Structure and Instruments
Vonovia has a comprehensive risk management system in place that aims to subject the entrepreneurial opportunities and risks to differentiated, regular monitoring. Risks are defined as possible developments or events in the future that could result in a negative forecast/deviation from targets for the company, whereas opportunities are seen as positive deviations from an expected outcome.
Organizationally, risk management is assigned directly to the Management Board, which regularly monitors its effectiveness. The Management Board has overall responsibility for the risk management system. It decides on the organizational structures and workflows of risk management and provision of resources. It approves the documented risk management findings and takes account of them in steering the company. The Audit Committee of the Supervisory Board monitors the effectiveness of the risk management system. Executives belonging to the first level below Management Board level are appointed as risk owners and, in this role, assume responsibility for the identification, assessment, documentation and communication of all material risks in their area of responsibility.
For the benefit of the company’s five main interest groups – customers, employees, investors, society and suppliers – the Management Board pursues a conservative, security-focused risk strategy.
Each and every Vonovia employee is encouraged to act in a risk-conscious manner, i.e., to fully clarify the risk situation in their area of responsibility on the one hand and to handle any risks identified in a responsible manner on the other. Unreasonably high risks are to be avoided. The threshold value for the reporting of new individual risks takes account of the company’s conservative strategy and currently amounts to a low value of € 10,000 per individual risk. This allows the company to ensure that suitable measures are taken to avoid, reduce or transfer risks or to consciously accept calculated risks.
The risk manager coordinates the recording, assessment, documentation and communication of the risks as part of the risk management process. He triggers the risk management process, consolidates the risk reports of the risk owners and prepares the report for the Management Board and the Supervisory Board. The Internal Audit department monitors the risk management function as part of its auditing remit.
This system not only ensures the continued existence of the company but also makes a sustainable contribution to achieving the company’s goals. The Management Board is able at all times to identify and assess material risks within the company and in the company’s environment in good time as well as to take appropriate counteraction.
In order to take the opportunities and risks into account, the company uses an integrated management approach based on five key pillars.
(1) Performance Management
High-quality corporate planning and appropriate reporting on operational and financial key figures from Controlling constitute the backbone of the early warning system used at the company. Analyses are made of the business performance compared with the plans approved by the Supervisory Board and the previous year. Furthermore, a forecast is prepared regularly which takes appropriate account of the effect of any potential risks and opportunities on the development of business. Reporting includes detailed monthly controlling reports to the Management Board and the Supervisory Board. The direct operational business is described in regular reports on key figures, some of which are drawn up on a weekly basis. On the basis of these reports and the deviations that they highlight between the actual and target figures, countermeasures are implemented and then checked in subsequent reporting periods to ensure they are effective.
(2) Compliance Management
Compliance describes the lawful action of the company, its bodies and employees. For the Management Board, compliance with statutory law and the observance of internal guidelines are the basis of corporate management and culture. Compliance is to ensure the integrity of employees, customers and business partners and avoid possible negative consequences for the company.
The management and monitoring of Vonovia is based on the relevant statutory requirements, the Articles of Association and the rules of procedure for the Supervisory Board and the Management Board. They form the basis for the company’s internal rules and guidelines, adherence to which is monitored by a central compliance management system and administered by a guideline management team that forms part of the Legal department.
The guidelines describe clear organizational and monitoring structures with specified responsibilities and appropriately installed checks. The legally compliant behavior of all employees in the business processes is ensured by suitable control procedures and supervision by managers. The company has also put in place a compliance management system based on IDW (Institute of Public Auditors in Germany) standard PS 980 and has appointed a central compliance officer, whose remit focuses on identifying compliance risks, taking suitable measures to avoid and detect these risks and taking appropriate action in response to compliance risks (compliance program).
In terms of specific content, the main features of the compliance management system are Vonovia’s Code of Conduct, which focuses on ethical values and statutory requirements and reinforces the personal responsibility of employees, Vonovia’s Compliance Guidelines and a Business Partner Code setting out requirements that the company’s contractual partners have to meet. An external ombudsman is available to all employees and business partners as a confidant in respect of compliance issues.
At present, no major violations of laws or rules by employees are known.
(3) Risk Management
Vonovia’s risk management system ensures the early identification, assessment, control and monitoring of all material risks within the Group that exceed the short-term financial risks dealt with by the Performance Management pillar and could pose a risk not only to the company’s results of operations and net assets, but also to intangible assets such as the company’s reputation. This means that potential risks which might impair the value and/or development of the company can be identified at an early stage. Early warning indicators that are specific to the environment and the company are taken into account, as are the observations and regional knowledge of our employees across Germany. The range of early warning indicators is extensive and includes, by way of example, the technical monitoring of the condition of our buildings and the residential environment, the analysis of demographic trends and recording of regional migration patterns, the monitoring of supply, rental price and new construction forecasts in our regional residential real estate submarkets, the analysis of developments relating to the regulations governing rental prices, the monitoring of our peers and their business activities, the observation of construction technology trends and developments in the field of building optimization and modernization, demand analyses on the development of property-related services and analyses and forecasts relating to the development of the financial markets and interest rates.
