Risk management details clearly defined

We ensure the coordinated application of risk management tools by setting out all relevant facts in our corporate regulation. These include the Articles of Association and Code of Procedure of group companies, internal group guidelines and our group-wide risk management guideline, which defines

  • the risk management framework (terms, basic structure, strategy, principles),
  • the risk management organisation (roles and responsibilities, risk units),
  • processes (risk identification, assessment and management),
  • risk reporting as well as
  • monitoring and controlling the effectiveness of risk management.

Based on the internationally recognised COSO II standard, the risk management framework addresses the 3 levels of risk management: corporate objectives, processes and organisation.

The first level of risk management relates to the clustering of corporate objectives. METRO has defined the following clusters:

  • Strategic objectives related to safeguarding the company’s future economic viability (strategy cluster)
  • Operational objectives related to the attainment of set key performance metrics (operations cluster)
  • Corporate management objectives related to compliance with laws, regulations, internal guidelines and specified procedures (governance cluster)
  • Objectives related to appropriate preparations to mitigate event risks such as breakdowns, business interruptions and other crisis events (events cluster)

On the second risk management level (the process level), the definition of objectives also serves as the starting point for risk mapping. In this context, we identify, classify and manage risks that would jeopardise or inhibit the achievement of our objectives, should these risks materialise. We also work with a list of standardised risks which must be assessed by the risk units. This ensures that all typical operational risks that apply to our business operations are validated. As a rule, we consider all external and internal risks.

On the third risk management level, clusters are delineated in terms of functional categories based on the group’s organisational structures, such as procurement, sales, human resources or real estate. We generally assess risks over a prospective 1-year period; strategic risks cover at least the medium-term planning horizon (3 years). METRO monitors and assesses longer-term risks and opportunities, for example related to climate change, using its issues management system. The Corporate Public Policy department’s Issues Management unit continuously monitors and identifies topics of special interest and media issues of relevance to the group. This enables us to address the public debate with swift, clear and uniform statements. The group’s issues management and risk management systems are closely interconnected.

Risk classification

All identified risks are classified based on uniform standards and quantitative and qualitative indicators with regard to loss potential (detrimental effects on our corporate objectives; the key performance indicator is currently EBIT) and probability of occurrence. We break risks down into the following 4 risk categories:

Loss potential

  • Significant: > €300 million
  • Major: > €100−300 million
  • Moderate: > €50−100 million
  • Minor: ≤ €50 million

Probability of occurrence

  • Probable: > 50%
  • Possible: > 25–50%
  • Low: ≥ 10–25%
  • Unlikely: < 10%

All risks are assessed on the basis of their potential impact at the time of the risk analysis and before potential risk-minimising measures (presentation of gross risks, meaning before the implementation of risk-limitation measures).

Risk units

On the organisational level, we determine the corporate units responsible for setting objectives in a clearly defined area as well as for identifying, classifying and managing risks. METRO’s risk management defines these areas in line with the corporate organisation using independent risk units – generally companies – as well as in terms of function using categories that are responsible for a certain operational function or administrative task. The risk units cover all essential entities of the consolidation group included in the consolidated financial statements.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
US-based private-sector organisation that developed and published a standard for internal controls in 1992 that is recognised by the US Securities and Exchange Commission. In 2004, this standard was updated and the COSO ERM (Enterprise Risk Management – Integrated Framework), also known as COSO II, was published.
Compliance
All measures specifying a company’s and its employees’ behaviour in accordance with legislation, established social guidelines and values.