RISK MANAGEMENT HANDBOOK
Carlsberg Group
December 2010
Approved by EB December 2010
Version 1.1

Carlsberg Group Risk Management Handbook

Chapter 1: Introduction to Risk Management in Carlsberg Group
1.1 What is Risk and Risk Management?
1.2 What does Risk Management mean for Carlsberg Group?
1.3 What does Risk Management mean for our entity?
1.4 Risk Management Approach
1.5 Corporate Governance structure
1.6 Risk management maturity
1.7 Risk appetite
Chapter 2: The Risk Management Process – A Practical Guideline
2.1 Risk Management workshop process
2.2 Carrying out the Risk Management process
Appendix I – Glossary of terms
Appendix II – Risk Management Policy
Appendix III – Risk Management workshop templates
Appendix IV – Additional risk list

Chapter 1: Introduction to Risk Management in Carlsberg Group

1.1 What is Risk and Risk Management?
Risk

‘An event that, if it happens, may have an impact upon the ability of Carlsberg Group to achieve its defined objectives’. Risk therefore includes a level of uncertainty of outcome (whether positive outcome or negative threat). Risk is ever present and some amount of risk taking is inevitable if Carlsberg Group is to achieve its objectives. However, Carlsberg Group needs to be aware of what these risks are and to put measures in place to reduce them to an acceptable level. This process is defined as "Risk Management".

Risk Management

Risk management involves:
• Having processes in place to identify, analyse, evaluate, monitor and record/report risks;
• Having access to up to date and reliable information about risks;
• Ensuring the right balance of mitigation is in place to deal with risks;
• A decision making process that is supported by a framework of risk assessment including risk identification, analysis and evaluation.

1.2 What does Risk Management mean for Carlsberg Group?

In Carlsberg Group risk management is relevant because:
• Carlsberg Group operates in an uncertain world;
• Change brings even more uncertainty than normal;
• Uncertainty brings risk;
• Risks need to be effectively managed to ensure that the Carlsberg Group achieves the positive aspects of change;
• Carlsberg Group owes it to the stakeholders to effectively manage the risks that are taken on their behalf and will be judged on their ability to do so.

In order to reduce uncertainty, achieve the Group's strategic objectives and ensure value creation for all stakeholders, Carlsberg views effective risk management as an integral part of running its business operations. Risk is viewed as something that can and should be managed and managed risks are viewed as something that can be turned into opportunities.

1.3 What does Risk Management mean for our entity?
Risk Management provides the following benefits to an entity:
• Supports strategic and business planning at an entity level;
• Supports the effective use of resources;
• Promotes continuous improvement;
• Fewer shocks and unwelcome surprises;
• Quick grasp of new opportunities;
• Enhances alignment between the local entity and the Group;
• Provides reassurance to stakeholders;
• Helps to focus on issues to the entity;

1.4 Risk Management Approach

Carlsberg Group's approach to risk management is summarised below:

“Risk management involves the identification, assessment and economic management of those risks which might prevent the Carlsberg Group from achieving its objectives”.

An improved and more formal approach to risk management has been developed to:
• Ensure risk is identified and managed, and in a more inclusive way;
• Send messages both internally and externally that the Carlsberg Group takes risk management seriously;
• Provide a framework for the cascade of risk management throughout the Carlsberg Group;
• Provide a structure for people to work to and learn from;
• Ensure consistency and co-ordination in the Carlsberg Group;
• Supplement and evidence instinct and professional judgement;
• Provide a sounder basis for decision making;
• Demonstrate effective risk management and corporate governance.

Benefits of effective Risk Management

• Risk Management will alert the Board of Directors and management within the Carlsberg Group to the major risks faced, enabling a proper and clear focus on the issues that really matter;
• It will contribute to better decision making, and the process of achieving objectives. When embedded within existing planning and decision taking, risk management provides a basis for ensuring implications are thought through, the impact of other decisions, initiatives and projects are considered, and conflicts are balanced.
This will influence success and improve company performance;
• It will provide assurance to the Board of Directors and management as to the adequacy of arrangements for the conduct of business and the use of resources. It will demonstrate openness and accountability to all major stakeholders;
• It will lead to greater risk awareness and an improved control environment, which should mean fewer risk incidents and other control failures. This will lead to a better and more efficient achievement of our business objectives throughout Carlsberg Group;

These are not intangible benefits. By identifying risks earlier, by making sure processes are not over engineered and are fit for purpose, and achieving a behavioural shift, risk management will be a process that will pay for itself many times over.

