Risk management is integrated in Vesteda’s strategic and operational processes. We have defined our risk management policy and implemented a risk management framework in line with the core fund risk profile, as defined in the Vesteda Residential Fund’s Terms and Conditions, extending to all levels of the organisation and all lines of business.
Vesteda has developed its internal risk management framework on the basis of the recommendations of the Committee of Sponsoring Organisations of the Treadway Commission (COSO), the aim of which is to create a reasonable level of assurance on the achievement of organisational targets. Vesteda’s internal control systems include various measures for achieving adequate segregation of duties, prompt recording of significant transactions and data security. Internal accountability and management reports, management reviews and other internal research into the design and operation of the internal controls are an integral part of the internal control systems.
Vesteda also uses the ‘Three lines model’ with respect to managing risks (first line: Management; second line: Business control, Risk committee and Compliance officer; third line: Internal Audit). This model enhances the awareness of the risk culture within Vesteda and underlines and supports accountability for the management of risks and internal controls.
The three lines model emphasises that focus should be on the contribution risk management makes to achieving objectives and creating value, as well as to matters of ‘defence’ and the protection of value. Vesteda also supports the principles to the effect that:
There must be regular interaction between Internal Audit and management to ensure the work of Internal Audit is relevant and aligned with the strategic and operational needs of the organisation.
There is a need for collaboration and communication across both the first and second line roles of management and Internal Audit to ensure there is no unnecessary duplication, overlap, or gaps.
Vesteda’s Internal Audit department is already providing assurance and advice on the adequacy and effectiveness of governance and risk management (including internal controls) to support the achievement of organisational objectives and to promote and facilitate continuous improvement.
The INREV core fund risk profile implies that Vesteda has a relatively low-risk profile since it typically invests in income-producing real estate investments. Vesteda employs relatively low levels of leverage and has limited exposure to real estate development. A significant and stable proportion of its returns are generated through rental income. Overall, Vesteda has a relatively low risk appetite. Please see Note 27 of the consolidated financial statements for a description of our financial risk management objectives and policies.
Vesteda’s risk management framework
Vesteda’s risk management framework is described in the section below.
Vesteda’s risk management activities are overseen by the Risk Committee. The Committee’s tasks include, but are not limited to:
Providing support and advice to the Management Board and Management Team with regard to the periodic identification of Strategic Risks and their assessment and management;
Formulating policy frameworks for operational risk management and ensuring compliance with them;
Making method(s) and techniques available that support line management in the risk management of Operational Risks;
Monitoring Operational Risks and Compliance Risks and their control;
Stimulating risk awareness in the organisation;
Providing insight into the risk profile of the organisation.
The Risk Committee explicitly does not focus on identifying and monitoring Strategic Risks. These are risks that could negatively affect Vesteda’s strategic objectives and are formulated in the most recent Business Plan. This is the responsibility of the Management Board and the Management Team. However, should the Risk Committee identify a risk in the context of its activities that could have an impact on Vesteda's strategic objectives, the Risk Committee will immediately report its findings to the Management Board.
The Risk Committee is chaired by the CFO, who is charged with risk management at Vesteda. Other members of the Risk Committee include the COO, the General Counsel, the Business Control Manager, the D&I Manager and the Compliance Officer. The Internal Audit Manager also joins the meetings of the Risk Committee but is not a member of the Risk Committee. A Risk Charter defines the roles and responsibilities, the tasks, authorities and reporting requirements of the Risk Committee. The Risk Charter was last updated and approved by the Management Board in October 2022.
The scope of risk management
Vesteda distinguishes the following three main risk areas:
1. Risks related to strategic targets as defined in the Business Plan
This relates to specific risks regarding tenants, portfolio, participants (equity funding), organisation and debt funding.
The Management Board and the Management Team primarily focus on:
Identifying and assessing the Strategic Risks annually on the basis of the most recent Business Plan;
Monitoring the Strategic Risks and the effectiveness of the associated control measures on a quarterly basis;
Adjusting the control measures with regard to the Strategic Risks if these are not considered sufficient.
2. Operational risks related to the failure of systems and processes
Operational risk management is part of Vesteda’s business processes and is governed by specific guidelines, policies and key controls designed to manage these operational risks, which are subject to internal reviews and external audits where appropriate.
Each year, Vesteda’s external auditor provides assurance with respect to the design and effective operation of controls based on the International Standards on Assurance Engagements (ISAE), Standard 3402, type II. Vesteda selects the relevant controls to be audited and concluded upon in the assurance report and these relate to key controls within the most important business processes, primarily Acquisitions, Property and Portfolio Sales and Operations.
