Review and revision
Internal Control review
The testing of the effectiveness of the key controls as included in our Internal Control Framework (ICF) is performed by the Internal Control department within GRM. This is one of the pillars of our House of Control supporting the Statements of the Managing Board.
COA, as the third line, conducts independent operational audits based on the mandatory guidance of ‘The Institute of Internal Auditors’ to provide additional assurance to the Managing Board that significant risks are being managed and controlled effectively, efficiently and sustainably. Some of these audits are unannounced. The scope and frequency of COA audits is set according to the ranking of the auditable units in terms of the magnitude of risk, based on a number of defined characteristics. This program is agreed by the Executive Committee and the Audit Committee of the Supervisory Board.
Enhancement of the risk management system
During 2021, the following main improvements were made to our risk management framework:
- Group Risk Management was extended with the expertise areas Information Security Risk Management and Sustainability Risk Management
- Our Code of Business Conduct was extended with the business principles Quality and Social media, and the corresponding training has been updated accordingly
- Our Corporate Requirements regarding privacy and personal data processing were updated
- The approach for determining the risk appetite was updated. The category of reputational risks was added and the criteria to rate the risk appetite have been changed in order to give better guidance to the units for decision making
- The risk assessment process was improved, addressing both internal and external risk factors in a more structured way
- The roles, responsibilities and processes to manage Segregation of Duties (SoD) conflicts were strengthened, supported by new tooling
- The automation level of internal controls was increased, improving the efficiency and effectiveness of control execution and testing