Risk management is ingrained in Vesteda’s strategic and operational processes. We have defined our risk management policy and implemented a risk management framework in line with the core fund risk profile, as defined in the Terms and Conditions of Vesteda Residential Fund, extending to all levels of the organisation and all lines of business.
Vesteda has developed its internal risk management framework on the basis of the recommendations of the Committee of Sponsoring Organisations of the Treadway Commission (COSO), the aim of which is to create a reasonable level of assurance on the achievement of organisational targets. Vesteda’s internal control systems include various measures for achieving adequate segregation of duties, prompt recording of significant transactions and data security. Internal accountability and management reports, management reviews and other internal research into the design and operation of the internal controls are an integral part of the internal control systems.
The INREV core fund risk profile implies that Vesteda has a relatively low risk profile since it typically invests in income producing real estate investments. Vesteda employs relatively low levels of leverage and has limited exposure to real estate development. A significant and stable proportion of its returns are generated through rental income. Overall, Vesteda has a relatively low risk appetite. We refer to Note 27 in the section Notes to the consolidated financial statements for a description of our financial risk management objectives and policies.
Vesteda’s risk management framework
Vesteda’s risk management framework is described in the section below.
Vesteda’s risk management activities are overseen by the Risk Committee. The Committee’s tasks include (but are not limited to):
Advising the Management Board and the Management Team on risk management
Designing and maintaining the strategic risk management policy
Advising and facilitating the design and maintenance of the operational risk management policy
Ensuring the appropriate yearly review of the risk management policy by the Management Board and the Management Team
Increasing awareness of risk management throughout Vesteda
Monitoring the effectiveness of key controls related to strategic risks, compliance risks and operational risks
Reporting on risk management to the Management Board and the Management Team, the Audit Committee and the Supervisory Committee
The Risk Committee is chaired by the CFO, who is already charged with risk management at Vesteda. Other members of the Risk Committee include the director Operations, the Corporate Secretary/General Counsel, the Manager Business Control and the Compliance Officer. The Internal Auditor also joins the meetings of the Risk Committee but is not a member of the Risk Committee itself. A Risk Charter defines the roles and responsibilities, the tasks, authorities and reporting requirements of the Risk Committee. The Audit Committee approved the Risk Charter in November 2017.
The scope of risk management
Vesteda distinguishes the following three main risk areas:
1. Strategic risks relating to risks with respect to the strategic targets of Vesteda as defined in the five-year business plans
This relates to specific risks regarding tenants, portfolio, participants (equity funding), organisation and debt funding.
2. Operational risks relating to failure of systems and processes
Operational risk management is part of the business processes and is governed by specific guidelines, policies and key controls designed to manage these operational risks, which are subject to internal reviews and external audits where appropriate.
Each year, Vesteda’s external auditor provides assurance with respect to the design and effective operation of controls based on the International Standards on Assurance Engagements (ISAE), Standard 3402, type II. The relevant controls to be audited and concluded upon in the assurance report are selected by Vesteda and relate to key controls within the most important business processes, primarily Acquisitions, Property and Portfolio Sales and Operations.
3. Compliance risks related to non-compliance with legislation and regulations
Vesteda has a dedicated Compliance Officer who reports on a quarterly basis to the Management Board and Supervisory Committee. The scope of the work of the Compliance Officer is set out in a Compliance Charter, which was approved by the Management Board in May 2017. Both internal and external developments, such as trends, risk-increasing developments, incidents and new or changed laws and regulations, can lead to the (partial) revision or adjustment of an established programme. The Compliance Officer constantly monitors these developments, responds to them and discusses them (where necessary) in the quarterly consultation or on an ad hoc basis with the Management Board and/or the Supervisory Committee. If necessary, the Compliance Officer adjusts its activities (advice, monitoring) accordingly. The annual compliance programme therefore has a dynamic character. It is also possible that the results of an (un)planned compliance monitoring gives cause to prioritise a topic, while this was not previously planned. The compliance charter gives substance to this dynamic of compliance activities in various areas. For more detailed information, please see the Compliance and Integrity section of this report.
The Risk Committee, as described above, focuses on providing support and advice with respect to strategic risks and defining the policy framework for operational risk management. Operational risk management continues to be the responsibility of the business. The Risk Committee monitors the effectiveness of operational controls and compliance.
Strategic risk analysis
In 2017, Vesteda conducted an extensive risk analysis based on Vesteda’s strategy (see section Strategy and long-term objectives of this report), focusing on the risks associated with Vesteda’s strategic objectives relating to tenants, portfolio strategy (including corporate sustainability and social responsibility), organisation (including HR and information technology), participants and funding. Vesteda conducted an assessment of the risks that the strategic objectives may not be met within a time horizon of three years for each these strategic building blocks.
For each risk identified, the following analysis was performed:
The gross risk: the inherent risk related to the specific strategic building block
The likelihood that the risk will occur within the time horizon
The control measures taken to mitigate and/or prevent the risk
An evaluation as to whether and to what extent the current control measures are sufficient to mitigate and/or prevent the risk, which results in the net risk
The impact of the risk if the risk actually occurs. The impact depends on the specific risk and was measured against strategic targets (e.g. performance against MSCI benchmark, participant and tenant satisfaction, GRESB score, etc.) or was expressed in financial terms (e.g. percentage of group equity, impact on rental income, etc.)
