The Managing Board is accountable for the management of all risks associated with our company's strategy and activities. To this end, appropriate risk management and internal control systems are in place. The responsibility for identifying and managing risks lies with DSM's individual units.
The units are supported by the Group Risk Management (GRM) department and are regularly assessed by the Corporate Operational Audit (COA) department. Both GRM and COA report directly to the CFO, and COA has direct access to the CEO as well as to the Audit Committee of the Supervisory Board.
A well-embedded risk management and internal control system and accompanying organization are in place in all units. This approach is based on the COSO-ERM framework. This chapter is structured accordingly (see figure 'DSM Risk Management Cycle').
A full description of our risk management and internal control system and process, together with a description of the identified risks, is available on the company website.
It is the responsibility of the business groups, support functions, functional excellence departments and regions (the units) within DSM to set up, maintain, operate and monitor an appropriate risk management and internal control system within their area of responsibility. This responsibility includes the management, monitoring, reporting and controlling of risks. The units are supported in this by risk managers. COA closes the loop through regular assessments of the design and operational effectiveness of the risk management and internal control system.
Mission / Internal environment
Values and business principles are key elements of the internal environment for risk management and form the starting point of the risk management cycle. DSM's values are directly related to our purpose of creating brighter lives for all. All our employees receive regular training on values and business principles in line with the framework requirements. They first receive overarching training on the DSM Code of Business Conduct.
In 2018, we implemented a new global risk management operating model to improve the agility, effectiveness and efficiency of our risk management activities. Risk managers have dual reporting lines:
(1) A functional reporting line into Group Risk Management to guarantee the quality of risk management and continuous improvement
(2) A business / support function reporting line to safeguard close connection to business / support function goals and operations
We have made it easier for employees to follow our Corporate Requirements by clearly communicating who exactly needs to understand and adhere to specific requirements.
Strategy / Objective setting
Our Group Risk Management supports the Executive Committee, business groups, and support functions at the global and regional levels with risk assessments, Letter of Representation, Corporate Requirements, Code of Business Conduct, and internal control. It also runs a DSM values and risk management training program to deliver on our company strategy.
Risk assessment and response
An important precursor to any risk assessment is our overall risk appetite, which is defined and updated annually by the Executive Committee. In 2018, our overall risk appetite remained the same as in the previous year (see figure below).
Risk assessments and mitigation plans are carried out at various levels in the organization. We take a standard but flexible, five-step approach to risk assessments:
- Risk assessment planning
- Risk identification and clustering
- Risk rating
- Evaluation and risk response
- Periodic monitoring and reviewing
Risk assessments cover various categories, including material, non-material, reputational and emerging risks. In 2018, we identified additional opportunities for improving how we facilitate, challenge, define and monitor our mitigation efforts. As a result, we created a Risk Assessment Manual and also updated the risk assessment training program regarding facilitation and execution.
Corporate Risk Assessment
We periodically conduct a Corporate Risk Assessment (CRA), which is the responsibility of the Managing Board. As part of this assessment, the Executive Committee reviews and agrees on the top risks facing DSM as well as emerging risks, which could become material after the current strategic period. The Executive Committee also agrees on how to mitigate and monitor these. The outcome of the CRA is reported to, and discussed with, the Audit Committee of the Supervisory Board annually (see table of Top risks).
Business Risk Assessments
Our business groups also conduct assessments. Business Risk Assessments (BRAs) and their equivalents for our business units, functions and regions are carried out by cross-functional teams. These include experienced facilitators as well as experts who can challenge assumptions in order to help improve the quality of these risk assessments.
Process Risk Assessments
We additionally conduct Process Risk Assessments (PRAs) which are intended to make our processes as robust, business-specific and fraud-proof as possible.
Project Risk Assessments
At project level, risk assessments are performed on an ongoing basis to secure successful delivery of project objectives and value creation for the company.
Monitoring and reporting
We have various means of monitoring and related reporting. These include monitoring of events, the Letter of Representation (LoR), external/internal audits, compliance checks, and the functioning of the common controls. Monitoring and reporting are discussed in risk management committees in order to evaluate and manage the status of the risk profile.
