Risk management in 2015

Enterprise Risk Management is a company-wide activity under the responsibility of the Executive Committee. It includes a bottom-up process which aims to provide full coverage of the organization and ensure that we focus on the areas of major risk exposure. The scoping of our 2015 risk management activities was performed by the Executive Committee, business management and corporate directors, in association with the risk management function. In addition to focusing on the coverage of our organization, emphasis is put on key strategic projects and those parts of the company that are most affected by change.

During the year, we facilitated 89 Enterprise Risk Management workshops. In these workshops, more than 1,800 unique risk scenarios were identified and prioritized by the responsible management teams and functional experts. All major risks were responded to by the unit that identified them. The outcomes of all risk analyses are included in risk profiling and trend analysis and made available to higher management. Risk profiles and trends were shared by managers across the company. In the bottom-up consolidation process, the risks were taken to the next management level, where they were re-assessed, either because of the materiality of the risk exposure and/or because of the accumulated effect.

As reported in last year’s annual report, during the fourth quarter of 2014, one of the company’s subsidiaries in the US was the target of an external fraud. Immediate actions were taken. The investigation found that customary and appropriate controls were in place, but those controls were breached, and that this was an isolated event not linked to the operations of the company or its businesses. We successfully reduced the financial impact of the fraud in 2015 and launched an extensive fraud awareness campaign. We will continue to make fraud awareness a standard part of our regular training programs globally.

Our initial focus is on those major risks that may impact the achievement of our strategy in the next three to five years (medium-term risks). In addition, we recognize that there are also relevant risk factors beyond the five-year time horizon which could impact our strategy (long-term risks). Both risk categories are included in this chapter with the understanding that these are not exhaustive lists. There may be current risks that the company has not fully assessed, or that are currently identified as not having a significant impact on the business, but which, at a later stage, could develop into a material impact. Our risk management systems endeavor to ensure the timely identification and actioning of risk trends.