The Managing Board of HeidelbergCement AG is obliged to set up and supervise an internal control and risk management system. The Managing Board also has overall responsibility for the scope and organisation of the established systems. The Supervisory Board and its Audit Committee also review the effectiveness of the risk management system on a regular basis.
HeidelbergCement has installed transparent regulations to govern competences and responsibilities for risk management that are based on the Group’s structure.
A code of conduct, guidelines, and principles apply across the Group for the implementation of systematic and effective risk management. The standardised internal control and risk management system at HeidelbergCement is based on financial resources, operational planning, and the risk management strategy established by the Managing Board. It comprises several components that are carefully coordinated and systematically incorporated into the structure and workflow organisation.
The essential elements of the risk management system are:
– documentation of the general conditions for a methodical, efficient risk management in a Group guideline. In addition to this Risk Management Policy, the Group’s Code of Business Conduct is concerned with the code of conduct and compliance standards to be observed.
– coordination of risk management in the Group Insurance & Corporate Risk department
– managers responsible for corporate risk at country level
– direct information and open communication of quantified risks between the Managing Board and country management
– standardised and regular reporting at Group and country level
Organisation of risk management at HeidelbergCement
[Organisation chart showing: Supervisory Board; Managing Board; Auditors 1); Group functions; Insurance & Corporate Risk; Reporting, Controlling & Consolidation; Other Group functions 2); Internal Audit; Group areas / Country management]
1) Part of the annual audit
2) Legal, Compliance, Tax, IT, Treasury, Corporate Finance, Human Resources, Strategy & Development, Marketing & Sales
Risk management process
In order to optimise risk management, we are employing comprehensive software across the Group to map the entire risk management process. By using this software, we have implemented the basic conditions for increasing transparency and efficiency in all phases of the risk management process and for contributing to audit security. The software helps us with, among other things, the clear representation of the Group structure and the assignment of appropriate local responsibilities, the systematic recording and tracking of risks as well as proposed countermeasures over time, or the provision of uniform evaluation schemes. The visualised risk data can now be consolidated in a timely manner, analysed flexibly and in various ways, and depicted using standardised risk reporting.
We plan to introduce risk management working groups for the clarification of specific issues and for the international exchange of information in order to further develop adequate risk awareness.
Identification and assessment of risks
The process of identifying risks is performed regularly on a decentralised basis by the country management and by the globally responsible Group functions. General macro-economic data as well as other industry-specific factors and risk information sources serve as auxiliary parameters for the identification process.
Appropriate thresholds for reporting relevant risks have been established for the individual countries, taking into account their specific circumstances. On the basis of our Group’s risk model and according to the defined risk categories, the risks are assessed with reference to a minimum probability of occurrence of 10 % and their potential extent of damage. The operational planning cycle is used as the base period for the probability forecast. In addition to this risk quantification, geared towards a duration of twelve months, there exists also an obligation to report on new and already known risks with medium- or long-term risk tendencies. The impacts on the key parameters – operating income, profit after tax, and cash flow – are used as a benchmark to assess damage potential. Both dimensions of risk assessment can be visualised by means of a risk map.
Dimensions of risk assessment
The underlying scaling is as follows:
Likelihood     Probability of occurrence
Unlikely       1 to 20 %
Seldom         21 % to 40 %
Possible       41 % to 60 %
Likely         61 % to 100 %

Impact         Definition of impact on business activity, financial performance and results of operations, and cash flow
Low            Negligible negative impact (≤ €20 million)
Moderate       Limited negative impact (> €20 million)
Significant    Significant negative impact (> €120 million)
Critical       Harmful negative impact (> €220 million)
[Risk map: impact (Low, Moderate, Significant, Critical) plotted against likelihood (Unlikely, Seldom, Possible, Likely), with risk classified as Low, Medium or High]
The risk statement also includes risks that do not have a direct impact on the financial situation, but that can have an effect on non-monetary factors such as reputation or strategy. In the case of risks that cannot be directly calculated, the potential extent of damage is assessed on the basis of qualitative criteria such as low risk or risks constituting a threat to the Group’s existence. The process of regular identification is supplemented with an ad-hoc risk report in the event of the sudden occurrence of serious risks or of sudden damage caused. This can arise, in particular, in connection with political events, trends in the financial markets, or natural disasters.
Aggregating, reporting, monitoring, and controlling risks
The quantitative, updated risk reports for all business lines in our Group countries are presented to the Managing Board on a quarterly basis within the framework of central management reporting to ensure that risks are monitored in a structured and continuous way. Correlations between individual risks and events are considered at local level as far as possible. The quarterly management meetings provide a platform for the Managing Board and responsible country managers to discuss and determine appropriate risk control measures promptly. Decisions are thus made as to which risks will be intentionally borne independently and which will be transferred to other risk carriers, as well as which measures are suitable for reducing or avoiding potential risks.
The Group Insurance & Corporate Risk department is responsible for coordinating the risk management processes. It summarises all significant quantitative and qualitative risks for countries and Group functions on a quarterly basis in a central risk map. The Group’s detailed risk report is presented to the Managing Board once a year. In addition, interim reporting to the Supervisory Board is effected in the course of the year.
Monitoring and adjustments
The Group Internal Audit department systematically examines and assesses risk management to help increase risk awareness. In addition, the auditor carries out an examination of the risk management system as part of the annual audit in accordance with legal guidelines to determine whether the monitoring system is capable of identifying in good time any issues that could threaten the Group’s existence. The Managing Board also regularly informs the Supervisory Board and its Audit Committee about the risk situation.