Risk management system and internal control system

A prerequisite for the long-term success of our company is to identify opportunities and risks at an early stage and to exploit or manage them.

The Management Board of METRO AG bears overall responsibility for an effective risk management system (RMS) and an effective internal control system (ICS).

The RMS and the ICS of METRO are implemented by the Group Governance department based on the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the requirements of the standards 981 and 982 of the Institut der Wirtschaftsprüfer in Deutschland e. V. (IDW, Institute of Public Auditors in Germany). Accordingly, the management systems consist of the following elements:

Risk management system and internal control system (graphic)

Objectives of the RMS and ICS

The overarching objectives of the RMS and ICS are to protect assets and support sustainable growth for METRO. The RMS supports these objectives through systematic reporting on opportunities and risks. It facilitates informed decisions and creates transparency. The ICS supports the aforementioned objectives by creating reliable operational and financial processes in order to ensure the accuracy, completeness and timeliness of financial reporting in particular and compliance with laws and guidelines.

Organisation of the RMS and ICS

Group-wide RMS and ICS tasks and responsibilities are clearly defined and reflect our corporate structure. We combine centralised business management by the management holding company METRO AG with the decentralised responsibility of the METRO national subsidiaries and the service companies that support the operational business.

It is the responsibility and a legal obligation of the Management Board of METRO AG to organise a governance, risk and compliance system (GRC system) for METRO. We regard the risk management system, the internal control system, the compliance management system (CMS) as well as Internal Audit to be components of the GRC system. This organisational structure is based on the governance elements identified in § 107 Section 3 of the German Stock Corporation Act (AktG) as well as the German Corporate Governance Code. The fundamental principles of the GRC system are defined and documented in our governance, risk and compliance guideline. On this basis, we continuously work on increasing the efficiency and effectiveness of the GRC system.

The group’s Governance, Risk and Compliance Committee (GRCC) is chaired by the Chief Financial Officer of METRO AG and regularly discusses methods and further developments of the GRC subsystems. The structural and procedural organisation of the RMS and the ICS is clearly defined in the relevant guidelines and implemented throughout the group.

Identification, assessment and steering of risks

We only assume business risks if they are considered to be manageable and if the associated opportunities promise an appropriate increase in our value. We bear the risks associated with the core processes of the wholesale business ourselves. These core processes include the development and implementation of business models, decisions about store locations and the procurement and sale of merchandise and services. Risks associated with supporting processes are mitigated within the group or transferred to third parties where reasonable. We generally do not assume risks that are related neither to core nor to supporting processes. Risks assessed as probable are included in our business plans.

Risks are identified and assessed in the annual risk inventory for METRO AG and its subsidiaries. This is based on a standardised risk catalogue. In addition, business model-specific risks are added locally.

We classify all risks according to standard criteria using quantitative and qualitative scales. One part of the assessment focuses on the loss potential, which includes negative effects on our business objectives. The key indicator here is EBIT. The other part of the assessment focuses on the probability of occurrence. We break risks down into the following 4 risk categories:

Loss potential

  • Significant: > €300 million
  • Major: > €100−300 million
  • Moderate: > €50−100 million
  • Minor: ≤ €50 million

Probability of occurrence

  • Probable: > 50%
  • Possible: > 25–50%
  • Low: ≥ 10–25%
  • Unlikely: < 10%

All risks are assessed with their potential impact at the time of the risk analysis and before potential mitigating measures (presentation of gross risks). The central IT tool myGRC is used to identify and assess risks and to document key control measures. We generally assess risks over a prospective 1-year period; strategic risks cover at least the medium-term planning horizon of 3 years.

After the risks are identified and assessed by the companies, they are allocated by topic to the various functions within METRO and validated by the respective corporate process owners, usually the divisional managers; if necessary, they are then adjusted and supplemented. Long-term risks and opportunities, for example related to climate change or political risks, are also taken into account by the relevant functional experts. Based on these so-called functional risk profiles, the Group Governance department prepares a proposal of consolidated risks. Before the proposal is submitted to the Management Board of METRO AG for authorisation, it is first reviewed and approved by the GRC Committee.

Systematically identifying and communicating opportunities is an integral part of METRO’s corporate management.

For this purpose, we conduct macroeconomic analyses, study relevant trends and evaluate market, competition and location analyses. We also analyse the critical success factors of our business models and the relevant cost drivers of our company. The Management Board of METRO AG specifies the derived market and business opportunities as well as efficiency enhancement potential in the context of strategic as well as short-term and medium-term planning. It does so by engaging in a regular dialogue with the management of the group companies and units at the central holding company. As a wholesale company, we pursue market- and customer-driven business approaches in this process and continually review our strategy to ensure long-term sustainable growth. The consolidated opportunities and risks are presented jointly to the GRC Committee and the Management Board.

The responsibility for steering risks lies with the functionally and operationally responsible persons within METRO. The ICS supports the group companies in fulfilling their responsibility to manage process risks.

Internal control system for financial and operational processes

METRO’s ICS defines group-wide minimum requirements for the design of the internal control system for financial processes (for example accounting and tax processes) or operational processes (such as purchasing processes and processes in the markets) for METRO AG and its subsidiaries. Among other things, these requirements cover the control design, control execution, monitoring the effectiveness of controls and reporting on effectiveness analyses. The METRO control framework, the local control design of the companies, the control execution and documentation as well as the effectiveness analyses of the subsidiaries are also documented in the central IT tool myGRC.

