Risk management is integrated in Vesteda’s strategic and operational processes. We have defined our risk management policy and implemented a risk management framework in line with the core fund risk profile, as defined in the Vesteda Residential Fund’s Terms and Conditions, extending to all levels of the organisation and all lines of business.
Vesteda has developed its internal risk management framework on the basis of the recommendations of the Committee of Sponsoring Organisations of the Treadway Commission (COSO), the aim of which is to create a reasonable level of assurance on the achievement of organisational targets. Vesteda’s internal control systems include various measures for achieving adequate segregation of duties, prompt recording of significant transactions and data security. Internal accountability and management reports, management reviews and other internal research into the design and operation of the internal controls are an integral part of the internal control systems.
Vesteda also uses the ‘Three lines model’ with respect to managing risks (first line: Management, second line: Business control, Risk committee and Compliance officer, third line: Internal Audit). This model enhances the awareness of the risk culture within Vesteda and underlines and supports accountability for the management of risks and internal controls.
The three lines model emphasises that focus should be on the contribution risk management makes to achieving objectives and creating value, as well as to matters of ‘defence’ and the protection of value. Vesteda also supports the principles to the effect that:
There must be regular interaction between Internal Audit and management to ensure the work of Internal Audit is relevant and aligned with the strategic and operational needs of the organisation.
There is a need for collaboration and communication across both the first and second line roles of management and Internal Audit to ensure there is no unnecessary duplication, overlap, or gaps.
Vesteda’s Internal Audit department is already providing objective assurance and advice on the adequacy and effectiveness of governance and risk management (including internal controls) to support the achievement of organisational objectives and to promote and facilitate continuous improvement.
The INREV core fund risk profile implies that Vesteda has a relatively low-risk profile since it typically invests in income producing real estate investments. Vesteda employs relatively low levels of leverage and has limited exposure to real estate development. A significant and stable proportion of its returns are generated through rental income. Overall, Vesteda has a relatively low-risk appetite. We refer to Note 26 of the consolidated financial statements for a description of our financial risk management objectives and policies.
Vesteda’s risk management framework
Vesteda’s risk management framework is described in the section below.
Vesteda’s risk management activities are overseen by the Risk Committee. The Committee’s tasks include, but are not limited to:
Providing support and advice to the Management Board and Management Team with regard to the periodic identification of Strategic Risks and their assessment and management.
Formulating policy frameworks for operational risk management and ensuring compliance with them.
Making method(s) and techniques available that support line management in risk management of Operational Risks.
Monitoring Operational Risks and Compliance Risks and their control.
Stimulating risk awareness in the organisation.
Providing insight into the risk profile of the organisation.
The Risk Committee explicitly does not focus on identifying and monitoring Strategic Risks. These are risks that could negatively affect Vesteda's strategic objectives and is formulated in the most recent Business Plan. This is the responsibility of the Management Board and the Management Team. However, should the Risk Committee identify a risk in the context of its activities that could have an impact on Vesteda's strategic objectives, the Risk Committee will immediately report its findings to the Management Board.
The Risk Committee is chaired by the CFO, who is already charged with risk management at Vesteda. Other members of the Risk Committee include the COO, the Corporate Secretary/General Counsel, the Business Control Manager, the D&I Manager and the Compliance Officer. The Internal Audit Manager also joins the meetings of the Risk Committee but is not a member of the Risk Committee. A Risk Charter defines the roles and responsibilities, the tasks, authorities and reporting requirements of the Risk Committee. The Risk Charter was approved by the Management Board in November 2020.
The scope of risk management
Vesteda distinguishes the following three main risk areas:
1. Strategic risks relating to risks with respect to Vesteda’s strategic targets as defined in the Business Plan
This relates to specific risks regarding tenants, portfolio, participants (equity funding), organisation and debt funding.
The Management Board and the Management Team primarily focus on:
Identifying and assessing the Strategic Risks annually on the basis of the most recent Business Plan;
Quarterly monitoring of the Strategic Risks and the effectiveness of the associated control measures;
Adjusting the control measures with regard to the Strategic Risks if these are not considered sufficient.
