Annual Report 2019

Risk Management Structure and Instruments

The market environment and the overall statutory/regulatory conditions to which Vonovia is subject are constantly changing. Vonovia itself is also developing on an ongoing basis as it implements its strategy and the associated business activities. This means that new opportunities and risks arise on a regular basis, and that the nature of existing opportunities and risks can change.

As a result, Vonovia has implemented a comprehensive risk management system that is designed to identify, evaluate and manage all of the risks that are relevant to the company. This reduces risk potential, secures the company’s survival, supports its strategic further development and promotes responsible entrepreneurial action.

Risks are defined as possible events or developments that could have a negative impact on the company’s expected economic development and, as a result, could lead to a negative deviation from the short-term plans (budget and forecasts) and the company’s medium-term plans (five-year plan).

Opportunities are possible events or developments that could have a positive impact on the company’s expected economic development.

In the 2019 fiscal year, the risk management system that applied in the past was revised. Details are set out in Section (3) Risk Management System. Overall, Vonovia’s risk management system is based on an integrated five-pillar risk management approach.

5 Pillars of Risk Management at Vonovia (Graphic)

(1) Performance Management

Differentiated and high-quality corporate planning and appropriate reporting on deviations between the actual and target operational and financial key figures from Controlling constitute the backbone of the early warning system used at the company. Analyses are made of the business performance compared with the plans approved by the Supervisory Board and the previous year. Furthermore, a forecast is prepared regularly which takes appropriate account of the effect of any potential risks and opportunities on the development of business. Reporting includes detailed monthly controlling reports to the Management Board and the Supervisory Board. The operational business is described in regular reports on key figures, some of which are drawn up on a weekly basis. On the basis of these reports and the deviations that they highlight between the actual and target figures, countermeasures are implemented and then checked in subsequent reporting periods to ensure they are effective.

(2) Compliance Management

Compliance means that the company, its bodies and employees act in line with the applicable rules and regulations. For the Management Board, compliance with statutory law and the observance of internal guidelines are the basis of corporate management and culture. Compliance is intended to ensure the integrity of employees, customers and business partners and to avoid possible negative consequences for the company.

The management and monitoring of Vonovia is based on the relevant statutory requirements, the Articles of Association and the rules of procedure for the Supervisory Board and the Management Board. They form the basis for the company’s internal rules and guidelines, adherence to which is monitored by a central compliance management system and administered by a guideline management team that forms part of the Legal department.

The guidelines describe clear organizational and monitoring structures with specified responsibilities and appropriately installed checks. The legally compliant behavior of all employees in the business processes is ensured by suitable control procedures and supervision by managers. The company has also put in place a compliance management system based on IDW (Institute of Public Auditors in Germany) standard PS 980 and has appointed a central compliance officer, whose remit focuses on identifying compliance risks, taking suitable measures to avoid and detect these risks and taking appropriate action in response to compliance risks (compliance program).

In terms of specific content, the main features of the compliance management system are Vonovia’s Code of Conduct, which focuses on ethical values and statutory requirements and reinforces the personal responsibility of employees, Vonovia’s Compliance Guidelines and a Business Partner Code setting out requirements that the company’s contractual partners have to meet. An external ombudsman is available to all employees and business partners as a confidant in respect of compliance matters.

(3) Risk Management System

Vonovia’s strategy has a sustainable and long-term focus. As a result, Vonovia pursues a conservative risk strategy in its business activities. This does not mean minimizing risks, but rather promoting entrepreneurial and responsible action and ensuring the necessary transparency with regard to any possible risks.

The risk management system supports all employees in their day-to-day work in accordance with Vonovia’s mission statement. It ensures the early identification, assessment, management and monitoring of all risks within the Group that exceed the short-term financial risks dealt with by the Performance Management pillar and could pose a risk not only to the company’s results of operations and net assets, but also to intangible assets. This means that potential risks which might impair the value and/or development of the company can be identified at an early stage. Early warning indicators that are specific to the environment and the company are taken into account, as are the observations and regional knowledge of our employees.

The operational management of the risk management system falls within the remit of the Head of Controlling, who is responsible for Risk Controlling, and reports to the Chief Financial Officer (CFO). Risk Controlling initiates the periodic risk management process and consolidates and validates the risks reported. It is also responsible for validating the risk management measures and monitoring their implementation. Risk Controlling works with the individual risk owners to define early warning indicators that are used to monitor actual developments with regard to certain risks. It measures and reports on these early warning indicators at regular intervals.

The risk owners are the managers at the level directly below the Management Board. They are responsible for identifying, evaluating, managing, monitoring, documenting and communicating all risks in their sphere of responsibility. They are also responsible for risk reporting to Risk Controlling based on the defined reporting cycles (generally on a half-yearly or ad hoc basis, insofar as is necessary).

Based on a half-yearly risk inventory taken in the first and third quarters of a fiscal year, Risk Controlling prepares a risk report for the Management Board and the Supervisory Board. It also simulates major risk developments and their impact on the corporate plans and objectives.

