Structure and Instruments

Vonovia has implemented a comprehensive risk management system that is designed to identify, measure and manage all of the opportunities and risks that are relevant to the company. This reduces risk potential, secures the company’s survival, promotes its strategic further development and supports sustainable action.

Whereas risks are defined as possible developments or events in the future that could result in a negative forecast/deviation from targets for the company, opportunities are seen as positive deviations from an expected outcome.

In the 2018 fiscal year, the risk management system that applied in 2017 was continued. The companies acquired in 2018 were incorporated into the risk process. The reporting threshold for individual risks was increased from € 10,000 to € 500,000.

In organizational terms, risk management is still assigned directly to the Management Board. The Management Board has overall responsibility for the risk management system. It decides on the organizational structures and workflows of risk management and provision of resources. It approves the documented risk management findings and takes account of them in steering the company. The Audit Committee of the Supervisory Board monitors the effectiveness of the risk management system. The risk manager (who is also the Head of Controlling at the same time) reports to the Chief Financial Officer (CFO). Executives belonging to the first level below Management Board level are appointed as risk owners and, in this role, assume responsibility for the identification, assessment, documentation and communication of all material risks in their area of responsibility.

Risk management is responsible for:

  • Raising/increasing risk awareness,
  • Identifying and assessing risks early on,
  • Communicating risks to the relevant decision-makers within the Group,
  • Supporting the budget process by supplying information that is relevant to risk,
  • Taking suitable measures to manage risks and, where appropriate, taking appropriate counteraction and
  • Meeting the statutory requirements by putting the risk management principles into practice and ensuring appropriate documentation.

In the interests of the key stakeholders, customers, employees, suppliers, investors and society, the Management Board pursues a conservative, security-focused risk strategy that also takes the sustainability of our actions into account.

Each and every Vonovia employee is encouraged to act in a risk-conscious manner, i.e., to fully clarify the risk situation in their area of responsibility on the one hand and to handle any risks identified in a responsible manner on the other. Unreasonably high risks are to be avoided.

The risk manager coordinates the recording, assessment, documentation and communication of the risks as part of the risk management process. They trigger the risk management process, consolidate the risk reports of the risk owners and prepare the report for the Management Board and the Supervisory Board. This system helps to ensure the continued existence of the company and to achieve the company’s goals. This allows the Management Board to identify and assess material risks within the company and in the company’s environment systematically and in good time at all times, as well as to take appropriate counteraction.

In order to take the opportunities and risks into account, the company uses an integrated management approach based on five key pillars.

5 Pillars of Risk Management at Vonovia

5 Pillars of Risk Management at Vonovia (Graphic)

(1) Performance Management

Differentiated and high-quality corporate planning and appropriate reporting on deviations between the actual and target operational and financial key figures from Controlling constitute the backbone of the early warning system used at the company. Analyses are made of the business performance compared with the plans approved by the Supervisory Board and the previous year. Furthermore, a forecast is prepared regularly which takes appropriate account of the effect of any potential risks and opportunities on the development of business. Reporting includes detailed monthly controlling reports to the Management Board and the Supervisory Board. The operational business is described in regular reports on key figures, some of which are drawn up on a weekly basis. On the basis of these reports and the deviations that they highlight between the actual and target figures, countermeasures are implemented and then checked in subsequent reporting periods to ensure they are effective.

(2) Compliance Management

Compliance describes the lawful action of the company, its bodies and employees. For the Management Board, compliance with statutory law and the observance of internal guidelines are the basis of corporate management and culture. Compliance is to ensure the integrity of employees, customers and business partners and avoid possible negative consequences for the company.

The management and monitoring of Vonovia is based on the relevant statutory requirements, the Articles of Association and the rules of procedure for the Supervisory Board and the Management Board. They form the basis for the company’s internal rules and guidelines, adherence to which is monitored by a central compliance management system and administered by a guideline management team that forms part of the Legal department.

The guidelines describe clear organizational and monitoring structures with specified responsibilities and appropriately installed checks. The legally compliant behavior of all employees in the business processes is ensured by suitable control procedures and supervision by managers. The company has also put in place a compliance management system based on IDW (Institute of Public Auditors in Germany) standard PS 980 and has appointed a central compliance officer, whose remit focuses on identifying compliance risks, taking suitable measures to avoid and detect these risks and taking appropriate action in response to compliance risks (compliance program).

In terms of specific content, the main features of the compliance management system are Vonovia’s Code of Conduct, which focuses on ethical values and statutory requirements and reinforces the personal responsibility of employees, Vonovia’s Compliance Guidelines and a Business Partner Code setting out requirements that the company’s contractual partners have to meet. An external ombudsman is available to all employees and business partners as a confidant in respect of compliance issues.

(3) Risk Management

Vonovia’s risk management system ensures the early identification, assessment, control and monitoring of all material risks within the Group that exceed the short-term financial risks dealt with by the Performance Management pillar and could pose a risk not only to the company’s results of operations and net assets, but also to intangible assets such as the company’s reputation. This means that potential risks which might impair the value and/or development of the company can be identified at an early stage. Early warning indicators that are specific to the environment and the company are taken into account, as are the observations and regional knowledge of our employees across Germany. The range of early warning indicators is extensive and includes, by way of example, the technical monitoring of the condition of our buildings and the residential environment, the monitoring of the socioeconomic composition of our tenant structure, the analysis of demographic trends and recording of regional migration patterns, the monitoring of adherence to overall regulatory requirements, the monitoring of quoted rents and quoted prices, as well as their development in the portfolio and in newly built properties in our regional residential real estate submarkets, the analysis of developments relating to the regulations governing rental prices, the monitoring of our peers and their business activities, the observation of construction technology trends and developments in the field of building optimization, modernization and new construction, demand analyses on the development of property-related services, monitoring environmental influences, analyses and forecasts relating to the development of the financial markets as well as of interest and exchange rates.

