Risk management has been ingrained in Vesteda’s strategic and operational processes. We have defined our risk management policy and implemented a risk management framework in line with the core fund risk profile, as defined in the Terms and Conditions of Vesteda Residential Fund, extending to all levels of the organisation and all lines of business.
Vesteda has developed its internal risk management framework on the basis of the recommendations of the Committee of Sponsoring Organisations of the Treadway Commission (COSO), the aim of which is to create a reasonable level of assurance on the achievement of organisational targets. Vesteda’s internal control systems include various measures for achieving adequate segregation of duties, prompt recording of significant transactions and data security. Internal accountability and management reports, management reviews and other internal research into the design and operation of the internal controls are an integral part of the internal control systems.
The INREV core fund risk profile implies that Vesteda has a relatively low risk profile since it typically invests in income-producing real estate investments. Vesteda employs relatively low levels of leverage and has limited exposure to real estate development. A significant and stable proportion of its returns is generated through rental income. Overall, Vesteda has a relatively low risk appetite. We refer to Note 26 in the section 'Notes to the consolidated financial statements' of this report for a description of our financial risk management objectives and policies.
Evaluation and adjustments to the risk management framework
Vesteda evaluates its internal risk management and control system at least annually. Until 2017, Vesteda’s risk management framework, designed in 2014, was based on sixteen risk areas that were considered the most relevant and significant risk areas for Vesteda. Feedback from the business, the internal auditor and the Managing Board in early 2017 indicated the need to address risk management on a more strategic level and to simplify the risk reporting process by aligning the various internal controls within the business processes and the reporting within them. Following this feedback, we implemented a revised risk management framework as described in the section below.
As part of the new risk management approach, a Risk Committee has replaced the former Risk Management Officer function. The Committee’s tasks include (but are not limited to):
Advising the Managing Board and the Management Team on risk management
Advising and facilitating the design and maintenance of the operational risk management policy
Ensuring the appropriate yearly review of the risk management policy by the Managing Board and the Management Team
Designing and maintaining the strategic risk management policy
Increasing awareness of risk management throughout Vesteda
Monitoring of the effectiveness of key controls relating to strategic risks, compliance risks and operational risks
Reporting on risk management to the Managing Board and the Management Team, the Audit Committee and the Supervisory Committee
The Risk Committee is chaired by the CFO, who is already charged with risk management at Vesteda. Other members of the Risk Committee include the director Operations, the Corporate Secretary/General Counsel, the Finance & Control Manager and the Compliance Officer. The Internal Auditor will also join the meetings of the Risk Committee but is not a member of the Risk Committee itself. A Risk Charter defines the roles and responsibilities, the tasks, authorities and reporting requirements of the Risk Committee. The Audit Committee approved the Risk Charter in November 2017.
The scope of risk management
Vesteda distinguishes the following three main risk areas:
1. Strategic risks relating to risks with respect to the strategic targets of Vesteda as defined in the integrated strategic framework and the five-year business plan
In the second half of 2017, Vesteda reviewed the most relevant and significant strategic risks. This is described in more detail below in the section Strategic risk analysis.
2. Operational risks relating to failure of systems and processes
Operational risk management continues to be part of the business processes and is governed by specific guidelines, policies and key controls designed to manage these operational risks and that are subject to internal reviews and external audits, where appropriate.
Each year, Vesteda’s external auditor provides assurance with respect to the design and effective operation of controls based on the International Standards on Assurance Engagements (ISAE), Standard 3402, type II. Vesteda selects the relevant controls to be audited and concluded upon in the assurance report. In 2017, based on a recommendation by Vesteda’s internal auditor, Vesteda changed the scope of the ISAE 3402, type II audit to a more limited number of revised and improved key controls within the most important business processes. These processes and key controls also include the internal control measures relating to the strategic building blocks of Acquisition, Property Sales and Operations, which building blocks were therefore not part of the separate strategic risk analysis performed in 2017.
3. Compliance risks related to non-compliance with legislation and regulations
Vesteda has a dedicated Compliance Officer, recruited in 2017, who reports on a quarterly basis to the Managing Board and Supervisory Committee. The scope of the work of the Compliance Officer is set out in a Compliance Charter, which was approved by the Managing Board in May 2017. Both internal and external developments, such as trends, risk-increasing developments, incidents and new or changed laws and regulations, can lead to a once-established programme being revised or adjusted (in part). The Compliance Officer constantly monitors these developments, responds to them and discusses them (where necessary) in the quarterly consultation or on an ad hoc basis with the Managing Board and/or the Supervisory Committee. If necessary, the Compliance Officer adjusts its activities (advice, monitoring) accordingly. The annual compliance programme therefore has a dynamic character. It is also possible that the results of (un)planned compliance monitoring give cause to prioritise a topic where this was not planned before. The Compliance Charter gives substance to this dynamic of compliance activities in various areas.