Objectives of an effective Risk Management system

• Integrate risk management into the culture of the Carlsberg Group so that identifying, assessing and managing risks are a part of day to day operations. It is imperative that risk management is built into the Carlsberg way of doing business and not simply ‘bolted on’ as an additional business process.
In this way, risks identified at the annual Risk Management workshop can be integrated into the business planning process and annual budget process;
• Manage risk in accordance with best practice in a systematic and structured way thereby creating value for the Group;
• Anticipate and respond to changing social, political, environmental and legislative requirements;
• Prevent injury, damage and losses and reduce the cost of risk;
• Raise awareness of the need for risk management within the organisation;
• Ensure there are adequate arrangements for reporting on risk management arrangements;

These objectives will be achieved by:
• Establishing clear roles, responsibilities and reporting lines within the Carlsberg Group for risk management;
• Providing opportunities for shared learning on risk management across the Carlsberg Group;
• Incorporating risk management considerations into all levels of business and service planning;
• Monitoring risk management arrangements on an ongoing basis;
• Incorporating risk management considerations into partnership working and any contractual arrangements that Carlsberg Group may have.

1.5 Corporate Governance structure

The Corporate Governance structure for Risk Management within the Carlsberg Group is as follows:

Each function and business unit within the Carlsberg Group has an important part to play in the Risk Management process. In order to ensure that the Risk Management process functions in a logical manner, a framework has been developed within the Carlsberg Group that assigns roles and responsibilities to each part of the organisation. The agreed roles and responsibilities are outlined in the table below.

Group / Individual: Role and Responsibility

Board of Directors (via the Audit Committee)
• Responsible for monitoring the effectiveness of Risk Management within the Carlsberg Group.

Executive Committee (ExCom)
• Monitor the effectiveness of Risk Management arrangements, based on regular reports on Risk Management that include the actions taken to manage risks.
• To assist with the ongoing development and review of the corporate risk management strategy and methodology.
• Ensure that the Risk Management policy provides a structured basis for protecting the shareholders' investments and the Group's assets.
• Review and approve any changes made to the Risk Management Policy.
• Identify strategic risks at a Group level and develop action plans to effectively mitigate those risks.
• Delegate the operational responsibility to monitor and control the risk to a risk owner (risk responsible individuals) at a Group level who must take ownership, prepare action plans and be accountable to ExCom for the management and reporting of the risks.
• To advise Group Internal Audit of new and emerging risks at an ExCom level (see escalation procedures).

Risk responsible (ExCom)
• A member of ExCom or local management who has the responsibility to ensure that risk reducing activities have been implemented to a satisfactory level.

Risk owner (ExCom)
• Has the operational responsibility to monitor and control the risk. The person must take ownership and be accountable for the management and reporting of the risk.

Business Unit (Local)
• Identification, evaluation, qualification, recording and reporting the management of risk at a local business unit level.
• Appoint a risk officer as the person responsible for the risks that have been identified and the subsequent follow up of action plans.

Risk officer (Local – appointed by the local entity)
• Responsible for holding risk management workshops for each department or function e.g. finance, sales, marketing etc. and aggregating those risks into an entity heat map.
• Has the operational responsibility to monitor and control the business unit risks. The person must take ownership and be accountable for the management and reporting of the risk.
• To advise Group Internal Audit of new and emerging risks at a local level (see escalation procedures).

Group Internal Audit (HQ)
• Collection and aggregation of risks identified at a Group or local level, follow up on the action plans and deadlines agreed upon and reporting of the status of such risks.
• Provide quarterly and yearly reports on Risk Management to Audit Committee and ExCom.
• Update of the Risk Management handbook and policy.

1.6 Risk management maturity

Risk Management Maturity is “the extent to which a robust risk management approach has been adopted and applied, as planned, by management across the Group to identify, assess, decide on responses to and record/report on opportunities and threats that may have an impact on the achievement of Carlsberg Group's objectives.”

