
Risk and risk management

The Executive Board, under the supervision of the Supervisory Board, bears the ultimate responsibility for identifying and managing the risks associated with the company’s strategy and activities.

Internal Control

All activities of the management in implementing the company strategy and objectives and the management of risks to achieve our objectives are to be carried out in line with our internal control principles set out in the Vopak Key Control Framework (‘VKCF’). Sixteen key processes covering all aspects of our business are covered by this principle-based framework.

 Local management (‘first line of defense’), supported by Divisions and Global Functions, is responsible for ensuring that the internal controls relating to these processes are implemented and operating effectively and thus for managing their key risks. Our Governance framework enables Divisions and Global Functions to act as the ‘second line of defense’ and in doing so they are responsible for the monitoring of internal controls locally including assessing their effectiveness. Global Internal Audit acts as the ‘third line of defense’ performing audits to provide assurance on the existence and effectiveness of internal controls. In addition to the independent audits executed by Global Internal Audit, which include a separate fraud vulnerability assessment for each business process review, the maturity of key control implementation per operating company is assessed annually through the completion of the Control Risk Self-Assessment (CRSA). This covers all key processes and controls in the VKCF including the control environment and those specifically directed at fraud and corruption.

While the CRSA covers all processes, a number of Global functions also perform additional function-specific monitoring activities such as Assure audits by the Global Operations Department, Sourcing and Procurement Self-Assessments by Global Procurement, and Commercial Reviews by Global Commercial and Business Development, all with the objective to assess the extent of implementation and effectiveness and establish further improvements from a functional responsibility perspective. During 2017, various policies were further improved, including the renewing of the Code of Conduct which will be followed by an updated awareness training program in 2018 to be completed by all employees. ‘Alerts’ distributed by various functions throughout the year contribute to the further effectiveness of existing working practices and guidance.

This applies in particular to the alerts that are distributed by Global Operations following incidents. The introduction of new (automated IT) systems via the MOVES program will improve our control environment through the further standardization of processes and systems enabling increased transparency and monitoring of actions. Our Divisional governance structure requires Divisions to carry out monitoring activities with regard to terminals. The effectiveness of these activities is assessed on an annual basis through the Divisional Monitoring Control Self-Assessment, also coordinated by Global Internal Audit at the same time as the CRSA. As referred to in the Corporate Governance chapter, the Executive Board is assisted in fulfilling its responsibilities by the Risk Committee, the Compliance Committee and the Disclosure Committee. These three Committees play an important role in the company’s overall internal control framework by providing cross-functional and cross-divisional advisory insight on key topics directly to the Executive Board. For example, the Compliance Committee focuses on a number of global compliance topics with each relevant function being represented in the committee. Progress on actions and effectiveness are shared. A confirmatory action of both the Compliance and Risk Committees is renewing the group-wide accessibility of company policies. The effectiveness of the committees is assessed by means of a self-assessment at the end of the calendar year with feedback to the Executive Board.

Internal Controls periodically updated

Our VKCF is reviewed periodically to ensure that the design of the controls and guidance remains relevant and effective for the organization while remaining principle based. This process is coordinated through the joint effort of Global Control & Business Analysis and Global Internal Audit with Global functions being responsible for the individual processes under their responsibility. A thorough review was undertaken in 2017 with the objective of reviewing the relevancy of the controls with respect to the key risks and control effectiveness. This process resulted in a revised absolute number of key controls and additional guidance being given as to which activities are expected to be implemented for a given maturity level per control. A maturity scale of 1 – 5 is used. This additional guidance serves to both educate and assist in fair external assessments and self-assessments. Further maturity of VKCF in 2018 and beyond is likely to include increased reference to the self-monitoring opportunities enabled by the new (automated IT) systems in development. 

Management Review Cycle

The regular reporting cycle is key to our control process. Monthly and quarterly management reports are prepared by all operating companies and Divisions including joint ventures in line with clearly defined, mandatory reporting requirements with regular consultations across all the management layers involved. The reports and related discussions between senior management, including but not limited to the Executive Board, cover not only the financial results but also key operational, sustainability, human resources and commercial performance indicators aimed at realizing the strategic objectives and mitigating the accompanying risks. A critical element of these discussions is comparing progress against prior-year performance and Vopak’s Annual Budget which, together with the two subsequent (plan) years, is reviewed and approved by the Executive Board for all Divisions and operating companies each year. As noted in the Corporate Governance section, the streamlining of the divisional structure will further improve and optimize organizational efficiency and therefore also management controls. Executive Board members, both collectively and individually, visit terminals and Divisions in the course of the year outside of the periodic (fixed) management review cycle. This includes for example the annual full Executive Board two to three day Comprehensive Review for each Division, Joint Venture Board meetings attendance, Annual Safety Day terminal visits and additional visits. These and similar interactions by Global Directors provide valuable insights into the performance (including behavioral, cultural and internal control factors) of the company.

