Risk Management Structure and Instruments
The market environment and the overall statutory/regulatory conditions to which Vonovia is subject are constantly changing. Vonovia is also developing on an ongoing basis with the implementation of the strategy and the associated business activities. This means that new opportunities and risks arise on a regular basis, and that the extent of existing opportunities and risks can change at any time.
As a result, Vonovia has implemented a comprehensive risk management system that ensures that all of the risks that are relevant to the company can be identified, evaluated and managed. This reduces risk potential, secures the company’s survival, supports its strategic further development and promotes responsible entrepreneurial action.
Risks are defined as possible events or developments that could have a negative impact on the company’s expected economic development and, as a result, could lead to a negative deviation from the short-term plans (budget and forecasts) and the company’s medium-term plans (five-year plan).
Opportunities are possible events or developments that could have a positive impact on the company’s expected economic development.
In the 2020 fiscal year, the company’s risk management system was enhanced and brought into line with the aspects of sustainability added to corporate strategy. This also involved explicitly including sustainability risks in the risk management system. Details are set out in Section (3) Risk Management System. Overall, Vonovia’s risk management system is based on an integrated five-pillar risk management approach.
(1) Performance Management
Differentiated and high-quality corporate planning and appropriate reporting on deviations between the actual and target operational and financial key figures from Controlling constitute the backbone of the early warning system used at the company. Analyses are made of the business performance compared with the plans approved by the Supervisory Board and the previous year. Furthermore, a forecast is prepared regularly which takes appropriate account of the effect of any potential risks and opportunities on the development of business. Reporting includes detailed monthly controlling reports to the Management Board and the Supervisory Board. The operational business is described in regular reports on key figures, some of which are drawn up on a weekly or daily basis. On the basis of these reports and the deviations that they highlight between the actual and target figures, countermeasures are implemented and then checked in subsequent reporting periods to ensure they are effective.
(2) Compliance Management
Compliance means that the company, its bodies and employees act in line with the applicable rules and regulations. For the Management Board, compliance with statutory law and the observance of internal guidelines are the basis of corporate management and culture. Compliance is to ensure the integrity of employees, customers and business partners and avoid possible negative consequences for the company.
The management and monitoring of Vonovia is based on the relevant statutory requirements, the Articles of Association and the rules of procedure for the Supervisory Board and the Management Board. They form the basis for the company’s internal rules and guidelines, adherence to which is monitored by a central compliance management system and administered by a guideline management team that forms part of the Legal department.
The guidelines describe clear organizational and monitoring structures with specified responsibilities and appropriately installed checks. The legally compliant behavior of all employees in the business processes is ensured by suitable control procedures and supervision by managers. The company has also put in place a compliance management system based on IDW (Institute of Public Auditors in Germany) standard PS 980 and has appointed a central compliance officer, whose remit focuses on identifying compliance risks, taking suitable measures to avoid and detect these risks and taking appropriate action in response to compliance risks (compliance program).
In terms of specific content, the main features of the compliance management system are Vonovia’s Code of Conduct, which focuses on ethical values and statutory requirements and reinforces the personal responsibility of employees, Vonovia’s Compliance Guidelines and a Business Partner Code setting out requirements that the company’s contractual partners have to meet. An external ombudsman is available to all employees and business partners as a confidant in respect of compliance matters.
(3) Risk Management System
Vonovia’s strategy has a sustainable and long-term focus. As a result, Vonovia pursues a conservative risk strategy in its business activities. This does not mean minimizing risks, but rather promoting entrepreneurial and responsible action and ensuring the necessary transparency with regard to any possible risks.
In the second half of 2020, Vonovia enhanced the content of its existing risk management system and brought it into line with its corporate strategy, to which sustainability aspects had been added. For the ESG risks, not only the effect of the risks on Vonovia (outside-in view), but also the effect on the environment and society (inside-out view) were added. A materiality analysis was used in the 2020 fiscal year to investigate potential ESG (Environmental, Social, Governance) risks for the first time and assess their materiality. The updated sustainability targets are at the heart of Vonovia’s new corporate strategy. We aim to focus our activities on reducing CO2 emissions and on areas of action that will help us to achieve a climate-neutral housing stock, on specific neighborhood strategies, customer satisfaction and service quality, our appeal as an employer, governance and compliance aspects. Accordingly, a non-financial key figure, the Sustainability Performance Index, has been included in the management system as a key performance indicator with effect for the 2021 fiscal year. Details can be found in the chapter on our management system.
The risk management system supports all employees in their day-to-day work in accordance with Vonovia’s mission statement. It ensures the early identification, assessment, management and monitoring of all risks within the Group that exceed the short-term financial risks dealt with by the Performance Management pillar and could pose a risk not only to the company’s results of operations and net assets, but also to intangible assets. This means that potential risks which might impair the value and/or development of the company can be identified at an early stage. Early warning indicators that are specific to the environment and the company are taken into account, as are the observations and regional knowledge of our employees.
