Introduction

Ownership

Executive Board

Supervisory Board

Comply or Explain

Articles of Association

Risk management

Home > Governance > Risk management

Risk Management

This section presents an overview of HEINEKEN’s Risk Management and Control Systems including a description of the most important risks, HEINEKEN’s exposure and its main mitigation efforts. Managing risks is explicitly on the management’s agenda and embedded in the HEINEKEN Company Rules. Our aim with the Risk Management and Control Systems is to meet our strategic objectives whilst effectively protecting the Company and its brands against reputational and financial damage. Continuity and sustainability of the business are as important to the stakeholders as growing and operating the business. As a business, we balance our financial sustainability with playing a role in society. Social responsibility and sustainability underpin everything we do.

Risk Management and Control Systems

The HEINEKEN Risk Management and Control Systems aim to ensure that the risks of the Company are identified and managed, and that the strategic objectives are met whilst complying with applicable laws and regulations at a reasonable level of assurance. A system of controls that ensures adequate financial reporting is in place. HEINEKEN’s internal control system is based on the COSO Internal Control Framework.

Risk appetite

The Company is recognised for its drive for quality, consistency and financial discipline. An entrepreneurial spirit is encouraged across the Group in order to seek opportunities that support continuous growth through business development and brand building, whilst taking controlled risks. The international spread of the country portfolio, the robust balance sheet and strong cash flow form the context of the risk appetite of the Company.

Risk profile

HEINEKEN is a single-product company operating in the alcohol-producing business with a high level of commonality in its worldwide business operations, which are spread over many developed and emerging markets. The worldwide activities are exposed to varying degrees of risk and uncertainty. Some of these may result in a material impact at the level of a particular Operating Company if not identified or effectively managed, but may not have material impact on Group level.

As both the Group and its most valuable brand carry the same name, reputation management is of utmost importance.

The image of our sector and products is of key importance to maintain our licence to operate and to grow the beer category in a responsible manner. This is especially relevant in markets where beer has a less favourable image.

Compared to other leading beer companies, HEINEKEN has a significantly wider geographical spread of its businesses and therefore does not depend on the performance in a limited number of markets. Latin America, Africa and Asia Pacific are important developing regions for HEINEKEN as its global organic volume growth is largely driven by growth in these regions. Political instability in parts of these regions could adversely affect earnings and cash flow.

A significant part of the Company’s results is realised by joint ventures and via licence agreements. HEINEKEN may face the risk that joint ventures are not always acting in the best interests of the Company.

Risk management

HEINEKEN strives to be a sustainable and performance-driven company. This is achieved by doing business, which by nature involves taking risks and managing those risks. Structured risk assessments are integrated in change projects, business planning, performance monitoring processes, common processes and system implementations and acquisitions and business integration activities. The Risk Management and Control Systems are considered to be in balance with HEINEKEN’s risk profile and appetite, although such systems can never provide absolute assurance. HEINEKEN’s Risk Management and Control Systems are subject to continuous review and adaptations in order to remain in balance with its growing business size and changes in its risk profile.

Responsibilities

The Executive Board has overall responsibility for HEINEKEN’s Risk Management and Control Systems. It is responsible for resource allocation and risk-management policy setting. Its overall effectiveness is subject to review by the Audit Committee. Regional, Operating Company and Functional Management are responsible for managing performance, identifying and managing related risks and the effectiveness of operations within the rules set by the Executive Board.

In 2011, a Risk Committee chaired by HEINEKEN’s CFO was installed. This Risk Committee supports the Executive Board with their responsibility for risk management. The Risk Committee met twice in 2011 to discuss the results of the risk assessment process and to prioritise the main risks. Prioritisation was based on the potential impact on the Company and brand reputation, the Company’s strategic objectives, the safety and health of our people, and the safeguarding of our assets.

HEINEKEN Company Rules

The HEINEKEN Company Rules are a key element of risk management and are in place to set the boundaries within which Operating Companies should conduct their business. A governance procedure and activities ensuring continuous awareness, compliance and follow-up are in place. The annual Assurance Letter provides additional comfort on financial reporting and the compliance with selected HEINEKEN Company Rules. Regional presidents, general and finance managers of the operation Companies sign for compliance on behalf of their Management Teams on an annual basis.

