PGGM risk framework
For the implementation of risk management, we use the PGGM risk framework to provide structured insight into, monitor and report on risks. PGGM’s Risk Framework is based on the COSO Enterprise Risk Management methodology, the internationally accepted standard.
Risk management at PGGM is organised in accordance with the generally accepted ‘three lines of defence’ model. Responsibility and primary risk management lie with line management (first line). The Finance & Control and Risk & Compliance departments (second line) supervise and report on the risks. Internal Audit (third line) assesses whether the management demonstrably complies with the different requirements stipulated in relation to risk management.
With every decision, risks are taken, consciously and unconsciously, in order to realise certain objectives. In order to determine whether we are willing to run a particular risk, and to what extent, it is necessary to determine our risk appetite. If a risk is assessed as lying beyond the risk appetite, extra control measures are necessary in order to bring this risk within the limits of the risk appetite. The risks and the accompanying risk appetite are divided into three risk clusters: Corporate, Service Provision and Reputation. We have also made a distinction in relation to certain risks between risk appetite in a ‘running the business’ situation (execution) and risk appetite in relation to ‘changing the business’ situations. This is based on the thinking that continuity and reliability weigh the heaviest in the performance of our service provision, while major change programmes sometimes require more latitude for experimentation and learning, for example in the event of innovations.
Effective risk management goes hand in hand with a healthy risk culture. The risk culture we strive for is focused on risk-aware behaviour in an open and honest environment in which we are accountable to each other for responsibilities, results and behaviour in relation to PGGM’s values, standards and objectives. PGGM stands for a risk culture in which incidents – no matter how uncomfortable – are reported. We can then learn from these, mitigate their impact as quickly as possible and take structural measures to prevent similar situations in the future. To be able to offer best-in-class service, working within the agreed architecture must constitute an integral element of the corporate culture. In addition to the substantive mitigating measures (procedures, controls, etc.), known as ‘hard controls’, the ‘soft controls’ (behaviour and the factors that influence the behaviour of others) also receive attention. In investigations by Internal Audit and in background and trend analyses of incidents by Risk & Compliance, attention is also devoted to the soft controls, the underlying causes of the problem and the behaviour appropriate for a solution.
Risk management process
Enterprise Risk Management is a continual process at all levels of our organisation. The Risk & Compliance department is responsible for coordinating the risk management process and draws up a monthly risk report. This risk report presents the risk picture for each cluster of risks, compared with the risk appetite. The substance of the risk report is discussed and adopted by our Unit Risk Committee. In addition to the risks that actually manifested themselves, the Committee specifically considers the risks that could manifest themselves in the short and longer term, i.e. the prospective risks.
Based on this overall risk profile, actions are initiated and we issue an ‘In Control Statement’ (ICS). With the ICS, PGGM Vermogensbeheer’s management team (first line) declares that internal control measures have been realised and have worked effectively and that it can be stated with a reasonable degree of certainty that the business operations were conducted in a controlled manner, with integrity. The ICS also states that the risk picture presented provides a true and fair view of PGGM’s risks, which is confirmed through the co-signature of the ICS in the second line by the Manager Enterprise Risk Management.
Risk management developments in 2019
We updated the PGGM Risk Framework in 2019. The PGGM Risk Framework was brought in line with the changes made to the risk management process in 2018 and 2019 as a result of, among other things, the updated risk appetite and PGGM risk language. In 2019, the risk appetite was defined based on the PGGM risk language and we started making the risk appetite more concrete in risk cards for each risk, including a link to the control measures (hard and soft controls). The next steps for structurally embedding this process will be taken in 2020.
We also updated the set of Risk & Compliance control indicators in 2019. In this context, several control indicators relating to incidents were specified for asset management. New control measures for, among other things, IT disruptions, project progress and budget overruns were included in the set. Existing control indicators were tightened up and outdated control indicators were scrapped.
Read more about our main risks and uncertainties in our financial statements