3. Compliance risks related to non-compliance with legislation and (internal) regulations
Vesteda has a dedicated Compliance Officer who reports on a quarterly basis to the Management Board and Supervisory Committee. The scope of the Compliance Officer’s work is set out in the Compliance Charter. Both internal and external developments, such as trends, risk-increasing developments, incidents and new or changed laws and regulations, can lead to the (partial) revision or adjustment of an established programme. The Compliance Officer constantly monitors these developments, responds to these and discusses them (where necessary) in the quarterly consultations or on an ad-hoc basis with the Management Board and/or the Supervisory Committee or addresses these matters in the Risk Committee. If necessary, the Compliance Officer adjusts these activities (advice, monitoring) accordingly. The annual compliance programme therefore has a dynamic character. It is also possible that the results of (un)planned compliance monitoring gives cause to prioritise a topic, while this was not previously planned. The compliance charter gives substance to this dynamic of compliance activities in various areas. For more detailed information, please see the Compliance and integrity section of this report.
Fraud risks and measures to prevent fraud are evaluated as part of the yearly review of the design and effective operation of controls based on the ISAE, Standard 3402, type II, as well as part of the annual Systematic Compliance Risk Analysis (SCRA, see page 44). This SCRA includes relevant fraud risk scenarios based on likelihood, impact, risk appetite and mitigating control measures. Furthermore in 2022 the Internal Auditor and the Compliance Officer assessed Vesteda's business operations and possible areas that may be vulnerable to irregularities and fraud, benchmarked against a report by the Association of Institutional Property Investors in the Netherlands on managing fraud risk in the institutional real estate sector (IVBN publication: ‘Beheersing van frauderisico’s in de institutionele vastgoedsector’). This report lists 115 general and specific controls to mitigate fraud risks. The overall conclusion was that Vesteda generally scores well against this benchmark. The more detailed findings of the benchmark will be used to further improve internal controls in 2023.
As mentioned in the Compliance and integrity section of this report, the Compliance Officer and Internal Audit Manager conducted several investigations regarding potential fraud by employees in 2022. The findings from these investigations are also used to improve internal controls.
Strategic risk analysis
Vesteda’s strategic risk analysis is based on the following assessment, which is executed by the Management Board and Management Team jointly:
Identification of strategic risks, based on the strategic targets and key performance indicators within the three strategic pillars: economic value, social value and organisation. These strategic targets and risks are based on the five-year Business Plan, subject to approval by Vesteda’s Participants each year in December, and actual developments;
An assessment of the level of risk Vesteda is willing to accept in achieving its strategic targets (risk aversion) to provide guidance for decisions related to risk and return management. The outcome of this assessment also serves as a basis for the review of the effectiveness of the nature and level of internal controls for each risk. The level of risk aversion is measured based on a scale of 1 to 5: Risk averse, Limited risk, Cautious, Flexible, Open.
In alignment with the key characteristics of Vesteda as a Core INREV fund, with a conservative funding policy focusing only on residential real estate in the Netherlands, limited risks or a cautious approach is necessary for Vesteda’s strategic targets (risk aversion of mostly 2, partly 2-3).
Classification of identified risks based on impact (high – low) and to what extent the risk is manageable (ranging from largely manageable – not manageable);
Defining the internal controls (taken or to be implemented) for each of the identified risks, the required level of effectiveness for these controls and the relevant key performance indicators to monitor effectiveness.
The outcome of this review is depicted in the ‘Vesteda Risk Profile’ figure below:
Vesteda Risk Profile
For each of the risks shown in the ‘Vesteda Risk Profile’ above, the main internal controls are:
External risks, potential high impact, no or limited controls on risk occurring
Risk: Changes in (rental) laws and regulations
Changes in laws and regulations related to rent (increases), investments (local requirements or product-specific requirements, e.g. regulated mid-rental segment), building requirements (sustainability), fiscal laws impacting investments in real estate, etc.
As changes in laws and regulations are beyond Vesteda’s direct control, the main focus in addressing this risk is identifying and discussing possible changes and alerting and preparing the organisation. This is realised through our multiple contacts with the sector association IVBN and contacts with city councils, politicians, developers, etc. Where relevant, we take the effect of potential changes in laws and regulation into account in our business planning, including impact analyses and stress testing, where relevant.
With respect to the risk related to rental regulation, we take an active role in the affordability debate, together with the IVBN. We believe it is important to behave as a socially responsible investor and to highlight the role we have in responsibly investing pension savings and insurance premiums entrusted to us by our participants in residential real estate for middle-income tenants.
