Risk management

The Managing Board is responsible for risk management within DSM. With the support of the Corporate Risk Management department, which reports directly to the CFO, the Managing Board has designed and implemented a well-embedded risk management system and organization in all company units. Risk management at DSM is based upon the COSO-ERM framework, as depicted in the figure below, and this section is structured accordingly.

A full description of DSM’s risk management system and process together with a description of the identified risks is available on the company website. These descriptions are to be considered an integral part of this Report.

Figure: Enterprise risk management

Mission / Internal environment

Values and business principles are a key element of the internal environment for risk management and form the starting point for the risk management cycle. DSM’s core value is sustainability, which is directly related to its mission to create brighter lives for people today and generations to come. All DSM employees receive regular training regarding values and business principles, covering generic and specific elements as required. This starts with an overarching training in the DSM Code of Business Conduct (CoBC) (see the company website) and is then further developed along the Triple P principles, whereby all DSM employees, or selected target groups, are required to follow mandatory e-courses on risks related to People, Planet and Profit.

  • In 2016, the average implementation score across DSM for the values-related courses mentioned above further increased to more than 95%. This figure includes a new e-learning on Data Privacy Knowledge. Data protection is an area of increasing importance and societal interest. This course was introduced to increase awareness and further safeguard the data DSM holds on, for instance, employees, customers, suppliers and other partners in line with applicable legal requirements.
  • In order to improve the effective use of the DSM Corporate Requirements, a number of these requirements were simplified during 2016, making it easier for target audiences to understand which elements of the requirements apply to them and how to effectively deploy them. Online tools have also been improved in support.

Strategy / Objective setting

  • A corporate risk management plan has been developed to support the delivery of the strategic targets of DSM's Strategy 2018: Driving Profitable Growth. This plan also forms the basis for the individual units to define their risk management year plans at either business group, (support) function or regional level. This plan was updated and incorporated in the incentive system applicable to certain (senior) managers in 2016.
  • An important precursor to risk assessments is the company’s overall risk appetite, which is defined by the Managing Board. In 2016, DSM extended and updated its risk categories. This was followed by an update of the company’s risk appetite by the Executive Committee. The risk appetite depiction has been updated to show a somewhat more ‘hungry’ position on Generic/strategic risks in 2016; this is acknowledged as being a better reflection of DSM’s appetite, in particular with regard to innovation and talent management.

Figure: DSM Risk Appetite

Risk assessment and response

  • Risk assessments and corresponding mitigation plans are carried out at various levels in the organization. The Managing Board is responsible for the Corporate Risk Assessment (CRA). The full Executive Committee reaches consensus about the top risks DSM is facing and how to mitigate these, as well as how to respond to other important risks. The Corporate Risks are discussed on a regular basis by the Executive Committee and owners are assigned for the various risk mitigation plans. Several risks were reduced during 2016, for instance through the roll-out of SAP-GRC access controls for continuous control monitoring, which has nearly been finalized. Meanwhile some new risk elements emerged as indicated below, especially in the top risks section. The Executive Committee also defined monitoring actions for a slightly higher number of emerging risks that DSM might face in the longer term (details below).
  • Various opportunities have been defined to further strengthen how risks are being assessed and mitigated across the various units. DSM intends to further improve the quality of risk management facilitation, challenge, and the definition and monitoring of mitigation actions, both in its running businesses and in projects. Potential risk correlations were also discussed to prevent, as far as possible, a scenario with a potential ‘domino effect’ of risks; see ‘Top risks’ in this section.

Monitoring and reporting

Various means of monitoring and reporting are in place, including risk committees and ICT tools. These provide a robust and continuous overview of the functioning of the common controls and the mitigation of common risks. The following points should also be noted:

  • The Letter of Representation (LoR), which all reporting units are required to sign, also confirms their reporting integrity and provides an additional platform to report material risks and incidents including possible reputational risks. In 2016, we further strengthened the LoR procedure by requesting the units to also report potential deviations from laws and regulations and/or the Corporate Requirements that may occur for a given period due to specific circumstances; for instance, it takes time to train the employees at a newly acquired unit in all of DSM’s safety and ethical requirements. Another improvement in 2016 was the use of high-level risk findings, such as from the CRA and/or outside-in risk examples, to further complete and improve the quality of the LoR.
  • Besides numerous external audits, DSM’s risk managers also support internal audits to check the effectiveness of the internal controls and risk and incident mitigations. Independent audits, including unannounced audits, were executed by the Corporate Operational Audit (COA) department in a program that was agreed with the Executive Committee and the Audit Committee of the Supervisory Board.
  • Building on a new COA approach to executing end-to-end process audits, DSM has concluded that it should further strengthen end-to-end operational risk management. DSM also believes that in case incidents do occur, more in-depth root cause analysis will ensure that learnings can be better extracted and shared to prevent recurrence in the future.
  • The consolidated overview of all aforementioned risks, incidents, audits and mitigating actions is the basis for this risk section and the statements of the Managing Board in accordance with the Dutch Financial Markets Supervision Act at the end of this section. It is additionally provided in the risk management section of the half-year figures.

