The DSM risk management system

Risk management as part of the governance structure
DSM’s overall governance structure is depicted in figure 1. It shows the main governance levels and the most important governance elements and regulations at each level. For DSM, as a company listed at the Amsterdam stock exchange, the measure for good corporate governance is the Dutch Corporate Governance Code (“Tabaksblat Code”).

Figure 1: DSM’s overall governance structure
Note: All internal regulations apply in addition to applicable national and international laws and regulations. If incompatibility occurs, the latter prevail.

As a part of good corporate governance, the Tabaksblat Code requires that the Managing Board ensures that there is a risk management system that is suitable for the company, that reporting is reliable and that laws and regulations are being complied with.

Risk management starting points
DSM’s risk management system is based on the Enterprise Risk Management framework of the Sponsoring Organizations of the Treadway Commission (COSO-ERM), and covers the eight risk management elements identified in that model. The framework also specifies that the risk management process must be applied to strategic, operational, reporting and compliance risks and that it is executed at all levels of the organization. The DSM risk management system is specified in the Management Frameworks for the corporate and operational unit levels.

The COSO-ERM risk management elements:

  • Internal environment
  • Objective setting
  • Event identification
  • Risk assessments
  • Risk response
  • Control activities
  • Information and communication
  • Monitoring

Further starting points for DSM’s risk management system are: optimal integration of risk management in the daily business processes and the application of common controls for common risks. The system is described below, first for the corporate level, then for the operational level. The description follows the eight COSO-elements.

Corporate level
By instituting the governance structures as described above and specifying Management Frameworks for the corporate and operational levels, the Managing Board has established the internal environment for enterprise risk management. The DSM Values, Corporate Policies and Requirements define the “tone at the top” with regard to ethical behavior and doing business. In the execution of its risk management responsibilities, the Managing Board is supported by the Corporate Risk Management department. 

The strategy for the company is established in the Corporate Strategy Dialogue (CSD). The CSD takes place about every three to five years. If appropriate, risk profiles of alternative scenarios are analyzed before final strategic choices are made. The strategy is translated into concrete objectives, financial and otherwise, the attainment of which is checked in annual strategic reviews.

The chosen strategy is subjected to a Corporate Risk Assessment (CRA), conducted by the Managing Board. In the CRA developments and events that could influence the achievement of strategic and operational targets are identified. The possible impacts of these events are assessed and responses for the top risks are determined. The influence of some important parameters (e.g. exchange-rate fluctuations) is calculated in sensitivity-analyses. The CRA is updated on an annual basis.

For processes on the corporate level, such as treasury and corporate accounting, controls have been defined and implemented.

Performance, risk and compliance are discussed regularly between accountable management and the Managing Board. The Corporate Risk Management department provides information on the DSM risk management system via its Intranet site and regular publications. It also takes care of modules on risk management in several corporate training programs and organizes information exchange meetings for risk management experts throughout the company.

Operational and staff units monitor the effectiveness of key controls and regularly report on risks and controls as part of regular business reporting. Material risks are reported annually in the annual strategic review and Letters of Representation. Risks and developments in the risk management system are also reported to the Audit Committee of the Supervisory Board.

Operational level

Management Framework for the operational level; Corporate Policies and Requirements
The Managing Board, supported by the Corporate Staff Departments, maintains the Management Framework for the operational level (see figure 2).

Figure 2: Management Framework for the operational level

Within this Framework, the Corporate Policies and Requirements form the basis for systematic risk management. The structure of the Corporate Policies, Requirements and Directives is shown in figure 3 (Corporate Directives are temporary or local extensions of the Corporate Requirements and are instituted if a special situation calls for it, e.g. a travel-ban for security reasons).

Figure 3: Structure of the Corporate Policies, Requirements and Directives

Below, it is described how DSM covers the eight components of the COSO-ERM-Cube.

Internal Environment
An important part of the Internal Environment for risk management is set by the DSM Values and the communications on risk management as described in the previous section. The Unit Risk Management Requirements additionally specify that each operational unit must put a risk management organization in place and that reporting of control failures and material risks must be encouraged. The Corporate Requirements require that Corporate Policies are translated into policies for the operational units. They also stipulate that management should take the lead and give the example, and should keep the employees accountable for compliance. In this way the “tone at the top” is cascaded downward in the organization. 

Objective Setting
The Strategy Requirements specify that each operational unit execute a Business Strategy Dialogue (BSD) at regular intervals. The outcome of this strategic process is translated into clear objectives for financial as well as other functional and business fields. If appropriate, risk profiles of alternative scenarios are analyzed before final choices are made. The results and prospects of the unit’s strategy and the related risks and responses are reviewed in an annual strategic review.

Event identification, risk assessment and risk response
As part of the BSD, events are identified that could influence the risk profile of the business. The Unit Risk Management Requirements specify that, following a BSD, a Business Risk Assessment (BRA) has to be carried out to identify the most important risks inherent to the chosen strategy. If important risks are identified in the internal processes, specific Process Risk Assessments (PRAs) are carried out for those processes. For the most important risks identified in the BRA and PRAs, the unit identifies responses and manages the follow-up of those responses.

Control activities
The DSM risk-management system provides for the identification and assessment of risks, and for the identification of responses and controls, in two ways: via the BRAs and PRAs as described above and via the identification of common risks and common controls. In companies such as DSM, a large part of the identifiable risks are directly linked to the nature of the operations. Therefore, DSM has chosen to identify and assess these common risks and to design common controls for them. These mandatory common controls are part of the Corporate Requirements and cover all functional fields. In the field of the primary flow of goods and the related financial control processes, and in some supporting processes, the implementation of controls is supported by standard ICT solutions. In these cases, the controls are built into so-called standard business processes. Through this concept of common risks and common controls, control or mitigation of a large number of common risks is achieved in an efficient way. In their BRAs and PRAs, operational units can focus on unit-specific risks and responses.

A business continuity plan needs to be prepared for an effective response to all risks with a potentially very serious impact which, although they have a very low chance of occurring, cannot be excluded altogether.

Information and communication
The Corporate Policies and Requirements and their implementation in the operational units are subject to (mandatory) training and specific attention is given to communication about risks, for instance in job hand-over procedures at senior management levels.

To help the operational units in implementing the risk management system and in integrating it with the daily business processes, the Management Framework for the operational level (figure 2) has been made available as a portal on the DSM Intranet. All relevant policies, requirements, practices and standard business processes are to be found under the respective buttons. The operational units can copy the portal for their own use and add unit-specific business processes, policies, requirements and practices and make links to archived documents, such as standard operating procedures.

Monitoring, reporting, embedding and continuous improvement
The effectiveness of controls is monitored and reported in various ways: through control monitoring in the standard business processes, monitoring of compliance with the Corporate Requirements, periodic reporting on risks and controls and through various incident reports. Special tools are available to support the monitoring of the effectiveness of the controls in standard business processes.

One of the specific objectives of the risk-management system is to be able to provide a reasonable level of assurance that the financial reporting does not contain any material inaccuracies and to confirm that the internal controls function properly. Therefore, in the financial field there are detailed accounting and reporting requirements and related annexes specifying, amongst other things, reporting time schedules and formats, the DSM Chart of Accounts, the IFRS-compliant DSM Accounting Rules and the format for a quarterly affidavit, to be signed by the Financial Director of each unit.

To embed risk management in the normal way of doing business, behavior-based practices have been made available to help make risk management sustainable without it becoming a “tick the box” affair. They include workshops on learning from deviations and principle-based compliance.

Feedback from the operational units on the functioning of the Corporate Requirements and other elements of the risk management system is used to regularly improve the system.
