The Managing Board is accountable for risk management associated with DSM's strategy and activities. To that end, adequate risk management and internal control systems should be in place. The responsibility for identifying and managing risks lies within the DSM units, supported by the Corporate Risk Management (CRM) department and regularly assessed by the Corporate Operational Audit (COA) department. Both departments report directly to the CFO, and COA also has direct access to the CEO and the Audit Committee of the Supervisory Board.
The Managing Board has in place a well-embedded risk management and internal control system and organization in all company units. The approach is based on the COSO-ERM framework. This chapter is structured accordingly (see figure 'DSM Risk Management Cycle').
A full description of DSM's risk management system and process, together with a description of the identified risks, is available on the company website. These descriptions are to be considered an integral part of this Report.
It is the responsibility of the business groups, support functions, functional excellence departments and regions (the units) within DSM to set up, maintain, operate and monitor an appropriate risk management and internal control system within their area of responsibility. This responsibility includes the management, monitoring, reporting and controlling of risks. The units are supported in this by risk managers. COA closes the loop with regular assessments of the design and operational effectiveness of the risk management and internal control systems.
Mission / Internal environment
Values and business principles are key elements of the internal environment for risk management and form the starting point of the risk management cycle. DSM's core value is sustainability, which is directly related to the company's mission to create brighter lives for people today and generations to come. All DSM employees receive regular training on values and business principles per the framework requirements. This starts with overarching training on the DSM Code of Business Conduct.
In 2017, DSM introduced a new global risk management operating model to improve the agility, effectiveness and efficiency of its risk management activities. Risk managers will have dual reporting lines:
- A functional reporting line to guarantee the quality of risk management and continuous improvement
- Business reporting lines to safeguard close connection to business goals and operations
We have made it easier for employees to follow DSM's Corporate Requirements by clearly communicating who exactly needs to understand and adhere to specific requirements. This included updates to our risk management website in 2017.
Strategy / Objective setting
DSM's Corporate Risk Management supports the Executive Committee, business groups, and functions at the global and regional levels to deliver on the company's strategy.
Risk assessment and response
An important precursor to risk assessments is the company's overall risk appetite, which is defined and updated annually by the Executive Committee. In 2017, the overall risk appetite remained the same as in the previous year (see figure below).
Risk assessments and mitigation plans are carried out at various levels in the organization. DSM has a standard but flexible six-step approach to risk assessments:
- Monitoring and reviewing
Risk assessments focus on various categories including material, non-material and reputational risks. In 2017, we identified additional opportunities for improving how we facilitate, challenge, define and monitor mitigation efforts. As a result, we will also update the risk assessment training program.
Corporate Risk Assessment
DSM conducts a Corporate Risk Assessment (CRA), which is the responsibility of the Managing Board. As part of the assessment, the Executive Committee reviews and agrees on top risks facing DSM, as well as emerging and other important risks. They also agree on how to mitigate and monitor these. The outcome of the CRA is reported to, and discussed with, the Audit Committee of the Supervisory Board annually (see table of top risks).
Business Risk Assessments
DSM's business groups also conduct assessments. Business Risk Assessments (BRAs) and their equivalents for business units, functions and regions are carried out with cross-functional teams. These include experienced facilitators as well as experts who can challenge assumptions to help improve the quality of these risk assessments.
Process Risk Assessments
DSM conducts Process Risk Assessments (PRAs) which are intended to make our processes as robust, business-specific and fraud-proof as possible.
Project Risk Assessments
At the project level, risk assessments are performed on an ongoing basis to secure successful delivery of project objectives and value creation for the company.
DSM has various means of monitoring and related reporting. These include monitoring of events, Letters of Representation (LoR), external/internal audits, compliance checks, and the functioning of the common controls. Monitoring and reporting are discussed in risk management committees in order to evaluate and manage the status of the risk profile.
The most important types of risks for DSM's units, as well as any incidents, are reported annually and reviewed at mid-year through the LoR, which all reporting units are required to sign. This 'bottom-up' report is checked against the risks reported by the CRA and against the findings from the internal and external audits.
