Risk Management
Risk appetite
Internal control
Risk Committee
Organisation
Processes
Heineken N.V.
Annual Report 2020

Risk appetite

HEINEKEN's risk appetite is the result of its wide geographical spread, prudent financial management and commitment to long-term value creation. Risks are taken consciously, assessing their impact on HEINEKEN's objectives. The level of risk HEINEKEN is willing to take depends on the type of objective it impacts (reputational, financial or business continuity related).

Reputational

HEINEKEN is reliant on the reputation of its brands and the protection of its intellectual property rights. Reputation management is of utmost importance to HEINEKEN. We have invested considerable effort in protecting our brands, including the registration of trademarks and domain names. We aim to reduce the risks that could negatively impact our reputation to the furthest extent possible, accepting that this may come at a cost.

Financial

HEINEKEN is keen on pursuing commercial opportunities to deliver top line growth, accepting uncertainties linked to its strategic choices and the context of the individual markets in which it operates.

Business continuity

HEINEKEN makes the availability of its brands a priority, accepting only minimal disruptions to its operations. In addition, HEINEKEN continuously invests to make the organisation future-proof and ensure the sustainability of the business.

Internal control

HEINEKEN's internal control activities aim to provide reasonable assurance as to the accuracy of financial information, non-financial disclosures, the Company's compliance with applicable laws and internal policies, and the effectiveness of internal processes.

Internal controls have been defined at operating entity level (HEINEKEN Rules, comprising all mandatory standards and procedures) and at process level (Process and Control Standards) for key processes, including financial reporting, IT and Tax.

Compliance with company policies is periodically assessed. Deviations from the defined standards are included in the global monitoring and follow-up processes, supporting management in addressing these deviations. Management is responsible for the definition and timely implementation of action plans to remediate any deficiency identified as part of these assessments. The results are reported to the Executive Board.

The Company Rules, policies and controls are periodically updated to reflect both the Company's key risks and the extent to which the Company is willing and able to mitigate them.

Risk Committee

The Executive Board of HEINEKEN is accountable for risk management, risk oversight and the protection of HEINEKEN's reputation, value of assets and brands.

The Board is assisted by the Risk Committee, chaired by the CFO, in regular reviews of the Group risk assessment cycle that summarises the Company's key risks, associated mitigating actions and monitoring activities. These reviews consider the level of risk that HEINEKEN is willing to take and the type of HEINEKEN's objectives it impacts.

The Risk Committee identifies changes to the Company's risk exposure and proposes interventions if required.

Organisation

For the organisation of risk management activities, HEINEKEN applies a 'three lines of defence' model. First and most important is the quality and behaviour of operational management, the first line of defence. They have the ownership, responsibility and accountability for assessing and mitigating risks.

Operational management is supported by the second line of defence functions that oversee compliance with HEINEKEN's policies, processes and controls, facilitate the implementation of risk management practices and drive continuous improvements of internal controls.

As the third line of defence, the internal audit function ('Global Audit') is mandated to perform Group-wide reviews of key processes, projects and systems, based on HEINEKEN's strategic priorities and most significant risk areas. Global Audit provides independent and objective assurance and consultancy services. It employs a systematic and disciplined approach to evaluate and improve the organisation's governance and risk management process including reliability of information, compliance with laws, regulations and procedures, and efficient and effective use of resources. The methodology followed by Global Audit is in accordance with the standards of the Institute of Internal Auditors.

To support the Executive Board's external representations, a formal bi-annual Letter of Representation (LoR) process is in place. It requires management to take responsibility and covers financial and non-financial reporting disclosures, financial reporting controls, compliance with the Code of Conduct and other HEINEKEN Rules, as well as fraud and irregularities.

Processes

HEINEKEN's risk management activities seek to identify and appropriately address any significant threat to the achievement of the Company's strategy and business objectives, its reputation and the continuity of its operations.

HEINEKEN's risk management system enables management to identify, assess, prioritise and manage risks on a continuous and systematic basis, and covers all subsidiaries across regions, countries, markets and corporate functions.

Ongoing identification and assessment of risks, including new risks arising from changes in the global or local business environment, are part of HEINEKEN's planning, performance and risk management cycles. Risk assessments are performed by every subsidiary and all global functions. The implementation of responses and progress of risk mitigating measures is monitored on a quarterly basis.

Risk assessment outcomes are aggregated at a global level and serve as a basis for determining HEINEKEN's risk exposure and risk management priorities by the Risk Committee. Accountability for mitigating, monitoring and reporting on the most significant risks is assigned to functional directors who report on progress and residual risk levels three times per year to the Risk Committee.

HEINEKEN continues to invest in the further improvement of risk management in the Company. Built on the basis of the existing risk and controls mechanisms, several improvements have been implemented. These are aimed at driving business ownership of risks, increasing business involvement in risk management and expanding the integrated view of risks and controls.