Integrated Annual Report 2025

Our approach to risk management

At dsm-firmenich, effective risk management is essential to safeguarding our performance, enabling strategic execution, and supporting our purpose.

Our Enterprise Risk Management framework

Our Enterprise Risk Management (ERM) framework is based on the COSO Enterprise Risk Management model. It supports the Group, our Business Units, and our Business Partners in managing risks that might prevent us from achieving our strategic, financial, and operational objectives as well as in protecting company assets and our reputation. It is embedded in our operating model to ensure risks are identified early, assessed consistently, mitigated effectively, monitored continuously, and reported transparently.

risk management framework (infographic)

Governance and culture

Governance and culture form the foundation for the four pillars of our ERM framework, which are: strategy & objective-setting, risk identification & assessment, risk mitigation & control activities, and monitoring & improvement. Together, these pillars protect our value & integrity. Communication & reporting ensures the connection between the pillars and the sharing of adequate information with internal and external stakeholders. As part of our Governance framework, the Board of Directors has delegated the management of the Group to the CEO and the Executive Committee, except where restricted by law or regulation. The CEO and the Executive Committee are authorized, within these limits, to further sub-delegate their authority as appropriate. With the approval of the Board, the Executive Committee has established the internal governance operating model, which guides the operations of, and cooperation between, the Business Units (operational management) and the Business Partners. These groups are jointly responsible for achieving our objectives and managing the associated risks, in accordance with the Company’s internal Governance framework and the official delegation of authority.

With respect to risk management, the Board of Directors sets the strategic direction and holds ultimate accountability for the effectiveness of the ERM Framework. The Board has delegated oversight of risk management to the Audit & Risk Committee, which reviews the design of the Framework, sets the Group risk appetite, and validates the outcomes of the Group Risk Assessment. The Executive Committee implements the ERM framework, assigns risk owners, and ensures that risk‑informed thinking is embedded across the company. Our culture plays a central role in how risk is managed. Leaders at all levels are expected to act as role models by encouraging open dialogue, fostering psychological safety, promoting transparency in raising and escalating risks, and demonstrating accountability in managing them. Risk management is most effective when people feel empowered to speak up early, challenge constructively, and take ownership of responsible decision‑making.

Our Code of Business Ethics and Group Policy framework guide employees and leaders in making consistent, principled decisions. These foundations support a culture where integrity, compliance, sustainability, and risk awareness are embedded in everyday behaviors and in how we collaborate, innovate, and execute our strategy. The Board of Directors has formally approved our corporate values as well as our Code of Business Ethics. The Executive Committee and management actively model the principles outlined in the Code of Business Ethics and ensure the consistent application of the Code across the organization. This clear ‘tone from the top’ fosters a culture of risk awareness and prioritization, which is essential for effective risk management.

How risk management creates value at dsm‑firmenich

Our ERM framework contributes directly to the performance and resilience of dsm‑firmenich. It supports the company in:

  • Safeguarding our people, assets, and reputation and protecting the long‑term value of the company

  • Enabling strategic decisions by ensuring that risks, uncertainties, and opportunities are assessed early and systematically

  • Supporting value creation by helping to identify opportunities inherent in change, innovation, and investment decisions

  • Raising awareness and fostering a risk‑informed culture across Business Units and Business Partners, ensuring that leaders and teams understand the nature, drivers, and potential impacts and opportunities associated with specific risks

  • Providing timely and relevant risk‑based insights to leadership, supporting strategy planning, prioritization and performance management

  • Strengthening compliance and governance by promoting consistent application of Group policies, standards, and external regulatory requirements

  • Providing resilience and being a reliable partner for our customers

Roles and responsibilities: The Three Lines model

To further implement our ERM framework, the following roles and responsibilities are assigned, in line with the Three Lines model by the Institute of Internal Auditors (IIA):

  • First line (Business Units/operational management), with support from Business Partners: managers and staff within the Business Units are responsible for identifying, assessing, and managing risks as an integral part of their daily operations. They own the risks and are accountable for implementing appropriate controls and ensuring that objectives are met. Finance operates as the first line for the financial reporting process

  • Second line: Functions (including ERM, Legal, Compliance and Sustainability) that provide expertise, support, and independent monitoring for their areas. They define objectives, Group policies, and standards. They support and challenge the first line, and monitor risk-related and compliance matters, including controls

  • Third line (internal audit): The Group Audit department provides independent, objective assurance and advice regarding the effectiveness of governance, risk management, and control activities. This function is fully independent from operational management and reports directly to the Board of Directors or the Audit & Risk Committee

Strategy and objective-setting

Our Group functions and Business Unit strategies and objectives are set by the responsible Executive Committee member and presented to the Board of Directors for approval. They are translated into specific plans and priorities and then elaborated upon for all levels in the organization. Each material Group risk has an Executive Committee member accountable for defining risk responses and ensuring cross-functional coordination. Business Unit/Business Partner leaders act as cluster owners or delegated risk owners.

Risk identification and assessment

The realization of any ambitious strategy always entails risks. To enable informed decision-making, these risks are identified and assessed at all levels of the organization in line with our ERM framework.

Assessments include Group risk assessment, business risk assessments, strategy-related risk assessments, process/project risk assessments, and site risk assessments conducted under the Business Continuity Management framework. As part of these assessments, risks are identified using the Group risk categories and are evaluated using standardized impact and likelihood scales to ensure consistency across the company. The impact scale reflects strategic, financial, operational, compliance, and reputational dimensions. Specific periods are defined for short‑term and long‑term time horizons. They are used consistently in the double materiality assessment (DMA), see General information in the Sustainability Statements.

Twice a year, the Executive Committee discusses the material Group risks as part of the Group risk assessment, with the Audit & Risk Committee reviewing and validating these risks before discussing them with the Board of Directors; see Material risks and uncertainties.

Risk mitigation and control activities

As part of our ERM framework, mitigating actions and controls are defined and implemented for the most relevant risks. Controls include policies, standards, segregation of duties (SoD) management, business continuity management, and business reviews. Control activities, whether preventive or detective, are integrated into our processes and executed by the first line. Second line sets standards and monitors, and Group Audit provides independent assurance.

Monitoring and improvement

To ensure that risk mitigation and control activities embedded in our business processes operate effectively, dsm‑firmenich has established a framework that supports the achievement of our objectives. To support the first line, the company has an Internal Control function that provides expertise to process owners, defines and maintains key control requirements, and monitors the adequacy of the design and execution of these controls. Key controls are those identified by management as essential to ensuring reliable internal and external reporting and compliant, well‑controlled operations.

Communication and reporting

Risk reviews take place by means of structured processes and on an ad-hoc basis if necessary. Twice a year, as part of our ERM framework, all Business Units and Business Partners report their material risks and incidents to the Executive Committee and the Audit & Risk Committee.