A prerequisite for the long-term success of our company is to identify opportunities and risks at an early stage and to exploit or manage them.
The Management Board of METRO AG bears overall responsibility for an effective risk management system (RMS) and an effective internal control system (ICS).
The RMS and the ICS of METRO are implemented by the Group Governance department based on the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the requirements of the audit standards 981 and 982 of the Institut der Wirtschaftsprüfer in Deutschland e. V. (IDW, Institute of Public Auditors in Germany). Accordingly, the management systems consist of the following elements:
Objectives of the RMS and ICS
The overarching objectives of the RMS and ICS are to protect assets and support sustainable growth for METRO. The RMS supports these objectives through systematic reporting on opportunities and risks. It facilitates informed decisions and creates transparency. The ICS supports the aforementioned objectives by creating reliable operational and financial processes in order to ensure the accuracy, completeness and timeliness of financial reporting in particular and compliance with laws and guidelines.
Organisation of the RMS and ICS
Group-wide RMS and ICS tasks and responsibilities are clearly defined and reflect our corporate structure. We combine centralised business management by the management holding company METRO AG with the decentralised responsibility of the METRO national subsidiaries and the service companies that support the operational business.
It is the responsibility and a legal obligation of the Management Board of METRO AG to organise a governance, risk and compliance system (GRC system) for METRO. We regard the risk management system, the internal control system, the compliance management system (CMS) as well as Internal Audit to be components of the GRC system. This organisational structure is based on the governance elements identified in § 107 Section 3 of the German Stock Corporation Act (AktG) as well as the German Corporate Governance Code. The fundamental principles of the GRC system are defined and documented in our governance, risk and compliance guideline. On this basis, we continuously work on increasing the efficiency and effectiveness of the GRC system.
The group’s Governance, Risk and Compliance Committee (GRCC) is chaired by the Chief Financial Officer of METRO AG and regularly discusses methods and further developments of the GRC subsystems. The structural and procedural organisation of the RMS and the ICS are clearly defined in the relevant guidelines and implemented throughout the group.
In financial year 2021/22, we enhanced our risk management system to align with the requirements of IDW PS 340 (by the Institute of Public Auditors).
- Details on the description of the main features of the CMS can be found in chapter 2.3 summarised non-financial statement of METRO AG.
Risk management process
We only assume business risks if they are considered to be manageable and if the associated opportunities promise an appropriate increase in our value. We bear the risks associated with the core processes of the wholesale business ourselves. These core processes include the procurement and sale of merchandise and services, the development and implementation of business models as well as decisions about store locations. Risks associated with supporting processes are mitigated within the group or transferred to third parties where reasonable. We generally do not assume risks that are related neither to core nor to supporting processes. Risks assessed as probable are included in our business plans.
Risks are identified and assessed in the annual risk inventory for METRO AG and its subsidiaries. This is based on a group-wide standardised risk catalogue. In addition, business model-specific risks are supplemented locally.
We classify all risks according to standard criteria using quantitative and qualitative scales. One part of the assessment focuses on the loss potential, which includes negative effects on our business objectives. The key indicator in this regard is EBITDA. The other part of the assessment focuses on the probability of occurrence.
All risks are assessed with their potential impact at the time of the risk analysis and before potential mitigating measures (presentation of gross risks) as well as after deduction of the previously implemented measures (presentation of net risks). In order to facilitate a reasonable reconciliation, the response measures are evaluated and documented with regard to their impact on the loss potential as well as the probability of occurrence of the underlying risks. The central IT tool myGRC is used to identify and assess risks and to document key response measures. The measures are also tracked in myGRC throughout the year beyond the period of the risk inventory. We generally assess risks over a prospective 1-year period; strategic risks cover at least the medium-term planning horizon of 3 years. For reporting purposes, we focus on the net presentation, as the assessment and aggregation of net risks is particularly relevant in the comparison of risks with risk-bearing capacity.
After the risks are identified and assessed by the companies, they are allocated by topic to the various functions within METRO and validated by the respective corporate process owners, usually the divisional managers; if necessary, they are then adjusted and supplemented. Longer-term risks, for example related to climate change or political risks, are also taken into account by the relevant functional experts. These so-called functional risks are aggregated into consolidated risks using a scenario analysis based on statistical simulation techniques. In financial year 2021/22, a stable portfolio of consolidated risks was introduced, to which the functional risks are assigned based on their content. This makes it easier to compare information from year to year and to analyse the interdependencies between the consolidated risks. In a further step, statistical simulation techniques are used to determine the risk aggregate on the basis of all the consolidated risks, and the risk aggregate is compared with the risk-bearing capacity. Before the proposal is submitted to the Management Board of METRO AG for authorisation, the consolidated risks as well as the risk aggregate are first reviewed and approved by the GRC Committee.
- The consolidated risks considered significant by the Management Board of METRO AG are listed under ‘Description of the opportunity and risk situation’.
Systematically identifying and communicating opportunities is an integral part of METRO’s corporate management.
For this purpose, we conduct macroeconomic analyses, study relevant trends and evaluate market, competition and location analyses. We also analyse the critical success factors of our business models and the relevant cost drivers of our company. The Management Board of METRO AG specifies the derived market and business opportunities as well as efficiency enhancement potential in the context of strategic as well as short-term and medium-term planning. It does so by engaging in a regular dialogue with the management of the group companies and units at the central holding company. As a wholesale company, we pursue market- and customer-driven business approaches in this process and continually review our strategy to ensure long-term sustainable growth. The consolidated opportunities and risks are presented jointly to the GRC Committee and the Management Board.