The most important types of risks for our units, as well as any incidents, are reported annually and reviewed mid-year through the LoR, which all reporting units are required to sign. This 'bottom-up' report is checked against the risks reported by the CRA, as well as against the findings from the internal and external audits.
Our risk managers also support internal audits in their work of checking the effectiveness of the internal controls, compliance status, risk mitigations, and incident remediation.
The consolidated overview of all the aforementioned monitoring is the basis for this risk section and the statements of the Managing Board at the end of this section.
Control activities
Control activities ensure the safeguarding of our assets and the integrity of our financial reporting. They help us to avoid fraud and reputational damage and they also support the statements of the Managing Board. We have implemented the core of the Internal Control Framework, which brings the key controls for our main supporting processes together in one overarching framework. The relevant function leads manage their key controls, giving DSM and its stakeholders comprehensive oversight of all internal controls in scope. Control activities are carried out by the responsible unit managers and regularly reviewed in Risk Management Committees. These activities include:
- Compliance with training requirements, segregation of duties, and follow-up of audits of various stakeholders
- Execution, follow-up and quality of the relevant set of risk assessments
- Best practices from internal and external sources to further strengthen our risk management cycle as well as to ensure appropriate risk management awareness and relevant training for our employees
We apply a standard approach for monitoring ERP (Enterprise Resource Planning) access controls, user provisioning and privileged user management for the majority of our units.
Information and communication
Continuous efforts are made to inform employees about the DSM risk management system and to support and/or train them in its use.
Assessment of the design and effectiveness of the risk management and internal control system
Three lines of defense exist to manage risks.
First line: Line management within the units, executing risk management and internal control activities.
Second line: Risk management, assessing the effectiveness of the risk management and internal control activities, both at unit and corporate level.
Third line: Corporate Operational Audit (COA), conducting independent audits/reviews, some of them unannounced. The scope and frequency of the COA audits are set according to the ranking of the auditable units in terms of the magnitude of risk, based on a limited number of defined characteristics. This program has been agreed by the Executive Committee and the Audit Committee of the Supervisory Board.
The internal audits conducted in 2018 did not indicate any material failings in the design and effectiveness of our risk management and internal control system.
The outcome of the CRA for Strategy 2021 in July 2018 and the CRA review of December 2018 were reported to and discussed with the Audit Committee of the Supervisory Board. This 'top-down' outcome corresponded very well with the 'bottom-up' risks and incidents as reported by all the individual units in their respective Letter of Representation, as well as with the findings from the internal and external audits. This final risk profile was reported to and discussed with the Audit Committee of the Supervisory Board in February 2019 and forms the basis for the main risks and responses as reported in the table.
The following table shows the four most important risks that might prevent us from achieving the targets defined in Strategy 2021. It also describes the mitigating actions we are taking. Top risks have a potential impact on DSM's EBITDA of an indicative €30 million or more, or have a large non-financial impact such as on reputation.
Top risks and related mitigating actions
Product portfolio and purpose driven growth
Description of risks:
The quality and relevance of the current DSM portfolio of products is fully reflected in the above-market growth rates achieved in all businesses. To sustain this strong market position, DSM needs to continuously invest in its existing products and in large innovation projects for which the time to market is uncertain.
DSM also aims to execute value-creating M&A, predominantly in nutrition, to further evolve its portfolio. This will require resources and could constitute a distraction affecting the ongoing business performance.
Mitigating actions:
In order to sustain organic growth, all business groups have customer-centricity programs running. Upgrading the sales force and a more agile organization are part of these programs. These programs will continue and, where needed, be reinforced in 2019.
Top innovation projects are closely monitored, with a well-established stage-gate approach and regular status reviews with the Executive Committee. Where possible, time-to-market is shortened via customer and/or innovation alliances, such as the recently announced joint venture with Cargill to introduce zero-calorie, cost-effective sweeteners.
To avoid distraction across the company, M&A initiatives are managed centrally. Staffing has also been organized to ensure flawless integrations while maintaining the running business performance.
Market environment and competitive position
Description of risks:
DSM has created a streamlined and simplified business portfolio and a good platform for growth, as 2018's results have shown.
