Risk management details clearly defined

The coordinated application of risk management tools is assured by the compilation of all relevant facts in guidelines. These include the Articles of Association and by-laws of group companies, internal group procedures and our group-wide risk management guideline. It defines

  • the risk management framework (terms, basic structure, strategy, principles),
  • the risk management organisation (roles and responsibilities, risk units),
  • processes (risk identification, assessment and management),
  • risk reporting as well as
  • monitoring and controlling the effectiveness of risk management.

Based on the internationally recognised COSO II standard, the risk management framework addresses the three levels of risk management: corporate objectives, processes and organisation.

The first level of risk management relates to the clustering of corporate objectives. In this respect, METRO GROUP has defined the following clusters:

  • Strategic objectives related to safeguarding the company’s future economic viability (cluster strategy)
  • Operational objectives related to the attainment of set key performance metrics (cluster operations)
  • Corporate management objectives related to compliance with laws, regulations, internal guidelines and specified procedures (cluster governance)
  • Objectives related to appropriate preparations to mitigate event risks such as breakdowns, business interruptions and other crisis events (cluster events)

On the second risk management level – the process level – the definition of objectives also serves as the starting point for risk mapping. In this context, we identify, classify and manage risks that would jeopardise or inhibit the achievement of our objectives should they materialise. Since the risk inventory of 2016, we have also been using a list of standardised risks which the risk units must assess. In this way, we ensure that all typical operational risks that apply to our group are validated. As a rule, we consider all external and internal risks.

In addition, clusters are delineated in terms of functional categories based on the group’s organisational structures, such as procurement, sales, human resources or real estate. In principle, we consider risks over a prospective one-year period. Strategic risks cover at least the medium-term planning horizon (three years). METRO GROUP monitors and assesses longer-term risks and opportunities, for example related to climate change, using its issues management system. The Corporate Public Policy department uses issues management tools to continuously monitor and identify special interest and media issues of relevance to the group to be able to react swiftly and with clear and uniform statements to the public debate. The group’s issues management and risk management systems are closely interconnected. Risks that are likely to materialise are included in our business plans and our outlook. For example, we derived various measures relating to the topic of water consumption during the reporting period. This issue is increasingly gaining importance and we want to position our company accordingly.

Risk classification

All identified risks are classified based on uniform standards and quantitative and qualitative indicators with respect to loss potential (negative effects on our corporate objectives and key performance indicator EBIT) and probability of occurrence (in per cent). In our assessment, we classify the loss potential for the group on the basis of three categories: ≥ €50 million, ≥ €100 million and ≥ €500 million. The probability of occurrence is broken down into five classes: low (< 10 per cent), unlikely (≥ 10 to 25 per cent), possible (> 25 to 50 per cent), likely (> 50 to 90 per cent), high (> 90 per cent). All risks are assessed on the basis of their potential impact at the time of the risk analysis and before potential risk-minimising measures (presentation of gross risks, that is, before the implementation of risk-limitation measures).

Risk units

On the organisational level, we determine the corporate units responsible for setting objectives in a clearly defined area as well as for identifying, classifying and managing risks. METRO GROUP’s risk management defines these areas in line with the corporate organisation using independent risk units – generally companies – as well as in terms of function using categories that are responsible for a certain operational function or administrative task. The risk units cover all essential entities of the consolidation group in the consolidated financial statements.