The responsibility for steering risks lies with the functionally and operationally responsible persons within METRO. The ICS supports the group companies in fulfilling their responsibility to manage process risks.
Internal control system for financial and operational processes
METRO’s ICS defines group-wide minimum requirements for the design of the internal control system for financial processes (for example accounting and tax processes) or operational processes (such as purchasing processes and processes in the markets) for METRO AG and its subsidiaries. Among others, these requirements cover the control design, control execution, the monitoring of the effectiveness of controls and reporting on effectiveness analyses. The METRO control framework, the local control design of the companies, the control execution and documentation as well as the effectiveness analyses of the subsidiaries are also documented in the central IT tool myGRC.
IFRS accounting guideline
A group-wide IFRS accounting guideline that is compulsory for all companies included in the consolidated financial statements ensures the uniform METRO group-wide application of accounting procedures. The guidelines are periodically updated by the Corporate Accounting department. The management of each major group company is obligated to confirm compliance with the guidelines in a formal declaration on each reporting date.
Accounting processes of companies included in the consolidated financial statements
The separate financial statements of the companies to be included in the consolidated financial statements are generally prepared using SAP-based accounting systems (SAP FI). Clearly assigned competencies and roles ensure clearly defined responsibilities for the individual financial statement preparation activities. This unambiguous functional separation also prevents potential conflicts of interest. Many group companies prepare their separate financial statements on the basis of a centrally managed table of accounts using uniform accounting rules.
To avoid risks relating to non-compliance with accounting rules, deadlines or dates and to document the work steps to be performed as part of the preparation of separate and consolidated financial statements in accordance with IFRS, planning tools are available to assist in monitoring the content and timing of work processes. The scheduling and monitoring of the milestones and activities as well as the design of individual company internal controls necessary for the preparation of separate financial statements are part of the responsibilities of the respective company’s management.
Accounting processes for consolidation purposes
The consolidation of accounting-related data for the purpose of group reporting is performed by a centralised consolidation system (CCH Tagetik). All consolidated METRO companies must work within this system. It provides a uniform accounts table to be used by all consolidated companies in accordance with the IFRS accounting guideline. Once they have been transmitted from the separate financial statements to the consolidation system, they are subjected to an automated plausibility review in relation to accounting-specific contexts and dependencies. Any errors or warning messages generated by the system during this validation process must be addressed by the person responsible for the separate financial statements before the data are transmitted to the consolidation facility.
The processes and controls used in the preparation of the consolidated financial statements include the completeness check of the consolidation group, verification of punctual, complete and correct data submission, avoidance of undesirable data changes and a complete and error-free execution of typical consolidation steps. The latter are subjected to system-based and manual controls. The automated plausibility reviews (validations) apply to the consolidation measures similarly as they are intended for the separate financial statement data.
To warrant the security of the group’s information technology systems (IT), access to the accounting-related IT systems is regulated. Access authorisations are centrally managed and are subject to customary approval mechanisms. Generally, each company included in the consolidated financial statements is subject to the regulations concerning IT security. These regulations are summarised in an IT security guideline, with risk-oriented compliance being monitored by the Internal Audit unit.
Reporting on RMS and ICS
All insights gained in the context of RMS, ICS and CMS reporting are included in the GRC reporting. It provides an overall view of the opportunity and risk situation of the group and an assessment of the effectiveness of the measures taken. The GRC report includes:
- the assessment of the management of METRO AG regarding the effectiveness of the governance management subsystems,
- the opportunity and risk profile of the group, and
- the recommendations on risk steering measures and the optimisation of the governance approach.
The Management Board regularly informs the Supervisory Board and the Audit Committee about issues relating to the management of opportunities and risks. Twice a year, the Supervisory Board is provided with a written report on the organisation and focus of the RMS and ICS as well as the current opportunity and risk situation.
In the event of sudden, serious risks to the net assets, financial position or earnings position, an ad hoc reporting system is used to ensure that the Management Board of METRO AG receives all necessary information directly and without delay.
Monitoring and improvement of the RMS and ICS
The Supervisory Board of METRO AG is responsible for monitoring the governance management systems in accordance with § 107 Section 3 of the German Stock Corporation Act (AktG). GRC reporting in particular enables the Supervisory Board to fulfil its duties. In accordance with the requirements of the German Corporate Sector Supervision and Transparency Act (KonTraG) as well as the provisions of § 317 Section 4 of the German Commercial Code (HGB), the external auditor periodically assesses the company’s early-warning system. The results of this audit are presented to the Management Board and the Supervisory Board. In addition, the risk management system was subjected to an external effectiveness audit in financial year 2021/22 in accordance with the requirements of IDW audit standard 981. The audit was successfully completed and the effectiveness was confirmed to the Management Board and the Supervisory Board.
Key elements of internal monitoring include effectiveness checks performed by Internal Audit based on risk-oriented annual audit planning as well as self-assessments of the management systems by the Management Board based on GRC reporting. Taking into account the external and internal audits of the RMS and ICS performed during the financial year, no matters have come to our attention that cause us to believe that the RMS or ICS were not adequate and effective in all material aspects during the period from 1 October 2021 to 30 September 20221.
The Group Governance department has implemented monitoring controls for RMS and ICS, which are performed by Group Governance and documented in the central IT tool myGRC. Furthermore, Group Governance conducts annual systematic evaluations of all findings gathered throughout the year, such as those arising from Internal Audit results, findings of external auditors and feedback from users. In this way, the management systems are continuously improved.
1 Unaudited with the exception of the adequacy and effectiveness statements in accordance with IDW PS 981 relating to the RMS. This statement by the Management Board is a disclosure required by GCGC 2022 and is not subject to the audit, as it is not part of the management report.