Nonetheless, the risk remains of facing increased competition for some product-market combinations, especially from low-cost/margin players. DSM actively needs to manage its competitive position, which includes capacity expansions for selected products.
Mitigating actions:
The existing strength of the portfolio, as a result of continued investments made in innovation, has resulted in a broadening of DSM's product, application and customer base.
Nonetheless, customer-centricity programs have been initiated to increase/protect the value captured. Increased sales and marketing effectiveness is a key element of these programs.
The company has a multi-year plan to ensure timely capacity expansions and/or external sourcing to manage growth. Operational continuous improvement programs also secure maximum output from existing installations.
People, organization and culture
Description of risks:
In order to continue to deliver above-market growth and retain strong operational efficiency, DSM requires a high-quality pipeline of talents and effective people development.
While good progress has been made in talent management, further improvements may be required to fully embed a culture of customer-centricity, agility and cost-consciousness to support the organization in its growth ambitions.
Mitigating actions:
In order to have the right people and culture to sustain an organic growth focus, DSM has initiated customer-centricity programs across all business groups. The Strategy update announced in June 2018 also strongly emphasized the actions in place to support internationalization & diversity, leadership development and culture (see People).
To make sure we make full use of our resources, we will put more focus on inclusive, agile and high-performing teams.
Operating in a digital world
Description of risks:
Despite a good track record and the procedural and system controls in place, cybercrime requires constant attention to protect our assets and information. This risk is exacerbated by the accelerating pace of digitalization.
Mitigating actions:
DSM has further strengthened its cyber security. A risk assessment was performed in 2018 covering both information technology (IT) and operational technology (OT) systems. Specific programs have been rolled out to improve the cyber security of production plants and R&D laboratory systems. Security monitoring and incident response are in place to detect and handle security incidents. In 2018, a new reporting dashboard was also developed to monitor trends and enhance early detection of vulnerabilities.
As part of the CRA for Strategy 2021, all risks from the previous strategy were assessed in order to ascertain whether they are top risks for the new strategy as well. The risks shown in the top risk table are a combination of current and new top risks.
The following three emerging risks have been identified by the Executive Committee. They are being carefully monitored so that we can take action or use them as new opportunities in a timely manner.
1. Our Nutrition and Materials markets may be disrupted by longer-term changes such as:
- New food preferences / food systems
- Potential impact of climate and health trends on animal protein
- Innovations such as 3D printing
- Replacing fossil fuels by energy from renewable sources
- New mobility and transport options
This could create a risk if the speed of change in the world is higher than our speed of adaptation to it.
2. We may not be able to adjust our environmental footprint fast enough.
3. We may not be able to respond to climate change fast enough in connection with:
- Sourcing risks
- Physical risks (e.g. in operations)
- Disruption to our end-markets (transitional risks)
At the same time, these emerging risks will also offer new opportunities for our Brighter Living Solutions.
Other important risks
Besides the top risks reported in the previous table and other emerging risks that need to be taken into account, there are also some other important risks, sometimes of a more operational nature. These include business continuity, product liability, intellectual property, tax and digitalization risks. DSM did not identify any significant company-specific risks associated with Brexit, other than the general external uncertainties around, for example, currency and other economic developments associated with the different scenarios for the UK exiting the EU.
Our risk management and internal control system has been designed to monitor and respond to these risks to the maximum extent possible.
Enhancement of the risk management system
During 2018, the following major improvements were made to our risk management framework:
- New global Risk Management organization rolled out
- Core of Internal Control Framework implemented
- Letter of Representation updated: specific attention for Emerging risks and two new risk categories, Climate risks and Internal Control risks
- To support the LoR submissions, dedicated sessions were organized to discuss potential climate risks in more detail with the individual business groups
- More focus on the quality of Risk Assessments (new Risk Assessment Training Program and Manual)
- The DSM Cyber Fraud Awareness e-learning was introduced for all our employees, to increase their awareness of important types of cybercrime (ransomware, man-in-the-middle attacks and fake CEO emails)
As a standard practice, the Audit Committee of the Supervisory Board was given detailed insight into the status of our risk management system in 2018. This ensured that the committee remained fully involved in, and aware of, the status of and developments in the dynamic process of enterprise risk management, and of how it can help us achieve our strategic objectives.