Risk management is integrated in Vesteda’s strategic and operational processes. We have defined our risk management policy and implemented a risk management framework in line with the core fund risk profile, as defined in the Vesteda Residential Fund’s Terms and Conditions, extending to all levels of the organisation and all lines of business.
Vesteda has developed its internal risk management framework on the basis of the recommendations of the Committee of Sponsoring Organisations of the Treadway Commission (COSO), the aim of which is to create a reasonable level of assurance on the achievement of organisational targets. Vesteda’s internal control systems include various measures for achieving adequate segregation of duties, prompt recording of significant transactions and data security. Internal accountability and management reports, management reviews and other internal research into the design and operation of the internal controls are an integral part of the internal control systems.
Vesteda also uses the ‘Three lines model’ with respect to managing risks (first line: Management, second line: Business control, Risk committee and Compliance officer, third line: Internal Audit). This model enhances the awareness of the risk culture within Vesteda and underlines and supports accountability for the management of risks and internal controls. The principles-based approach of the new three lines model (published on 21 July 2020) emphasises that focus should be on the contribution risk management makes to achieving objectives and creating value, as well as to matters of ‘defence’ and the protection of value. Vesteda also supports the principles to the effect that:
There must be regular interaction between Internal Audit and management to ensure the work of Internal Audit is relevant and aligned with the strategic and operational needs of the organisation.
There is a need for collaboration and communication across both the first and second line roles of management and Internal Audit to ensure there is no unnecessary duplication, overlap, or gaps.
Vesteda’s Internal Audit department is already providing objective assurance and advice on the adequacy and effectiveness of governance and risk management (including internal controls) to support the achievement of organisational objectives and to promote and facilitate continuous improvement.
The INREV core fund risk profile implies that Vesteda has a relatively low-risk profile since it typically invests in income producing real estate investments. Vesteda employs relatively low levels of leverage and has limited exposure to real estate development. A significant and stable proportion of its returns are generated through rental income. Overall, Vesteda has a relatively low-risk appetite. We refer to Note 26 in the section Notes to the consolidated financial statements for a description of our financial risk management objectives and policies.
Vesteda’s risk management framework
Vesteda’s risk management framework is described in the section below.
Vesteda’s risk management activities are overseen by the Risk Committee. The Committee’s tasks include, but are not limited to:
Advising the Management Board and the Management Team on risk management.
Designing and maintaining the strategic risk management policy.
Advising and facilitating the design and maintenance of the operational risk management policy.
Ensuring the appropriate yearly review of the risk management policy by the Management Board and the Management Team.
Increasing awareness of risk management throughout Vesteda.
Monitoring the effectiveness of key controls related to operational risks and compliance risks.
Reporting on risk management to the Management Board and the Management Team, the Audit Committee and the Supervisory Committee.
The Risk Committee is chaired by the CFO, who is already charged with risk management at Vesteda. Other members of the Risk Committee include the Operations Director (appointed to COO in January 2021), the Corporate Secretary/General Counsel, the Business Control Manager, the D&I Manager and the Compliance Officer. The Internal Auditor also joins the meetings of the Risk Committee but is not a member of the Risk Committee. A Risk Charter defines the roles and responsibilities, the tasks, authorities and reporting requirements of the Risk Committee. The Risk Charter was amended last year and approved by the Management Board in November 2020.
The scope of risk management
Vesteda distinguishes the following three main risk areas:
1. Strategic risks relating to risks with respect to Vesteda’s strategic targets as defined in the Business Plan
This relates to specific risks regarding tenants, portfolio, participants (equity funding), organisation and debt funding.
2. Operational risks relating to failure of systems and processes
Operational risk management is part of Vesteda’s business processes and is governed by specific guidelines, policies and key controls designed to manage these operational risks, which are subject to internal reviews and external audits where appropriate.
Each year, Vesteda’s external auditor provides assurance with respect to the design and effective operation of controls based on the International Standards on Assurance Engagements (ISAE), Standard 3402, type II. Vesteda selects the relevant controls to be audited and concluded upon in the assurance report and these relate to key controls within the most important business processes, primarily Acquisitions, Property and Portfolio Sales and Operations.
3. Compliance risks related to non-compliance with legislation and regulations
Vesteda has a dedicated Compliance Officer who reports on a quarterly basis to the Management Board and Supervisory Committee. The scope of the work of the Compliance Officer is set out in a Compliance Charter, which was approved by the Management Board in May 2017. Both internal and external developments, such as trends, risk-increasing developments, incidents and new or changed laws and regulations, can lead to the (partial) revision or adjustment of an established programme. The Compliance Officer constantly monitors these developments, responds to these and discusses them (where necessary) in the quarterly consultations or on an ad-hoc basis with the Management Board and/or the Supervisory Committee. If necessary, the Compliance Officer adjusts their activities (advice, monitoring) accordingly. The annual compliance programme therefore has a dynamic character. It is also possible that the results of (un)planned compliance monitoring gives cause to prioritise a topic, while this was not previously planned. The compliance charter gives substance to this dynamic of compliance activities in various areas. For more detailed information, please see the Compliance and Integrity section of this report.
