The Risk Advisory Committee advises the Board of Management regarding business risks including compliance risks. The committee is comprised of corporate officers and two board members covering Finance, Operations, Financial Reporting, Legal, IT, Communication and Risk Management.
The committee met seven times in 2007 and discussed risks the Group faced and suggested risk mitigating actions to the Board of Management. The minutes of the Risk Advisory Meetings are forwarded to the Audit Committee and the External Auditors. Areas of specific focus for the Risk Advisory Committee in 2007 included:
Terms of Reference, policies and procedures
In 2007, we reviewed and updated our corporate policies and procedures and added a new policy specifically addressing risk management procedures. Any overlap between policies and procedures was removed to provide better clarity. Furthermore, all corporate policies and procedures were translated into seven languages in addition to English. Vedior’s policies are a comprehensive set of rules, minimum standards and best practice guidelines which address the following issues:
- Code of Conduct
- Whistleblower Policy
- Contract Liability Guidelines
- Trademark Policy
- Risk Management Policy
- Insider Dealing rules
- Competition Compliance Guide
- Employee Expenses and Travel Policy
- Health and Safety Policy
- Disclosure Guidelines
- Auditor Independence Policy
- Accounting Manual
- Financial Control Framework
- Insurance Guidelines
- Finance & Banking Policy
- Document Retention Policy
- Internet & Email Guidelines
- Minimum Website Standards
- IT Risk Management
- Data Protection Policy
- Software Asset Management Policy
- Disaster Recovery Business Process Continuity Minimum Standards
Vedior’s control document for all policies and procedures is our Terms of Reference. The Terms of Reference also specify approval and advice requirements for public relations, legal, financial, operational, commercial, human resources and health and safety issues. During 2007, the Risk Advisory Committee also took the opportunity to update the Terms of Reference and, in September, company managers were requested to confirm compliance with the Terms of Reference via a new online sign-off procedure contained within our corporate intranet. This online process will require completion on an annual basis and enables the Board of Management to better monitor any areas of non-compliance. Individual follow-up will be given to those operating companies reporting any non-compliant issues. Failure to comply with the Terms of Reference (or failure to notify the Board of Management of non-compliance) could result in disciplinary action, including termination of employment.
Potential infringement of competition/anti-trust laws
A Competition Compliance Guide has been in place for many years. To decrease the risk of non-compliance, our local legal counsels as well as company managers within our largest markets are provided with training by an external law firm. In relation to the ongoing competition investigation launched in France in 2004, Vedior has taken a number of steps to further strengthen the corporate compliance structure of our French operations.
Disaster recovery business process continuity (‘DRBPC’)
A policy establishing DRBPC standards has been in place for a number of years; however, not all operating company DRBPC plans were kept up to date and appropriately tested. During 2007, efforts were made to raise awareness of this issue across the whole management team of the Group. By the end of the year, progress was made and individual follow-up will be given to operating companies that have not yet updated or tested their plans. Key controls on disaster recovery and business continuity will also become part of the Financial Control Framework.
Financial risks
Information on financial risks is provided here.
Financial reporting risks
From the financial reporting risk management perspective, the key risk is material misstatements in financial reporting.
To be able to achieve reliable financial reporting at the operating company and Group level, in accordance with Vedior’s reporting requirements, our internal risk management and control systems include the following:
- A comprehensive and uniform financial reporting system with which operational and financial performance is reported for consolidation purposes and measured monthly against budget and market developments.
- Annual business plans and budgets approved by the Board of Management and subsequently monitored throughout the year.
- Monthly operational board meetings in which, with some minor exceptions, the relevant member of the Board of Management will participate and the highlights of which will be reported by such member to the Board of Management.
- A Financial Control Framework consisting of a self-assessment on the effectiveness of key controls for the primary financial reporting processes.
- Internal control systems and accounting procedures reviewed by the Group’s external auditor in connection with their audit of Vedior’s financial statements.
The financial reporting risk management approach is focussed on assessing the operating company’s key financial reporting controls and, wherever possible, further improving these financial reporting controls. These self-assessments are performed based on the Financial Control Framework which is implemented within operating companies representing over 82% of 2007 Group sales. The results of the local self-assessments are reviewed by the Financial Risk Controller to ensure reliability of the financial reporting controls. Action plans are developed by the operating companies based on the results of the local self-assessments and reviews, including recommendations provided by the external auditors. The timely follow-up given to the action plans is monitored by the Financial Risk Controller as well as the Zone Controllers.
As part of the audit of the 2007 consolidated financial statements of the Group, the external auditor considers, as far as he deems necessary for the purpose of the audit, internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design the appropriate audit procedures. No opinion on the effectiveness of the entity’s internal control is expressed; however, as a result of the audit engagement, the external auditor reported on the design and implementation of the internal controls as far as considered in view of the audit. Where internal controls were considered, the work of the external auditor was focussed on the following processes: revenue, registration of temporary workers, registration of clients and orders, payroll for temporary workers, billing of clients, information resources and financial reporting.
The external auditor did not report material observations based on his consideration of the internal controls in light of the audit; however, several findings were reported, amongst others to further strengthen the Financial Control Framework and the IT controls. Several improvement actions have been taken, for example the addition of general computer controls as part of the Financial Control Framework.
The report of the external auditor has been discussed with the Board of Management and the Audit Committee, and improvement actions are closely monitored by the Board of Management.
In-control statement
Based on experiences in the past and the evaluation of the risk management framework, the Board of Management concluded that, in line with best practice provision II.1.4 of the Dutch Corporate Governance Code, the risk management and control systems relating to financial reporting provide reasonable assurance that the 2007 financial statements do not contain any material inaccuracies and that these systems have worked properly in the past year.
At the date of publication of the Annual Report, there are no indications that these systems will not continue to work properly in the current year.
However, projections regarding future effectiveness are subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the Group’s policies and procedures may deteriorate.