G16 Risk management
Taking calculated risks is an integral part of the development of any company. Umicore’s Board of Directors is ultimately responsible for assessing the risk profile of the Company within the context of the Company strategy and external factors such as market conditions, competitor positioning and technology developments, and for ensuring that adequate processes are in place to manage these risks. Umicore’s management is tasked with successfully exploiting business opportunities whilst at the same time limiting possible business losses. In order to achieve this, Umicore operates a comprehensive risk management system. The aim of this system is to enable the Company to identify risks in a proactive and dynamic way and to manage or mitigate these identified risks to an acceptable level wherever this is possible. Internal control mechanisms exist throughout Umicore to provide management with reasonable assurance of the Company’s ability to achieve its objectives. These controls cover the effectiveness and efficiency of operations, the reliability of financial processes and reporting, and compliance with laws and regulations, and provide for the mitigation of errors and fraud risks.
16.1 Risk management process
Each of Umicore’s business units operates in an environment which carries specific growth expectations and differing degrees of market and technological uncertainty. Therefore, the primary source of risk identification lies with the business units themselves.
The first step in the risk management process is to enable and channel the identification of the various material risks. Umicore has established a business risk assessment process to be undertaken by each business unit and corporate department. The process requires that all units carry out a risk scan in order to identify all significant risks (financial and non-financial) that might affect the ability of the business unit to meet its objectives as set out in its strategic plans. The process then requires that each of these risks be described in detail in a risk card. Besides the assessment of potential impact and likelihood, the risk card also contains information on the status of any management action or mitigation plan and the ownership thereof.
These risk cards are then fed back to the member of the Executive Committee responsible for that particular business area. A consolidated review takes place at the level of the Executive Committee, the outcome of which is presented to the Audit Committee and to the Board of Directors. The Audit Committee, on behalf of the Board of Directors, carries out an annual review of the Company’s internal control and risk management systems and looks into specific aspects of internal control and risk management on an ongoing basis.
Each business unit and corporate department is responsible for the mitigation of its own risks. The Executive Committee intervenes in cases where managing a certain risk is beyond the capacities of a particular business unit. The Executive Committee and the Chief Executive Officer are also responsible in a broader context for identifying and dealing with those risks that affect the broader group such as strategic positioning, funding or macroeconomic risks. A specific monitoring role is given to Umicore’s Internal Audit department in order to provide oversight for the risk management process.
16.2 Internal control system
Umicore adopted the COSO framework for its Enterprise Risk Management and has adapted its various control constituents within its organization and processes. “The Umicore Way” (http://www.umicore.com/en/vision/values/) and the “Code of Conduct” are the cornerstones of the Internal Control environment; together with the concept of management by objectives and through the setting of clear roles and responsibilities, they establish the operating framework for the Company.
Specific internal control mechanisms have been developed by business units at their level of operations, while shared operational functions and corporate services provide guidance and set controls for cross-organizational activities. These give rise to specific policies, procedures and charters covering areas such as supply chain management, human resources, information systems, environment, health and safety, legal, corporate security and research and development.
Umicore operates a system of Minimum Internal Control Requirements (MICR) to specifically address the mitigation of financial risks and to enhance the reliability of financial reporting.
Umicore’s MICR framework requires all Group entities to comply with a uniform set of internal controls in 12 processes. Within the Internal Control framework, specific attention is paid to the segregation of duties and the definition of clear roles and responsibilities. MICR compliance is monitored by means of annual self-assessments to be signed off by senior management. The outcome is reported to the Executive Committee and to the Audit Committee of the Board of Directors. Up until 2014, the control entities (on average 130 entities) aimed at reaching the established compliance threshold for each control activity. The Internal Audit department reviews the compliance assessments during its missions.
During 2015, the self-assessment process was redesigned in order to move from a judgemental to an objective methodology by using questionnaires. The first tests of the new self-assessment occurred successfully towards the end of 2015. In parallel, the requirements are being re-edited in order to simplify them and to bring even more focus on segregation of incompatible tasks.