The operational management of the risk management system falls within the remit of the Head of Controlling, who is responsible for Risk Controlling. He reports to the Chief Financial Officer (CFO). Risk Controlling initiates the software-supported, periodic risk management process and consolidates and validates the risks reported. It is also responsible for validating the risk management measures and monitoring their implementation. Risk Controlling works with the individual risk owners to define early warning indicators that are used to monitor actual developments with regard to certain risks.
The risk owners are the managers at the level directly below the Management Board. They are responsible for identifying, evaluating, managing, monitoring, documenting and communicating all risks in their sphere of responsibility. They are also responsible for recording and reporting all risks in the company’s risk tool based on the defined reporting cycles (generally on a half-yearly or ad hoc basis, insofar as is necessary).
Based on a half-yearly risk inventory taken in the first and third quarters of a fiscal year Risk Controlling prepares a risk report for the Management Board and the Supervisory Board. It also simulates major risk developments and their impact on the corporate plans and objectives.
This reporting system ensures that both managers and supervisory bodies are comprehensively informed. In this way, misguided developments can be recognized in good time and counteraction taken at an early stage. Should significant risks occur unexpectedly, they are reported directly to the Management Board and the Supervisory Board on an ad hoc basis.
The risk management system is updated and refined on a regular basis and is also adjusted to reflect changes at the company. The effectiveness of the risk management system is analyzed in regular audits.
In organizational terms, risk management is assigned directly to the Management Board. The Management Board has overall responsibility in this regard. It decides on the organizational structures and workflows of risk management and provision of resources. It approves the documented risk management findings and takes account of them in steering the company. The Audit Committee of the Supervisory Board monitors the effectiveness of the risk management system.
The risk management system looks at all activities in the risk management process, i.e.,
- Risk identification
- Risk assessment
- Risk aggregation
- Risk management
- Risk monitoring.
Based on the COSO Framework, a risk universe with the following four main risk categories has been defined to facilitate risk identification: strategy, regulatory environment & overall statutory framework, operating business and financing (including accounting and tax). A structured risk catalog has been assigned to each of these categories.
When it comes to assessing risk, a distinction is made between risks with an impact on profit and loss and those affecting the balance sheet. Risks with an impact on profit and loss have a negative effect on the company’s sustained earnings power and, as a result, on Group FFO. In general, these risks also have an impact on liquidity. Risks affecting the balance sheet do not impact Group FFO. In particular, these risks can be such that they do not affect liquidity, e.g., because they only impact property values.
If possible, risk assessments are always to be performed in quantitative terms. If this was difficult to achieve or not possible, a qualitative assessment was performed using a detailed matrix comprising five loss categories. The expected amount of loss is classified to one of five categories:
Category |
Class |
Description |
Impact on profit and loss* |
Impact on statement of financial position* |
||
---|---|---|---|---|---|---|
|
|
|
|
|
||
Very high |
5 |
Threatens the company’s existence |
Possible loss of > € 500 million in Group FFO |
Possible balance sheet loss of |
||
High |
4 |
Dangerous impact on business development, previous business situation cannot be restored in the medium term |
Possible loss of € 250 million to € 500 million in Group FFO |
Possible balance sheet loss of € 4,000 million to € 8,000 million |
||
Considerable |
3 |
Temporarily impairs business development |
Possible loss of € 100 million to € 250 million in Group FFO |
Possible balance sheet loss of € 1,600 million to € 4,000 million |
||
Noticeable |
2 |
Low impact, possibly leaving a mark on business development in one or more years |
Possible loss of € 25 million to € 100 million in Group FFO |
Possible balance sheet loss of € 400 million to € 1,600 million |
||
Low |
1 |
Minor impact on business development |
Possible loss of € 5 million to € 25 million in Group FFO |
Possible balance sheet loss of € 80 million to € 400 million |
||
|
Five clusters have been defined for the expected probability of occurrence.
Category |
Class |
Definition |
Probability |
---|---|---|---|
|
|
|
|
Very likely |
5 |
It is to be assumed that the risk will materialize during the observation period. |
95% |
Likely |
4 |
The risk is likely to materialize during the observation period. |
60–95% |
Possible |
3 |
The risk could materialize during the observation period. |
40–59% |
Unlikely |
2 |
The risk is unlikely to materialize during the observation period. |
5–39% |
Very unlikely |
1 |
It is to be assumed that the risk will not materialize during the observation period. |
< 5% |
|
|
|
|
The expected amount of loss and the probability of occurrence are classified within the set ranges before action (gross) and after action (net) for each risk, documented in a risk tool and transferred to a heatmap there. Risk reporting is based on the net assessment and the assignment of risks in the net heatmap, comprising five categories for both probability of occurrence and the amount of loss.
