Risk Management and Control System
44 Annual Report 2009 - Heineken N.V.
Report of the Executive Board
Managing risks and protecting the business from the
effects of disasters, failures and reputational damage
is explicitly on the management's agenda. Continuity
and sustainability of the business is as important to
stakeholders as growing and operating the business.
Risk Management and Control System
The Heineken Risk Management and Control Systems aim
to ensure that the risks of the Company are identified and
managed, and that the operational and financial objectives
are met in compliance with applicable laws and regulations
at a reasonable level of assurance. A system of control that
ensures adequate financial reporting is in place. Heineken's
internal control system is based on the COSO Internal
Control Framework.
Risk appetite
The Company is recognised for its drive for quality,
consistency and financial discipline. An entrepreneurial
spirit is encouraged across the Group in order to seek
opportunities that support continuous growth such as
business development and innovation, whilst taking
controlled risks. The carefully balanced country portfolio
and the robust balance sheet are a reflection of the risk
appetite of the Company.
Risk profile
Heineken is a single-product company with a high level of
commonality in its worldwide business operations, spread
over many mature and emerging markets. The worldwide
activities are exposed to varying degrees of risk and
uncertainty. Some of these may result in a material impact
on a particular Operating Company if not identified and
managed, but may not materially affect the Group as a whole.
Compared to other leading beer companies, Heineken has a
significantly wider global spread of its businesses, and does
not depend on a limited number of markets.
Risk management
Heineken strives to be a sustainable and performance-driven
company. This involves taking risks and managing risks.
Structured risk assessments are integrated into change
projects, business planning, performance monitoring
processes, common processes and system implementations,
and acquisitions and business integration activities. The Risk
Management and Control Systems are considered to be in
balance with Heineken's risk profile and appetite, although
such systems can never provide absolute assurance.
Heineken's Risk Management and Control Systems are subject
to continuous review and adaptations in order to remain in
balance with its continuous growth and the changes in the
risk profile.
Responsibilities
The Executive Board, under the supervision of the
Supervisory Board, has overall responsibility for Heineken's
Risk Management and Control Systems. Regional and
Operating Companies management are responsible for
managing performance, identifying and managing related
risks and the effectiveness of operations within the rules set
by the Executive Board. This is supported and supervised
by Group functions.
Heineken Company Rules
The Heineken Company Rules are a key element of the Risk
Management System and are in place to set the boundaries
within which Operating Companies should conduct their
business. A governance procedure and activities ensuring
continuous awareness and compliance are in place. This is
managed by the Heineken Company Rules Network that meets
on a semi-annual basis. The annual Assurance Letter provides
additional comfort on financial reporting and selected
Company Rules and is signed by all Regional Presidents,
General and Finance Managers on behalf of their
management teams on an annual basis.
Business planning and performance monitoring
The main pillars of Heineken's internal governance activities
are annual business planning and performance monitoring
processes. Operating Companies' strategies, business plans,
key risks and quarterly performance are discussed with
Regional Management. Regional performance is discussed
with the Executive Board. The approved business plans
include clear objectives, performance indicators and target
setting that provide the basis for monitoring performance
compared to the business plan. These plans also contain
an annual assessment of the main risks, mitigations and
financial sensitivities. This process was further improved
in the year under review. Heineken is finalising the
implementation of an integrated management information
system for reporting to Regions and Group.
Internal control in Operating Companies
Development and implementation of best practice processes
are continuously being improved on a Group-wide basis,
supported by common IT systems. Based on revenue at
the end of 2009, 65 per cent of the operations worked in
accordance with the evolving Heineken common system.
Additionally, documentation, measurement and performance
of processes under the Business Process Management Initiative
are continuously being improved by Group functions.
Best practice key control frameworks are embedded in
developed common processes/systems. This ensures the
integrity of the information processing in supporting the
day-to-day transactions and financial and management
reporting. Internal Audit is strongly involved in monitoring
key controls embedded in main business processes and
assessing its effectiveness based on a common audit
approach. Control monitoring by management has
strengthened with the implementation of an integrated
management information system.