The level of risk maturity is considered in the following terms:
• Basic - The business does the minimum to remain in line with the expectations of internal and external stakeholders.
• Developed - Additional activities and techniques are employed to increase the confidence of the Board and ExCom that risk is being managed within operations and in order to protect the bottom line.
• Advanced - Risk Management is seen as a strategic tool to support the top line and is of core value to the business.

The following framework provides a more detailed explanation of the key differences between each maturity level.

Framework element, with its description at each maturity level (Basic, Developed, Advanced):

High-level definition
• Basic: The business does the minimum to remain in line with the expectations of internal and external stakeholders
• Developed: Additional activities and techniques are employed to increase the confidence of the Board and ExCom that risk is being managed within operations and protecting the bottom line
• Advanced: Risk Management is seen as a strategic tool to support the top line and is a core value in the business

Risk governance
• Basic: A central risk management policy to support listing compliance
• Developed: A risk management structure with clear accountability to support risk management objectives
• Advanced: Risk management accountability integrated with performance management and a central value of the organisation

Risk assessment
• Basic: Annual risk assessment with limited analysis and interpretation
• Developed: Frequent risk assessment in line with normal management reporting and including analysis
• Advanced: Risk and control activities embedded in business processes and supporting decision making

Risk qualification
• Basic: Simple probability and impact descriptors without aggregation
• Developed: A range of qualitative and quantitative tools and techniques to provide robust views of risk levels
• Advanced: Risk based capital allocation capabilities based on risk assessment information

Monitoring and reporting
• Basic: Business risk registers submitted to support external reporting requirements
• Developed: Extensive reporting to the Board and audit committee on current risk levels and future risk issues
• Advanced: Use of KRI's, early warning mechanisms and risk dashboard to provide a comprehensive single view of risk

Risk and control optimisation
• Basic: A tick in the box supported by limited external reporting
• Developed: Risk information supports the modification of key controls to improve their effectiveness over time
• Advanced: Risk-adjusted strategy and optimised control investment and approach

Carlsberg Group maturity level

In respect of the Carlsberg Group, the maturity level is currently positioned between "Basic" and "Developed" (as denoted in the table above) but is
moving towards a more developed approach. The Carlsberg Group has developed a top-down approach to risk management to ensure that risks are identified on both a strategic level (ExCom) and operational level (HQ functions and local entities) and that where possible risk reducing activities are in place to mitigate the risks.

The Audit Committee and ExCom receive quarterly reports that evaluate and rate the level of focus on risk management within the Group. On an annual basis, ExCom reviews their attitude in relation to the maturity of the Risk Management model within the Carlsberg Group based upon a cost/benefit analysis. Carlsberg Group has not set up a target for a preferred maturity level but strives for risk management to be an integral part of the day to day business processes.

1.7 Risk appetite

The risk appetite is “the amount of risk that the Carlsberg Group is prepared to accept, tolerate, or be exposed to at any point in time.”

Risk appetite can be defined in the following categories:

Risk averse
Risk exposure must be managed down as soon as possible. Carlsberg will rather let an opportunity go than undertake an unmanaged risk. Competitors are allowed to move on evolving risks and opportunities in the market before Carlsberg to avoid unnecessary uncertainty. Risk exposures are maintained at a low level and with low tolerance for short term increases.

Risk neutral
Encourages decisions based upon calculated risks with a close focus on safe rewards. Carlsberg accepts a balanced risk and reward structure that allows them to maintain a more stable but slightly lower reward level. Carlsberg will seldom accept added risks above acceptable levels and only cautiously.

Risk seeking
The desire to be entrepreneurial and have the courage to choose options based upon potentially higher rewards.
Carlsberg is prepared to accept the added risks that are inherent in our preferred way of doing business because they are determined to be effective in managing risk downwards to normal and acceptable levels.

The approach to risk appetite within the Carlsberg Group is set by the Board of Directors and implemented by ExCom and is dependent upon the type of risk under consideration. In respect of financial risks, the risk perception is to actively manage exposure through financial instruments, implying that no positions are taken on a purely speculative basis. In respect of operational and strategic risks, there is a consensus that the appetite for risk is increasing as ExCom is willing to take chances and pursue opportunities whenever considered reasonable and attractive. Overall, the risk appetite within Carlsberg is deemed to be risk neutral.