This reporting system ensures that both managers and supervisory bodies are comprehensively informed and provides relevant operational early warning indicators. In this way, misguided developments can be recognized in good time and counteraction taken at an early stage. Should significant risks occur unexpectedly, they are reported directly to the Management Board and the Supervisory Board on an ad hoc basis.

The risk management system is updated and refined on a regular basis and is also adjusted to reflect changes at the company. The effectiveness of the risk management system is analyzed in regular audits.

In organizational terms, risk management is assigned directly to the Management Board. The Management Board has overall responsibility in this regard. It decides on the organizational structures and workflows of risk management and provision of resources. It approves the documented risk management findings and takes account of them in steering the company. The Audit Committee of the Supervisory Board monitors the effectiveness of the risk management system.

Further Development of the Risk Management System in 2019

Vonovia further developed its previous risk management system in the second half of 2019. All activities forming part of the risk management process, i.e.

  • Risk identification
  • Risk assessment
  • Risk aggregation
  • Risk control
  • Risk monitoring

were reviewed and adjusted if necessary.

Based on the COSO Framework, a risk universe with the following four main risk categories was defined to facilitate risk identification: strategy, regulatory environment & overall statutory framework, operating business and financing (including accounting and tax). A structured risk catalog was assigned to each of these categories.

Changes were also made to the key data for risk assessments, with a distinction now being made between risks with an impact on profit and loss and those affecting the balance sheet. Risks with an impact on profit and loss have a negative effect on the company’s sustained earnings power and, as a result, on Group FFO. In general, these risks also have an impact on liquidity. Risks affecting the balance sheet do not impact Group FFO. In particular, these risks can be such that they do not affect liquidity, e.g., because they only impact property values.

If possible, risk assessments are always to be performed in quantitative terms. If this was difficult to achieve or not possible, a qualitative assessment was performed using a detailed matrix comprising five loss categories.

The previous classification of the expected amount of loss in four categories

Value limits:

  • < € 5 million
  • € 5 million to € 25 million
  • € 25 million to € 250 million
  • > € 250 million

has been switched to a system comprising five categories:

  • Very high: Threatens the company’s existence
      Impact on profit and loss*: Possible loss of > € 500 million in Group FFO
      Impact on statement of financial position*: Possible balance sheet loss of > € 8,000 million
  • Dangerous impact on business development, previous business situation cannot be restored in the medium term
      Impact on profit and loss*: Possible loss of € 250 million to € 500 million in Group FFO
      Impact on statement of financial position*: Possible balance sheet loss of € 4,000 million to € 8,000 million
  • Temporarily impairs business development
      Impact on profit and loss*: Possible loss of € 100 million to € 250 million in Group FFO
      Impact on statement of financial position*: Possible balance sheet loss of € 1,600 million to € 4,000 million
  • Low impact, possibly leaving a mark on business development in one or more years
      Impact on profit and loss*: Possible loss of € 25 million to € 100 million in Group FFO
      Impact on statement of financial position*: Possible balance sheet loss of € 400 million to € 1,600 million
  • Minor impact on business development
      Impact on profit and loss*: Possible loss of € 5 million to € 25 million in Group FFO
      Impact on statement of financial position*: Possible balance sheet loss of € 80 million to € 400 million

* Understood as the possible financial loss over five years in accordance with the medium-term planning horizon.

This means that the threshold for risks that need to be reported has been increased from € 0.5 million to € 5 million in the period under review.

The expected probability of occurrence of the risks has also been reclustered. The previous classification of the probability of occurrence in four categories:

  • Very likely

has been switched to a system comprising five categories:

  • Very likely: It is to be assumed that the risk will materialize during the observation period. (> 95%)
  • The risk is likely to materialize during the observation period.
  • The risk could materialize during the observation period.
  • The risk is unlikely to materialize during the observation period.
  • Very unlikely: It is to be assumed that the risk will not materialize during the observation period. (< 5%)

The expected amount of loss and the probability of occurrence are classified within set ranges before action (gross) and after action (net) for each risk, documented in a Group-wide risk register and transferred to a heatmap.

Previous Valuation Model (Graphic)

The previous assessment model featuring a combined gross and net assessment was discontinued at the time of the report for the second half of the year. Since then, the risk reporting is based on the net assessment and the assignment of risks in the net heatmap, comprising five categories for both probability of occurrence and the expected amount of loss.

Net Heatmap (Graphic)

The term “top risks” (previously referred to as the “top 10 risks”) now refers to the risks assigned to the red and amber fields. These are reported to the Supervisory Board and published externally as part of the corporate reporting process. The risks assigned to the red fields are classified as threatening or endangering the company or its survival. The risks assigned to the amber fields are significant to the company. Red and amber risks are subject to intensive monitoring by the Management Board and the Supervisory Board. The risks assigned to the green fields are not material for the company.

As part of the risk recording process in the second half of 2019, we conducted an extensive aggregation process for individual risks with related content.

As part of risk management, we focused on material risks, combined with active risk management. If possible and necessary, new specific risk management measures were agreed and incorporated into a regular monitoring process to be conducted by Risk Controlling.

