- Systematically identify/assess/mitigate the risks (strategic/financial /operational /reputational) which are related to the company’s short and longer term objectives;
- monitor and ensure the company’s reporting is reliable;
- monitor and ensure the company complies with its Core Value and all relevant laws and regulations.
Risk Management Organization
The Managing Board is responsible for risk management in the company and, supported by the Corporate Risk Office, has designed and implemented a risk management system and a risk management organization. The system and the organization are documented in the DSM risk management policy, the DSM Code of Business Conduct, DSM policies in several functional areas and the DSM Corporate Requirements and Directives. The aim of the system is to ensure that the extent to which the company’s strategic and operational objectives are being achieved is understood, that the company’s reporting is reliable and that the company complies with relevant laws and regulations.
Risk Management System
The DSM risk management system is based on the COSO-ERM framework. It has been designed to achieve maximum integration of the risk management process in the normal business processes. It provides for risk assessment tools, controls for risks that commonly occur in the company and monitoring and reporting procedures and systems. The internal controls for the goods and money flows have been ‘built into’ business processes, and tools have been developed to support their implementation and to monitor their effectiveness in operation. In this way, a high level of internal control is achieved efficiently.
Risk management as part of the governance structure
DSM’s overall governance structure is depicted in Figure 1 (above), showing the main governance levels and the most important governance elements and regulations at each level. For DSM, as a company listed on the Amsterdam stock exchange, the primary references for good corporate governance are Dutch law and the Dutch Corporate Governance Code 2008 and its 2016 update (applicable from 2017).
Note: All internal regulations apply in addition to applicable national and international laws and regulations. In cases where internal regulations are incompatible with national or international laws and regulations, the latter prevail.
DSM’s risk management system is based on the Enterprise Risk Management framework of the Sponsoring Organizations of the Treadway Commission (COSO-ERM), and covers the eight risk management elements identified in that model. DSM applies the risk management process to strategic, operational, reporting and compliance risks as specified in the framework, The DSM risk management system is defined at two levels: Corporate (in the Management Framework for the corporate level) and operational (in the Management Framework for operational units). Operational units may add more levels for regions, sites, etc. as necessary.
The COSO-ERM risk management elements:
- Internal environment
- Objective setting
- Event identification
- Risk assessments
- Risk response
- Control activities
- Information and communication
Further starting points for DSM’s risk management system are optimal integration of risk management in the daily business processes and the application of common controls for common risks. The system is described below, first for the corporate level, then for the operational level. The description follows the eight COSO elements.
By instituting the governance structures as described above and specifying Management Frameworks for the corporate level and operational units, the Managing Board has established the internal environment for enterprise risk management. Values and business principles are important elements of the internal environment for risk management. Sustainability is DSM’s core value; this value directly relates to the company’s mission to ‘create brighter lives for people today and generations to come’. The business principles have been derived from this core value and are described in the DSM Code of Business Conduct. This code and the Corporate Policies and Requirements together define the ’tone at the top’ with regard to ethical behavior and doing business. In the execution of its risk management responsibilities, the Managing Board is supported by the Corporate Risk Office.
The strategy for the company is established in the Corporate Strategy Dialogue (CSD). The CSD takes place between every three to five years. If appropriate, risk profiles of alternative scenarios are analyzed before final strategic choices are made. The strategy is translated into concrete objectives (financial and otherwise), the attainment of which is checked in annual strategic reviews.
The chosen strategy is subjected to a Corporate Risk Assessment (CRA), conducted by the Managing Board. In the CRA, developments and events that could influence the achievement of strategic and operational targets are identified. The possible impacts of these events are assessed in terms of impact and likelihood and responses to the top risks are determined. The influence of some important parameters (e.g. exchange-rate fluctuations) is calculated in sensitivity analyses. The CRA is updated on an annual basis.
For sensitive processes at the corporate level, such as treasury and corporate accounting, controls have been defined and implemented.
Performance, risk and compliance are discussed regularly between the relevant accountable management and the Managing Board. The Corporate Risk Office provides information on the DSM risk management system via its Intranet site and regular publications. It also takes care of training programs on risk management and organizes information exchange meetings for risk management experts throughout the company.