As a general guideline Carlsberg Group operates with a risk limit of 1% net revenue (approximately DKK 600m). Any risk above this limit will be deemed to be critical to the business.

Chapter 2: The Risk Management Process – A Practical Guideline

The following section provides a practical guideline to the Risk Management process within Carlsberg Group and incorporates the following areas:
• The Risk Management workshop process;
• Carrying out the Risk Management process;

2.1 Risk Management workshop process

Step by step guide for 2011 (flow diagram):
• A local Risk Officer is appointed
• Risk Management workshop information is distributed
• Risk Management workshop is scheduled
• Individual department RM workshops are held and department heat maps are produced
• Local management RM workshop is held to consolidate the heat maps into an entity-wide heat map incl. action plans
• The entity-wide heat map and action plans are reported to Group Internal Audit

1. It is the responsibility of the Risk Officer to carry out risk workshops.
If no risk officer has been appointed then it is the responsibility of local management to appoint a suitably qualified person to carry out this task;
2. The Risk Officer should send out the standard Carlsberg presentation (see appendix III) to provide employees and managers with more information on the Risk Management workshop and the Risk Management process prior to holding the workshop;
3. Once the presentation has been sent out, the Risk Officer should arrange a suitably convenient date with the respective employees and management to undertake the workshop and identify and evaluate risks in a heat map;
4. The Risk Officer should carry out a Risk Management workshop for each department in the organisation, e.g. finance, sales, marketing etc. together with departmental employees to identify risks and prepare a heat map in relation to their specific area of the business;
5. The purpose of the workshop is to identify, assess and evaluate risks within the relevant function to provide input to management in respect of major functional risks;
6. Finally, a Risk Management workshop should be held at an entity level with senior management e.g. CEO, CFO, and VP Sales etc. to consolidate all departmental heat maps into an entity-wide heat map;
7. The entity-wide heat map together with the risk action plans (see separate section) should be sent to Group Internal Audit in accordance with the timelines set;
8. The approach is both "bottom-up" and "top-down". On a "bottom-up" approach, risks should be identified at a departmental level and then escalated up to an entity level. On a "top-down" approach, strategic risks should be identified by management;
9. Action plans should identify the risk, the risk responsible person, risk owner, risk reducing activities and deadlines in respect of the risk.

2.2 Carrying out the Risk Management process

Introduction

This section gives a brief overview of what the risk management process within the Carlsberg Group should look like and is supplemented by more detail in appendix III (How to hold a Risk Management workshop).

The main stages within the Risk Management process are as follows:
• How to identify risks;
• How to assess and rate risks;
• How to map risks;
• How to record and report risks;
• How to develop and monitor risk reducing activities;
• How to comply with the activity schedule.

These stages are discussed in more detail below.

How to identify risks

The purpose of the exercise is to identify the major events that may have an impact on the entity's ability to achieve its objectives. Risks are events that, when triggered, cause problems. Hence, identification of the risk can start with the source of problems, or with the problem itself.

Risk Identification: When either the source or problem is known, the events that a source or problem may trigger can be investigated.
• Source analysis: the source of the risk may be internal or external to the entity, e.g. employees, customers, competitors, environment etc.
• Problem analysis: risks are related to specific threats. For example: the threat of losing market share, the threat of abuse of confidential information or the threat of accidents and casualties. The threats may exist with entities, customers, suppliers and legislative bodies.

Common risk identification methods are:
• Objective-based - any event that may endanger achieving a strategic or business related objective identified in the business planning or budget process either partially or completely is identified as a risk.
• Scenario-based - in this analysis different scenarios ("what if") are created. The scenarios may be alternative ways to achieve an objective, in, for example, a market. Any event that triggers an undesired scenario is identified as a risk.
• Common-risk checking - in several industries, lists with known risks are available. Each risk in the list can be checked for application to a particular situation. See appendix IV for a detailed list applicable to the FMCG industry.

To enable the risks to be clearly and properly identified they can be considered within the following categories (strategic, operational, financial and compliance), which are shown in more detail in the table below:

A more detailed list of examples within each category above is included within appendix III (Gross Risk List) and appendix IV (Further risks to consider). These risks in the attached appendices should not be considered as the total list of risks as additional risks may be present depending upon the environment in which individual entities operate.