DSM's risk managers also support internal audits to check the effectiveness of the internal controls, compliance status and risk mitigations, and incident repairs.
The consolidated overview of all aforementioned monitoring is the basis for this risk section and the statements of the Managing Board at the end of this section.
Control activities are carried out by appointed unit risk managers and unit risk management committees, who regularly review:
- compliance with training implementation, segregation of duties, and follow-up of audits of various stakeholders;
- execution, follow-up and quality of the relevant set of risk assessments; and
- best practices from internal and external sources to further strengthen DSM's risk management cycle as well as to ensure appropriate risk management awareness and relevant training for DSM employees.
During 2017, DSM implemented a standard approach to monitoring ERP access controls, user provisioning and privileged user management for the majority of the company's units. DSM started to bring relevant key controls for its main supporting processes into an overarching Internal Control Framework. Relevant function leads are currently mapping their key controls, and this will enable DSM and its stakeholders to have a comprehensive oversight of all Internal Controls in scope. A pilot, as proof of concept, is planned for 2018.
Information and communication
Continuous efforts are made to inform employees about the DSM risk management system and to support and/or train them in its use. In addition to the many initiatives from 2016, the main deliverable in 2017 was the further development, improvement and updating of the risk management training curriculum and the risk management training program.
Assessment of the design and effectiveness of the risk management and internal control system
DSM has three lines of defense to manage risks:
- Line management within the units
- Risk management and internal control (on unit and corporate level)
- Independent audits by the Corporate Operational Audit (COA) department
The effectiveness of the risk management activities by the first line of defense is assessed by internal audits, coordinated by the units' risk managers, who form the second line of defense.
In addition to that, independent audits, some unannounced, are conducted by COA (third line of defense) in a program that was agreed with the Executive Committee and the Audit Committee of the Supervisory Board.
The 2017 internal audits have not indicated any material failings in the design and effectiveness of the internal risk management and control systems of the company.
The preliminary outcome of the CRA was reported to and discussed with the Audit Committee of the Supervisory Board in the meeting of December 2017. This 'top-down' outcome corresponded very well with the 'bottom-up' risks and incidents reported by all the individual units in their Letters of Representation, as well as with the findings from the internal and external audits. The final risk profile was reported to and discussed with the Audit Committee of the Supervisory Board in February 2018 and forms the basis for the main risks and responses reported in the table.
The table of top risks shows the four most important risks that might prevent DSM from achieving the targets defined in Strategy 2018: Driving Profitable Growth. It also describes the mitigating actions. Top risks have a potential impact on DSM's EBITDA of an indicative €30 million or more, or have a large non-financial impact, such as on reputation.
Top risks and related mitigating actions
For each top risk, the description of the risk is followed by the related mitigating actions.
Market environment and competition
DSM has created a streamlined and simplified business portfolio and a good platform for growth, as 2017's results have shown. Nonetheless, the risk remains of facing increased competition for some product-market combinations, especially from low-cost/low-margin players, while DSM also needs to actively manage capacity expansions for selected products.
The existing strength of the portfolio, as a result of continued investments made in innovation, has resulted in a broadening of DSM's product, application and customer base. Nonetheless, improvements to marketing and sales management programs (customer centricity, agility) will continue to increase/protect the value captured, while the company plans timely capacity expansions and/or external sourcing to manage growth. Operational continuous improvement programs also secure maximum output from existing installations.
People, organization and culture
In order to continue to deliver above-market growth and retain strong operational efficiency, DSM requires a high-quality pipeline for talents and good people development. Although good progress has been made with the introduction of a new talent management program, further improvements may be required to fully embed a culture of agility and cost-consciousness to support the organization in its growth ambitions.
DSM has adjusted its operating model and has strengthened its top leadership to enhance accountability for performance. In 2017, all executives attended a specifically designed 'Lead & Grow' leadership program focused on managing rapid change and uncertain business conditions. The monitoring of progress in the talent pipeline will continue to focus on the need to further enhance diversity.
