The Managing Board is responsible for risk management within DSM. With the support of the Corporate Risk Management department, which reports directly to the CFO, the Managing Board has designed and implemented a well-embedded risk management system and organization in all company units. Risk management at DSM is based upon the COSO-ERM framework, as depicted in the figure below, and this section is structured accordingly.
A full description of DSM’s risk management system and process together with a description of the identified risks is available on the company’s website. These descriptions are to be considered an integral part of this Report.
Mission / Internal environment
- Values and business principles are a key element of the internal environment for risk management and form the starting point for the risk management cycle. DSM’s core value is sustainability, which is directly related to its mission to create brighter lives for people today and generations to come. All DSM employees receive regular training in risk management, covering generic and specific elements as required. This starts with an overarching training in the DSM Code of Business Conduct (see the company's website) and is then further developed along the Triple P principles, whereby either all or selected target groups of DSM employees are required to follow mandatory e-courses for risks related to People, Planet and Profit. See 'Code of Business Conduct' on Business principles.
- DSM has appointed risk managers in its organizational units (business groups, support functions, functional excellence and regions) to execute the risk management cycle, for example via risk management committees.
- DSM's ability to be a reliable business partner is further anchored in compliance with all applicable laws and regulations as well as the corporate requirements, which the company is currently simplifying to increase their effectiveness. At the same time new requirements have also been developed in order to add People+ to DSM’s Brighter Living Solutions alongside ECO+.
Strategy / Objective setting
- During 2015, DSM completed its Corporate Strategy Dialogue (CSD) process and established the company’s Strategy 2018: Driving Profitable Growth, which has set a number of corporate targets for the 2016-2018 period and thereafter. A corresponding corporate risk management plan has been developed to ensure in so far as possible the delivery of these strategic objectives. This plan also forms the basis for the individual units to define their risk management year plans at either business group, (support) function or regional level. This was also incorporated in the incentive system applicable to certain (senior) managers in 2015.
- An important precursor to risk assessments is the company’s overall risk appetite, which is defined by the Managing Board. Within the boundaries of that overall risk appetite, organizational units are encouraged to discuss their individual risk appetite depending on their specific situation.
- In 2015, the Managing Board determined the following overall risk appetite:
Risk Assessment and Response
Risk assessments and responses are carried out at various levels:
- A Corporate Risk Assessment (CRA) is performed by the Managing Board, including the definition of and follow-up on mitigating actions. Besides the input from the Managing Board members themselves, input for the CRA also comes from other members of the Executive Committee, corporate staff and shared service departments, regions, internal risks and incident reports and external sources. All these elements are consolidated by the Corporate Risk Management department. This is followed by a final session in which the Managing Board reaches consensus about the top risks DSM is facing and how to mitigate these, as well as how to respond to other important risks. They also define monitoring actions for certain emerging risks which DSM might face in the longer term (see details below). Potential risk correlations were also discussed to prevent − as far as possible − a scenario with a potential ‘domino effect’ of risks.
- Business Risk Assessments (BRA) and their equivalents for (support) functions and regions are carried out in cross functional teams. Challengers are invited to join these and improve the quality of these risk assessments.
- Process Risk Assessments (PRA) are intended to make the DSM processes as robust, business-specific and fraud-resistant as possible.
- Project risk assessments are performed on an on-going basis to secure successful delivery and value creation. This also forms part of the integration plan for new acquisitions, which includes a compliance program.
Monitoring and reporting
Various means of monitoring and reporting are in place, including the risk committees and ICT tools. These provide a robust and continuous overview of the functioning of the common controls and the mitigation of common risks. The following points should also be noted:
- DSM requires all units to sign a Letter of Representation (LoR) at the end of each book year, confirming their compliance with local laws, regulations and with corporate requirements. The LoR also confirms their reporting integrity and provides an additional platform to report material risks and incidents including possible reputational risks. In order to better monitor the company’s risk pulse and to have more time to follow up on mitigating actions, a shorter and more qualitative version of the LoR was introduced mid-year.
- Besides numerous external audits, DSM’s risk managers take the lead in instigating internal audits to check the effectiveness of the internal controls and risk and incident mitigations. Independent audits, including unannounced audits, were executed by the Corporate Operational Audit department in a program that was agreed with the Audit Committee of the Supervisory Board.