Governance

HEINEKEN improved its governance cycle, consisting of strategic planning, annual business planning and operational planning and performance monitoring. Strategies, business plans, key risks and quarterly performance of Operating Companies are discussed with Regional Management. Regional performances are discussed with the Executive Board. The approved three-year business plans from Regions and Global Functions include clear objectives, target setting and performance indicators that provide the basis for monitoring performance compared to the business plans. These plans also contain an annual assessment of the main risks, mitigation plans and financial sensitivity analysis.

Internal control in Operating Companies

Best-practice processes are continuously developed and implemented on a Group-wide basis, supported by Common IT Systems with embedded key control frameworks. This ensures the integrity of information processing in supporting the day-to-day transactions and financial and management reporting. Whereas the HEINEKEN Common Systems are continuously rolled out to more Operating Companies, the implementation of these common systems is still in process for the most recent acquisitions. Internal Audit is strongly involved in monitoring key controls embedded in main business processes and assessing their effectiveness based on a common audit approach.

Code of Business Conduct and Whistle-blowing

The Code of Business Conduct and Whistle-blowing procedure is applicable to all majority-owned operations, regional offices and head office whilst implementation is in progress for recent acquisitions. Compliance is supported through continuous monitoring of effectiveness and compliance reviews. Employees may report suspected cases of serious misconduct to their direct superior, the local Trusted Representative or anonymously to an independently run confidential helpline. The Integrity Committee oversees the functioning of the Whistle-blowing procedure and reports quarterly to the Executive Board and Audit Committee on reported cases and effectiveness of the procedure. On-going training is carried out at Operating Company level to further increase awareness and understanding.

Supervision

The Executive Board oversees the adequacy and functioning of the entire system of risk management and internal control, assisted by Global Functions. Internal Audit provides independent assurance and advice on the Risk Management and Internal Control Systems. Assurance meetings at both local and regional level oversee the adequacy and operating effectiveness of the Risk Management and Internal Control Systems in their respective environments. Regional Management and Internal Audit participate in the local meetings in order to ensure an effective dialogue and transparency. The outcome and effectiveness of the Risk Management and Internal Control Systems are evaluated by the Executive Board and the Audit Committee.

Financial reporting

The risk management and control systems for financial reporting include clear accounting policies, a standard chart of accounts and Assurance Letters signed by regional and local management. The HEINEKEN common systems and embedded control frameworks are implemented in a large number of the Operating Companies and support common accounting and regular financial reporting in standard forms. Testing of key controls relevant for financial reporting is part of the Common Internal Audit Approach in Operating Companies on common systems. The external audit activities provide additional assurance on the financial reporting. Within the scope of the external auditors’ financial audit assignment, they also report on internal control issues through their management letters, and they attend the regional and certain local assurance meetings.

The internal risk management and control systems, as described in this section, provide a reasonable assurance that the financial reporting does not contain any errors of material importance. The risk management and control systems worked properly in the year under review.

This statement cannot be construed as a statement in accordance with the requirements of Section 404 of the US Sarbanes-Oxley Act 2002, which is not applicable to Heineken N.V.

Main risks

Under the explicit understanding that this is not an exhaustive list, HEINEKEN’s main risks and related mitigating measures are described below. The main Company risks have been discussed with the Audit Committee and shared with the Supervisory Board and are annually reviewed.

HEINEKEN’s main strategic and operational risks, including mitigating measures, are described below.

The finance risks are separately enclosed as note 32 to the financial statements.

