Risk management details clearly defined
We ensure the coordinated application of risk management tools by setting out all relevant facts in our corporate regulation. These include the Articles of Association and by-laws of group companies, internal group guidelines and our group-wide risk management guideline, which defines
- the risk management framework (terms, basic structure, strategy, principles),
- the risk management organisation (roles and responsibilities, risk units),
- processes (risk identification, assessment and management),
- risk reporting as well as
- monitoring and controlling the effectiveness of risk management.
Based on the internationally recognised COSO II standard, the risk management framework addresses the 3 levels of risk management: corporate objectives, processes and organisation.
The first level of risk management relates to the clustering of corporate objectives. METRO has defined the following clusters:
- Strategic objectives related to safeguarding the company’s future economic viability (strategy cluster)
- Operational objectives related to the attainment of set key performance metrics (operations cluster)
- Corporate management objectives related to compliance with laws, regulations, internal guidelines and specified procedures (governance cluster)
- Objectives related to appropriate preparations to mitigate event risks such as breakdowns, business interruptions and other crisis events (events cluster)
On the second risk management level – the process level – the definition of objectives also serves as the starting point for risk mapping. In this context, we identify, classify and manage risks that would jeopardise or inhibit the achievement of our objectives, should they materialise. We also work with a list of standardised risks which must be assessed by the risk units. This ensures that all typical operational risks that apply to our business operations are validated. As a rule, we consider all external and internal risks.
On the third level, clusters are delineated in terms of functional categories based on the group’s organisational structures, such as procurement, sales, human resources or real estate. We generally assess risks over a prospective 1-year period; strategic risks cover at least the medium-term planning horizon (3 years). METRO monitors and assesses longer-term risks and opportunities, for example related to climate change, using its issues management system. The Corporate Public Policy department’s Issues Management unit continuously monitors and identifies topics of special interest and media issues of relevance to the group. This enables us to address the public debate with swift, clear and uniform statements. The group’s issues management and risk management systems are closely interconnected.
Risk classification
All identified risks are classified based on uniform standards and quantitative and qualitative indicators with regard to the potential extent of damages (detrimental effects on our corporate objectives; the key performance indicator is currently EBIT, to be switched to EBITDA in the future) and probability of occurrence. We break risks down into the following 4 risk categories:
| Loss potential | |
|---|---|
| Material | > €300 million |
| Significant | > €100–300 million |
| Moderate | > €50–100 million |
| Slight | ≤ €50 million |

| Probability of occurrence | |
|---|---|
| Likely | > 50% |
| Possible | > 25–50% |
| Low | ≥ 10–25% |
| Unlikely | < 10% |

All risks are assessed on the basis of their potential impact at the time of the risk analysis and before potential risk-minimising measures (presentation of gross risks, meaning before the implementation of risk-limitation measures).
Risk units
On the organisational level, we determine the corporate units responsible for setting objectives in a clearly defined area as well as for identifying, classifying and managing risks. METRO’s risk management defines these areas in line with the corporate organisation using independent risk units – generally companies – as well as in terms of function using categories that are responsible for a certain operational function or administrative task. The risk units cover all essential entities of the consolidation group included in the consolidated financial statements.