Responsibility for concrete risk control in daily business is decentralized and lies with the first management level below the Management Board, whereas the risk manager (same level as the Head of Controlling) is assigned to the Chief Controlling Officer’s division. The risk owners use a systematic process to identify and update all risks in their respective areas of responsibility on a regular basis. Once validated by the risk manager, these risks are split into five categories: “economic environment and market-related risks,” “regulatory and legal risks,” “risks related to business,” “financial risks” and “other risks.” The potential amount of loss and the probability of occurrence are classified within set ranges before action (gross) and after action (net) for each risk and documented in a Group-wide risk register. As with the period used for medium-term corporate planning, the observation period used is five years. Based on the probability of occurrence and the amount of loss arising from the gross and net risk assessments, a score is established for each risk and the risks are prioritized accordingly. The ten risks with the highest score make up the “Top 10 risks.”
The risk management system and the risk register are updated and refined on a regular basis and are also adjusted to reflect changes at the company. The effectiveness of the risk management system is examined in regular audits.
Risk management is documented regularly in a half-yearly risk report, which is made available to the Management Board. The Audit Committee of the Supervisory Board is informed twice a year at its regular meetings about the risk situation. The risk management system is described in a risk reporting policy that is updated on an annual basis.
This reporting system ensures that both managers and supervisory bodies are comprehensively informed and provides relevant operational early warning indicators. In this way, misguided developments can be recognized in good time and counteraction taken at an early stage. Should material risks occur unexpectedly, they are reported directly to the Management Board on an ad hoc basis.
(4) Internal Control System
Vonovia’s Management Board is responsible for the preparation of the annual financial statements, the consolidated financial statements and the combined and Group management report. This includes responsibility for the setup and maintenance of a suitable accounting-related internal control and risk management system.
The aim of the accounting-related internal control and risk management system is to ensure proper and legally compliant financial reporting pursuant to the relevant regulations. The accounting-related internal control and risk management system is embedded in the overarching Group-wide risk management system.
Organizationally, preparation of the financial statements is in the area of responsibility of the Chief Financial Officer and in particular of the Accounting department. Therefore, the Accounting department exercises the authority to lay down guidelines for the application of relevant accounting standards as well as for the content and timing of the steps in the financial statements preparation process.
From the organizational and systems side, the preparation of the financial statements for all companies included in the consolidated financial statements as well as the preparation of the consolidated financial statements themselves are performed in the central shared service center of the Accounting department, which ensures consistent and continual application of accounting policies in a uniform financial statement preparation process. Furthermore, the shared service center ensures that changes in the requirements, both in content and in organization, are incorporated in the financial statement preparation process.
The financial statements of all companies included in the consolidated financial statements are located in a computerized SAP environment with a uniform system configuration and are thus subject to uniform charts of account, accounting guidelines, processes and process controls. Separation of functions and the four-eye principle are appropriately accounted for through both preventive and subsequent checks.
Finally, the relevant financial statement data of the individual companies are made available to the SAP consolidation module via an integrated, automated interface with comprehensive validation rules for further processing and preparation of the consolidated financial statements. A comprehensive authorization concept is in place granting access to the financial statements in line with the respective job profile of the employee.
Newly acquired companies are immediately incorporated into the internal control environment as part of a structured integration process, which includes integration in terms of both IT systems and processes relating to financial statements. The prepared consolidated financial statements and the individual financial statements of the companies included then constitute the authoritative source of data for internal analysis and external communications.
Once the financial statements have been drawn up, the annual and consolidated financial statements, including the consolidated management report, are submitted to the Audit Committee of the Supervisory Board. The Committee then makes a recommendation for the Supervisory Board to adopt or approve them. This examination may include the auditor’s presence at the committee meeting and is subject to the auditor’s report. The Audit Committee is continually involved in the establishment and refinement of the accounting-related internal control and risk management system.
(5) Internal Audit
The effectiveness of the system and control environment, as well as the internal control system, is checked on a regular basis by the Internal Audit department. Internal Audit’s annual audit plan is drawn up on a risk-oriented basis, taking particular account of the company’s risk atlas, and is approved by the Management Board/Audit Committee of the Supervisory Board. The audits conducted throughout the year focus on assessing the effectiveness of the control and risk management systems, as well as identifying process improvements in order to minimize risks. Audits are also conducted in consultation with the compliance officer. The internal audit reports are provided to the Management Board, the responsible head of the audited department and the risk manager on a regular basis. The Audit Committee receives a quarterly summary of the audit results. The implementation status of all jointly approved improvement measures is checked on an ongoing basis after the relevant due dates and reported to the Management Board and to the Audit Committee of the Supervisory Board at their regular meetings.