As described above, the Risk Committee focuses on providing support and advice with respect to strategic risks and defining the policy framework for operational risk management. Operational risk management continues to be the responsibility of the business. The Risk Committee monitors the effectiveness of operational controls and compliance.
Strategic risk analysis
In 2020, the Management Team thoroughly reviewed Vesteda’s strategic risks based on the Business Plan 2020-2024, actual business developments in 2020 and the strategic outlines for the Business Plan 2021-2025. The review consisted of:
Identification of strategic risks, based on the strategic targets and key performance indicators within the five strategic pillars: Tenants, Participants (Equity Funding), Portfolio, Organisation and Funding (Debt Funding).
An assessment of the extent to which Vesteda is risk averse for each of the strategic targets. The objective of this assessment was to create a common understanding of the level of risks Vesteda is willing to accept in achieving its strategic targets and to provide guidance for decisions relating to risk and return management. It also serves as a basis for the review of the effectiveness of the nature and level of internal controls for each risk. The level of risk aversion was measured based on a scale of 1 to 5:
The assessment concluded that limited risks or a cautious approach is necessary (risk aversion of mostly 2, partly 2-3) for Vesteda’s strategic targets. This approach is in alignment with the key characteristics of Vesteda as a Core INREV fund with a conservative funding policy focusing only on residential real estate in the Netherlands.
Classification of identified risks based on impact (high – low) and to what extent the risk is manageable (to a large extent manageable – not manageable).
The outcome of this review is depicted in the ‘Vesteda Risk Profile’ figure below:
Vesteda Risk Profile
Defining the internal controls (taken or to be implemented) for each of the identified risks, the required level of effectiveness for these controls and the relevant key performance indicators to monitor effectiveness.
For each of the risks shown in the ‘Vesteda Risk Profile’ above, the main internal controls are:
External risks, potential high impact, no or limited controls on risk occurring
Risk: Changes in laws and regulations
Changes in laws and regulations relating to rent increases, investments (local requirements or product specific requirements, e.g. regulated mid-rental segment), building requirements (sustainability), fiscal laws impacting investments in real estate, etc.
As changes in laws and regulations are beyond Vesteda’s direct control, the main focus in addressing this risk is identifying and discussing possible changes and alerting and preparing the organisation. This is realised through our multiple contacts with the sector association IVBN and contacts with city councils, politicians, developers, etc. Where relevant, we take the effect of potential changes in laws and regulation into account in our business planning, including impact analyses and stress testing, where relevant.
With respect to the risk regarding rental regulation, we do take an active role in the affordability debate, together with the IVBN, and we once again voluntarily capped the annual rent increase in 2020. We believe it is important to behave as a socially responsible investor and to highlight the role we have in responsibly investing pension savings and insurance premiums entrusted to us by our participants in residential real estate for middle-income tenants.
Risk: Homes are not compliant with legislation
Our homes do not comply with legislation with respect to climate mitigation and sustainability.
Vesteda has implemented a number of internal controls for this specific risk, the most important of which are:
An investment programme to improve the energy labels of our homes. Please refer to the section Corporate Sustainability and Social Responsibility of this report.
New acquisitions should comply with Vesteda’s building requirements and with Vesteda’s sustainability principles. Please refer to the section Environmental – Improve sustainable performance on page 55 of this report.
In addition, every acquisition investment proposal has to include a climate risk scan.
Risk: Climate incidents
Climate incidents affecting our portfolio, such as flooding, heat stress, earthquakes, etc.
This is also a risk that is to a large extent beyond Vesteda’s direct control. However, in terms of mitigating the impact of climate incidents, Vesteda has taken the following measures:
A climate risk scan for the entire portfolio. Please refer to the section Physical climate risks on page 58 of this report.
Specific attention for the risks of heat stress and flooding in our long-term maintenance programme per building complex. Please refer to the section Physical climate risks on page 58 of this report.
Strategic risks, potential medium to high impact, reasonable or high level of controls possible on risk occurring
Risk: Investors seek other investment opportunities
Investments in Vesteda (residential real estate) become less attractive for potential new and current investors (primarily as a result of an imbalance between return and risk).
Each year, participants have to approve the Business Plan, which includes the strategy to achieve the targets as set out in the Investment Guidelines of the Terms and Conditions. For example, the outperformance of the three-year MSCI index and a target for the TER. The achievement of the targets is monitored on a monthly, quarterly and annual basis.
