Risk Management (continued)
Internal control
Organisation
Processes
HEINEKEN's internal control activities aim to provide
reasonable assurance as to the accuracy of financial
information, non-financial disclosures, the Company's
compliance with applicable laws and internal policies,
and the effectiveness of internal processes.
Internal controls have been defined at entity-level
(HEINEKEN Rules, comprising all mandatory
standards and procedures) and at process
level (Process and Control Standards) for key
processes, including financial reporting, IT and Tax.
Compliance with company policies is periodically
assessed. Deviations from the defined standards
are included in the global monitoring and follow-up
processes, supporting management in addressing
these deviations. Management is responsible for
the definition and timely implementation of action
plans to remediate any deficiency identified as part
of these assessments. The results are reported to
the Executive Board. The Company Rules, policies
and controls are periodically updated to reflect both
the Company's key risks and the extent to which the
Company is willing and able to mitigate them.
Risk committee
The Executive Board of HEINEKEN is accountable for
risk management, risk oversight and the protection
of HEINEKEN's reputation, value of assets and
brands. The Board is assisted by the Risk Committee,
chaired by the CFO, in regular reviews of the
Group risk assessment cycle that summarises the
Company's key risks, associated mitigating actions
and monitoring activities. These reviews consider the
level of risk that HEINEKEN is willing to take and the
type of HEINEKEN's objectives it impacts.
The Risk Committee identifies changes to the
Company's risk exposure and proposes interventions
if required.
For the organisation of risk management activities,
HEINEKEN applies a 'three lines of defence'
model. First and most important is the quality and
behaviour of operational management, the first line
of defence. They have the ownership, responsibility
and accountability for assessing and mitigating
risks. Operational management is supported by
the second line of defence functions that oversee
compliance with HEINEKEN's policies, processes
and controls, facilitate the implementation of
risk management practices and drive continuous
improvements of internal controls. As the third line of
defence, the internal audit function ('Global Audit')
is mandated to perform Group-wide reviews of
key processes, projects and systems, based on
HEINEKEN's strategic priorities and most significant
risk areas. Global Audit provides independent and
objective assurance and consultancy services.
Heineken N.V. Annual Report 2018
It employs a systematic and disciplined approach
to evaluate and improve the organisation's
governance and risk management process including
reliability of information, compliance with laws,
regulations and procedures, and efficient and
effective use of resources. The methodology
followed by Global Audit is in accordance with the
standards of the Institute of Internal Auditors and
other relevant governing bodies.
To support the Executive Board's external
representations, a formal bi-annual Letter of
Representation (LoR) process is in place. It requires
management to demonstrate accountability
and covers financial and non-financial reporting
disclosures, financial reporting controls, compliance
with the Code of Conduct and other HEINEKEN
Rules as well as fraud and irregularities.
Risk assessment outcomes are aggregated at
a global level and serve as basis for determining
HEINEKEN's risk exposure and risk management
priorities by the Risk Committee. Accountability for
mitigating, monitoring and reporting on the most
significant risks is assigned to functional directors
who report on progress and residual risk levels three
times per year to the Risk Committee.
HEINEKEN continues to invest in the further
improvement of risk management in the Company.
Built on the basis of the existing risk and controls
mechanisms, we have implemented several
improvements. These are aimed at driving business
ownership of risks, further increasing business
involvement in risk management and expanding
the integrated view of risks and controls.
HEINEKEN's risk management activities seek to
identify and appropriately address any significant
threat to the achievement of the Company's
strategy and business objectives, its reputation
and the continuity of its operations. HEINEKEN's
risk management system enables management
to identify, assess, prioritise and manage risks on
a continuous and systematic basis, and covers all
subsidiaries across regions, countries, markets and
corporate functions.
Ongoing identification and assessment of risks,
including new risks arising from changes in the
global or local business environment, are part
of HEINEKEN's planning, performance and
risk management cycles. Risk assessments are
performed by every subsidiary and global function.
The implementation of responses and progress
of risk mitigating measures is monitored on a
quarterly basis.