Risk category	Risk description	Mitigation
Non-compliance	Increasing risk of non-compliance with laws and regulations due to strong growth in many new (emerging) markets. Specific risks are: Increased restrictions in availability Tax and excise increases Non-compliance with competition laws Non-compliance with local tax regulations.	Implementation and assessment of compliance with Company Rules Procedures and training Legal Control Framework Tax Control Framework.
Alcohol	Alcohol abuse remains a serious concern in many markets and prompts legislators to further restrictive measures including restrictions and/or bans on advertising, sponsorship, points-of-sale and increased governance tax. Specific risks are: Darkening of the market Increasing taxes and duties Increased restrictions in availability.	Support to WHO on responsible consumption Work through EU Alcohol & Health Forum to reduce alcohol-related harm Company Rule regarding responsible commercial communication.
Quality and integrity of our products	Poor quality or integrity of our products may result in reputational damage, resulting in lower volumes and may even result in financial claims. Specific risks are: Insufficient quality of products Recalls.	Production controls Business continuity plans Recall procedures.
Safety, health and environment	Incidents and accidents in the supply chain and in our route to market might occur. Specific risks are: Physical injuries Incidents and accidents Fatalities.	Strengthened global SHE organisation, procesess and procedures Tracking, monitoring and evaluation of accidents and fatalities.
Management capabilities	We may not be successful in attracting, developing and retaining talented staff with the required capabilities. Specific risks are: Less than required number of talented staff employed to fill current and future positions Lower than required quality of staff in key positions.	Develop and increase our management talent pipeline Implementation of a new appraisal and evalution process Strengthening management development programmes Established functional Succession Committees.
Availability and volatility in prices of raw materials, commodities, energy and water	Risk of limited availability of raw materials, commodities, energy and water. Volatility in prices of raw materials and commodities may impact our profit. Specific risks are: Limited availability Failure to pass on price increases Business disruption.	Leveraging scale by making use of flexibility in contracts Active hedging policy Implementation of a Global Purchasing organisation Improvement of our knowledge of the market and our suppliers.
Industry consolidation	We might fail to successfully participate in industry consolidation and miss opportunities to acquire target companies. Specific risks are: Missed opportunities Overpaying Unsuccessful business integration.	Strengthened the M&A activities and organisation Strong due diligence processes Implementation of a common business integration process.
Marketing and brand management	Inability to further build our brands due to lack of consumer insight, unsuccessful innovations and ineffective use of social media. The Company may not be able to defend its intellectual property rights. Specific risks are: Limited or unsuccessful innovations Failure to use opportunities of social media.	Strengthened commercial organisation Implemented marketing academy Investments in consumer and market intelligence Strengthened innovation organisation Increased use of social media.
Disruptions in the supply chain	Disruptions in the supply chain may lead to inability to deliver key products to key customers, leading to lower volumes. Specific risks are: Failure of IT systems.	Business continuity plans Implementation of back-up scenarios.
Economic environment	The current economic uncertainties could impact our business and those of our customers, especially in on-trade business. This may lead to lower volumes, pressure on prices and increased credit risk. The economic downturn may impact the solvency of our suppliers. Specific risks are: Declining on-trade market Downtrading Increasing credit risk Increasing taxes Discontinuity of our supply due to solvency problems of our critical suppliers. Impairment of goodwill related to acquisitions and Pension plan shortfalls due to the development of financial markets.	Additional monitoring and mitigating actions related to customers' solvency in on-trade Implementation of a Global Credit Policy Strengthened the supplier selection process Evaluation of the financial position of critical suppliers.
Information security	Loss of confidential information and disruption of processes due to unavailability of IT systems. Specific risks are: Failure of IT systems Disruption of processes outsourced to shared service centres.	Strengthened the Company's information security policy Implementation and testing of redundancy measures with our outsourcing partners Implementation of measures to secure confidentiality and integrity of data.
Business improvement and transformation	Risk that benefits of strategic transformation programmes will not be realised, that we face significant cost overruns and that the quality of the deliverables is less than required. Specific risks: Estimated benefits too ambitious Ineffective or inefficient programme execution.	Strengthened the selection and prioritisation of business improvement projects Involvement of top management in all selected projects Monitoring of project costs and benefits Improved project governance organisation including project management organisations and progress reporting.

There may be current risks that do not have a significant impact on the business but which could – at a later stage – develop a material impact on the Company’s business. The Company’s risk management systems are focused on timely discovery of such risks.