Risk management details clearly defined
The coordinated use of measures within risk management is ensured by the fact that all relevant specifications for the structural and procedural organisation are compiled in sets of rules. These include the Articles of Association and Code of Procedure of group companies, internal group guidelines and our group-wide risk management guideline, which defines
- the risk management framework (terms, basic structure, strategy, principles),
- the risk management organisation (roles and responsibilities, risk units),
- processes (risk identification, assessment and management),
- risk reporting as well as
- monitoring and control of the effectiveness of risk management.
Based on the internationally recognised COSO II standard, the risk management framework addresses the 3 levels of risk management: corporate objectives, processes and organisation. The update to the COSO II standard published in 2018 is taken into account.
The first level of risk management relates to the clustering of corporate objectives. METRO has defined the following clusters:
- Strategic objectives related to safeguarding the company’s future economic viability (strategy cluster)
- Operational objectives related to the attainment of set key performance metrics (operations cluster)
- Corporate management objectives related to compliance with laws, regulations, internal guidelines and specified procedures (governance cluster)
- Objectives related to appropriate preparations to mitigate event risks such as breakdowns, business interruptions and other crisis events (events cluster)
At the 2nd level of risk management, the process level, we use a catalogue of standard risks that must be assessed by the risk units in a binding manner. This ensures that all typical operational risks that apply to our business operations are validated. In addition, companies supplement the catalogue with their company-specific risks.
On the 3rd risk management level, clusters are delineated in terms of functional categories based on the group’s organisational structures, such as procurement, sales, human resources or real estate as well as an assignment to group companies.
Risk classification
All identified risks are classified based on uniform standards and quantitative and qualitative indicators with regard to loss potential (detrimental effects on our corporate objectives; the key performance indicator is EBIT) and probability of occurrence. We break risks down into the following 4 risk categories:
Loss potential | |
---|---|
Material | > €300 million |
Significant | > €100−300 million |
Moderate | > €50−100 million |
Minor | ≤ €50 million |

Probability of occurrence | |
---|---|
Likely | > 50% |
Possible | > 25–50% |
Low | ≥ 10–25% |
Unlikely | < 10% |
All risks are assessed on the basis of their potential impact at the time of the risk analysis and before potential risk-minimising measures (presentation of gross risks). We generally assess risks over a prospective 1-year period; strategic risks cover at least the medium-term planning horizon of 3 years. METRO monitors and assesses longer-term opportunities and risks, for example related to climate change or political risks, using its issues management system.
Risk units
On the organisational level, we determine the corporate units responsible for setting objectives in a clearly defined area as well as for identifying, classifying and controlling risks. METRO’s risk management defines these areas in line with the corporate organisation using independent risk units – generally companies – as well as in terms of function using categories that are responsible for a certain operational function or administrative task. The risk units cover all essential companies of the consolidation group included in the consolidated financial statements.