We have frequent meetings with participants, at which we communicate market developments and the progress of the strategy implementation. In the current market environment, with political discussions on affordability, the impact of rent increases and (potential) new legislation on rent increases, we believe it is important to discuss Vesteda’s strategy as a socially responsible investor, especially when this pertains to decisions regarding tenant satisfaction, rent increases, sustainability and, specifically in 2020, our approach to supporting tenants during the COVID-19 pandemic.
Risk: Disruptive technology
Vesteda’s business model is disrupted by new innovative technology.
Disruptive technology may potentially have a significant impact on Vesteda. This risk is to a large extent mitigated, as we perform our own property management and are in control of rental and property data and systems, which could be a major barrier to entry in this property segment, in combination with relatively low vacancy rates and a structural imbalance between the supply and demand of residential real estate.
We also encourage and stimulate technology training and we are participating in educational programmes organised by (for instance) sector associations and exchange experience and knowledge with peers abroad, our participants, etc. to keep our knowledge of technology developments up to date.
Risk: Unable to invest in attractive acquisitions
Vesteda is unable to invest in new attractive acquisition opportunities.
As part of our acquisition policy, we have implemented a range of internal controls, including:
Monitoring of acquisition leads funnel and conversion of leads.
Yearly evaluation of IRR requirements.
Performance analyses of realised acquisitions compared with the investment proposal.
Yearly approval by participants of the Business Plan, which includes the acquisition strategy and funding of acquisitions.
Risk: Engagement organisation (work from home)
As a result of COVID-19, with the vast majority of employees working from home, there is an increasing risk of a less engagement between employees and the organisation. Post COVID-19, this risk may still be relevant as employees will work from home on a more structural basis.
In addition to the already existing development programmes and activities related to making Vesteda a High Performing Organisation, focus has been and will be on more frequent communications, by the Management team and by the managers, and recognition of the contribution of our employees (individually and by department) to keep our employees aligned with the organisation and vice versa. In 2021, we will also invite our employees to help define what is needed from the organisation and from our employees to maintain the right level of engagement in the organisation. Please refer to section Organisation & staff for our plans to keep our employees aligned with the organisation and vice versa.
Preventable risks, medium to low impact, high level of controls possible on risk occurring
Risk: Negative tenant experiences
Vesteda’s image and reputation is affected by negative tenant experiences.
Vesteda measures tenant satisfaction continuously and this is one of Vesteda’s major key performance indicators. It is included in the annual targets for the Management Team, senior management, departments and employees. Please refer to the section Tenant satisfaction surveys of this report.
Risk: Insufficient experience and capabilities within the organisation
Insufficient experience and capabilities within the organisation.
Vesteda takes a range of measures to ensure that it attracts and retains highly qualified staff, such as recruitment procedures, talent management, training programmes, etc. Please refer to the section Workforce of this report.
The monitoring of the above-mentioned strategic risks and the effectiveness of internal controls, as well as identifying new strategic risks is the responsibility of the Management Board and the Management Team and will be discussed at least quarterly in 2021 as part of quarterly reporting.
Risk Committee activities in 2020
During the year under review, the Risk Committee discussed the risks related to Vesteda’s digital organisation and climate risks with the D&I Managers and the Sustainability Programme Manager. The Treasury Manager reported to the Risk Committee on the compliance with Vesteda’s funding targets, including stress tests on liquidity and financial covenants. Furthermore, the Compliance Officer reported on Compliance risks and the Client Due Diligence procedures and the HR Director reported on HR-related risks.
In 2020, the Risk Committee was informed on a regular basis on the COVID-19 measures and the related risks.
‘In control’ statement
The Management Board is responsible for implementing and maintaining adequate risk management and internal control systems and for assessing the effectiveness of these systems.
In the year under review, we evaluated and monitored our risk management and internal control systems, as further described in the above Risk management section of this report. Based on this assessment, we concluded with reasonable, but not absolute, assurance that:
The annual report provides sufficient insights into any failings in the effectiveness of the internal risk management and control systems.
The aforementioned systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies.
Based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis.
The annual report states those material risks and uncertainties that are relevant to the expectation of Vesteda’s continuity for the period of twelve months after the preparation of the report.
It is important to note that effective risk management, with embedded internal controls, no matter how well designed and implemented, provides the Management Board with only reasonable assurance regarding the achievement of Vesteda’s objectives. The achievement of objectives is affected by limitations inherent in all management processes. Therefore, in this context ‘reasonable assurance’ refers to the degree of certainty that would be satisfactory for a prudent manager in the management of his business and affairs in the given circumstances.