The risk owners use the systematic risk inventory process described above to identify and update the risks in their respective areas of responsibility on a regular basis. Once validated by the risk manager, these risks are split into five risk categories: “economic environment and market-related risks,” “regulatory and legal risks,” “risks related to business,” “financial risks” and “other risks.” The potential amount of loss and the probability of occurrence are classified within set ranges before action (gross) and after action (net) for each risk and documented in a Group-wide risk register. As with the period used for medium-term corporate planning, the observation period used is five years. Based on the probability of occurrence and the amount of loss arising from the gross and net risk assessments, a score is established for each risk and the risks are prioritized accordingly. The ten risks with the highest score make up the “Top 10 risks.”

Risk Classification



Probability of occurrence


in %


Amount of loss


in € million














< 20




< 5





21 to 50




5 to 25





51 to 80




25 to 250



Very likely
















The risk management system and the risk register are updated and refined on a regular basis and are also adjusted to reflect changes at the company. The effectiveness of the risk management system is examined in regular audits.

Risk management is documented regularly in a half-yearly risk report, which is made available to the Management Board. The Audit Committee of the Supervisory Board is informed twice a year at its regular meetings about the risk situation. The risk management system is described in a risk reporting policy that is updated on an annual basis.

This reporting system ensures that both managers and supervisory bodies are comprehensively informed and provides relevant operational early warning indicators. In this way, misguided developments can be recognized in good time and counteraction taken at an early stage. Should material risks occur unexpectedly, they are reported directly to the Management Board on an ad hoc basis.

(4) Internal Control System

The Internal Control System (ICS) comprises the basic principles, procedures and regulations aimed at supporting the effectiveness and cost-effectiveness of our business activities, ensuring due and proper and reliable internal and external accounting and ensuring compliance with the legal provisions that apply to the company.

All key processes at Vonovia are recorded and documented centrally with the help of a process management software solution. In addition to the relevant process steps, this documentation highlights key risks and controls in the interests of a process-oriented internal control system. It provides the binding basis for subsequent evaluations, audits and reporting to the executive bodies of Vonovia SE on the effectiveness of the ICS within the meaning of Section 107 (3) sentence 2 of the German Stock Corporation Act (AktG).

Overall responsibility for structuring and implementing the ICS lies with Vonovia’s Management Board. The Management Board delegates this responsibility to process and control owners. The Internal Audit department provides support in the establishment and further technical development of the ICS in addition to performing its primary audit duties in full. IT is responsible for providing technical and administrative support for the documentation software.

The aim of the accounting-related internal control and risk management system is to ensure due and proper and legally compliant financial reporting pursuant to the relevant regulations. The accounting-related internal control and risk management system is embedded in the overarching Group-wide risk management system.

Organizationally, responsibility for preparing the financial statements lies with the Chief Financial Officer’s department and, in particular, with the Accounting department. Therefore, the Accounting department exercises the authority to lay down guidelines for the application of relevant accounting standards as well as for the content and timing of the steps in the financial statements preparation process.

From the organizational and systems side, the preparation of the financial statements for all companies included in the consolidated financial statements as well as the preparation of the consolidated financial statements themselves are performed in the central shared service center functions of the Accounting department, which ensures consistent and continual application of accounting policies in a uniform financial statement preparation process. Furthermore, through the shared service center functions it is ensured that both content and organizational changes in the requirements are incorporated in the financial statement preparation process.

The financial statements of the companies included in the consolidated financial statements – with the exception of Sweden and France – are located in an IT SAP environment. They are subject largely to uniform charts of account, accounting guidelines, processes and process controls. The requirement of separation of functions and the four-eye principle are taken appropriate account of with preventive and also subsequent checks. The subsidiaries in Sweden and France report their data as part of a structured data recording process.

The relevant financial statement data of the individual companies are made available to the SAP consolidation module via an integrated, automated interface with comprehensive validation rules for further processing and preparation of the consolidated financial statements. An authorization concept is in place granting access to the financial statements in line with the respective job profile of the employee.

Newly acquired companies are incorporated into the internal control environment as part of a structured integration process, which includes integration in terms of both IT systems and processes relating to financial statements.

Once the financial statements have been drawn up, the annual and consolidated financial statements, including the consolidated management report, are submitted to the Audit Committee of the Supervisory Board. The Committee then makes a recommendation for the Supervisory Board to adopt or approve them. This examination may include the auditor’s presence at the committee meeting and is subject to the auditor’s report. The Audit Committee is continually involved in the establishment and refinement of the accounting-related internal control and risk management system.

(5) Internal Audit

The system and control environment, business processes and the internal control system are audited on a regular basis by Vonovia’s Group Audit department. The annual audit plan is based on a risk-oriented evaluation of all relevant audit areas of the Group (audit universe) and is approved by the Management Board/the Supervisory Board’s Audit Committee.

The audits conducted throughout the year focus on assessing the effectiveness of the control and risk management systems, identifying process improvements in order to minimize risks and ensuring the sustainability of Vonovia’s business activities. Corresponding ad hoc reviews are also performed in consultation with the compliance officer and the Management Board. The internal reports are presented to the Management Board, the individuals responsible for the area reviewed, the risk manager and the compliance officer on a regular basis. The Audit Committee receives a quarterly summary of the audit results and measures. The implementation status of the agreed measures is monitored on an ongoing basis after the relevant due dates and is reported to the Management Board and the Audit Committee on a quarterly basis. A follow-up audit is conducted to ensure that any serious findings have been remedied.

The Internal Audit department also reviews the Sustainability Report and the Non-financial Declaration.