Operating in a digital world
Despite a good track record and having procedural and system controls in place, cyber crime constantly needs attention to protect our assets and information. This risk is exacerbated by the accelerating pace of digitalization. In addition, if DSM does not progress fast enough, delays in digitalization are in themselves a risk, impacting future competitiveness.
DSM is strengthening its governance structure around cyber security, with particular attention to production plants and R&D laboratory systems. Monitoring to detect security incidents, and incident response, are in place. The company is also accelerating the deployment of digital initiatives following a full IT and digital transformation that took place in 2017, with a view to embedding a digital mindset in all parts of the organization.
Product portfolio and innovation-driven growth
The quality and relevance of the current DSM portfolio of products is fully reflected in the above-market growth rates achieved in all businesses. To sustain this strong market position DSM is investing in innovations for which the time to market is uncertain. Delays in key projects constitute a risk to mid-term sustainable growth and the company's ability to maintain highly relevant product offerings.
Product portfolio management has led to more focus in terms of capital allocation and project prioritization. Top projects are closely monitored, with a well-established stage-gate approach and regular status reviews with the Executive Committee. Where possible, time-to-market is shortened via customer and/or innovation alliances.
The top risks as defined in 2017 relate largely to the same topics as those identified in 2016. The main changes versus 2016 are:
- Although still a risk, 'Geopolitical, global financial and economic developments' has dropped out of the top risks list as the global economic outlook has improved compared to 2016 and related mitigation actions such as geographical diversification are working.
- The risk of 'Program and Project Management' has decreased and is not a top risk anymore due to the good progress made in 2017 on the cost reduction and productivity improvement programs.
- The existing 2016 risks related to operating in a digital world have increased and are now combined into a top risk.
- The 2016 emerging risk relating to some longer-term DSM Innovation projects is now reflected in the top risk 'Product portfolio and innovation-driven growth'.
The following two emerging risks have been identified by the Executive Committee. They are being carefully monitored so that DSM can take action or use them as new opportunities in a timely manner.
1. DSM's Nutrition and Materials markets may be disrupted by longer-term changes such as:
- new food preferences / food systems;
- potential impact of climate and health trends on animal protein;
- innovations such as 3D printing;
- replacing fossil fuels by energy from renewable sources; and
- new mobility and transport options.
This could create a risk if the speed of change in the world is higher than DSM's speed of adaptation to it.
2. DSM may not be able to adjust its environmental footprint or respond to climate change related disruption in its end-markets fast enough.
At the same time, these two emerging risks will also offer new opportunities for DSM's Brighter Living Solutions.
Other important risks
Besides the top risks reported in the previous table and the emerging risks that need to be taken into account, the CRA has identified some other important (sometimes more operational) risks. These include business continuity, product liability, intellectual property and tax risks. The company's risk management and internal control system has been designed to monitor and respond to these to the maximum extent possible.
Enhancement of the risk management system
During 2017, considerable effort was spent on the development and design of a new global risk management operating model, including dual reporting lines for risk managers to ensure quality of risk management and close connection to business goals and operations. Implementation started in January 2018.
Other improvements to the risk management framework:
- Long-term value creation and the company culture we aspire to have been included in the update of the Code, in line with the Dutch Corporate Governance Code.
- Further simplification of several Corporate Requirements, the Code and the corresponding training program (shorter, more inspiring and targeted content in e-learnings), together with a new global learning management system, has significantly increased the efficiency of risk management.
- A project to update our Internal Control Framework has been started because of changes in DSM's portfolio, redesign of operating models, audit findings and the update of the Dutch Corporate Governance Code.
As a standard practice, the Audit Committee of the Supervisory Board was given in-depth insight into the status of the DSM risk management system. This ensured that this committee remained fully involved and aware of the status of, and developments in, enterprise risk management and how this has the potential to help achieve DSM's strategic objectives.