Risk management is designed to create and preserve value. Its key elements are identifying, assessing and responding to risks that may affect the achievement of the business objectives set by our company strategy, and executing the control activities that mitigate them. This part of the risk management framework focuses on practices that support the organization in making decisions.
Risk identification, assessments and response
Risk assessments are performed at various levels in the organization. We take a standard but flexible approach to risk assessments, consisting of four steps:
- Risk assessment planning
- Risk identification and clustering
- Risk rating
- Evaluation and risk response
Our risk assessments cover both short-term risks (up to and including three years) and emerging risks (more than three years) in the risk categories strategic, operational, financial, compliance and reputational. A risk assessment manual and training are available to give guidance and to continuously improve the effectiveness of our risk assessment process.
Corporate Risk Assessment
We periodically conduct a Corporate Risk Assessment (CRA), which is the responsibility of the Managing Board. As part of this assessment, the Executive Committee reviews and agrees on the short-term top risks as well as the emerging risks. The Executive Committee also agrees on how these risks are to be mitigated and monitored.
Unit Risk Assessments
The DSM units conduct various types of risk assessments:
- Business Risk Assessments focus on risks that could jeopardize the attainment of our strategic goals and business objectives
- Process Risk Assessments are intended to make our processes more robust and more resistant to fraud
- Project Risk Assessments focus on specific projects and are updated throughout project execution to secure successful delivery of project objectives and value creation for the company
In addition to the above, specific risk assessments may be performed for areas such as Safety, Health, Environment, Climate, Quality and Security, including Cybersecurity.
Most risk assessments are carried out by cross-functional teams. These teams include experienced facilitators as well as experts who challenge assumptions, which helps to improve the quality of the risk assessments.
Control activities are integrated into our business processes and are executed by the first line. They are preventive or detective and may encompass a range of manual and (semi-)automated controls such as policies, procedures, authorizations, verifications and business performance reviews. We apply a standard approach for user access management, including the management of privileged users, as well as for Segregation of Duties (SoD) management. These controls also help us to avoid fraud and reputational damage, and they support the Statements of the Managing Board.
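As an added illustration of what a (semi-)automated SoD control looks like in practice, the example below is not DSM's code and does not describe DSM's actual roles or rules; the role names, duties and conflict pairs are constructed for the example. It shows the two control types mentioned above on the same rule set: a preventive check that is run before a role is granted, and a detective scan over existing user-role assignments that reports every toxic combination of duties a single person holds, including a privileged IT duty combined with a business approval.

```python
"""Segregation of Duties (SoD) conflict detection over user-role assignments.

Added example; not DSM's code. All roles, duties, rules and users below are
constructed for illustration.
"""

# Constructed: the business duties each role grants.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_invoice"},
    "treasury": {"release_payment"},
    "it_admin": {"manage_user_access"},   # privileged role
    "auditor": {"review_payments"},
}

# Constructed: pairs of duties that no single user may hold at the same time.
SOD_RULES = [
    ("create_vendor", "release_payment"),
    ("enter_invoice", "approve_invoice"),
    ("approve_invoice", "release_payment"),
    ("manage_user_access", "approve_invoice"),  # privileged IT + business approval
]

# Constructed: current user-role assignments, as exported from an access system.
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager"],    # enters and approves invoices
    "carol": ["ap_manager", "treasury"],  # approves and releases payments
    "dave": ["it_admin"],
    "erin": ["auditor", "treasury"],      # no rule covers this combination
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by a user's roles. Unknown roles grant nothing."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def violated_rules(duties, rules=SOD_RULES):
    """Return the SoD rules (in rule order) that a set of duties violates."""
    return [(a, b) for a, b in rules if a in duties and b in duties]


def sod_conflicts(user_roles, rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Detective control: scan all current assignments.

    Returns a list of (user, duty_a, duty_b) findings, ordered by user name.
    """
    findings = []
    for user, roles in sorted(user_roles.items()):
        for a, b in violated_rules(effective_duties(roles, role_duties), rules):
            findings.append((user, a, b))
    return findings


def would_conflict(user, new_role, user_roles, rules=SOD_RULES, role_duties=ROLE_DUTIES):
    """Preventive control: rules that granting `new_role` to `user` would violate.

    An empty list means the provisioning request can be approved as far as SoD
    is concerned; a non-empty list means it must be blocked or escalated.
    """
    roles = list(user_roles.get(user, [])) + [new_role]
    return violated_rules(effective_duties(roles, role_duties), rules)


if __name__ == "__main__":
    for user, a, b in sod_conflicts(USER_ROLES):
        print(f"SoD violation: {user} holds both '{a}' and '{b}'")
    for user, role in [("alice", "treasury"), ("alice", "auditor"), ("dave", "ap_manager")]:
        hits = would_conflict(user, role, USER_ROLES)
        verdict = "BLOCK" if hits else "OK"
        print(f"grant {role!r} to {user}: {verdict} {hits}")
```

The detective scan is the kind of check a periodic access review would run over an export of all assignments; the preventive check belongs in the provisioning workflow so that a conflicting combination is refused before it exists. Keeping both on one rule table avoids the two controls drifting apart.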
The Internal Control Framework (ICF) aims to ensure reliable financial reporting, mitigate fraud risks and safeguard our assets. It defines the standard set of key controls that must be performed by the first line. The internal control department within GRM owns the ICF.