In 2019, the Risk Committee continued to monitor the strategic areas where the net risk, in combination with the potential impact of the risk and the likelihood of occurrence, could be regarded as relatively high. This related to the following risks:
Risks related to Information Technology (IT)
The Risk Committee discussed and approved the Information Security Policy and related monitoring and improvement actions. This policy, based on ISO 27001 and ISO 27002, describes in detail the internal controls to ensure the continuity, integrity and confidentiality of our information. The Manager Digital and Innovation subsequently informed the Risk Committee in its meetings in Q3 and Q4 on the status of the implementation of improvement measures.
In 2018, Vesteda started with preparations for a new ERP system, which is expected to be fully operational in 2020. The new ERP system will reduce the risk of system failures, by reducing the number of legacy applications and applying more recent and stable technology. The implementation of this system is managed by a Steering Committee and a dedicated project team with specialists from various departments within Vesteda. Vesteda decided to postpone the go-live of the new system to mid-2020, due to the longer development lead time of some essential front office software modules.
Risks related to Portfolio Strategy
The issue of affordable housing will become increasingly important and we are convinced that the issue of affordability is here to stay for the foreseeable future. We believe that it is our responsibility to play an active role in addressing the issue of affordability, for example by voluntarily capping the annual rent increase in the past two years. Furthermore, we actively participate in discussions with government authorities, regulators and other parties, together with the Dutch Association of Institutional Property Investors (IVBN). New governmental regulation may be implemented and we therefore prepare for potential measures that may have an impact and at the same time recognise potential opportunities associated with these regulations. For example, we have embraced the regulated mid-market product as a new investment category.
Risks related to Corporate Sustainability and Social Responsibility (CSSR)
In 2019, the Programme Manager Sustainability presented the Risk Committee with the risks related to Vesteda’s label improvement targets, its GRESB ambitions, the energy transition from natural gas and, more specifically, the risks related to Vesteda’s assets as a result of global warming.
Due to the changing climate, we are faced with physical climate risks such as frequent droughts, extreme rainfall and rising water levels. The physical climate risks have an impact on the livability of our homes but also on our property as an investment. In 2020, we aim to gain more insight into the physical climate risks for our portfolio. We will use these insights into physical climate risks to develop a policy in this respect to evaluate new acquisitions and to mitigate and/or reduce the risks to our existing portfolio.
Further to the discussions in the Risk Committee, the climate adaption risks were discussed with the Supervisory Committee and during the meeting with participants in September 2019.
Other activities of the Risk Committee in 2019
In early 2019, Internal Audit reviewed the Risk Management function in the areas of ‘Governance and Organisation’, ‘Risk identification and evaluation’ and ‘Risk Monitoring and reporting’. The recommendations of Internal Audit as a result of this audit have been implemented or will be addressed in 2020, when we will implement a specific risk management software tool. This tool enables a structured process of recording and monitoring of strategic and other risks, related controls and the effectiveness of these controls. As part of this implementation, the (strategic) risks related to the Business Plan 2020-2024 (as approved by our participants in December 2019), Vesteda’s Management team is planning an in-depth discussion of Vesteda’s risk appetite and controls. This process will also include updating Vesteda’s Risk Management Policy.
During the year under review, Vesteda organised deep-dive sessions with the Investor Relations and Treasury departments to address the risks related to Vesteda’s equity and debt funding. The Treasury Manager reports on a quarterly basis to the Risk Committee on the compliance with Vesteda’s funding targets, including stress tests on liquidity and financial covenants. The Investor Relations Manager paid specific attention to the risks related to the attractiveness of the investment proposition for (potential) participants and the risk of redemptions.
The Risk Committee further discussed compliance with the Compliance Officer and specifically monitored GDPR compliance and the progress of the project to update Vesteda’s client due diligence policies and procedures. In addition, the HR manager provided the Risk Committee with a review of the HR-related risks and measures.
‘In control’ statement
The Management Board is responsible for implementing and maintaining adequate risk management and internal control systems and for assessing the effectiveness of these systems.
During the year under review, we evaluated and monitored our risk management and internal control systems, as further described in the above Risk management section of this report. Based on this assessment, we concluded with reasonable, but not absolute, assurance that:
The annual report provides sufficient insights into any failings in the effectiveness of the internal risk management and control systems;
The aforementioned systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies;
Based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis; and
The annual report states those material risks and uncertainties that are relevant to the expectation of Vesteda’s continuity for the period of twelve months after the preparation of the report.
It is important to note that effective risk management, with embedded internal controls, no matter how well designed and implemented, provides the Management Board with only reasonable assurance regarding the achievement of Vesteda’s objectives. The achievement of objectives is affected by limitations inherent in all management processes. Therefore, in this context ‘reasonable assurance’ refers to the degree of certainty that would be satisfactory for a prudent manager in the management of his business and affairs in the given circumstances.