2. Operational risks relating to failure of systems and processes
Operational risk management is part of Vesteda’s business processes and is governed by specific guidelines, policies and key controls designed to manage these operational risks, which are subject to internal reviews and external audits where appropriate.
Each year, Vesteda’s external auditor provides assurance with respect to the design and effective operation of controls based on the International Standards on Assurance Engagements (ISAE), Standard 3402, type II. Vesteda selects the relevant controls to be audited and concluded upon in the assurance report and these relate to key controls within the most important business processes, primarily Acquisitions, Property and Portfolio Sales and Operations.
3. Compliance risks related to non-compliance with legislation and regulations
Vesteda has a dedicated Compliance Officer who reports on a quarterly basis to the Management Board and Supervisory Committee. The scope of the work of the Compliance Officer is set out in a Compliance Charter. Both internal and external developments, such as trends, risk-increasing developments, incidents and new or changed laws and regulations, can lead to the (partial) revision or adjustment of an established programme. The Compliance Officer constantly monitors these developments, responds to these and discusses them (where necessary) in the quarterly consultations or on an ad-hoc basis with the Management Board and/or the Supervisory Committee or addresses these matters in the Risk Committee. If necessary, the Compliance Officer adjusts these activities (advice, monitoring) accordingly. The annual compliance programme therefore has a dynamic character. It is also possible that the results of (un)planned compliance monitoring gives cause to prioritise a topic, while this was not previously planned. The compliance charter gives substance to this dynamic of compliance activities in various areas. For more detailed information, please see the section Compliance and integrity of this report.
Strategic risk analysis
Vesteda’s strategic risk analysis is based on the following assessment which is executed by the Management Board and Management Team jointly:
Identification of strategic risks, based on the strategic targets and key performance indicators within the five strategic pillars: Tenants, Participants (Equity), Portfolio, Organisation and Funding (Debt). These strategic targets and risks are based on the five-year Business Plan, subject to approval each year in December by Vesteda’s Participants, and actual developments.
An assessment of the level of risk Vesteda is willing to accept in achieving its strategic targets (risk aversion) to provide guidance for decisions relating to risk and return management. The outcome of this assessment also serves as a basis for the review of the effectiveness of the nature and level of internal controls for each risk. The level of risk aversion is measured based on a scale of 1 to 5: Risk averse, Limited risk, Cautious, Flexible, Open.
In alignment with the key characteristics of Vesteda as a Core INREV fund, with a conservative funding policy focusing only on residential real estate in the Netherlands, limited risks or a cautious approach is necessary for Vesteda’s strategic targets (risk aversion of mostly 2, partly 2-3).
Classification of identified risks based on impact (high – low) and to what extent the risk is manageable (manageable to a large extent – not manageable).
Defining the internal controls (taken or to be implemented) for each of the identified risks, the required level of effectiveness for these controls and the relevant key performance indicators to monitor effectiveness.
The outcome of this review is depicted in the ‘Vesteda Risk Profile’ figure below:
Vesteda Risk Profile
For each of the risks shown in the ‘Vesteda Risk Profile’ above, the main internal controls are:
External risks, potential high impact, no or limited controls on risk occurring
Risk: Changes in (rental) laws and regulations
Changes in laws and regulations relating to rent (increases), investments (local requirements or product-specific requirements, e.g. regulated mid-rental segment), building requirements (sustainability), fiscal laws impacting investments in real estate, etc.
As changes in laws and regulations are beyond Vesteda’s direct control, the main focus in addressing this risk is identifying and discussing possible changes and alerting and preparing the organisation. This is realised through our multiple contacts with the sector association IVBN and contacts with city councils, politicians, developers, etc. Where relevant, we take the effect of potential changes in laws and regulation into account in our business planning, including impact analyses and stress testing, where relevant.
With respect to the risk regarding rental regulation, we take an active role in the affordability debate, together with the IVBN. We believe it is important to behave as a socially responsible investor and to highlight the role we have in responsibly investing pension savings and insurance premiums entrusted to us by our participants in residential real estate for middle-income tenants.
Risk: Homes are not compliant with legislation
Our homes cannot meet all requirements set by (EU) legislation with respect to climate mitigation and sustainability.