When holding the risk workshop and risk identification exercise, entities should have focus on:
• Scope – Identify the major risks to the entity;
• Timeframe – 1 year – focus on the impact to the business for the next 12 months;
• Depth – Sufficient depth of detail for the reader to understand the risk and its impact on the business.

How to assess and rate risks

When assessing risk it is important that inherent risk is considered. The inherent risk is the risk to the entity in the absence of any risk reducing activities. It is important to first analyse the specific issue in terms of cause and effect. This will then allow the risk manager to carry out an assessment of impact and likelihood.

Root cause is a term that reflects the fact that risks can also arise out of strengths and opportunities. It also reflects the fact that risks can arise out of external or internal situations.

Once the root cause and effect has been considered, the relevant risks can be rated and assessed in terms of impact (on the business) and likelihood (probability).
Carlsberg Group uses the following "traffic light" rating system to evaluate impact and likelihood:

Impact guide (Impact: Descriptor)
• 1 – Low: Outcome from risk events that is unlikely to have a permanent or significant effect on the entity.
• 2 – Moderate: Outcome from risk events that will have a significant impact on the entity in the short term but can be managed without a major impact in the medium to longer term.
• 3 – High: Outcome from risk events that will require major effort to manage and resolve in the medium/long term or risk events that could threaten the existence of the local entity

As an example, ExCom uses the following approximate thresholds as a guideline to each impact level:
• High impact: 1.0% of net revenue ≈ DKK 600 m at a Group level, or > 10% EBITA ≈ DKK 570m at a Group level
• Moderate impact: 0.7% of net revenue ≈ DKK 400 m at a Group level, or 5-10% EBITA ≈ DKK 427m at a Group level
• Low impact: 0.3% of net revenue ≈ DKK 200 m at a Group level, or < 5% EBITA ≈ DKK 285m at a Group level

Likelihood guide (Likelihood: Description)
• 1 – Unlikely / Very low (0-10%): The risk event is unlikely to occur
• 2 – Low (11-25%): The likelihood of the risk event occurring is low but possible
• 3 – Likely (26-50%): The risk event is likely to occur
• 4 – Very likely (50%+): The risk event is very likely to occur

The above percentages may be used as a guideline; however they may not be applicable to all entities whilst some risks can be difficult to quantify in monetary amounts. That is why each entity must individually evaluate which risks have a high, moderate or low impact on the entity's business and also the likelihood (probability) of the event occurring.

How to map risks on a risk heat map

Once risks have been identified and developed, every risk must be evaluated and mapped in the heat map according to the risk impact and likelihood assessment (see above). An example of the top 10 risks of an entity could be mapped as follows.
In this example, risks 3, 5, 7 and 10 are regarded as high risks in that they have a moderate to high impact and a likelihood level of likely to very likely.

How to record and report risks

Once risks have been identified and assessed in the heat map above, they need to be recorded and reported. The identified high risks (per the heat map above) should be documented through action plans. The heat map and action plans should be reported to Group Internal Audit using the Group templates in appendix III. An example of an action plan is given below:

Risk: 1. Loss of critical IT
Responsible: CFO
Owner: IT Manager
Risk reducing activities (Deadline):
• Service Level Management (31.12.10)
• IT disaster recovery plans (Ongoing)
• Business continuity plans (Ongoing)
• Backup and restore procedures (Ongoing)
• IT Security Policy (31.03.11)

How to develop and monitor risk reducing activities

Each entity is responsible for keeping its own risk register and merely identifying, assessing and recording/reporting risks is insufficient. On a quarterly basis, risk owners (e.g. IT manager in the example above), will be required to review the risks for which they are responsible and to explain the status of risk reducing activities that are in place to manage these risks and are in accordance with the deadlines set. The risk responsible person (e.g. CFO) has the responsibility to ensure that risk reducing activities are acceptable in mitigating the risk identified. The entity will then be required to provide assurance to ExCom and the Audit Committee, via Group Internal Audit, that this is in fact the case in accordance with the activity schedule (see below).

Risk Management activity schedule requirements

Timing: 31/3/10
Step: Quarterly update
Description: The risk owner needs to review the risks for which they are responsible, explain the status of the risk reducing activities and verify that they are in accordance with the deadlines set.
The risk responsible person has to ensure that the activities are acceptable in mitigating the risk identified. Once this has been performed, details of the action plans need to be reported to Group Internal Audit.

