Risk Management Framework
Aligned with the business model and organisational structure, a risk management framework is in place, based on the internationally recognised COSO Enterprise Risk Management Framework. The framework balances the cost of implementation with benefits obtained from internal control measures intended to:
- promote the achievement of our business objectives;
- mitigate significant risks;
- ensure that proper accounting records are maintained and that financial information is reliable;
- safeguard assets; and
- comply with relevant internal policies and procedures and external laws and regulations.
To achieve the Group’s business objectives, it is important to identify and control the main risk areas inherent to these objectives. These risk areas have been categorised in line with the Dutch Corporate Governance Code as 1. strategic, operational and financial risks, 2. compliance risks or 3. financial reporting risks.
The integrated risk management activities are focussed on the identification, assessment, action planning and monitoring, by the risk owners, of risks connected to their business objectives. The corporate risk management function supports this risk management process and is overseen by the Risk Advisory Committee, the Corporate Risk Manager and the Financial Risk Controller who report directly to the Board of Management and the Audit Committee.

The Group’s risk management framework, including the internal audit function, was evaluated in 2007 and compared to the best practices for adequate internal control as mentioned in the COSO ERM model. The results of this evaluation have been discussed with the Audit Committee and the external auditor.
It was concluded by the Board of Management that a pragmatic risk management framework is in place that provides reasonable assurance that the Group’s business objectives can be achieved.
While our current internal control environment, our people and our established processes and procedures all contribute to reducing uncertainties or unexpected losses that could affect the achievement of our business objectives, the risk management framework is not intended to provide absolute assurance against the failure to achieve the Group’s business objectives. Furthermore, it cannot provide absolute assurance against material misstatements, losses, fraud, human error, poor judgment in decision-making and violations of legislation and regulations.
In addition, there may be significant risks which have not yet been identified or which have been assessed as not having a significant potential impact on Vedior’s business but could become significant subsequently.
Strategic, operational and financial risks
Periodically, risk management workshops are organised throughout the Group to systematically identify strategic, operational and financial risks. In these workshops, operating company management, corporate departments and/or members of the Board of Management are asked to identify their top three strategic, operational and financial risks that are managed to a level they consider acceptable for achieving the related business objectives. The workshop participants are also asked to identify their top three risks that require action.
The controls identified for top risks managed to an acceptable level are collected in a database with best practices. This database is used to support operating companies in further improving their business performance. For the top risks that require action, (additional) risk mitigating plans are drafted and implemented by responsible management. The monitoring of the timely and effective implementation of these plans is integrated into the monthly business review cycle by Zone Management. When one of the top risks is considered to be managed to an acceptable level, the subsequent risk area is identified and (additional) risk mitigating actions are taken. This ongoing risk management process is carried out at Board of Management, corporate and operating company level.
During 2007 a company-wide risk register was introduced. All operating companies are required to prepare a risk register, which includes the top three risks that warrant additional management attention and the proposed action plans to further mitigate those risk areas. In 2008, the risk register will be monitored and discussed by Zone Management and will become part of the monthly business reviews with operating company management.
Prioritisation of risks is undertaken by mapping the likelihood of occurrence and the impact on business objectives should the risk occur. Vedior has developed a Group-wide risk universe currently containing approximately 40 business risk categories. The risks identified during risk management workshops are allocated to one of these categories, facilitating the comparison and aggregation of risks.