Vesteda has implemented a number of internal controls for this specific risk, the most important of which are:
An investment programme to improve the energy labels of our homes. Please refer to the section Corporate Sustainability and Social Responsibility of this report.
In March 2021, Vesteda adopted the ‘Policy on the integration of sustainability risks and factors into the investment decision making process’ providing insight in which potential sustainability risks Vesteda has identified and how these risks and principal adverse impacts on sustainability factors are integrated in investment decisions of new acquisitions.
Sustainability and climate risks form an important part of Vesteda’s investment decision process for new acquisitions. Vesteda applies its technical standards to assess whether new (potential) investments comply with Vesteda’s sustainability and technical requirements. Since the beginning of 2021, Vesteda has been using an ESG framework to determine a sustainability impact score for each project to provide for a broader scope on relevant sustainability risks and factors and to ensure new projects meet the applicable ESG requirements to be qualified as sustainable.
Please refer to the section Environmental – Improve sustainable performance on page 51 of this report and the section Acquisitions and dispositions on page 37.
Risk: Climate incidents
Climate incidents affecting our portfolio, such as flooding, heat stress, earthquakes, etc.
This is also a risk that is to a large extent beyond Vesteda’s direct control. However, in terms of mitigating the impact of climate incidents, Vesteda has taken the following measures:
A climate risk scan for the entire portfolio. Please refer to the section Physical climate risks on page 53 of this report.
Specific attention for the risks of heat stress and flooding in our long-term maintenance programme per building complex. Please refer to the section Physical climate risks on page 53 of this report.
Strategic risks, potential medium to high impact, reasonable or high level of controls possible on risk occurring
Risk: Investors seek other investment opportunities
Investments in Vesteda (residential real estate) become less attractive for potential new and current investors (primarily as a result of an imbalance between return and risk).
Each year, participants have to approve the Business Plan, which includes the strategy to achieve the targets as set out in the Investment Guidelines of the Terms and Conditions. For example, the outperformance of the three-year MSCI index and a target for the TER. The achievement of the targets is monitored on a monthly, quarterly and annual basis.
We have frequent meetings with participants, at which we communicate market developments and the progress of the strategy implementation. In the current market environment, with political discussions on affordability, the impact of rent increases and (potential) new legislation on rent increases, we believe it is important to discuss Vesteda’s strategy as a socially responsible investor, especially when this pertains to decisions regarding tenant satisfaction, rent increases and sustainability.
Risk: Disruptive technology
Vesteda’s business model is disrupted by new innovative technology.
Digital technology provides the residential investment industry (and adjacent sectors) in general and Vesteda in specific with new resources to create and capture value for all stakeholders. This may, for example, mean that a residential property functions as a platform for the sale of additional goods and services to its users as well, thereby increasing the tenant's perception of value and willingness to pay for it. As a result, boundaries between sectors may blur and young, agile and cost-efficient companies may become a competitor for existing players in the relatively traditional housing market. Digital technology may also be a source of optimised rental income streams and structural savings in general, operational and capital expenditures, while at the same time improving sustainability, tenant satisfaction and risk profile of the investment.
Exploiting the full potential of digital technology requires a deep understanding of the opportunities and risks associated with it and requires a holistic vision on digital technology as a key resource for strategy definition and execution. Vesteda is already applying digital technology in several parts of its business model and processes, and is working on incorporating digital technology in strategy definition and organizational design more and more. Failure to keep up with these developments may have a negative effect on Vesteda's competitive position in the longer term and access to new investment product. Vesteda mitigates this risk today by recognizing both the opportunities and the risks of digital technology and step by step improving its business model and organisation using digital technology.
Risk: Unable to invest in attractive acquisitions
Vesteda is unable to invest in new attractive acquisition opportunities.
Dutch residential investments are seen as a safe haven with an attractive risk/return profile, due to the scarcity in supply, high demand and low interest rates. In this high investor demand market Vesteda is active throughout the value chain: Vesteda is proactively interacting with developers, contractors and local authorities using our in-depth knowledge of local markets and developments and positioning ourselves as a solid long-term partner.
As part of our acquisition policy, we have furthermore implemented a range of internal controls, including:
Monitoring of acquisition leads funnel and conversion of leads.
Yearly evaluation of IRR requirements.