Operational and staff units monitor the effectiveness of key controls and regularly report on risks and controls as part of regular business reporting. Material risks and control incidents are reported in annual Letters of Representation, as are the responses to these risks and incidents. The reported risk and incidents are consolidated into a ‘bottom-up’ risk profile that is compared with the ‘top down risk profile’ as derived from the Corporate Risk Assessment; both are then integrated into a final picture. Risks and developments in the risk management system are also reported to the Audit Committee of the Supervisory Board. The bottom-up risk and response overviews are updated at the end of the second quarter.
The Managing Board, supported by the Corporate Staff Departments, maintains the Management Framework for the operational level (see figure 2).
Within this Framework, the Corporate Policies and Requirements form the basis for systematic risk management. The structure of the Corporate Policies, Requirements and Directives is shown in figure 3 (Corporate Directives are temporary or local extensions of the Corporate Requirements and are instituted if an out-of-the-ordinary situation calls for it, for example a travel ban for security reasons).
How DSM applies the eight components of COSO-ERM in operational units is set out below:
An important part of the Internal Environment for risk management is set by the DSM Code of Business Conduct and the communications on risk management as described in the previous section. The Unit Risk Management Requirements additionally specify that each operational unit must:
- have a risk management system in place, the elements of which are accessible via a portal;
- have a risk management organization which, for the business groups, operational service units and some of the regions, includes an audit committee chaired by the unit director, with a risk management coordinator as secretary;
- draw up and monitor the implementation of a Risk Management Year Plan;
- implement a risk management process as described in the Corporate Requirements and outlined below.
The Corporate Requirements require that Corporate Policies are translated into policies for the operational units. They also stipulate that management should take the lead and give the example, and should keep the employees accountable for compliance. In this way the 'tone at the top’ is cascaded downward in the organization.
The Strategy Requirements specify that each operational unit execute a Business Strategy Dialogue (BSD) at regular intervals. The outcome of this strategic process is translated into clear objectives for financial as well as other functional and business fields. If appropriate, risk profiles of alternative scenarios are analyzed before final choices are made. The results and prospects of the unit’s strategy and the related risks and responses are reviewed as part of an annual strategic review.
As part of the BSD, a Business Risk Assessment (BRA) has to be carried out to identify the most important risks inherent in the chosen strategy. BRAs at the level of units reporting directly to the Managing Board are mandatorily supported by the Corporate Risk Office. For internal processes, Process Risk Assessments (PRAs) are carried out at a minimum frequency of once every five years. For the most important risks identified in the BRA and PRA, the unit identifies responses and manages the follow-up to those responses. Risk updates are made twice a year. As part of the BRA, major business disruptions need to be identified for which Business Continuity Plans need to be made.
The DSM risk management system provides for the identification and assessment of responses and controls in two ways: via the BRAs and PRAs as described above and via the identification of common risks and common controls. In companies such as DSM, a large part of the identifiable risks are directly linked to the nature of the operations. Therefore, DSM has chosen to identify and assess these common risks and design common controls for them. These mandatory common controls are described in the Corporate Requirements and cover all functional fields, for both the ongoing business as well as the activities of a project nature.
In the field of the transactional flows of goods and money and the related financial control and reporting processes, the implementation of controls is supported by (standard) ICT solutions. In these cases, the controls are built into (standard) business processes and the application of sufficient segregation of duties is controlled by central authorization management and regular checking for possible conflicts. Through this concept of common risks and common controls, control or mitigation of a large number of common risks is achieved in an efficient way. In their BRAs and PRAs, operational units can focus on unit-specific risks and responses.
All material activities of a project nature need to be run according to the Project Management Process requirements. This ensures that a clear project governance structure, clear project phasing and regular structured risk assessment are in place. Other elements of the requirements, covering specific aspects of project risks are: Mergers and Acquisitions (as part of the Strategy Requirements), Capital Investments (as part of the Control and Accounting Requirements), Large Capital Projects (as part of the Manufacturing Requirements) and Building and Construction (as part of the Safety, Health and Environmental Requirements).