We execute stress tests to calculate the impact of (potential) new regulation on Vesteda’s portfolio and rental income.
Risk: Homes are not compliant with legislation
Our homes cannot meet all requirements set by (EU) legislation with respect to climate mitigation and sustainability.
Vesteda has implemented a number of internal controls for this specific risk, the most important of which are:
An investment programme to improve the energy labels of our homes. Please see the Environmental section of this report.
Vesteda has a ‘Policy on the integration of sustainability risks and factors into the investment decision-making process’ providing insight into which potential sustainability risks Vesteda has identified and how these risks and principal adverse impacts on sustainability factors are integrated in investment decisions related to new acquisitions or renovation projects.
Sustainability and climate risks form an important part of Vesteda’s investment decision process for new acquisitions and renovation projects. Vesteda applies its technical standards to assess whether new (potential) investments comply with Vesteda’s sustainability and technical requirements (which focus on climate change mitigation and adaptation). Vesteda uses an ESG framework to determine a sustainability impact score for each project to provide a broader scope on relevant sustainability risks and factors and to ensure new projects meet the applicable ESG requirements to qualify as sustainable.
Risk: Climate incidents
Climate incidents affecting our portfolio, such as flooding, heat stress, earthquakes, etc.
This is also a risk that is largely beyond Vesteda’s direct control. However, in terms of mitigating the impact of climate incidents, Vesteda has taken the following measures:
A climate risk scan for the entire portfolio. We give specific attention for the risks of heat stress and flooding in our long-term maintenance programme per building complex. Please see the Physical climate risks paragraph in the Environmental section of this report.
Risk: Affordability under pressure
Affordability of housing is under pressure due to high energy prices and inflation.
Vesteda is taking several measures to manage and improve the affordability of housing. We invest in the sustainability of our assets and inform tenants about energy saving possibilities, to lower energy costs. We also invest in new build projects in the mid-rental segment, to add affordable homes to the housing market. Furthermore, by monitoring our tenants' payment behaviour, we can take action, for example by offering more affordable housing to tenants in difficulty.
Strategic risks, potential medium to high impact, reasonable or high level of controls possible on risk occurring
Risk: Investors seek other investment opportunities
Investments in Vesteda (residential real estate) become less attractive for potential new and current investors (primarily as a result of an imbalance between return and risk).
Each year, participants have to approve the Business Plan, which includes the strategy to achieve the targets as set out in the Investment Guidelines of the Terms and Conditions. For example, the outperformance of the three-year MSCI index and a target for the TER. The achievement of the targets is monitored on a monthly, quarterly and annual basis.
During the Business Plan period, management focuses on stable direct returns and increasing dividend yield, providing an inflation hedge for the existing participants and an interesting proposition for potential new investors with a low-risk profile.
We have frequent meetings with participants, at which we communicate market developments and the progress of the strategy implementation. In the current market environment, with political discussions on affordability, the impact of rent increases and (potential) new legislation on rent increases, we believe it is important to discuss Vesteda’s strategy as a socially responsible investor, especially when this pertains to decisions regarding tenant satisfaction, rent increases and sustainability.
Risk: Disruptive technology
Vesteda’s business model is disrupted by new innovative technology.
Digital technology provides the residential investment industry (and adjacent sectors) in general and Vesteda specifically with new resources to create and capture value for all stakeholders. This may, for example, mean that a residential property also functions as a platform for the sale of additional goods and services to its users, thereby increasing the tenant's perception of value and willingness to pay for it. As a result, boundaries between sectors may blur and young, agile and cost-efficient companies may become a competitor for existing players in the relatively traditional housing market. Digital technology may also be a source of optimised rental income streams and structural savings in general, operational and capital expenditures, while at the same time improving sustainability, tenant satisfaction and the risk profile of the investment.
Exploiting the full potential of digital technology requires a deep understanding of the opportunities and risks associated with it and requires a holistic vision on digital technology as a key resource for strategy definition and execution. Vesteda is already applying digital technology in several parts of its business model and processes, and is increasingly working on incorporating digital technology in strategy definition and organisational design. Failure to keep up with these developments may have a negative effect on Vesteda's competitive position in the longer term and access to new investment product. Vesteda mitigates this risk today by recognising both the opportunities and the risks of digital technology and improving its business model and organisation in phases using digital technology.
Risk: Unable to invest in attractive acquisitions
Vesteda is unable to invest in new attractive acquisition opportunities.