Performance analyses of realised acquisitions compared with the investment proposal.
Yearly approval by participants of the Business Plan, which includes the acquisition strategy and funding of acquisitions.
Preventable risks, medium to low impact, high level of controls possible on risk occurring
Risk: Negative tenant experiences
Vesteda’s image and reputation is affected by negative tenant experiences which may result in low(er) tenant satisfaction scores.
Vesteda measures tenant satisfaction continuously and this is one of Vesteda’s major key performance indicators. It is included in the annual targets for the Management Team, senior management, departments and employees. Please refer to the section Tenant satisfaction surveys of this report.
In the event of tenant complaints, Vesteda strives to act and communicate quickly and transparently. Vesteda makes sure that cases are evaluated and that lessons learned are shared internally in order to improve future processes.
Risk: Irregularities in the letting process.
Vesteda’s image and reputation is affected by irregularities in the letting process.
Vesteda has implemented customer due diligence procedures to comply with anti-money laundering legislation relating to tenants and others. Vesteda provides employees who are in charge of screening tenants with additional training and reference materials. The Compliance department has been expanded, providing more support in the letting process and the assessment of new tenants. In addition, Vesteda will organise dilemma workshops in 2022 for the Digital Sales team. Please refer to the section Compliance and integrity of this report.
Risk: Insufficient experience and capabilities within the organisation
The risk that Vesteda cannot attract and retain the right talent to achieve its ambitions and the risk that Vesteda’s employees are less engaged and show lack of performance (due to working from home).
Vesteda has a professional HR department in charge of attracting and retaining highly qualified staff, through recruitment procedures, talent management, training programmes, etc. Please refer to the section Workforce of this report.
As a result of COVID-19, with the vast majority of employees working from home, there is also a risk of less engagement between employees and the organisation. Post COVID-19, this risk may still be relevant as employees will work from home on a more structural basis. In addition to the already existing development programmes and activities related to making Vesteda a High Performing Organisation, focus is therefore also on more frequent communications, by the Management Team and by the managers, and recognition of the contribution of our employees (individually and by department) to keep our employees aligned and engaged with the organisation and vice versa.
In addition, Vesteda plans to review and update its remuneration policy, which can help in attracting and retaining staff.
Please refer to section Organisation and staff of this report.
The monitoring of the above-mentioned strategic risks and the effectiveness of internal controls, as well as identifying new strategic risks is the responsibility of the Management Board and the Management Team and will be discussed at least quarterly in 2022 as part of quarterly reporting.
Risk Committee activities in 2021
In the year under review, the Risk Committee frequently discussed Vesteda’s digital organisation and the risks related to our IT systems and possible cybercrimes and attacks with the D&I Manager. The Treasury Manager reported to the Risk Committee on a quarterly basis on the compliance with Vesteda’s funding targets, including stress tests on liquidity and financial covenants. The Internal Audit Manager reported to the Risk Committee on ISAE controls. Furthermore, the Compliance Officer reported on Compliance risks and the Client Due Diligence procedures, which procedures were further implemented in our IT systems in 2021.
In 2021, the Risk Committee was informed on a regular basis on the COVID-19 measures and the related risks.
Vesteda updated its Risk Management Policy in 2021.
‘In control’ statement
The Management Board is responsible for implementing and maintaining adequate risk management and internal control systems and for assessing the effectiveness of these systems.
In the year under review, we evaluated and monitored our risk management and internal control systems, as further described in the above Risk management section of this report. Based on this assessment, we concluded with reasonable, but not absolute, assurance that:
The annual report provides sufficient insights into any failings in the effectiveness of the internal risk management and control systems.
The aforementioned systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies.
Based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis.
The annual report states those material risks and uncertainties that are relevant to the expectation of Vesteda’s continuity for the period of twelve months after the preparation of the report.
It is important to note that effective risk management, with embedded internal controls, no matter how well designed and implemented, provides the Management Board with only reasonable assurance regarding the achievement of Vesteda’s objectives. The achievement of objectives is affected by limitations inherent in all management processes. Therefore, in this context ‘reasonable assurance’ refers to the degree of certainty that would be satisfactory for a prudent manager in the management of their business and affairs in the given circumstances.