To ensure that the ‘tone at the top’ regarding ethical conduct and sustainability as laid down in the DSM Code of Business Conduct effectively determines the actual culture and behavior in all of the company, considerable communication and training efforts have been put in place. Booklets containing the Code in 19 languages have been distributed to all employees. Mandatory (e-)learning is in place. Specific training programs are in place for starget groups regarding value based issues e.g. Competition Law, Trade Law compliance, Anti Bribery and Corruption and Privacy Laws.
To ensure sufficient awareness of functional policies and applicable risk-controls, the Corporate Policies and Requirements and their implementation in the operational units are subject to (mandatory) training. A Risk Management Awareness Video is available for all employees world-wide, highlighting the risk management process by analogy with a mountaineering expedition. Specific training programs on risk management are in place for risk management professionals and financial experts. Attention is also given to communication about residual risks (so, after mitigation), for instance in job hand-over procedures at senior management levels.
Information exchange, alignment and collective learning within the community of risk management professionals are achieved via various platforms, meeting at regular intervals (sometimes via (partly) virtual meetings). The Corporate Policies, Requirements and Directives Structure (Figure 3) is available on the DSM Intranet as a portal, giving access to all Policies, Requirements and Directives, including detailed annexes and non-mandatory practices. The portal thus serves as a source of information and a learning structure for risk management and functional professionals.
To help the operational units in implementing the risk management system and in integrating it with the daily business processes, the Management Framework for the operational units (Figure 2) has been made available as a portal on the DSM Intranet. All relevant policies, requirements, practices and standard business processes are to be found under the respective buttons. The operational units have copied the portal for their own use and have added unit-specific business processes, policies, requirements and practices and made links to archived documents, such as standard operating procedures.
The effectiveness of controls is monitored and reported in various ways and using ‘three lines of defense’. The first line of defense is daily management attention to risks and compliant behavior, using the Code of Business Conduct and the requirements as the yard-stick. This management attention is, amongst other means, fed by information from regular control-self-assessments.
At the second line of defense, the risk management system is used to identify and control risks in several ways: through control monitoring in the standard business processes, through monitoring of compliance with the Corporate Requirements, through periodic reporting on risks and controls and through various incident reports. Special tools are available to support the monitoring of the effectiveness of the controls in standard business processes. Specific monitoring is executed with respect to access controls to and segregation of duties in business processes related to the goods and money flow. To this end, operational ERP systems are screened by the Business Process Management department, using specialist analytical tools.
One of the specific objectives of the risk management system is to be able to provide a reasonable level of assurance that the financial reporting does not contain any material inaccuracies and to confirm that the internal controls function properly. Therefore, in the financial field there are detailed accounting and reporting requirements and related annexes specifying amongst other things reporting time schedules and formats, the DSM Chart of Accounts, the IFRS compliant DSM Accounting Rules and the format for a quarterly affidavit, to be signed by the Financial Director of each unit.
To embed risk management in the normal way of doing business, behavior-based practices have been made available to help make risk management sustainable without it becoming a ‘tick the box’ affair. They include workshops on learning from non-conformities and deviations and principle-based compliance. Specific reporting, analyzing and improvement procedures are in place for reported breaches of the Code of Business Conduct. The Fraud Committee, under the direction of the CFO, oversees all material incidents involving fraud. For situations where employees feel unable to report via the line, the DSM Alert System (whistleblower procedure and communication channel) is available for them to report any infringements.
As mentioned in the paragraph on ‘Corporate Level’, at the end of the year, all units confirm that they have applied adequate risk management and report any material residual risks and incidents that have happened over the past year in a Letter of Representation to the Managing Board. These reports, which are updated on a half-yearly basis, are used for the units to identify and track any additional risk mitigating actions needed.
Corporate Operational Audit (COA) and external financial audit act as the third line of defense. COA conducts full operational audits in all units; the average auditing cycle is 3 years and follows a risk based program that is agreed with the Managing Board and the Audit Committee of the Supervisory Board. These ‘cold eye reviews’ use the DSM Code of Business Conduct and the Corporate Requirements as reference and report findings which, dependent on how critical they are, units have to take action on within defined periods. The consolidated COA results and feedback from the operational units on the functioning of the Corporate Requirements and other elements of the risk management system are used to regularly improve the system.
The functioning of the system in 2016
Full details of the functioning of the system in 2016 can be found in the Integrated Annual Report 2016.