(3) Risk Management System
Vonovia’s strategy has a sustainable and long-term focus. As a result, Vonovia pursues a conservative risk strategy in its business activities. This does not mean minimizing risks, but rather promoting entrepreneurial and responsible action and ensuring the necessary transparency with regard to any possible risks.
In the 2021 fiscal year, Vonovia developed its existing risk management system further to feature a simulation model to calculate its risk-bearing capacity. Taking into account the new version of IDW standard AsS 340, a risk aggregation model was created based on Vonovia’s five-year plan and the Group’s risk-bearing capacity was investigated. Profit for the period and the Group FFO were defined as the values at risk. Several workshops with risk owners were used to quantify the risks to be modeled and analyze the interaction between individual top risks and selected green risks in detail. The outcome of the risk-bearing capacity analysis revealed that there is currently no current threat to Vonovia’s survival over the five-year period. The analysis took a particular look at the parameters of non-compliance with rating criteria (“downgrade”), non-compliance with bond covenants (“covenant breach”) and the possibility of the company becoming overindebted.
The risk management system supports all employees in their day-to-day work in accordance with Vonovia’s mission statement. It ensures the early identification, assessment, management and monitoring of all risks within the Group that exceed the short-term financial risks dealt with by the Performance Management pillar and could pose a risk not only to the company’s results of operations and net assets, but also to intangible assets. This means that potential risks which might impair the value and/or development of the company can be identified at an early stage. Early warning indicators that are specific to the environment and the company are taken into account, as are the observations and regional knowledge of our employees.
The operational management of the risk management system falls within the remit of the Head of Controlling, who is responsible for Risk Controlling. He reports to the Chief Financial Officer (CFO). Risk Controlling initiates the software-supported, periodic risk management process and consolidates and validates the risks reported. It is also responsible for validating the risk management measures and monitoring their implementation. Risk Controlling works with the individual risk owners to define early warning indicators that are used to monitor actual developments with regard to certain risks.
The risk owners are the managers at the level directly below the Management Board. They are responsible for identifying, evaluating, managing, monitoring, documenting and communicating all risks in their sphere of responsibility. They are also responsible for recording and reporting all risks in the company’s risk tool based on the defined reporting cycles (generally on a half-yearly or ad hoc basis, insofar as is necessary).
Based on a half-yearly risk inventory taken in the first and third quarters of a fiscal year Risk Controlling prepares a risk report for the Management Board and the Supervisory Board. It also simulates major risk developments and their impact on the corporate plans and objectives. This reporting system ensures that both managers and supervisory bodies are comprehensively informed. In this way, misguided developments can be recognized in good time and counteraction taken at an early stage. Should significant risks occur unexpectedly, they are reported directly to the Management Board and the Supervisory Board on an ad hoc basis.
The risk management system is updated and refined on a regular basis and is also adjusted to reflect changes at the company. The effectiveness of the risk management system is analyzed in regular audits.
In organizational terms, risk management is assigned directly to the Management Board. The Management Board has overall responsibility in this regard. It decides on the organizational structures and workflows of risk management and provision of resources. It approves the documented risk management findings and takes account of them in steering the company. The Audit Committee of the Supervisory Board monitors the effectiveness of the risk management system.
The risk management system looks at all activities in the risk management process, i.e.,
- Risk identification
- Risk assessment
- Risk aggregation
- Risk control
- Risk monitoring.
Based on the COSO Framework, a risk space with the following four main risk categories has been defined to facilitate risk identification: strategy, regulatory environment & overall statutory framework, operating business and financing (including accounting and tax). A structured risk catalog has been assigned to each of these categories.
When it comes to assessing risk, a distinction is made between risks with an impact on profit and loss and those affecting the balance sheet. Risks with an impact on profit and loss have a negative effect on the company’s sustained earnings power and, as a result, on Group FFO. In general, these risks also have an impact on liquidity. Risks affecting the balance sheet do not impact Group FFO. In particular, these risks can be such that they do not affect liquidity, e.g., because they only impact property values.
If possible, risk assessments are always to be performed in quantitative terms. If this was difficult to achieve or not possible, a qualitative assessment was performed using a detailed matrix comprising five loss categories. The expected amount of loss is classified to one of five categories:
Classification of expected amount of loss
Impact on profit and loss*
Impact on statement of financial position*
Threatens the company’s existence
Possible loss of > € 500 million in Group FFO
Possible balance sheet loss of > € 8,000 million
Dangerous impact on business development, previous business situation cannot be restored in the medium term
Possible loss of € 250 million to € 500 million in Group FFO
Possible balance sheet loss of € 4,000 million to € 8,000 million
Temporarily impairs business development
Possible loss of € 100 million to € 250 million in Group FFO
Possible balance sheet loss of € 1,600 million to € 4,000 million
Low impact, possibly leaving a mark on business development in one or more years
Possible loss of € 25 million to € 100 million in Group FFO
Possible balance sheet loss of € 400 million to € 1,600 million
Minor impact on business development
Possible loss of € 5 million to € 25 million in Group FFO
Possible balance sheet loss of € 80 million to € 400 million
- * Understood as the possible financial loss over five years in accordance with the medium-term planning horizon.
five clusters have been defined for the expected probability of occurrence.
Expected probability of occurrence
It is to be assumed that the risk will materialize during the observation period.
The risk is likely to materialize during the observation period.
The risk could materialize during the observation period.
The risk is unlikely to materialize during the observation period.
It is to be assumed that the risk will not materialize during the observation period.
The expected amount of loss and the probability of occurrence are classified within the set ranges before action (gross) and after action (net) for each risk, documented in a risk tool and transferred to a heatmap there. Risk reporting is based on the net assessment and the assignment of risks in the net heatmap, comprising five categories for both probability of occurrence and the amount of loss.
The term “top risks” refers to the risks assigned to the red and amber fields. These are reported to the Supervisory Board and published as part of the external reporting process. The risks assigned to the red fields are classified as threatening or endangering the company or its survival. The risks assigned to the amber fields are significant to the company. Red and amber risks are subject to intensive monitoring by the Management Board and the Supervisory Board. The risks assigned to the green fields are less significant to the company.
As part of risk management, we focus on material risks, combined with active risk management. If possible and necessary, specific risk management measures are agreed and incorporated into a regular monitoring process to be conducted by Risk Controlling.
Regular risk monitoring by Risk Controlling ensures that risk management measures are implemented as planned.