Risk Management
Internal control
Main risks
Processes
Risk Committee
Organisation
Introduction
Financial risks are reported separately in note 11.5
in the Financial Statements on pages 113-116.
Compliance with company policies is periodically
assessed. Deviations from the defined standards
are included in the global monitoring and follow-up
processes, supporting management in addressing
these deviations. Management is responsible for
the definition and timely implementation of action
plans to remediate any deficiency identified as part
of these assessments. The results are reported to the
Executive Board.
The HEINEKEN Rules, policies and controls are
periodically updated to reflect both the Company’s key
risks and the extent to which the Company is willing
and able to mitigate them.
The Executive Board of HEINEKEN is accountable for
risk management, risk oversight and the protection of
HEINEKEN’s reputation, value of assets and brands.
The Board is assisted by the Risk Committee, chaired
by the CFO, in regular reviews of the Group risk
assessment cycle that summarises the Company’s key
risks, associated mitigating actions and monitoring
activities. These reviews consider the level of risk that
HEINEKEN is willing to take and the type of
HEINEKEN’s objectives it impacts.
The Risk Committee identifies changes to the
Company’s risk exposure and proposes interventions
if required.
HEINEKEN’s internal control activities aim to provide
reasonable assurance as to the accuracy of financial
information, non-financial disclosures, the Company’s
compliance with applicable laws and internal policies,
and the effectiveness of internal processes.
Internal controls have been defined at operating
entity level (HEINEKEN Rules - comprising all
mandatory standards and procedures) and at process
level (Process and Control Standards) for key
processes, including financial reporting, IT and Tax.
For the organisation of risk management activities,
HEINEKEN applies a ‘three lines of defence’ model.
First and most important is the quality and behaviour
of operational management, the first line of defence.
They have the ownership, responsibility and
accountability for assessing and mitigating risks.
Operational management is supported by the second
line of defence functions that oversee compliance
with HEINEKEN’s policies, processes and controls,
facilitate the implementation of risk management
practices and drive continuous improvements of
internal controls.
As third line of defence, the internal audit function
(‘Global Audit’) is mandated to perform Group-wide
reviews of key processes, projects and systems, based
on HEINEKEN’s strategic priorities and most
significant risk areas. Global Audit provides
independent and objective assurance and consultancy
services. It employs a systematic and disciplined
approach to evaluate and improve the organisation’s
governance and risk management process including
reliability of information, compliance with laws,
regulations and procedures, and efficient and
effective use of resources. The methodology followed
by Global Audit is in accordance with the standards of
the Institute of Internal Auditors.
To support the Executive Board’s external
representations, a formal bi-annual Letter of
Representation process is in place. It requires
management to take responsibility for accurate and
complete reporting on financial and non-financial
reporting disclosures, financial reporting controls and
on compliance with the Code of Conduct and other
HEINEKEN Rules, as well as identifying and reporting
on fraud and irregularities.
Risk assessment outcomes are aggregated at a global
level and serve as basis for determining HEINEKEN’s
risk exposure and risk management priorities by the
Risk Committee. Accountability for mitigating,
monitoring and reporting on the most significant risks
is assigned to functional directors who report on
progress and residual risk levels three times per year
to the Risk Committee.
HEINEKEN’s risk management activities seek to
identify and appropriately address any significant
threat to the achievement of the Company’s strategy
and business objectives, its reputation and the
continuity of its operations.
HEINEKEN’s risk management system enables
management to identify, assess, prioritise and
manage risks on a continuous and systematic basis,
and covers all subsidiaries across regions, countries,
markets and corporate functions. Ongoing
identification and assessment of risks, including new
risks arising from changes in the global or local
business environment, are part of HEINEKEN’s
planning, performance and risk management cycles.
Risk assessments are performed by every subsidiary
and all global functions. The implementation of
responses and progress of risk mitigating measures
is monitored on a quarterly basis.
HEINEKEN continues to invest in the evolution of risk
management in the Company. Building on the
existing risk and controls mechanisms, improvements
are aimed at driving business ownership of risks,
increasing business involvement in risk management
and expanding the integrated view of risks.
The risk overview on the next pages highlights the
main risks that could hinder HEINEKEN in achieving
its strategy and business objectives.
This is not a full overview of all risks and uncertainties
that may affect the Company. As new risks emerge
and existing immaterial risks evolve, timely discovery
and accurate evaluation of risks are at the core of
HEINEKEN’s risk management system.
The ways we manage risks related to Responsible
Consumption, Business Conduct and Human Rights
are further detailed in the Sustainability Review
section of our Annual Report on pages 132-196.
Heineken N.V. Annual Report 2023
The Statement of the Executive Board is included
in the Corporate Governance statement on pages
45-52.