Regular risk monitoring by Risk Controlling ensures that risk management measures are implemented as planned.

At the same time as the methodological overhaul of the risk management system in the second half of 2019, a project to introduce new risk management software was launched. The new software is scheduled to be implemented in the first half of 2020.

(4) Internal Control System

The Internal Control System (ICS) comprises the basic principles, procedures and regulations aimed at supporting the effectiveness and cost-effectiveness of our business activities, ensuring due and proper, and reliable internal and external accounting, and ensuring compliance with the legal provisions that apply to the company.

All key processes at Vonovia are recorded and documented centrally with the help of a process management software solution. In addition to the relevant process steps, this documentation highlights key risks and controls in the interests of a process-oriented internal control system (ICS). It provides the binding basis for subsequent evaluations, audits and reporting to the executive bodies of Vonovia SE on the effectiveness of the ICS within the meaning of Section 107 (3) sentence 2 of the German Stock Corporation Act (AktG).

Overall responsibility for structuring and implementing the ICS lies with Vonovia’s Management Board. The Management Board delegates this responsibility to process and control owners. The Internal Audit department provides support in the establishment and further technical development of the ICS in addition to performing its primary audit duties in full. IT is responsible for providing technical and administrative support for the documentation software.

The aim of the accounting-related internal control and risk management system is to ensure due and proper and legally compliant financial reporting pursuant to the relevant regulations. The accounting-related internal control and risk management system is embedded in the overarching Group-wide risk management system.

Organizationally, responsibility for preparing the financial statements lies with the department of the Chief Financial Officer (CFO) and, in particular, with the Accounting department. Therefore, the Accounting department exercises the authority to lay down guidelines for the application of relevant accounting standards as well as for the content and timing of the steps in the financial statements preparation process.

From the organizational and systems side, the preparation of the financial statements for all companies included in the consolidated financial statements as well as the preparation of the consolidated financial statements themselves are performed in the central shared service centers, which ensures consistent and continual application of accounting principles in a uniform financial statement preparation process. Furthermore, the shared service center functions ensure that both content-related and organizational changes in the requirements are incorporated in the financial statement preparation process.

The financial statements of the companies included in the consolidated financial statements – with the exception of Sweden and France – are located in an SAP IT environment. They are largely subject to uniform charts of account, accounting guidelines, processes and process controls. The requirement for separation of functions and the dual-review principle are taken into appropriate account through preventive and also subsequent checks. The subsidiaries in Sweden and France report their data as part of a structured data recording process.

The relevant financial statement data of the individual companies are made available to the SAP consolidation module via an integrated, automated interface with comprehensive validation rules for further processing and preparation of the consolidated financial statements. An authorization concept is in place granting access to the financial statements in line with the respective job profile of the employee.

Newly acquired companies are incorporated into the internal control environment as part of a structured integration process, which includes integration in terms of both IT systems and processes relating to financial statements.

Once the financial statements have been drawn up, the annual and consolidated financial statements, including the consolidated management report, are submitted to the Audit Committee of the Supervisory Board. The Committee then makes a recommendation for the Supervisory Board to adopt or approve them. This examination may include discussion with the auditor and is subject to the auditor’s report. The Audit Committee is continually involved in the establishment and refinement of the accounting-related internal control and risk management system.

(5) Internal Audit

The system and control environment, business processes and the internal control system (ICS) are audited on a regular basis by Vonovia’s Group Audit department. The annual audit plan is based on a risk-oriented evaluation of all relevant audit areas of the Group (audit universe) and is approved by the Management Board and the Supervisory Board’s Audit Committee.

The audits conducted throughout the year focus on assessing the effectiveness of the control and risk management systems, identifying process improvements in order to minimize risks and ensuring the sustainability of Vonovia’s business activities. Corresponding special ad hoc audits are also performed in consultation with the Management Board. The internal reports are presented to the Management Board, the individuals responsible for the area reviewed and, in cases involving significant and serious findings, the risk manager and, where relevant, the compliance officer on a regular basis. The Audit Committee receives a quarterly summary of the audit results and measures. The implementation status of the agreed measures is monitored on an ongoing basis after the relevant due dates and is reported to the Management Board and the Audit Committee on a quarterly basis. A follow-up audit is conducted to ensure that any serious findings have been remedied.

The Internal Audit department also reviews the Sustainability Report and the Non-financial Declaration.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a private-sector U.S. organization. It was founded in 1985. In 1992, COSO published the COSO model, an SEC-recognized standard for internal controls. This provided a basis for the documentation, analysis and design of internal control systems. In 2004, the model was further developed and the COSO Enterprise Risk Management (ERM) Framework was published. Since then, it has been used to structure and develop risk management systems.

Group FFO

Group FFO reflects the recurring earnings from the operating business. In addition to the adjusted EBITDA for the Rental, Value-add, Recurring Sales and Development segments, Group FFO allows for recurring current net interest expenses from non-derivative financial instruments as well as current income taxes. This key figure is not determined on the basis of any specific international reporting standard but is to be regarded as a supplement to other performance indicators determined in accordance with IFRS.