Timing: 30/6/10
Step: Quarterly update
Description: The risk owner needs to review the risks for which they are responsible, explain the status of the risk reducing activities and verify that they are in accordance with the deadlines set. The risk responsible person has to ensure that the activities are acceptable in mitigating the risk identified. Once this has been performed, details of the action plans need to be reported to Group Internal Audit.

Timing: 30/9/10
Step: Yearly workshop / quarterly update
Description: Preparation and undertaking of Risk Management workshops. Following which, the entity wide heat map and action plans need to be reported to Group Internal Audit.

Timing: 31/12/10
Step: Quarterly update
Description: The risk owner needs to review the risks for which they are responsible, explain the status of the risk reducing activities and verify that they are in accordance with the deadlines set. The risk responsible person has to ensure that the activities are acceptable in mitigating the risk identified. Once this has been performed, details of the action plans need to be reported to Group Internal Audit.

The diagram below gives an overview of the ongoing Risk Management process in the entity:

1. Risk identification
• Objective based
• Scenario based
• Common-risk checking
2. Risk assessment
• Impact
• Likelihood
3. Risk Mapping
• Heat map
4. Risk recording
• Action Plans
5. Risk monitoring
• Quarterly review

New and emerging risks – escalation procedure

Any new and emerging risks (strategic, operational, financial or compliance) that occur after a Risk Management workshop has been held and before the next annual Risk Management workshop and which have a material impact upon the business must be identified, assessed and recorded/reported by the responsible business unit as soon as possible to Group Internal Audit.
Group Internal Audit will co-ordinate this information and aggregate the new and emerging risk into a quarterly report to the Audit Committee and ExCom. If necessary, and at the discretion of Group Internal Audit, the issue will be raised to the Audit Committee and ExCom under separate notification.

Link to the Carlsberg Group Risk Management Policy: http://www.carlsberg.net/enUS/Policies+and+Guidelines/Policy+Portal/All+Group+Policies.htm

Appendix I – Glossary of terms

Below are stated some of the most common Risk Management definitions with a short explanation for each. This is to ensure that everybody within Carlsberg Group speaks the same language when addressing Risk Management issues.

Risk
An event that, if it happens, may have an impact on Carlsberg Group's ability to achieve its objectives.

Risk Management
The identification, assessment, and prioritization of risks (see definition above) followed by coordinated and economical application of resources to minimise, monitor, and control the probability and/or impact of unfortunate events or to maximise the realisation of opportunities.

Risk Categories
• Strategic – risks appertaining to the strategy of the business including:
  - Market development
  - Competition
  - Stakeholders
  - Political
• Financial – risks relating to financial areas including:
  - Reporting
  - Investments
  - Capital structure
  - Market development
• Operational – risks dealing with day to day operations including:
  - Technology
  - People
  - Processes
  - Infrastructure
  - Information
• Compliance – risks in relation to legal, statutory, Corporate Governance including:
  - CSR
  - Legal
  - Tax

Inherent (or gross) risk
The level of risk before taking account of any mitigation put in place.

Residual (or net) risk
The remaining level of risk after risk treatment measures have been taken. If falling within the Group’s risk tolerance then residual risk is acceptable; if falling outside then other actions may need to be taken.

Risk appetite/tolerance
The level of risk that Carlsberg Group is prepared to accept. This is likely to be different dependent on the area of the Group.

Risk assessment
Is the systematic three step process of risk identification, analysis and evaluation within the operational, financial, compliance and strategic areas of the business.

Risk identification
The process of determining what can happen, why and how.

Risk mitigation
The systematic process of identifying ways in which risks can be reduced.

Risk escalation
The process of raising the profile of a risk through predetermined channels to senior Group management.

Risk register
The formal process in which high risk issues are identified and monitored.

Risk heat map
The process by which identified risks are evaluated and mapped based upon a combination of impact and likelihood.

Risk owner (both ExCom and local level)
The individual responsible for monitoring and controlling the risk.

Risk responsible (both ExCom and local level)
The individual responsible for ensuring that risk reducing activities have been implemented to a satisfactory level.

