Risk management details clearly defined
The coordinated application of risk management tools is assured by the compilation of all relevant facts in guidelines. These include the Articles of Association and by-laws of group companies, internal group procedures and METRO GROUP’s group-wide risk guideline. The risk guideline defines
- the risk management framework (terms, basic structure, strategy, principles),
- the risk management organisation (roles and responsibilities, risk units),
- processes (risk identification, assessment and management),
- risk reporting as well as
- monitoring and controlling the effectiveness of risk management.
Based on the internationally recognised COSO II standard, the risk management framework addresses the three levels of risk management: corporate objectives, processes and organisation.
The first level of risk management relates to the clustering of corporate objectives. In this respect, METRO GROUP has defined the following clusters:
- Strategic objectives related to safeguarding the company’s future economic viability (cluster strategy)
- Operational objectives related to the attainment of set key operational metrics (cluster operations)
- Corporate management objectives related to compliance with laws, regulations, internal guidelines and specified procedures (cluster governance)
- Objectives related to appropriate preparations to mitigate event risks such as breakdowns, business interruptions and other crisis events (cluster events)
On the second risk management level, the process level, the definition of objectives also serves as the starting point for risk mapping. In this context, we identify, classify and manage risks that would jeopardise or inhibit the achievement of our objectives should they materialise. As a rule, we consider all external and internal risks.
In addition, clusters are delineated in terms of functional categories, such as procurement, sales, human resources or real estate, based on the group’s organisational structures. In principle, we consider risks over a prospective one-year period. Strategic risks cover at least the medium-term planning horizon (three years). Any risks that are likely to occur are included in our business plans and outlook.
All identified risks are classified based on uniform standards and quantitative and qualitative indicators with respect to the extent of damage (negative effects on our corporate objectives and key metric EBIT) and probability of occurrence (in per cent). In our assessment, we classify the extent of damage relevant to the group on the basis of three categories: ≥ €50 million, ≥ €100 million and ≥ €500 million. The probability of occurrence is broken down into five categories: low (< 10 per cent), unlikely (≥ 10 to 25 per cent), possible (> 25 to 50 per cent), likely (> 50 to 90 per cent), high (> 90 per cent). All risks are assessed on the basis of their potential impact at the time of the risk analysis and before potential risk-minimising measures (presentation of gross risks, that is, before the implementation of risk limitation measures).
On the organisational level, we determine the corporate units responsible for setting objectives in a clearly defined area as well as identifying, classifying and managing risks. METRO GROUP’s risk management defines these areas in line with the corporate organisation using independent risk units – generally companies – as well as in terms of function using categories that are responsible for a certain operational function or administrative task. The risk units cover the entire consolidation group in the consolidated financial statements.