Dutch residential investments are seen as a safe haven with an attractive risk/return profile, due to the scarcity in supply and high demand. Vesteda is active throughout the value chain: Vesteda is proactively interacting with developers, contractors and local authorities using our in-depth knowledge of local markets and developments and positioning itself as a solid long-term partner. While the market is currently experiencing headwinds, we aim to stay in the market, since a modest but constant inflow level increases the quality of our portfolio. We will continue long-term business partnerships, to be able to benefit from potential market opportunities in the future.
As part of our acquisition policy, we have also implemented a range of internal controls, including:
Monitoring of acquisition leads funnel and conversion of leads;
Yearly evaluation of IRR requirements;
Performance analyses of realised acquisitions compared with investment proposals;
Yearly approval by participants of the Business Plan, which includes the acquisition strategy and funding of acquisitions.
Preventable risks, medium to low impact, high level of controls possible on risk occurring
Risk: Negative tenant experiences
Vesteda’s image and reputation is affected by negative tenant experiences, which may result in low(er) tenant satisfaction scores.
Vesteda measures tenant satisfaction continuously and this is one of Vesteda’s major key performance indicators. It is included in the annual targets for the Management Team, senior management, departments and employees. Please see the Tenant satisfaction paragraph in the Social section of this report.
In the event of tenant complaints, Vesteda strives to act and communicate quickly and transparently. Vesteda makes sure that cases are evaluated and that lessons learned are shared internally in order to improve future processes.
Risk: Irregularities in the letting process.
Vesteda’s image and reputation is affected by irregularities in the letting process.
Vesteda has implemented customer due diligence procedures to comply with anti-money laundering legislation related to tenants and others. Vesteda provides employees who are in charge of screening tenants with additional training and reference materials. The Compliance department has been expanded, providing more support in the letting process and the assessment of new tenants. In addition, Vesteda organises internal dilemma workshops. Please see the Compliance and integrity section of this report.
Risk: Insufficient experience and capabilities within the organisation
The risk that Vesteda cannot attract and retain the right talent to achieve its ambitions and the risk that Vesteda’s employees are less engaged and show a lack of performance (due to working from home).
Vesteda has a professional HR department in charge of attracting and retaining highly qualified staff, through recruitment procedures, talent management and training programmes. Please see the Workforce section of this report.
Vesteda aims to become a High Performance Organisation and focuses continuously on actions and milestones to achieve this goal. In order to monitor Vesteda’s status, we conduct a bi-annual survey among our employees. The results of the latest HPO survey shows that our employees are increasingly positive on our organisation and feel connected to the company, even though many employees continue to work from home part of the time at a time when there are no COVID-related lockdowns.
In addition, Vesteda plans to review and update its remuneration policy, which can help it to attract and retain staff.
Please see the Organisation section of this report.
The monitoring of the above-mentioned strategic risks and the effectiveness of internal controls, as well as the identification of new strategic risks is the responsibility of the Management Board and the Management Team and will be discussed at least quarterly in 2023.
Risk Committee activities in 2022
In the year under review, the Risk Committee frequently discussed Vesteda’s digital organisation and the risks related to our IT systems and possible cybercrimes and attacks with the D&I Manager. The Treasury Manager reported to the Risk Committee on a quarterly basis on the compliance with Vesteda’s funding targets, including stress tests on liquidity and financial covenants. The Internal Audit Manager reported to the Risk Committee on ISAE controls. Furthermore, the Compliance Officer reported on Compliance risks, including matters related to data protection. The Risk Committee currently puts more focus on sustainability risks and will continue to do so going forward.
Vesteda updated its Risk Management Policy and Risk Charter in 2022.
‘In control’ statement
The Management Board is responsible for implementing and maintaining adequate risk management and internal control systems and for assessing the effectiveness of these systems.
In the year under review, we evaluated and monitored our risk management and internal control systems, as further described in the above Risk management section of this report. Based on this assessment, we concluded with reasonable, but not absolute, assurance that:
The annual report provides sufficient insights into any failings in the effectiveness of the internal risk management and control systems;
The aforementioned systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies;
Based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis;
The annual report states those material risks and uncertainties that are relevant to the expectation of Vesteda’s continuity for the period of twelve months after the preparation of the report.
It is important to note that effective risk management, with embedded internal controls, no matter how well designed and implemented, provides the Management Board with only reasonable assurance regarding the achievement of Vesteda’s objectives. The achievement of objectives is affected by limitations inherent in all management processes. Therefore, in this context ‘reasonable assurance’ refers to the degree of certainty that would be satisfactory for a prudent manager in the management of their business and affairs in the given circumstances.