Risk officer (local level)
The individual at a business unit level who is responsible for holding risk management workshops for department functions and aggregating those risks into a business unit heat map and monitoring and controlling the risk.

Risk likelihood
The number of times (probability) that an event will occur based upon expected norms.

Risk impact
The effect on the business based upon a percentage of turnover or absolute value.

Risk reducing activities
The process by which risks within a business are mitigated.

Appendix II – Risk Management Policy

RISK MANAGEMENT POLICY

Author: VIBEKE AGGERHOLM
Document owner: VP, GROUP INTERNAL AUDIT

Introduction and purpose

The Carlsberg Group Risk Management Policy (supported by the Risk Management Handbook) sets out the detailed requirements necessary to implement a risk management process within the Carlsberg Group.
The policy covers the Carlsberg Group, all Group subsidiary companies and all Head Office functions. The policy is for internal purposes only.

Taking and managing appropriate levels of risk is an integral part of the business activities. A proactive Risk Management approach will uncover both the risks and the opportunities and support the Carlsberg Group's corporate governance and the preservation and creation of shareholder value.

Definitions
Risk is defined as the product of likelihood and impact of events that may prevent achievement of the aims or goals of one or more key business or project stakeholders.

Risk Management is a systematic process that protects business resources and income against losses so that the objectives of the Group can be achieved without unnecessary interruption.

Risk Assessment is the systematic three step process of risk identification, risk analysis and risk evaluation within the operational, financial, compliance and strategic areas of the business.

The Risk Management Handbook sets out the detailed guidelines by which the Risk Management process is implemented within the Carlsberg Group.

Objectives and Commitment
Carlsberg Group is committed to implementing appropriate strategies and processes that identify, analyse and manage the risks associated with the Group's activities as a means of managing the impact of undesired and unexpected events in order to add shareholder value to the Group.
As a result, Carlsberg Group will therefore:
• identify business objectives that reflect the interests of key stakeholders;
• identify the threats to the achievement of those objectives;
• control and manage the exposure to risk by appropriate and cost effective risk reduction and mitigation actions;
• regularly review the key risks the organisation faces as a result of the business activities and of the business and economic climate in which it operates;
• regularly review key risk controls and key risk indicators to ensure that they are implemented in a timely manner and that they remain relevant, robust and effective;
• educate and train Carlsberg employees in Risk Management.

Carlsberg Group will demonstrate successful achievement of the implementation of the Risk Management Policy through its ability to influence the business strategy and planning process. This will be performed through the preparation of documented procedures, the reporting and review of risks at all levels of the Group and the implementation of an effective monitoring and audit review process. This is described in more detail in the Risk Management Handbook.

Roles and Responsibilities
The Carlsberg Group Board of Directors (through the Audit Committee) is responsible for overseeing the effectiveness of Risk Management within the Carlsberg Group.

The Executive Committee (ExCom) of Carlsberg Group approves the Risk Management policy to ensure that it provides a structured basis for protecting the shareholders' investments and the Group's assets. The Risk Management Policy will be reviewed for appropriateness on an annual basis with any changes reviewed and approved by ExCom.

Group Level Risk
ExCom is responsible for identifying strategic risks at a Group level and developing action plans to effectively mitigate those risks.
ExCom delegates the operational responsibility to monitor and control the risk to individuals at a Group level who must take ownership, prepare action plans and be accountable to ExCom for the management and reporting of the risks.

Local Entity Level Risk
Senior local management is responsible for the identification, reporting and management of risk at a local level. For each entity, a risk manager is appointed as responsible for the risks that have been identified and the subsequent follow up of action plans.

Group Internal Audit
Group Internal Audit is responsible for the collection and aggregation of risks identified at a Group and local entity level, follow up on the action plans and deadlines agreed upon and reporting of the status of such risks. A more detailed description of roles and responsibilities is provided in the Risk Management Handbook.

Process
Risk identification within the Carlsberg Group is founded on a combination of top-down/bottom-up approach in order to identify potential risks at both a strategic Group level and a local entity level.

In order to identify the risks appertaining to the business, risk workshops will be held at appropriate intervals or at a minimum on an annual basis at both a Group (ExCom) level and entity level.

At each level, risks will be identified and assessed utilising the appropriate qualitative or quantitative tools and grouped according to their likelihood and impact on a heat map.