- The consolidated overview of all aforementioned risks, incidents, audits and mitigating actions is the basis for this risk section and the statements of the Managing Board in accordance with the Dutch Financial Markets Supervision Act at the end of this section as well as provided in the risk management section of the half-year figures.
Control activities are carried out by the appointed risk managers and related risk committees who regularly review:
- compliance aspects such as the implementation of training on values, segregation of duties, and follow-up of audits from various stakeholders;
- the execution, follow up and quality of the relevant set of risk assessments; and
- best practices from internal and external sources to further strengthen DSM’s risk management cycle as well as to ensure appropriate risk management training for all employees at DSM.
In 2015, new advanced ICT tools such as SAP-GRC covering access control, user provisioning and privileged user management have been implemented for the majority of DSM’s units. The Financial Shared Service Center is working on finalizing a pilot for financial process controls.
Information and Communication
Continuous efforts are made to inform employees about the DSM risk management system and train them in its use. Initiatives in 2015 included:
- improvements to the learning management system and its implementation cycle for the DSM Code of Business Conduct training, bringing the number of employees who are fully trained above 90%;
- the roll-out of updates to the DSM risk video and the basic (available for all employees) and advanced risk management courses, as well as the development of a new training for the risk management community on co-creating risk solutions in support of their role as a trusted advisor for the relevant units;
- the introduction of a more user-friendly risk management intranet site;
- the preparation of a short five-page summary of the DSM corporate requirements to improve their use in managing risks and preventing risks from materializing at DSM sites around the world;
- the provision of risk management webinars and other communications tools to address specific (new) risk topics, fraud cases, etc. DSM also facilitated dilemma discussions to improve general risk awareness within the company; and
- the start of an initiative to simplify the DSM policies and requirements in order to improve the effectiveness of the risk management cycle by making the information and communication more concise and risk-based.
The company’s top and emerging risks
The preliminary outcome of the CRA as performed by the Managing Board was reported to and discussed with the Audit Committee of the Supervisory Board in the meeting of 7 December 2015. This ‘top-down’ outcome was compared with the ‘bottom-up’ risks and incidents as reported by all the individual units in their LoR, as well as with the findings from the internal and external audits. This final risk profile was reported to and discussed with the Audit Committee on 15 February 2016 and forms the basis for the main risks and responses as reported on the next page.
The table on the next page shows the four most important risks for DSM not achieving its targets as defined in Strategy 2018: Driving Profitable Growth and the remedial actions to mitigate them. Top risks have a potential impact on DSM's EBITDA of approximately €25 million and over.
Top risks and related mitigating actions
Description of risks
In 2015, DSM finalized important transformation steps, completing the creation of a streamlined and simplified business portfolio and a good platform for growth. Nonetheless the risk of facing increased competition for some product-market combinations remains.
DSM leverages its innovation power to differentiate in the value chain and secure growth. Furthermore, DSM is broadening its offering in terms of products, applications and customer base. Improved marketing and pricing management programs should help DSM to increase the value it captures.
People, organization and culture
DSM's capabilities in certain disciplines and the way it manages talent may not be fully at the desired level to execute its plans for above-market growth or its cost and productivity improvement programs.
DSM is adjusting its operating model and has strengthened its top leadership structure to manage performance and drive the achievement of its objectives. A culture change program is ongoing, focused on a results-driven trust/support/can-do mindset. Moreover, DSM will implement a new talent management approach developed in 2015. DSM will improve its existing capabilities by training and attracting additional competences if required.
Global financial and economic developments
DSM's Strategy 2018 assumed no major economic downturn with a global GDP growth-rate of 3.2%, although economic headwinds might occur.
DSM assumed exchange rates versus the euro of USD 1.10 and CHF 1.08, while future currency volatilities could have a significant detrimental impact on the achievement of DSM's targets; USD 0.01 volatility in the exchange rate has almost €10 million EBITDA impact (before hedging).
The same mitigating actions apply to macro-economic developments as for risks related to the market environment.
Furthermore, DSM continues to match cost and revenue currencies wherever possible, while the exchange rate risk is also reduced by DSM's acquisitions in China (Aland) and Latin America (Tortuga) which provide a measure of natural hedge with 'local for local' production.
The appropriateness of the DSM hedging policy will be reviewed.
Program and project management
Besides achieving above-market growth in the period 2016-2018, EBITDA improvements have to be generated via cost savings to be derived from globally leveraging DSM's support functions and a Nutrition-specific cost and productivity improvement program. Although DSM has well-identified initiatives with targeted overall savings of €250-300 million in EBITDA by the end of 2018, the final delivery of the program will require strong program and project management.