IFRS accounting guideline

A group-wide accounting guideline that is compulsory for all companies included in the consolidated financial statements ensures the uniform METRO group-wide application of accounting procedures. The guideline is periodically updated by the Corporate Accounting & Controlling department. The management of each major group company is obligated to confirm compliance with the guidelines in a formal declaration on each reporting date.

Accounting processes of companies included in the consolidated financial statements

The separate financial statements of the companies to be included in the consolidated financial statements are generally prepared using SAP-based accounting systems (SAP FI). Clearly assigned competencies and roles ensure clearly defined responsibilities for the individual financial statement preparation activities. This unambiguous functional separation also prevents potential conflicts of interest. Many group companies prepare their separate financial statements on the basis of a centrally managed table of accounts using uniform accounting rules.

To avoid risks relating to non-compliance with accounting rules, deadlines or dates and to document the work steps to be performed as part of the preparation of separate and consolidated financial statements in accordance with IFRS, planning tools are available to assist in monitoring the content and timing of work processes. The scheduling and monitoring of the milestones and activities as well as the design of individual company internal controls necessary for the preparation of separate financial statements are part of the responsibilities of the respective company’s management.

Accounting processes for consolidation purposes

The consolidation of accounting-related data for the purpose of group reporting is performed by a centralised consolidation system (CCH Tagetik). All consolidated METRO companies must work within this system. It provides a uniform accounts table to be used by all consolidated companies in accordance with the IFRS accounting guideline. Once the data have been transmitted from the separate financial statements to the consolidation system, they are subjected to an automated plausibility review in relation to accounting-specific contexts and dependencies. Any errors or warning messages generated by the system during this validation process must be addressed by the person responsible for the separate financial statements before the data are transmitted to the consolidation facility.

The processes and controls used in the preparation of the consolidated financial statements include the completeness check of the consolidation group, verification of punctual, complete and correct data submission, avoidance of undesirable data changes and a complete and error-free execution of typical consolidation steps. The latter are subjected to system-based and manual controls. The automated plausibility reviews (validations) apply to the consolidation measures in the same way as to the separate financial statement data.

IT security

To ensure the security of the group’s information technology (IT) systems, access to the accounting-related IT systems is regulated. Access authorisations are centrally managed and are subject to customary approval mechanisms. Generally, each company included in the consolidated financial statements is subject to the regulations concerning IT security. These regulations are summarised in an IT security guideline, with group-wide compliance being monitored by the Internal Audit unit.

Reporting on RMS and ICS

All insights gained in the context of RMS, ICS and CMS reporting are included in the GRC reporting. It provides an overall view of the opportunity and risk situation of the group and an assessment of the effectiveness of the measures taken. The GRC report includes:

  • the assessment of the management of METRO AG regarding the effectiveness of the governance management subsystems,
  • the opportunity and risk profile of the group, and
  • the recommendations on risk steering measures and the optimisation of the governance approach.

The Management Board regularly informs the Supervisory Board and the Audit Committee about issues relating to the management of opportunities and risks. Twice a year, the Supervisory Board is provided with a written report on the organisation and focus of the RMS and ICS as well as the current opportunity and risk situation.

In the event of sudden, serious risks to the net assets, financial position or earnings position, an ad hoc reporting system is used to ensure that the Management Board of METRO AG receives all necessary information directly and without delay.

Monitoring and improvement of the RMS and ICS

The Supervisory Board of METRO AG is responsible for monitoring the governance management system in accordance with § 107 Section 3 of the German Stock Corporation Act (AktG). GRC reporting in particular enables the Supervisory Board to fulfil its duties. In accordance with the requirements of the German Corporate Sector Supervision and Transparency Act (KonTraG) as well as the provisions of § 317 Section 4 of the German Commercial Code (HGB), the external auditor periodically assesses the company’s early-warning system. The results of this audit are presented to the Management Board and the Supervisory Board.

Key elements of internal monitoring include effectiveness checks performed by Internal Audit based on risk-oriented annual planning as well as self-assessments of the management systems by the local management.

The Group Governance department has implemented monitoring controls for RMS and ICS, which are performed by Group Governance and documented in the central IT tool myGRC. One of these controls involves the annual systematic evaluation of all findings gathered throughout the year, such as those arising from audit results, findings of external auditors and feedback from users. In this way, the management systems are continuously improved.

Governance
Statutory and factual regulatory framework for the management and supervision of a company.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
US-based private-sector organisation that developed and published a standard for internal controls in 1992 that is recognised by the U.S. Securities and Exchange Commission. In 2004, this standard was updated and the COSO ERM (Enterprise Risk Management – Integrated Framework), also known as COSO II, was published.
Audit
A procedure that assesses an organisation’s processes and structures according to previously formulated standards and guidelines. For example, an audit provides information on the effectiveness of process optimisation measures. If an audit is conducted by an external auditor, the certificate issued after the review can be used as evidence of adherence to standards.
Compliance
All measures specifying compliance with legal requirements as well as social guidelines and values by a company and its employees.
EBIT (Earnings Before Interest and Taxes)
Profit or loss before financial result and (income) taxes. Due to its independence from different forms of financing and tax systems, this key figure is also used for international comparison with other companies, among other things.
IFRS (International Financial Reporting Standards)
Internationally applicable rules for financial reporting developed by the IASB. Contrary to the accounting rules under the German Commercial Code, the IFRS emphasise the informational function.
Governance management system
System for controlling all management and monitoring processes of a company. The METRO governance management system comprises the risk management system, the internal control system, the compliance management system and the internal auditing system.