Risk Management (continued)
Risk management and internal control
Risk identification and assessment
Internal control activities
Report of the
Annual Report 2016
The HEINEKEN Governance, Risk and Compliance activities are an integral part of the HEINEKEN Business Framework. Based on the COSO
reference model, this framework provides an overview of how HEINEKEN's vision, purpose and values lie at the core of the Company's strategic
priorities, organisation structure and behaviours. Translating this into policies and processes, the Code of Business Conduct, Company Rules and Risk
Management process enable the achievement of HEINEKEN's strategic priorities while protecting the Company's employees, assets and reputation.
HEINEKEN's risk management activities seek to ensure identification and appropriate response to any significant threat to the safety of its
employees, the Company's reputation, its assets and the achievement of its strategic objectives. To this end, HEINEKEN has put in place a
comprehensive risk management system which identifies, assesses, prioritises and manages risks on a continuous and systematic basis, and covers
all subsidiaries across regions, countries, markets and corporate functions.
Ongoing identification and assessment of risks is an integral part of HEINEKEN's governance and business review. Implementation of adequate
responses and progress of risk mitigating measures is monitored on a quarterly basis. In parallel, the risks reported by the operating companies
are aggregated on a global level and serve as a basis to determine HEINEKEN's risk management priorities and coordinated risk response across
geographies. Accountability for mitigating, monitoring and reporting on each of the most significant risks is assigned to functional directors.
Internal policies and operational controls are periodically updated to reflect both these key risks and the extent to which the Company is willing
and able to mitigate them.
HEINEKEN's internal control activities aim to provide reasonable assurance as to the accuracy of financial information, the Company's compliance
with applicable laws and internal policies and the effectiveness of internal processes.
The foundation for managing the Company's operations is the Company Rules, which translate HEINEKEN's objectives and strategies into clear
rules. They articulate how to work as they comprise all mandatory standards and procedures. Compliance with the rules is tested every year through
self-assessment of key processes and controls by management. Appropriate action plans for deficiencies are established by local management.
Progress on these remediation steps is monitored and reported on at least a quarterly basis.
Underpinning the Company Rules and supporting HEINEKEN's ethical culture, the first rule pertains to the Code of Business Conduct. The Code of
Business Conduct and its underlying policies set out the expected standard of behaviour of all HEINEKEN employees and third parties working with
HEINEKEN. Adherence to these policies is supported by regular training and a reporting platform available 24/7 where employees and third parties
can speak up confidentially and securely if they observe or suspect ethics violations.
HEINEKEN has a 'three lines of defence' structure in place:
- Operational management, as first line of defence, has the ownership, responsibility and accountability for assessing, controlling and
- HEINEKEN's internal control function ('Process Control Improvement'), as second line of defence, oversees compliance with HEINEKEN's policies,
processes and controls, drives continuous process improvement, facilitates risk assessments and ensures follow-up of identified risks or deficiencies.
Additional control activities related to financial reporting are performed by the Accounting Reporting and Business Control functions.
- Acting as third line of defence, HEINEKEN's internal audit function ('Global Audit') is mandated to perform Group-wide reviews of key processes,
projects and systems, based on HEINEKEN's strategic priorities and most significant risk areas.
Global Audit provides independent and objective assurance and consultancy services. Global Audit employs a systematic and disciplined approach
to evaluate and improve the organisation's governance and risk management processes including reliability of information, compliance with laws,
regulations and procedures, and efficient and effective use of resources. The methodology followed by Global Audit is in accordance with the
standards of the Institute of Internal Auditors and other relevant governing bodies.