Control activities

Control activities are carried out by the appointed unit risk managers and related unit risk committees, who regularly review:

  • compliance aspects such as the implementation of training on values, segregation of duties, and follow-up of audits from various stakeholders;
  • the execution, follow-up and quality of the relevant set of risk assessments; and
  • best practices from internal and external sources to further strengthen DSM’s risk management cycle as well as to ensure appropriate risk management training for all employees at DSM.

DSM continued to implement new advanced ICT tools such as SAP-GRC covering access control, user provisioning and privileged user management for the majority of the company’s units. After some delay due to the development of the new target operating model for the Finance function, the Financial Shared Service Center started work on a pilot for the further implementation of financial process controls.

Information and Communication

  • Continuous efforts are made to inform employees about the DSM risk management system and train them in its use. In addition to the many initiatives from 2015 listed on the company website, the main 2016 deliverable was the further roll-out of updated and intensive risk management training programs in the US, China, Switzerland and the Netherlands.
  • In 2016, DSM received external recognition for its risk management approach, being named best in class in this respect in the Dow Jones Sustainability World Index, while the Dutch AFM (Autoriteit Financiële Markten) highlighted DSM’s reporting on Risk appetite and Top risks as good practices.

The company’s top and emerging risks

The preliminary outcome of the CRA was reported to and discussed with the Audit Committee of the Supervisory Board in the meeting of 6 December 2016. This ‘top-down’ outcome corresponded very well with the ‘bottom-up’ risks and incidents as reported by all the individual units in their LoR, as well as with the findings from the internal and external audits. This final risk profile was reported to and discussed with the Audit Committee on 13 February 2017 and forms the basis for the main risks and responses as reported below.

Top risks

The table below shows the four most important risks to DSM not achieving its targets as defined in Strategy 2018: Driving Profitable Growth as well as the remedial actions to mitigate them. Top risks have a potential impact on DSM's EBITDA of approximately €30 million and over.

The top risks as defined in 2016 relate to the same topics as those identified in 2015. Besides a further sharpening of the definitions used to reflect both internal and external developments during the year, the main changes versus 2015 are:

  • ‘Geopolitical, global financial and economic developments’ have become the number two top risk for our company (2015: number three) as geopolitical risks have increased, while at the same time oil prices have become very uncertain and more volatile.
  • 'People, organization and culture' dropped to the number three position as a result of the implementation of the new talent management model, as well as the on-going roll-out of the new target operating model for the company.

Top risks and related mitigating actions

Market environment

Description of risks: In 2015, DSM finalized key transformation steps, completing the creation of a streamlined and simplified business portfolio and a good platform for growth, as 2016’s results have shown. Nonetheless the risk of facing increased competition for some product-market combinations remains, while DSM actively needs to manage capacity expansions for selected products.

Mitigating actions: DSM leverages its innovation power to differentiate in the value chain and secure growth. Furthermore, DSM is broadening its offering in terms of products, applications and customer base. Improved marketing and sales management programs should contribute to enabling DSM to increase/protect the value it captures, while the company plans timely capacity expansions and/or external sourcing to manage growth. This is strictly monitored by the Executive Committee.

Geopolitical, global financial and economic developments

Description of risks: DSM's Strategy 2018 assumed no major economic downturn with a global GDP growth-rate of 3.2%, although economic headwinds might occur. Events such as major changes in the political landscape and/or an increase in oil price (volatility) may impact the Materials business in particular. DSM assumed exchange rates versus the euro of approximately USD 1.10 and CHF 1.08, while future currency volatilities could have a significant impact on the achievement of DSM's targets.

Mitigating actions: The same mitigating actions apply to macro-economic developments as for risks related to the market environment. Furthermore, DSM continues to match cost and revenue currencies wherever possible, while the transactional exchange rate risk has been reduced by, among other things, the continued development of DSM’s acquired businesses in China and Latin America, which provide a measure of natural hedge with 'local for local' production. Improved scenario planning is being developed to secure continued delivery in line with targets even should the oil price deviate significantly from original assumptions.

People, organization and culture

Description of risks: DSM has significantly altered its organizational structure and operating model, potentially temporarily affecting DSM's capabilities in certain disciplines. The way DSM manages talent may also not be fully at the desired level to execute its plans for above-market growth or its cost and productivity improvement programs.

