The aim of our risk management and internal control structure is to find the right balance between an effective, professional enterprise and the risk profile that we are aiming for as a business. Our risk management and internal controls, based on the COSO Enterprise Risk Management Framework, make a significant contribution to the prompt identification and adequate management of strategic and market risks. They also support us in achieving our operational and financial targets and in complying with the applicable laws and regulations.
The Executive Board, under the supervision of the Supervisory Board, has the ultimate responsibility for Vopak’s risk management and internal control structure. The divisional management teams are responsible for implementing the strategy, achieving results, identifying underlying opportunities and risks and ensuring effective operations. They have to act in accordance with the policy and standards set by the Executive Board, in which they are supported by corporate departments.
Divisional management teams have risk management integrated in their strategic, tactical and operational business activities. Opportunities and risks assessments and follow-up actions to mitigate the risks identified are discussed as part of the standard management review cycles. The quality of these activities is regularly audited. At a corporate level, the ERM process is coordinated, the ERM information analyzed, consolidated and reported to the Executive Board, to the divisional management teams and to corporate functional directors.
The Executive Board approves the annual budget and two-year plans for each division. These budgets contain clear objectives for each of the three strategic pillars, risks and opportunities, activities and performance indicators. It also designates the ultimate responsibility to the managers. To avoid execution risk, the Executive Board discusses the conditions (enablers) with the divisions. Each quarter, the Executive Board and the Divisional Management Team discuss the progress made on implementing the company’s strategy, business plans, key performance indicators, quarterly results, key risks, opportunities and mitigating measures taken. At the end of the year, terminal and divisional managers use the Control Risk Self-Assessment to assess how effective the risk management and internal control structures have been. The results and trend analyzes are discussed with the Executive Board. The Executive Board, which bears ultimate responsibility for the proper functioning of the risk management and the internal control structure, discusses the company’s results, key performance indicators and strategy (and adjustments to it), the outcomes and effectiveness of risk management and the internal control structure with the Audit Committee and the Supervisory Board. Corporate Internal Audit provides further assurance on the functioning of risk management and the internal control framework. The external auditor assesses the internal controls over financial reporting to the extent that an assessment is efficient for his financial statement’s audit. The results are discussed with the Audit Committee. Management of our terminals, divisions and the Executive Board sign Letters of Representation at the end of each half year and full year.