Risk management details clearly defined

The coordinated use of measures within risk management is ensured by the fact that all relevant specifications for the structural and procedural organisation are compiled in sets of rules. These include the Articles of Association and Code of Procedure of group companies, internal group guidelines and our group-wide risk management guideline, which defines

  • the risk management framework (terms, basic structure, strategy, principles),
  • the risk management organisation (roles and responsibilities, risk units),
  • processes (risk identification, assessment and management),
  • risk reporting as well as
  • monitoring and control of the effectiveness of risk management.

Based on the internationally recognised II standard, the risk management framework addresses the 3 levels of risk management: corporate objectives, processes and organisation. The update to the COSO II standard published in 2018 is taken into account.

The first level of risk management relates to the clustering of corporate objectives. METRO has defined the following clusters:

  • Strategic objectives related to safeguarding the company’s future economic viability (strategy cluster)
  • Operational objectives related to the attainment of set key performance metrics (operations cluster)
  • Corporate management objectives related to with laws, regulations, internal guidelines and specified procedures ( cluster)
  • Objectives related to appropriate preparations to mitigate event risks such as breakdowns, business interruptions and other crisis events (events cluster)

At the 2nd level of risk management, the process level, we use a catalogue of standard risks that must be assessed by the risk units in a binding manner. This ensures that all typical operational risks that apply to our business operations are validated. Additionally, companies supplement their company-specific risks.

On the 3rd risk management level, clusters are delineated in terms of functional categories based on the group’s organisational structures, such as procurement, sales, human resources or real estate as well as an assignment to group companies.

Risk classification

All identified risks are classified based on uniform standards and quantitative and qualitative indicators with regard to loss potential (detrimental effects on our corporate objectives, the key performance indicator is ) and probability of occurrence. We break risks down into the following 4 risk categories:

Loss potential



> €300 million


> €100−300 million


> €50−100 million


≤ €50 million

Probability of occurrence



> 50%


> 25–50%


≥ 10–25%


< 10%

All risks are assessed on the basis of their potential impact at the time of the risk analysis and before potential risk-minimising measures (presentation of gross risks). We generally assess risks over a prospective 1-year period; strategic risks cover at least the medium-term planning horizon of 3 years. METRO monitors and assesses longer-term opportunities and risks, for example related to climate change or political risks, using its issues management system.

Risk units

On the organisational level, we determine the corporate units responsible for setting objectives in a clearly defined area as well as for identifying, classifying and controlling risks. METRO’s risk management defines these areas in line with the corporate organisation using independent risk units – generally companies – as well as in terms of function using categories that are responsible for a certain operational function or administrative task. The risk units cover all essential companies of the consolidation group included in the consolidated financial statements.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
US-based private-sector organisation that developed and published a standard for internal controls in 1992 that is recognised by the U.S. Securities and Exchange Commission. In 2004, this standard was updated and the COSO ERM (Enterprise Risk Management – Integrated Framework), also known as COSO II, was published.
All measures specifying a company’s and its employees’ behaviour in accordance with legislation, established social guidelines and values.
Statutory and factual regulatory framework for the management and supervision of a company.
EBIT (Earnings Before Interest and Taxes)
Profit or loss before financial result and (income) taxes. Due to its independence from different forms of financing and tax systems, this key figure can also be used for international comparison with other companies.