The DSM risk management system 2011
(N.B.: These descriptions are to be considered as an elucidation of the Integrated Annual Report; they describe the system as it was operating in 2011 and will not be updated during the year).
Risk management as part of the governance structure
DSM’s overall governance structure is depicted in Figure 1, showing the main governance levels and the most important governance elements and regulations at each level. For DSM, as a company listed on the Amsterdam stock exchange, the primary references for good corporate governance are Dutch law and the amended Dutch corporate governance code 2008 (Frijns Code).
Note: All internal regulations apply in addition to applicable national and international laws and regulations. In cases where internal regulations are incompatible with national or international laws and regulations, the latter prevail.
As part of good corporate governance, the Frijns Code requires that the Managing Board ensure that there is a risk management system that is suitable for the company, that reporting is reliable and that laws and regulations are being complied with.
Risk management starting points
DSM’s risk management system is based on the Enterprise Risk Management framework of the Sponsoring Organizations of the Treadway Commission (COSO-ERM), and covers the eight risk management elements identified in that model. DSM applies the risk management process to strategic, operational, reporting and compliance risks as specified in the framework, The DSM risk management system is defined at two levels: Corporate (in the Management Framework for the corporate level) and operational (in the Management Framework for operational units). Operational units may add more levels for regions, sites, etc. as necessary.
The COSO-ERM risk management elements:
- Internal environment
- Objective setting
- Event identification
- Risk assessments
- Risk response
- Control activities
- Information and communication
- Monitoring
Further starting points for DSM’s risk management system are optimal integration of risk management in the daily business processes and the application of common controls for common risks. The system is described below, first for the corporate level, then for the operational level. The description follows the eight COSO elements.
Corporate level
By instituting the governance structures as described above and specifying Management Frameworks for the corporate level and operational units, the Managing Board has established the internal environment for enterprise risk management. Values and business principles are important elements of the internal environment for risk management. Sustainability is DSM’s core value; this value directly relates to the company’s mission to ‘create brighter lives for people today and generations to come’. The business principles have been derived from this core value and are described in the DSM Code of Business Conduct. This code and the Corporate Policies and Requirements together define the ’tone at the top’ with regard to ethical behavior and doing business. In the execution of its risk management responsibilities, the Managing Board is supported by the Corporate Risk Office.
The strategy for the company is established in the Corporate Strategy Dialogue (CSD). The CSD takes place between every three to five years. If appropriate, risk profiles of alternative scenarios are analyzed before final strategic choices are made. The strategy is translated into concrete objectives (financial and otherwise), the attainment of which is checked in annual strategic reviews. The present CSD ‘DSM in motion; driving focused growth’ has targets set for 2013, 2015 and 2020.
The chosen strategy is subjected to a Corporate Risk Assessment (CRA), conducted by the Managing Board. In the CRA, developments and events that could influence the achievement of strategic and operational targets are identified. The possible impacts of these events are assessed in terms of impact and likelihood and responses to the top risks are determined. The influence of some important parameters (e.g. exchange-rate fluctuations) is calculated in sensitivity analyses. The CRA is updated on an annual basis; the 2011 update was executed in a session of the full Managing Board in November 2011.
For sensitive processes at the corporate level, such as treasury and corporate accounting, controls have been defined and implemented.
Performance, risk and compliance are discussed regularly between the relevant accountable management and the Managing Board. The Corporate Risk Office provides information on the DSM risk management system via its Intranet site and regular publications. It also takes care of training programs on risk management and organizes information exchange meetings for risk management experts throughout the company.
Operational and staff units monitor the effectiveness of key controls and regularly report on risks and controls as part of regular business reporting. Material risks and control incidents are reported in annual Letters of Representation, as are the responses to these risks and incidents. The reported risk and incidents are consolidated into a ‘bottom-up’ risk profile that is compared with the ‘top down risk profile’ as derived from the Corporate Risk Assessment; both are then integrated into a final picture. Risks and developments in the risk management system are also reported to the Audit Committee of the Supervisory Board. The bottom-up risk and response overviews are updated at the end of the second quarter.
