A prerequisite for the long-term success of our company is to identify opportunities and risks at an early stage and to exploit or manage them.
The Management Board of METRO AG bears overall responsibility for an effective risk management system (RMS) and an effective internal control system (ICS).
The RMS and the ICS of METRO are implemented by the Group Governance department based on the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the requirements of the audit standards 981, 340 and 982 of the Institut der Wirtschaftsprüfer in Deutschland e. V. (IDW, Institute of Public Auditors in Germany). The management systems consist of the elements described in the following:
Risk management system and internal control system
Objectives of the RMS and ICS
The overarching objectives of the RMS and ICS are to protect assets and support sustainable growth for METRO. The RMS supports these objectives through systematic reporting on opportunities and risks. It facilitates informed decisions and creates transparency. The ICS supports the aforementioned objectives by creating reliable operational and financial processes in order to ensure the accuracy, completeness and timeliness of financial reporting in particular and compliance with laws and guidelines.
Organisation of the RMS and ICS
Group-wide RMS and ICS tasks and responsibilities are clearly defined and reflect our corporate structure. We combine centralised business management by the management holding company METRO AG with the decentralised responsibility of the METRO national subsidiaries and the service companies that support the operational business. The group’s Governance, Risk and Compliance Committee (GRC Committee) coordinates the risk management system, the internal control system, the compliance management system (CMS) as well as Internal Audit. This organisational structure is based on the governance elements identified in § 107 Section 3 of the German Stock Corporation Act (AktG) as well as the German Corporate Governance Code. The GRC Committee is chaired by the Chief Financial Officer of METRO AG and regularly discusses methods and further developments of the aforementioned management systems. The structural and procedural organisation of the RMS and the ICS are clearly defined in the relevant guidelines and implemented throughout the group.
- Details on the description of the main features of the CMS can be found in chapter 2 principles of the group – 1.3 combined non-financial statement of METRO AG.
Risk management process
We only assume business risks if they are considered to be manageable and if the associated opportunities promise an appropriate increase in our value. We bear and manage the risks associated with the core processes ourselves. These core processes include the development and implementation of business models or the procurement of merchandise and services. Risks associated with supporting processes are mitigated within the group to the extent possible, or transferred to third parties where reasonable. We generally do not assume risks that are related to neither core nor supporting processes. Risks assessed as probable are included in our corporate planning.
Risks are identified and assessed in the annual risk inventory for METRO AG and its subsidiaries. This is based on a group-wide standardised risk catalogue. In addition, business model-specific risks are supplemented locally.
We classify all risks according to standard criteria using quantitative and qualitative scales. One part of the assessment focuses on the loss potential, which includes negative effects on our business objectives. The key indicator in this regard is EBITDA. The other part of the assessment focuses on the probability of occurrence.
All risks are assessed with their potential impact at the time of the risk analysis and before potential mitigating measures (presentation of gross risks) as well as after deduction of the previously implemented measures (presentation of net risks). The central IT tool myGRC is used to identify and assess risks and to document key response measures. We generally assess risks over a prospective 1-year period; strategic risks cover at least the medium-term planning horizon of 3 years.
After the risks are identified and assessed by the companies, they are allocated by topic to the various functions within METRO and validated by the respective corporate process owners, usually the divisional managers; if necessary, they are then adjusted and supplemented. Longer-term risks, for example related to climate change or political risks, are also taken into account by the relevant functional experts. These so-called functional risks are aggregated into consolidated risks using a scenario analysis based on statistical simulation techniques. In a further step, statistical simulation techniques are used to determine the risk aggregate on the basis of all the consolidated risks and compare the risk aggregate with the equity of METRO AG to then derive the risk-bearing capacity. Before the proposal is submitted to the Management Board of METRO AG for authorisation, the consolidated risks as well as the risk aggregate are first validated and approved by the GRC Committee.
Systematically identifying and communicating opportunities is an integral part of METRO’s corporate management.
For this purpose, we conduct macroeconomic analyses, study relevant trends and evaluate market, competition and location analyses. We also analyse the critical success factors of our business models and the relevant cost drivers of our company. The Management Board of METRO AG specifies the derived market and business opportunities as well as efficiency enhancement potential in the context of strategic as well as short-term and medium-term planning. It does so by engaging in a regular dialogue with the management of the group companies and units at the central holding company. The consolidated opportunities and risks are presented jointly to the GRC Committee and the Management Board.