Role of Internal Audit

The role of Global Internal Audit is to provide assurance and advice to the Executive Board in its responsibility for the existence and effectiveness of internal controls that are in place to safeguard the company’s strategy including that of risk management at operating company level. Independent and objective assurance activities relating to the design, application and effective functioning of governance, risk management and internal controls fall under the category of value preservation. Value creation refers to the advising activities designed to add value and improve operations and the set up. Internal Audit primarily executes audits of an operational, IT, investigative and compliance nature with the audit of financial external reports being the responsibility of Vopak’s external auditor. Internal Audit reports directly to the full Executive Board and its activities are also overseen by the Supervisory Board and in particular the Audit Committee of the Supervisory Board. The Internal Audit Charter has been endorsed by the Executive Board and the Audit Committee. Internal Audit consists of a core team located at the Global Head office and, in order to ensure full effectiveness, is supplemented by subject matter experts either from the business or external support as appropriate. The annual internal audit plan executed by Global Internal Audit is developed using a risk-based approach focusing on the key risks in alignment with the ERM process and the level of assurance by means of various activities carried out by the company in monitoring those risks. An assessment of the extent that our principal risks are ‘assured’ not only by Global Internal Audit but also by Global functions was carried out in 2017 as input for the 2018 audit plan. The Global Internal Audit universe includes all processes, entities and activities within the company including joint ventures, associates and projects. Global and Divisional functions are also in scope.
The process for development of the plan includes dialogues with Divisional Management teams, Global Directors, the Executive Board and the Audit Committee, the outcome of the company’s enterprise risk process, critical factors for achieving company success and the results of monitoring activities by the Global Functions as described. Throughout the year, the results of all audits and advisory activities are shared and discussed with the Executive Board and discussed each quarter with the Audit Committee. Progress in relation to the plan is reported. The follow up of audit findings is the responsibility of the auditee with monitoring thereof and subsequent closure being the responsibility of the Division and/or Global as appropriate. This process is formalized biannually by Global Internal Audit through the ‘audit findings follow-up process’, the outcome of which is reported to the Executive Board and the Audit Committee. This process provides for an independent view on the progress of both the implementation and effectiveness of recommendations. The audit findings follow-up meetings also take into account follow-up from reviews undertaken by other functions such as Assure and Commercial reviews. Continuous evaluation of the Global Internal Audit function takes place through various stakeholder feedback tools such as evaluation forms completed by both the auditee and subject matter experts. The results are reported to the Executive Board and the Audit Committee on an annual basis. In addition, an externally performed Quality Assurance audit by the Dutch Institute of Internal Auditors takes place on a five-year basis. The first review at the end of 2016 was positive and reconfirmed that internal audits are performed in accordance with the International Internal Auditing Standards. An evaluation of the function by the Executive Board and Audit Committee has taken place.

Management assessment, Letters of Representation and In-Control Statement

Management is of the opinion that the processes in place as described, including those in the Corporate Governance chapter, are of a maturity that enables implementation and effectiveness of risk management and internal control to be assessed with the conclusion that there have been no major failings in the internal risk management and control systems relating to the risks observed during the financial year.

Additional improvements, such as policy refinement and automated systems, serve to further improve our maturity level and not change the processes. The conclusion that there were no major failings is underpinned by the Letter of Representation that is signed by Terminal Management, Divisional Finance Directors, Division Presidents and Global Directors at the end of each half year and full year. This letter represents the key elements of internal control and full disclosure of deviations to that control as appropriate. The results of this process including deviations are discussed with the Executive Board and, together with the results of the various monitoring and assurance activities as described above which are explicitly reevaluated by both Global Control & Business Analysis and Global Internal Audit for the purposes of the In-Control Statement at year end, give input and advice to the In-Control Statement issued by our Executive Board. For our In-Control Statement, reference is made to the statement issued by the Executive Board, included directly after the Financial Statements.