Operational level
The Managing Board, supported by the Corporate Staff Departments, maintains the Management Framework for the operational level (see figure 2).
Within this Framework, the Corporate Policies and Requirements form the basis for systematic risk management. The structure of the Corporate Policies, Requirements and Directives is shown in figure 3 (Corporate Directives are temporary or local extensions of the Corporate Requirements and are instituted if an out-of-the-ordinary situation calls for it, for example a travel ban for security reasons).
How DSM applies the eight components of COSO-ERM in operational units is set out below.
Internal Environment
An important part of the Internal Environment for risk management is set by the DSM Code of Business Conduct and the communications on risk management as described in the previous section. The Unit Risk Management Requirements additionally specify that each operational unit must:
- have a risk management system in place, the elements of which are accessible via a portal;
- have a risk management organization which, for the business groups, operational service units and some of the regions, includes an audit committee chaired by the unit director, with a risk management coordinator as secretary;
- draw up and monitor the implementation of a Risk Management Year Plan;
- implement a risk management process as described in the Corporate Requirements and outlined below.
The Corporate Requirements require that Corporate Policies are translated into policies for the operational units. They also stipulate that management should take the lead and give the example, and should keep the employees accountable for compliance. In this way the 'tone at the top’ is cascaded downward in the organization.
Objective Setting
The Strategy Requirements specify that each operational unit execute a Business Strategy Dialogue (BSD) at regular intervals. The outcome of this strategic process is translated into clear objectives for financial as well as other functional and business fields. If appropriate, risk profiles of alternative scenarios are analyzed before final choices are made. The results and prospects of the unit’s strategy and the related risks and responses are reviewed as part of an annual strategic review.
Event identification, risks assessment and risk response
As part of the BSD, a Business Risk Assessment (BRA) has to be carried out to identify the most important risks inherent in the chosen strategy. BRAs at the level of units reporting directly to the Managing Board are mandatorily supported by the Corporate Risk Office. For internal processes, Process Risk Assessments (PRAs) are carried out at a minimum frequency of once every five years. For the most important risks identified in the BRA and PRA, the unit identifies responses and manages the follow-up to those responses. Risk updates are made twice a year. As part of the BRA, major business disruptions need to be identified for which Business Continuity Plans need to be made.
Control activities
The DSM risk management system provides for the identification and assessment of responses and controls in two ways: via the BRAs and PRAs as described above and via the identification of common risks and common controls. In companies such as DSM, a large part of the identifiable risks are directly linked to the nature of the operations. Therefore, DSM has chosen to identify and assess these common risks and design common controls for them. These mandatory common controls are described in the Corporate Requirements and cover all functional fields, for both the ongoing business as well as the activities of a project nature.
In the field of the transactional flows of goods and money and the related financial control and reporting processes, the implementation of controls is supported by (standard) ICT solutions. In these cases, the controls are built into (standard) business processes and the application of sufficient segregation of duties is controlled by central authorization management and regular checking for possible conflicts. Through this concept of common risks and common controls, control or mitigation of a large number of common risks is achieved in an efficient way. In their BRAs and PRAs, operational units can focus on unit-specific risks and responses.
All material activities of a project nature need to be run according to the Project Management Process requirements. This ensures that a clear project governance structure, clear project phasing and regular structured risk assessment are in place. Other elements of the requirements, covering specific aspects of project risks are: Mergers and Acquisitions (as part of the Strategy Requirements), Capital Investments (as part of the Control and Accounting Requirements), Large Capital Projects (as part of the Manufacturing Requirements) and Building and Construction (as part of the Safety, Health and Environmental Requirements).
Information and communication
To ensure that the ‘tone at the top’ regarding ethical conduct and sustainability as laid down in the DSM Code of Business Conduct effectively determines the actual culture and behavior in all of the company, considerable communication and training efforts have been put in place. Booklets containing the Code in 17 languages have been distributed to all employees. Mandatory (e-)learning about and subsequent acknowledgment of the Code is in place and currently being rolled out. Specific training programs are in place for specific target groups regarding Competition Law and Trade Law compliance.