Mitigating actions: DSM is adjusting its operating model and has strengthened its top leadership structure precisely to manage performance and drive the achievement of its objectives. A culture change program is on-going focused on a results-driven trust/support/can-do mindset. Moreover, DSM will speed up/be more progressive in rolling out its talent management approach. DSM will improve its existing capabilities by training and attracting additional competences if required.

Program and project management

Description of risks: Besides achieving above-market growth in the period 2016-2018, EBITDA improvements have to be generated via cost savings to be derived from globally leveraging DSM's support functions and a Nutrition-specific cost and productivity improvement program. Although DSM’s well-identified initiatives with targeted overall savings of €250-300 million in Adjusted EBITDA by the end of 2018 (versus the 2014 baseline) are on track at the end of 2016, the final delivery of the programs will continue to require strong program and project management.

Mitigating actions: DSM's new way of working with its focus on Accountability (delivering the results) and Collaboration (increased speed) in combination with a new operating model and a new, strengthened, top structure should enable faster and better execution of the strategic cost and productivity improvement programs. Moreover, DSM continues to invest in change management and ongoing monitoring, which includes taking corrective actions where needed. So far these major programs are well on track.

Other important risks

Besides the top strategic risks reported above, the CRA has identified a number of other important (sometimes more operational) risks with a potential EBITDA impact of approximately €5 million and over; these include business continuity, product liability, cyber security, ICT complexity, intellectual property and raw material prices. Some of these risks, such as tax risks, are managed at corporate level, while others are managed at unit level through rigorous application of the DSM risk management cycle and its risk management practices as explained above. Some risks with the potential to emerge in the mid- and longer-term have been identified and discussed by the Managing Board and are reported in the following paragraph. The company’s risk management and internal control system has been designed to monitor and respond to these developments in a timely manner; however, complete prevention or mitigation can never be achieved. A combined corporate and unit effort is ongoing to reduce potential ICT, cyber security and internal control-related risks.

Emerging & mid-term risks

The following three emerging and mid-term risks have been reported by the Managing Board (the first two of which were identified in 2015, with the third a new addition following the 2016 CRA) and are being carefully monitored so as to be able to mitigate them or use them as new opportunities in a timely manner:

  • Slower development pace of some longer-term DSM Innovation projects such as Clean Cow, new natural sweeteners, etc. To secure these key projects as early as possible, DSM must ensure strict project governance, staffing, and adequate R&D and innovation budgets, as well as customer alliances.
  • DSM's Nutrition and Materials markets may be disrupted by longer-term changes in food preferences/food systems, such as the potential impact of climate change and health trends on animal protein consumption, and/or by innovations such as 3D printing, new systems replacing fossil fuels by energy from renewable sources, new mobility and transport options, and the circular and sharing economy. At the same time, these changes might also offer new opportunities in the value chains DSM serves.
  • New: DSM may not be able to develop new business models fast enough to take advantage of digital transformation trends in all its market segments.

Risk correlation

In terms of possible risk correlations, the potential geopolitical and economic headwinds mentioned in the top risk 'Geopolitical, global financial and economic developments' might also impact the top risk of 'Market environment'; a domino or compounding effect could occur. This kind of potential risk correlation is visualized for the top four risks in the chart below. Correlated risks could either strengthen or partly mitigate one another.

Figure: Top risk correlations

Broadly the same mitigating actions apply for these potentially correlated top risks. As a further mitigating action, DSM is strengthening its commercial capabilities as well as its innovation and sourcing strategies to secure insofar as possible the top-line growth and margins it targets.

Enhancement of the risk management system

A number of improvements to the risk management system were developed and implemented during the year, some of which have been mentioned above. The key improvements were:

  • Compliance: DSM further strengthened the implementation score of the nine values-related trainings (which now include Privacy) to an average of above 95%. A program to improve the effectiveness and execution of the DSM Corporate requirements and related internal controls by simplifying them is underway. Improved learning from incidents and better operational end-to-end risk management are on the agenda for 2017 and onward.
  • Risk assessments: improvements include updating and extending the list of risk definitions, while additional Executive Committee attention to the topic clearly strengthened the tracking of actions from the CRA. Potential risk correlations were also discussed to prevent, insofar as possible, situations with a potential ‘compounding effect’ of risks. Nonetheless, there is more work required to further enhance the quality of the risk assessments in terms of preparation, facilitation, challenging and defining mitigating actions.
  • Risk solutions: an updated risk management training program was delivered to DSM’s largest regions. The inclusion of more outside-in views and the sharing of internal and external best practices contributed to risk management maturity.
  • The Audit Committee of the Supervisory Board was given in-depth insight into the 2016 improvements to the DSM risk management system, including those areas recognized externally as best in class, as well as the areas for future efforts as mentioned above. This ensured that they remained fully involved and aware of the developments in enterprise risk management and how these risk management improvements (could) contribute to the achievement of DSM’s strategic objectives.