The Managing Board is accountable for the management of all risks associated with our company's strategy and activities. To this end, appropriate risk management and internal control systems are in place. The responsibility for identifying and managing risks lies with DSM's individual units.
The units are supported by the Group Risk Management (GRM) department and are regularly assessed by the Corporate Operational Audit (COA) department. Both GRM and COA report directly to the CFO, and COA has direct access to the CEO as well as to the Audit Committee of the Supervisory Board.
A well-embedded risk management and internal control system and accompanying organization are in place in all units. This approach is based on the COSO-ERM framework, and this chapter is structured accordingly (see 'DSM Risk Management Cycle' above).
It is the responsibility of the business groups, support functions, functional excellence departments and regions within DSM (the units) to set up, operate, maintain and monitor an appropriate risk management and internal control system within their area of responsibility. This responsibility includes the identification and management of risks. The units are supported in this by risk managers. GRM performs independent reviews based on a set of defined key controls. COA closes the loop through regular assessments of the design and operational effectiveness of the risk management and internal control system.
Mission / Internal environment
Our purpose, core values and business principles are key elements of the internal environment for risk management and form the starting point of the risk management cycle. Our core values are directly related to our purpose of creating brighter lives for all. All our employees receive regular training on values and business principles in line with the Code of Business Conduct.
Strategy / Objective setting
Following the establishment of the corporate strategy, the Executive Committee decides on the risk appetite, which is reviewed annually. In 2019, our risk appetite regarding 'Generic/strategic' risks shifted slightly to 'Open/Hungry' (see figure below).
In line with the corporate strategy, the corporate requirements are defined and maintained. The corporate requirements provide:
Risk-based guidance for managing common business and process risks
Standards to increase the efficiency of our main processes
Risk assessment and response
Risk assessments are carried out at various levels in the organization. We take a standard but flexible, seven-step approach to risk assessments:
Risk assessment planning
Risk identification and clustering
Evaluation and risk response
Periodic monitoring and reviewing
Our risk assessments focus on both short-term risks (up to and including three years) and emerging risks (3–30 years) in four risk areas: Generic/strategic, Operational, Financial and reporting, and Legal and compliance. To continuously improve the effectiveness of the risk assessment process, a Risk Assessment Manual is available and a training program for facilitating and executing risk assessments is being rolled out.
Corporate Risk Assessment
We periodically conduct a Corporate Risk Assessment (CRA), which is the responsibility of the Managing Board. As part of this assessment, the Executive Committee (EC) reviews and agrees on the short-term top risks as well as emerging risks. The EC also agrees on how to mitigate and monitor these. The outcome of the CRA is reported to, and discussed with, the Audit Committee of the Supervisory Board annually, see 'Top risks' table.
Unit Risk Assessments
The DSM units (the business groups, support functions, functional excellence departments and regions) also conduct various types of risk assessments. Most risk assessments are carried out by cross-functional teams. These teams include experienced facilitators as well as experts who can challenge assumptions in order to help improve the quality of these risk assessments.
Business Risk Assessments focus on risks that could jeopardize the attainment of our strategic goals.
Process Risk Assessments are intended to make our processes as robust and fraud-proof as possible.
Project Risk Assessments focus on specific projects and are updated throughout project execution to secure successful delivery of project objectives and value creation for the company.
Complementing the above, additional specific risk assessments may be performed for areas such as Safety, Health, Environment, Climate, Security and topics such as complex organizational changes.
Control activities
Control activities are performed at all levels of the company and at various stages within the business processes. They are preventive or detective in nature and encompass a range of manual and (semi-)automated controls such as policies, procedures, authorizations, verifications and business performance reviews. These controls also help us to avoid fraud and reputational damage and support the statements of the Managing Board.
We apply a standard approach for monitoring Enterprise Resource Planning (ERP) system access controls, user provisioning, privileged user management and Segregation of Duties for the majority of our units.
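The monitoring described above (ERP access controls, privileged user management and Segregation of Duties) reduces in practice to checking each user's effective permissions against a list of toxic permission combinations and a list of privileged entitlements. The following is an added example of that check, not code from DSM or from any ERP vendor; the role names, permission names, SoD rules, users and the exception register are all constructed for illustration.

```python
"""Segregation-of-Duties and privileged-access check over ERP role assignments.

Added illustration (not DSM's or any ERP vendor's code). All role names,
permission names, rules, users and exceptions below are constructed sample data.
"""

# Which fine-grained permissions each role grants (constructed sample data).
ROLE_PERMISSIONS = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_APPROVER": {"payment.approve"},
    "PAYMENT_RUN": {"payment.execute"},
    "SAP_ALL": {"vendor.create", "invoice.enter", "payment.approve",
                "payment.execute", "user.admin"},
    "READ_ONLY": {"report.view"},
}

# Toxic combinations: one person holding both halves can both commit and
# conceal a fraudulent transaction. (permission_a, permission_b, description)
SOD_RULES = [
    ("vendor.create", "payment.approve", "create a vendor and approve payments to it"),
    ("invoice.enter", "payment.approve", "enter an invoice and approve its payment"),
    ("payment.approve", "payment.execute", "approve and execute the same payment"),
]

# Permissions that make a user "privileged" and subject to extra review.
PRIVILEGED_PERMISSIONS = {"user.admin"}

# Approved exceptions (conflicts accepted with a documented compensating
# control). A conflict listed here is not reported as a finding.
EXCEPTION_REGISTER = {
    "bob": {"enter an invoice and approve its payment"},
}

# Current role assignments (constructed sample data).
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_APPROVER"},
    "carol": {"SAP_ALL"},
    "dave": {"READ_ONLY"},
}


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of all permissions granted by the given roles.

    An unknown role is treated as granting nothing; callers that care should
    validate role names separately, since a typo here would silently hide risk.
    """
    perms = set()
    for role in roles:
        perms |= role_permissions.get(role, set())
    return perms


def sod_conflicts(user_roles, role_permissions=ROLE_PERMISSIONS,
                  rules=SOD_RULES, exceptions=EXCEPTION_REGISTER):
    """Return {user: [conflict descriptions]} for unapproved SoD violations."""
    findings = {}
    for user, roles in sorted(user_roles.items()):
        perms = effective_permissions(roles, role_permissions)
        hits = [desc for a, b, desc in rules if a in perms and b in perms]
        hits = [h for h in hits if h not in exceptions.get(user, set())]
        if hits:
            findings[user] = hits
    return findings


def privileged_users(user_roles, role_permissions=ROLE_PERMISSIONS,
                     privileged=PRIVILEGED_PERMISSIONS):
    """Sorted list of users whose effective permissions include a privileged one."""
    return sorted(
        user for user, roles in user_roles.items()
        if effective_permissions(roles, role_permissions) & privileged
    )


if __name__ == "__main__":
    for user, conflicts in sod_conflicts(USER_ROLES).items():
        for c in conflicts:
            print(f"SoD FINDING  {user}: can {c}")
    for user in privileged_users(USER_ROLES):
        print(f"PRIVILEGED   {user}: review and certify access")
```

Running the block reports bob's vendor/payment conflict (his invoice/payment conflict is covered by the exception register and is suppressed) and flags carol, who holds the catch-all role, for all three conflicts and as a privileged user. In a real monitoring run the role and assignment tables would be exported from the ERP system rather than hard-coded, and the exception register would be owned by the control owner, not by the people being checked.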
Monitoring
Monitoring activities are performed at different levels and within different functions in the organization, such as:
The execution of the standard key controls as included in our Internal Control Framework (ICF) is monitored by unit management. Group Risk Management (GRM) additionally provides independent testing of the effectiveness of those key controls, and evaluates the impact of control deficiencies
The units report their total risk overview via the Letter of Representation (LoR) process. They report on compliance with applicable laws and regulations, our Code of Business Conduct, corporate policies and corporate requirements and the related risks, as well as on more generic/strategic risks. The review also tracks progress in implementing the defined mitigation actions and monitors incidents that occurred during the year
Tracking of timely completion of DSM values training
Review of incidents, fraud cases, Alert cases, results from phishing tests and the cybersecurity dashboard
Peer audits on specific topics, such as the Purchase to Pay process and SHE
Audits by customers, suppliers, or other external audits
The outcome of the monitoring activities is regularly discussed in unit risk management committees and the Audit Committee of the Supervisory Board to evaluate and manage the risk profile of the units and of the company as a whole.
Information and communication
We strive for an open communication culture and have various channels for communicating risk data and information both internally and externally. These channels enable our organization to provide relevant information for decision-making, such as the status of the risk profile and the effectiveness of the risk management system.
Discussions of risks are integrated into normal business discussions, as these are an intrinsic part of doing business. However, certain specific structures are in place to ensure that special attention is paid to parts of the risk management cycle:
The risk management committees of the units
The global fraud committee
The global issue committee
The Alert procedure
Dedicated discussions with the EC on the CRA and the outcome of the LoR process
The Audit Committee of the Supervisory Board
We use a three-lines-of-defense model to manage risks effectively.
First line: the responsibility for identifying and managing risks, including all internal controls activities, lies with the individual units.
Second line: GRM designs, implements and maintains the overall risk management framework for the company. GRM assesses the overall effectiveness of the risk management and internal control activities and provides insight into the overall risk profile of the company. GRM also supports the first line of defense in risk identification and management by designing and developing standards, systems and tools. Besides GRM, there are also other departments acting as a second line of defense, for instance, DSM Operations & Responsible Care (Manufacturing, SHE & Security), and Group Control & Accounting.
Third line: COA conducts independent audits/reviews, some of them unannounced. The scope and frequency of COA audits are set according to the ranking of the auditable units by magnitude of risk, based on a limited number of defined characteristics. This program is agreed by the EC and the Audit Committee of the Supervisory Board.
Enhancement of the risk management system
During 2019, the following main improvements were made to our risk management framework:
We further strengthened the ICF with the support of all business groups, GRM and all support functions. The maturity of both first-line and second-line activities was increased, and more legal entities adopted the ICF standards
A new values training was launched on 'Respectful Behavior', which is mandatory for all employees
Due to the addition of two new Life Saving Rules (LSR), 'Transport and Warehouse Safety' and 'Hot Work', the LSR training was updated accordingly
GRM and COA expanded their review of fraud cases, incidents, COA findings and Alert cases to also identify trends and underlying root causes and to define mitigating actions
We improved the LoR process by giving more guidance on the reporting and the description of short-term risks and emerging risks
DSM risk profile
The risk management activities as performed by the first line of defense as well as the reviews/audits conducted by the second and third line of defense in 2019 did not indicate any material failings in the design and effectiveness of our risk management and internal control system.
The consolidated overview of all the aforementioned is the basis for the 'Statements of the Managing Board' at the end of this risk management section.
The table below shows the four most important risks that might prevent us from achieving the targets defined in Strategy 2021, including the actions we are taking to reduce our exposure further. These risks are labeled as Top risks because their potential impact on DSM's EBITDA is indicatively €30 million or more, or because they have a major non-financial impact, such as on reputation.
The following emerging risks have been identified by the Executive Committee. Where relevant, actions have been defined to anticipate them in a timely manner.
Emerging risk 1: Our Nutrition and Materials markets may be disrupted by longer-term changes driven by:
New food preferences / food systems
Climate transition risks impacting our end-markets, such as animal protein
Innovations such as 3D printing
New mobility and transport options
This could create a risk if the speed of change in the world is higher than our speed of adaptation to it.
Emerging risk 2: We may not be able to adjust our own operations and supply chain fast enough to deal with environmental and climate risks (both physical and transition risks).
Emerging risk 3: Risk of increasing polarization in the world. This could lead to new legislation and new regulations having a negative impact for DSM (such as increasing taxation, trade barriers, and labor costs).
At the same time, these emerging risks will also offer new opportunities for our Brighter Living Solutions.
Other important risks
Besides the top risks and the emerging risks, there are also specific market-related risks. For example, our Animal Health & Nutrition business was impacted by outbreaks of livestock diseases in 2019. Although our market position and product portfolio allow us to take advantage of opportunities arising in other geographical areas as well as from other species, the impact might not be fully offset.
There are also more generic business risks, such as business continuity, sourcing, product liability, intellectual property, tax and digitalization risks. Our risk management and internal control system is set up to adequately monitor and respond to these risks.
We did not identify any significant company-specific risks associated with Brexit and the ongoing trade war between the US and China, other than the general uncertainties around, for example, currency and other economic developments.
Top risks, status and related mitigating actions in progress
People, organization and culture
There is a risk that we might not be able to attract, retain and develop the workforce required to deliver on our strategy, achieve above-market growth and maintain strong operational efficiency. Progress has been made in creating a more international and diverse workforce, and steps have been taken to build more inclusive, agile and high-performing teams. In the current labor market, attracting and retaining talent with the right level of expertise, background and mindset requires constant attention and effort, and we therefore still consider this a top risk.
Product portfolio and purpose-driven growth
There is a risk that we might not be able to deliver above-average organic growth aligned to our strategic targets. We are continuously investing in our existing product portfolio and in large innovation projects, and focus on growth opportunities in the domains Nutrition & Health, Climate & Energy and Resources & Circularity. Top innovation projects are closely monitored, with a well-established stage-gate approach and regular status reviews with the Executive Committee. Despite the processes in place, time-to-market remains uncertain.
Market environment and competitive position
There is a risk that we might not meet our strategic targets due to increasing competition, especially from low-cost/margin players. Therefore, we have created a streamlined and simplified business portfolio and a good platform for growth. As a result of continued investments in innovation and acquisitions, our product and service portfolio has broadened, which allows us to serve a broader customer base better and to differentiate ourselves from our competition.
Operating in a digital world
There is a risk that we might be negatively impacted by cybercrime, and we therefore continued to strengthen our cybersecurity in 2019. Following risk assessments, a multi-year program is being rolled out to improve our cybersecurity capabilities in three areas: information technology, operations technology, and R&D laboratory systems. The program addresses cybersecurity across risk identification, protection, detection, response and recovery, taking account of the people, process and technology dimensions.