To ensure sufficient awareness of functional policies and applicable risk-controls, the Corporate Policies and Requirements and their implementation in the operational units are subject to (mandatory) training. In 2011 a Risk Management Awareness Video was created and made available for all employees world-wide, highlighting the risk management process by analogy with a mountaineering expedition. Specific training programs on risk management are in place for risk management professionals and financial experts. Attention is also given to communication about residual risks (so, after mitigation), for instance in job hand-over procedures at senior management levels.
Information exchange, alignment and collective learning within the community of risk management professionals are achieved via various platforms, meeting at regular intervals (sometimes via (partly) virtual meetings). The Corporate Policies, Requirements and Directives Structure (Figure 3) is available on the DSM Intranet as a portal, giving access to all Policies, Requirements and Directives, including detailed annexes and non-mandatory practices. The portal thus serves as a source of information and a learning structure for risk management and functional professionals.
To help the operational units in implementing the risk management system and in integrating it with the daily business processes, the Management Framework for the operational units (Figure 2) has been made available as a portal on the DSM Intranet. All relevant policies, requirements, practices and standard business processes are to be found under the respective buttons. The operational units have copied the portal for their own use and have added unit-specific business processes, policies, requirements and practices and made links to archived documents, such as standard operating procedures.
Monitoring, reporting, embedding and continuous improvement
The effectiveness of controls is monitored and reported in various ways and using ‘three lines of defense’. The first line of defense is daily management attention to risks and compliant behavior, using the Code of Business Conduct and the requirements as the yard-stick. This management attention is, amongst other means, fed by information from regular control-self-assessments.
At the second line of defense, the risk management system is used to identify and control risks in several ways: through control monitoring in the standard business processes, through monitoring of compliance with the Corporate Requirements using a special Compliance Tracker, through periodic reporting on risks and controls and through various incident reports. Special tools are available to support the monitoring of the effectiveness of the controls in standard business processes. Specific monitoring is executed with respect to access controls to and segregation of duties in business processes related to the goods and money flow. To this end, operational ERP systems are screened by the Business Process Management department, using specialist analytical tools.
One of the specific objectives of the risk management system is to be able to provide a reasonable level of assurance that the financial reporting does not contain any material inaccuracies and to confirm that the internal controls function properly. Therefore, in the financial field there are detailed accounting and reporting requirements and related annexes specifying amongst other things reporting time schedules and formats, the DSM Chart of Accounts, the IFRS compliant DSM Accounting Rules and the format for a quarterly affidavit, to be signed by the Financial Director of each unit.
To embed risk management in the normal way of doing business, behavior-based practices have been made available to help make risk management sustainable without it becoming a ‘tick the box’ affair. They include workshops on learning from non-conformities and deviations and principle-based compliance. Specific reporting, analyzing and improvement procedures are in place for reported breaches of the Code of Business Conduct. The Fraud Committee, under the direction of the CFO, oversees all material incidents involving fraud. For situations where employees feel unable to report via the line, the DSM Alert System (whistleblower procedure and communication channel) is available for them to report any infringements.
As mentioned in the paragraph on ‘Corporate Level’, at the end of the year, all units confirm that they have applied adequate risk management and report any material residual risks and incidents that have happened over the past year in a Letter of Representation to the Managing Board. These reports, which are updated on a half-yearly basis, are used for the units to identify and track any additional risk mitigating actions needed.
Corporate Operational Audit (COA) and external financial audit act as the third line of defense. COA conducts full operational audits in all units; the average auditing cycle is 3 years and follows a risk based program that is agreed with the Managing Board and the Audit Committee of the Supervisory Board. These ‘cold eye reviews’ use the DSM Code of Business Conduct and the Corporate Requirements as reference and report findings which, dependant on how critical they are, units have to take action on within defined periods. The consolidated COA results and feedback from the operational units on the functioning of the Corporate Requirements and other elements of the risk management system are used to regularly improve the system.