The term “top risks” refers to the risks assigned to the red and amber fields. These are reported to the Supervisory Board and published as part of the external reporting process. The risks assigned to the red fields are classified as threatening or endangering the company or its survival. The risks assigned to the amber fields are significant to the company. Red and amber risks are subject to intensive monitoring by the Management Board and the Supervisory Board. The risks assigned to the green fields are less significant to the company.
As part of risk management, we focus on material risks, combined with active risk management. If possible and necessary, specific risk management measures are agreed and incorporated into a regular monitoring process to be conducted by Risk Controlling.
Regular risk monitoring by Risk Controlling ensures that risk management measures are implemented as planned.
(4) Internal Control System
The Internal Control System (ICS) comprises the basic principles, procedures and regulations aimed at supporting the effectiveness and cost-effectiveness of our business activities, ensuring due and proper and reliable internal and external accounting and ensuring compliance with the legal provisions that apply to the company.
All key processes at Vonovia are recorded and documented centrally with the help of a process management software solution. In addition to the relevant process steps, this documentation highlights key risks and controls in the interests of a process-oriented internal control system (ICS). It provides the binding basis for subsequent evaluations, audits and reporting to the executive bodies of Vonovia SE on the effectiveness of the ICS within the meaning of Section 107 (3) sentence 2 of the German Stock Corporation Act (AktG).
Overall responsibility for structuring and implementing the ICS lies with Vonovia’s Management Board. The Management Board delegates this responsibility to process and control owners. The Internal Audit department provides support in the further technical development of the ICS in addition to performing its primary audit duties in full. Internal Audit is responsible for providing technical support for the documentation software, with administrative support being provided by IT.
The aim of the accounting-related internal control and risk management system is to ensure due and proper and legally compliant financial reporting pursuant to the relevant regulations. The accounting-related internal control and risk management system is embedded in the overarching Group-wide risk management system.
Organizationally, responsibility for preparing the financial statements lies with the Chief Financial Officer’s (CFO) department and, in particular, with the Accounting department. Therefore, the Accounting department exercises the authority to lay down guidelines for the application of relevant accounting standards as well as for the content and timing of the steps in the financial statements preparation process.
From the organizational and systems side, the preparation of the financial statements for all companies included in the consolidated financial statements as well as the preparation of the consolidated financial statements themselves are performed in the central shared service centers, which ensures consistent and continual application of accounting principles in a uniform financial statement preparation process. Furthermore, through the shared service center functions it is ensured that both content and organizational changes in the requirements are incorporated in the financial statement preparation process.
The financial statements of the companies included in the consolidated financial statements – with the exception of the companies in Sweden and the investments in France and the Netherlands – are located in an IT SAP environment. They are subject largely to uniform charts of account, accounting guidelines, processes and process controls. The requirement of separation of functions and the dual-review principle are taken appropriate account of with preventive and also subsequent checks. The subsidiaries in Sweden and the investments in France and the Netherlands report their data as part of a structured data recording process.
The relevant financial statement data of the individual companies are made available to the SAP consolidation module via an integrated, automated interface with comprehensive validation rules for further processing and preparation of the consolidated financial statements. An authorization concept is in place granting access to the financial statements in line with the respective job profile of the employee.
Newly acquired companies are incorporated into the internal control environment as part of a structured integration process, which includes integration in terms of both IT systems and processes relating to financial statements.
Once the financial statements have been drawn up, the annual and consolidated financial statements, including the consolidated management report, are submitted to the Audit Committee of the Supervisory Board. The Committee then makes a recommendation for the Supervisory Board to adopt or approve them. This examination may include discussion with the auditor and is subject to the auditor’s report. The Audit Committee is continually involved in the establishment and refinement of the accounting-related internal control and risk management system.
(5)Internal Audit
The system and control environment, business processes and the internal control system (ICS) are audited on a regular basis by Vonovia’s Group Audit department. The annual audit plan is based on a risk-oriented evaluation of all relevant audit areas of the Group (audit universe) and is approved by the Management Board and the Supervisory Board’s Audit Committee.
The audits conducted throughout the year focus on assessing the effectiveness of the control and risk management systems, identifying process improvements in order to minimize risks and ensuring the sustainability of Vonovia’s business activities. Corresponding special ad hoc audits are also performed in consultation with the Management Board. The internal reports are presented to the Management Board, the individuals responsible for the area reviewed and, in cases involving significant and serious findings, the risk manager and, where relevant, the compliance officer on a regular basis. The Audit Committee receives a quarterly summary of the audit results and measures. The implementation status of the agreed measures is monitored on an ongoing basis after the relevant due dates and is reported to the Management Board and the Audit Committee on a quarterly basis. A follow-up audit is conducted to ensure that any serious findings have been remedied.