Risk management and the internal control structure
The aim of our risk management and internal control structure is to achieve a balance between an effective, professional enterprise, and the risk profile that we are aiming for as a business. Our risk management and internal controls, based on the COSO Enterprise Risk Management Framework, make a significant contribution to the prompt identification and adequate management of strategic and market risks. They also support us in achieving our operational and financial targets and complying with legislation and regulations.

Risk management approach
The Executive Board, under the supervision of the Supervisory Board, has ultimate responsibility for Vopak’s risk management and internal control structure. The divisional management teams are responsible for implementing the strategy, achieving results, identifying underlying opportunities and risks and ensuring effective operations. They have to act in accordance with the policy and standards set by the Executive Board, in which they are supported by corporate departments.

Each division’s management has integrated risk management into business activities and strategic operations. Opportunities and risks, and follow-up of measures to mitigate risks are discussed at this level as part of the standard management review cycles. The quality of the ERM approach is subject to regular internal audits. At the corporate level, this process is coordinated and the ERM information from the divisions is analyzed.

The Executive Board approves the annual budget and two-year plans for each division. These budgets contain clear objectives for each of the three strategic pillars, risks and opportunities, activities and performance indicators. It also designates the managers with ultimate responsibility.

To avoid execution risk, the Executive Board discusses the conditions (enablers) with the divisions. Each quarter, the Executive Board and the Division Management Team discuss progress on implementing the company’s strategy, business plans, key performance indicators, quarterly results, key risks, opportunities and progress on mitigating measures.

At the end of the year, terminal and divisional managers use the Control Risk Self-Assessment to establish how effective the risk management and internal control structure have been. The results of this questionnaire, developments during the past year and departures from trends are discussed with the Executive Board.

The Executive Board, which bears ultimate responsibility for the proper functioning of risk management and the internal control structure, discusses the company’s results, key performance indicators and strategy (and adjustments to it), the results and effectiveness of risk management and the internal control structure with the Audit Committee and the Supervisory Board. Corporate Internal Audit provides further assurance on the functioning of risk management and the internal control framework. The external auditor also offers assurance on the internal control framework and the adequacy of the financial reporting systems. The results are discussed with the Audit Committee. Each half-year and the financial year are closed when the management of the company concerned, the divisions and the Executive Board sign Letters of Representation.