The Risk Committee, as described above, focuses on providing support and advice with respect to strategic risks and defining the policy framework for operational risk management. Operational risk management continues to be the responsibility of the business. The Risk Committee will monitor the effectiveness of operational controls and compliance.
Strategic risk analysis
In the second half of 2017, Vesteda conducted an extensive risk analysis based on Vesteda’s integrated strategic framework (see section Strategy and long-term objectives of this report), focusing on the risks associated with Vesteda’s strategic objectives relating to tenants, information technology, organisation, portfolio strategy, participants, funding and corporate sustainability and social responsibility.
This risk analysis was performed jointly by the Managing Board, the Management Team and various business and staff managers.
For almost all of the building blocks in our strategic framework an assessment was made of the risks that the strategic objectives may not be met within a time horizon of three years. Acquisitions, Property Sales and Operations were not included in the assessment, as these key operational processes are covered by ISAE (see also under Operational risks relating to failure of systems and processes).
For each risk identified, the following analysis was performed:
The gross risk: the inherent risk related to the specific strategic building block
The likelihood that the risk will occur within the time horizon
The control measures taken to mitigate and/or prevent the risk
An evaluation as to whether and to what extent the current control measures are sufficient to mitigate and/or prevent the risk, which results in the net risk
The impact of the risk if the risk actually occurs. The impact depends on the specific risk and was measured against strategic targets (e.g. performance against MSCI benchmark, participant and tenant satisfaction, GRESB score, etc.) or was expressed in financial terms (e.g. percentage of group equity, impact on rental income, etc.)
For the strategic areas where the net risk, in combination with the potential impact of the risk and the likelihood of occurrence, could be regarded as relatively high, an additional review and evaluation of the control measures will be performed in 2018, including (if necessary) additional control measures to be taken. This pertains to the following risks:
Risks related to Information Technology (IT)
In 2018, Vesteda will be implementing a new ERP system, which will address the first IT risk and which will also be a platform for future IT-related innovations. The second IT risk is partly mitigated by the outsourcing of our IT service delivery function to a third-party service provider, which is subject to a yearly ISAE 3402 Type II Service Organisation Control Report. The new ERP system, when implemented, will also reduce the risk of system failures by reducing the number of legacy applications and applying more recent and stable technology. Additionally, we will review our information security processes and implement a new Information Security Policy in 2018.
Risks related to Portfolio Strategy
Recently, a number of city councils, such as Amsterdam and Utrecht, have announced proposals, plans and/or concrete measures to regulate the rental of residential properties, restricting rights of landlords to lease rental properties in the mid-rental or other segments by (among other things) capping the rents of new build residential properties, capping rent increases and prescribing a minimum amount of square metres for new build residential properties. Such increased regulation may have a negative impact on the realisation of Vesteda’s portfolio strategy.
We like to participate actively in negotiations with city councils and various representational bodies, such as Platform Amsterdam Middenhuur (PAM) and IVBN, to explain Vesteda’s view that maintaining a balanced residential supply, also in core urban regions, is to the advantage of all stakeholders.
Risks related to Corporate Sustainability and Social Responsibility (CSSR)
This is the risk that Vesteda is unable to meet its CSSR targets and ambitions.
Vesteda’s two ambitious CSSR targets are:
By the end of 2020, at least 80% of Vesteda’s homes will have energy label A, B or C; no more than 20% of Vesteda’s homes will have energy label D; and Vesteda will have no homes with labels E, F or G.
Vesteda aims to achieve a GRESB five-star rating in 2018 and a GRESB number three position in 2018.
To mitigate the risk of Vesteda not meeting its CSSR ambitions (please refer to the section CSSR for more detailed information), Vesteda has implemented various control measures, such as:
Specific actions to further improve controls on CSSR in 2018 include a review of the various CSSR KPIs to improve reporting efficiency and effectiveness and the recruitment of a dedicated CSSR professional to assist and accelerate the realisation of the targets by the business.
‘In control’ statement
The Managing Board is responsible for implementing and maintaining adequate risk management and internal control systems and for assessing the effectiveness of these systems.
During the year under review, we evaluated and monitored our risk management and internal control systems, as further described in the above Risk management section of this report. Based on this assessment we have concluded with reasonable, but not absolute, assurance that:
the annual report provides sufficient insights into any failings in the effectiveness of the internal risk management and control systems;
the aforementioned systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies;
based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis; and
the annual report states those material risks and uncertainties that are relevant to the expectation of Vesteda’s continuity for the period of twelve months after the preparation of the report.
It is important to note that effective risk management, with embedded internal controls, no matter how well designed and implemented, provides the Managing Board with only reasonable assurance regarding the achievement of Vesteda’s objectives. The achievement of objectives is affected by limitations inherent in all management processes. Therefore, in this context ‘reasonable assurance’ refers to the degree of certainty that would be satisfactory for a prudent manager in the management of his business and affairs in the given circumstances.