions provide expertise and support, and monitor compliance for their functional area. They define objectives for the function, group policies and standards, and efficient and robust business processes including controls
  • Third line: the Corporate Operational Audit department provides independent, objective assurance and advice regarding the effectiveness of governance, risk management, and control activities

The Board of Directors has approved our values as well as our Code of Business Ethics. The Executive Committee and management act as role models for living by the Code of Business Ethics and ensure compliance with it. This ‘tone at the top’ supports effective risk management by creating risk awareness and giving it appropriate priority. In combination, these elements form the governance and culture foundation of our risk management framework.

Strategy & objective-setting

Our Group strategy and objectives are determined by the Board of Directors, supported by the Executive Committee. The Group strategy and objectives are translated into specific plans and priorities for Business Unit and Business Partner leadership and elaborated in further detail for lower levels in the organization.

Risk identification & assessment

The realization of an ambitious strategy will always entail risks. To enable informed decision-making, these risks are identified and assessed at all levels in the organization. Risk assessments may focus on various topics (e.g., Safety, Health and Environment (SHE), security, climate) and are regularly updated. At least once per year, the Executive Committee discusses the material risks for the company as part of the Group risk assessment, and the Board of Directors reviews and approves these material risks. For more information, see Material risks and uncertainties.

Risk mitigation & control activities

Mitigating actions and controls are defined and implemented for the most relevant risks. Controls include policies, standards, Segregation of Duties (SoD) management, business continuity management and business performance reviews. Control activities, which can be preventive or detective, are integrated into our business processes and are executed by the first line.

Monitoring & improvement

The Internal Control department within Legal, Regulatory, Risk & Compliance owns the Internal Control Framework. It defines the standard set of key controls that must be performed by the first line and it aims to ensure reliable financial reporting, mitigate fraud risks and safeguard our assets. The effectiveness of the key controls is independently tested by the Internal Control department.

The effectiveness of the design and the operation of our overall risk management framework is evaluated by the Audit & Risk Committee of the Board of Directors to support the Board Statements.

Communication & reporting

Risks and incidents are reviewed through structured processes and, where needed, on an ad-hoc basis. Twice per year all Business Units and Business Partners report their material risks and incidents to the CEO. These are discussed in the Executive Committee as well as in the Audit & Risk Committee.