DSM's new way of working with its focus on Accountability (delivering the results) and Collaboration (increase speed) in combination with a new operating model and a new strengthened top structure should enable faster and better execution of the strategic cost and productivity improvement programs. Moreover, DSM continues to invest in change management, strict project management and ongoing monitoring which includes taking corrective actions where needed.
In terms of possible risk correlations, the potential economic headwinds mentioned in the top risk 'Global financial and economic developments' might also impact the top risk of 'Market environment', for which the same mitigating actions as mentioned apply.
DSM’s portfolio was strengthened, streamlined and made more resilient in 2015. Consequently a number of the top risks identified in 2014 no longer qualify:
- The Market environment risk of increased competition/reduced prices for vitamin E has materialized and stabilized, while the markets for a number of products from Human Nutrition & Health have shown signs of picking up again, driven by both industry campaigns and strengthening of the DSM Human Nutrition & Health organization.
- The new DSM operating model, the implementation of which began, addresses the organization's regional and functional effectiveness in the category People, organization and culture.
- DSM successfully concluded its pursuit of strategic actions for Polymer Intermediates and Composite Resins in July 2015 with the establishment of the ChemicaInvest partnership.
- In its new operating model, DSM has made the role of functional excellence departments more explicit and improved their ability to support the business groups in order to ensure that top quartile performance will be met.
Other important risks
Besides the top strategic risks reported above, the CRA has identified a number of other important (sometimes more operational) risks with a potential EBITDA impact of approximately €5 million and over; these include business continuity, product liability, cyber security, ICT complexity, intellectual property and raw material prices. Some of these risks, such as tax risks, are managed at corporate level, whilst others are managed at unit level through rigorous application of the DSM risk management cycle and its risk management practices as explained above. Some risks with the potential to emerge in the mid and longer-term have been identified and discussed by the Managing Board and are reported in the following paragraph. The company’s risk management and internal control system has been designed to monitor and respond to these developments in a timely manner; however, 100% assurance can never be achieved.
Emerging & mid-term risks
The following emerging and mid-term risks have been reported by the Managing Board and are being carefully monitored so as to be able to mitigate them or use them as new opportunities in a timely manner:
- Slower development pace of some longer-term DSM Innovation projects such as Clean Cow, new natural sweeteners, etc. To secure these key projects as early as possible, DSM must ensure strict project governance, staffing, adequate R&D and innovation budgets and customer alliances.
- DSM's Nutrition and Performance Materials markets may be disrupted by longer-term changes in food preferences/food systems and/or by innovations (such as 3D printing, new systems replacing fossil by renewable energy, new mobility and transport options, the circular and sharing economy). At the same time these changes might also offer new opportunities in the value chains DSM serves.
- Especially the Animal Nutrition & Health business may be affected by the global or regional spread of infectious diseases. However, DSM has a well-balanced portfolio delivering solutions to different species (including swine, poultry, aquatic and ruminants) and has a good regional spread, which intrinsically reduces this risk.
Enhancement of the risk management system
A number of improvements to the risk management system were developed and implemented during the year, some of which have been mentioned above. The key improvements were:
- Compliance: DSM made significant progress in improving the training of its employees, especially for the Code of Business Conduct training (>90%) and related e-learnings such as Anti-Bribery and Corruption. For a full overview, see 'Code of Business Conduct' on DSM Code of Business Conduct.
- Risk assessments: the quality of the assessments has been stepped up by involving internal and/or external challengers; awareness on reputational risks has been raised by introducing a new tool for the identification and ranking of these risks; and creating more focus by paying more attention to the top risks. DSM introduced a new and simple methodology for bringing emerging risks to light and also improved the monitoring of these risks to ensure timely action. Potential risk correlations were also discussed to prevent − as far as possible − a scenario with a potential ‘domino effect’ of risks.
- Risk solutions: DSM updated its full suite of risk management trainings, including a behavioral training to become a more effective trusted advisor able to co-create risk solutions together with the relevant management teams. The inclusion of more outside-in views and sharing internal and external best practices also contributed.
- Finally, an in-depth presentation of the evolution of the DSM risk management system was shared with the Audit Committee of the Supervisory Board. This ensured that they are fully involved and aware of the developments in enterprise risk management and how they contribute to the achievement of DSM’s strategic objectives.