Our risk management framework is based on the COSO Enterprise Risk Management model. It supports the Group, our Business Units, and our Business Partners in managing risks that might prevent us from achieving our strategic, financial, and operational objectives and in protecting company assets, including our reputation.
ESRS GOV-5
Governance framework
Governance and culture form the foundation for the four pillars of the risk management process (see graphic below): strategy & objective-setting, risk identification & assessment, risk mitigation & control activities, and monitoring & improvement. Together, these protect our value and integrity. Communication & reporting connects the pillars and ensures that adequate information is shared with internal and external stakeholders. The building blocks are summarized in the following paragraphs.
Our Enterprise Risk Management framework
Governance & culture
As part of our Corporate Governance, the Board of Directors has delegated management of the Group to the CEO and the Executive Committee, except where this is restricted by law or regulation. Furthermore, the Executive Committee, with the approval of the Board, has determined the operating model that guides the operations of, and the cooperation between, the Business Units and the Business Partners. The Business Units and Business Partners are therefore jointly responsible for achieving our objectives and managing the associated risks.
To further implement this, the following roles and responsibilities are assigned, in line with the Three Lines model:
- First line: identifying, assessing, and managing risks is an integral part of the responsibility of each manager
- Second line: Business Partner functions provide expertise and support, and monitor compliance for their area. They define objectives for the function, Group policies and standards, and efficient and robust business processes, including controls
- Third line: the Group Audit department provides independent, objective assurance and advice regarding the effectiveness of governance, risk management, and control activities
The Board of Directors has approved our values as well as our Code of Business Ethics. The Executive Committee and management are a role model for living out the Code of Business Ethics and ensure compliance with it. This ‘tone at the top’ supports effective risk management by creating risk awareness and giving it appropriate priority. In combination, these elements form the governance & culture foundation of our risk management framework.
Strategy & objective-setting
Our Group and Business Unit strategies and objectives are set by the Executive Committee and presented to the Board of Directors for approval. These strategies and objectives are translated into specific plans and priorities and are elaborated in further detail for all levels in the organization.
Risk identification & assessment
The realization of an ambitious strategy always entails risks. To enable informed decision-making, these risks are identified and assessed at all levels of the organization pursuant to our Enterprise Risk Management framework. Risk assessments may focus on various topics (e.g., business strategy, company process, social/environmental issues). Twice a year, the Executive Committee discusses the material Group risks as part of the Group risk assessment, with the Audit & Risk Committee reviewing and validating these risks before discussing them with the Board of Directors. See Material risks and uncertainties. In addition, topics covering our Group risks are regularly on the agendas of our Executive Committee and our Board of Directors meetings.
Risk mitigation & control activities
As part of our Enterprise Risk Management framework, mitigating actions and controls are defined and implemented for the most relevant risks. Controls include policies, standards, Segregation of Duties (SoD) management, business continuity management, and business reviews. Control activities, whether preventive or detective, are integrated into our processes and executed by the first line.
Monitoring & improvement
The Internal Control department within Legal, Regulatory, Risk and Compliance owns the Internal Control framework. This framework defines the standard set of key controls that must be performed by the first line. It aims to ensure reliable financial reporting, mitigate fraud risks and safeguard our assets. The effectiveness of the key controls is independently tested by the Internal Control department. The effectiveness of the design and the operation of our overall risk management framework is evaluated by the Audit & Risk Committee to support the Board statement.
Communication & reporting
Risk reviews take place by means of structured processes, and on an ad-hoc basis if necessary. Twice a year, as part of our Enterprise Risk Management framework, all Business Units and Business Partners report their material risks and incidents to the Executive Committee and the Audit & Risk Committee.