Internal control system for financial and operational processes
METRO’s ICS defines group-wide minimum requirements for the design of the internal control system for financial and operational processes for METRO AG and its subsidiaries. Among other things, these requirements cover the control design, control execution, the monitoring of the effectiveness of controls and reporting on effectiveness analyses. The METRO control framework, the local control design of the companies, the control execution and documentation as well as the effectiveness analyses of the subsidiaries are also documented in the central IT tool myGRC.
IFRS accounting guideline, financial reporting processes and IT security
In the following, we describe the significant characteristics of our internal control and risk management systems pursuant to § 289 Section 4 and § 315 Section 4 of the HGB with regard to financial reporting processes. The IFRS accounting guideline, which is applicable throughout the group and regularly updated, ensures uniform accounting procedures for the entire METRO group. The management of each major group company must submit a declaration for each quarterly and annual financial statement that confirms compliance with the guideline.
The separate financial statements of the group entities are primarily prepared using SAP-based accounting systems (SAP FI). Access authorisations in the IT systems and clearly assigned competencies and roles, with the involvement of the METRO Global Solution Center, ensure the appropriate functional separation for the recognition of ongoing transactions and the preparation of financial statements. A majority of group companies prepare their separate financial statements on the basis of standardised processes. Management of the respective company bears responsibility for shaping the financial processes and the specific design and performance of internal controls in consideration of the minimum requirements that apply throughout the group.
METRO consolidates accounting-related data for the purpose of group reporting via the centralised consolidation system (CCH Tagetik). All consolidated group companies are integrated in this system. These companies use a uniform accounts table in accordance with the IFRS accounting guideline. Once the data have been transmitted from the separate financial statements to the consolidation system, they are subjected to an automated plausibility review in relation to typical contexts and dependencies. Furthermore, processes and controls are used in the preparation of the consolidated financial statements that ensure the completeness and verify the punctual, complete and correct submission of data. They also avoid undesirable data changes and ensure the error-free execution of consolidation steps. To warrant data security in general, access to the accounting-related systems is regulated and the Internal Audit unit takes a risk-oriented approach to monitoring compliance with the general IT security guideline.
Reporting on RMS and ICS
All insights gained in the context of RMS, ICS and CMS reporting are included in the GRC reporting. It provides an overall view of the opportunity and risk situation of the group and an assessment of the effectiveness of the aforementioned management systems. The GRC report includes:
- the assessment of the management of METRO AG regarding the effectiveness of the management systems,
- the opportunity and risk profile of the group, and
- the recommendations on risk steering measures and the optimisation of the governance approach.
The Management Board regularly informs the Supervisory Board and the Audit Committee about issues relating to opportunities and risks. Twice a year, the Supervisory Board is provided with a written report on the organisation and focus of the RMS and ICS as well as the current opportunity and risk situation.
In the event of sudden, serious risks to the net assets, financial position or earnings position, an ad hoc reporting system is used to ensure that the Management Board of METRO AG receives all necessary information directly and without delay.
Monitoring and improvement of the RMS and ICS
The Supervisory Board of METRO AG is responsible for monitoring the governance management systems in accordance with § 107 Section 3 of the German Stock Corporation Act (AktG). GRC reporting in particular enables the Supervisory Board to fulfil its duties. In accordance with the requirements of the German Corporate Sector Supervision and Transparency Act (KonTraG) as well as the provisions of § 317 Section 4 of the German Commercial Code (HGB), the external auditor periodically assesses the company’s early-warning system. The results of this audit are presented to the Management Board and the Supervisory Board.
Key elements of internal monitoring include effectiveness checks performed by Internal Audit based on risk-oriented annual audit planning as well as self-assessments of the management systems by the Management Board based on GRC reporting. Taking into account the audits of the RMS and ICS performed during the financial year, no matters have come to the attention of the Management Board of METRO AG that cause it to believe that the RMS or ICS were not adequate and effective in all material aspects during the period from 1 October 2022 to 30 September 2023.¹
The Group Governance department has implemented monitoring controls for RMS and ICS, which are performed by Group Governance and documented in the central IT tool myGRC.
¹ This statement by the Management Board is an (unaudited) disclosure required by GCGC 2022 and is not subject to the audit, as it is not part of the management report.