An action plan for all high risks identified will be developed that includes a description of the risk responsible individuals, risk owners and risk reducing activities assigned to measure and monitor the risks. The identified risks and action plans will be submitted to Group Internal Audit. The process is described in more detail within the Risk Management Handbook.

Reporting
All risk reporting will be timely, accurate and action orientated and in line with the risk management activity schedule defined in the Risk Management Handbook.
Further, Group Internal Audit will:
• Prepare a quarterly review of the risk reducing activities and action plans in respect of each of the high risk issues identified at the annual risk workshop at both a Group level and local entity level and present a report to ExCom and the Audit Committee.
• Facilitate and provide to the Audit Committee, on an annual basis, an aggregated summary of all the major risks to enable them to gain assurance over the effectiveness of Risk Management within the Carlsberg Group.

The detailed reporting process, including the aggregation of risk, reporting requirements, use of methodology, templates and reporting tools, is described further within the Risk Management Handbook.

Appendix III – Risk Management workshop templates

Risk Management workshop 2010
• Identify important risks
• Prioritize risks (mapping)
• Assign ownership of identified risks
• Risk action plans
• Next steps

Purpose of the workshop
Identifying, describing and mapping key financial and business risks within Carlsberg
The result of the work will be risk action plans for top 10 risks

Risk Management – in short
• Risk is something to manage not something to fear
• Managed risk = Opportunities
• “If you know neither the enemy nor yourself, you will succumb in every battle” Sun Tzu – ‘The Art of War’
• Risk is the probability (and possible effect) of some unfavorable event occurring or of some favorable event not occurring

Why RM and the advantages
Why?
• Managing risks is common sense
• Corporate Governance codes – new requirements and laws in 2009
• Stakeholders continue to demand greater disclosure on key risks and processes
• Credit rating agencies apply Enterprise Risk Management as a section/factor in credit ratings
Advantages
• Clear picture of the most important risks and opportunities
• Fewer shocks and unwelcome surprises
• Keep it simple and get lots of benefits

Risk Analysis
In our world we use a risk analysis which is developed by dividing the risks into four basic risk categories:
• Financial risks deal with Market risks, Liquidity & Credit risks, Accounting & Reporting risks and Capital Structure risks. The majority of the mentioned risk types are related to the Group Treasury and Group Finance departments.
• Strategic risks deal with Governance risks, Stakeholder risks and Market dynamics risks. These risk types are linked to the strategy defined by the executive management.
• Operational risks deal with Value Chain risks, Physical Assets risks, People risks, Knowledge risks and Information Technology risks.
• Compliance risks deal with Legal risks, Regulatory risks and compliance with Standard of Business Conduct risks.

Risk Assessment and Rating: Heatmap
[Figure: blank heat map template. Vertical axis: Impact (Net profit or Brand/Image), rated Low, Moderate, High. Horizontal axis: Likelihood, rated Unlikely/Very low, Low, Likely, Very likely. Risks 1 to 10 are listed beside the map as placeholders (????).]

Heatmap
[Figure: example heat map with risks 1 to 10 plotted and a "High Risks" area marked. Impact (Net profit or Brand/Image): Low (<5% EBITA), Moderate (5-10% EBITA), High (>10% EBITA). Likelihood: Unlikely/Very low, Low, Likely, Very likely.]

Top 10 Risks
Step 1
In advance of RM workshop
• Identify the most significant risks (gross risks – i.e. before mitigating actions) relevant to your business unit (minimum 10 risks) - the Gross Risk list on the following three pages can be used for inspiration (this should be done on an individual basis)
During the RM workshop
• Presentation and discussion of Risks
• Mapping (Impact and Likelihood)

Gross Risk List - Strategic
Columns: No. / Risk Headline / Rate TOP 10 (tick 1-10; 1 = most important) / TOP 10 RISK (tick X) / Elaboration on risk and trigger

Risk Headline:
1 Political stability of a country
2 Taxes/duties
3 Partnerships/JVs
4 International regulation
5 Terrorism
6 Downturn in economy
7 Pandemic
8 Marketing & Sales
9 Competition
10 Substitution
11 New competitors
12 Country/industry dependence
13 Ability to retain existing business
14 Customer preference
15 Brands
16 Co-branding (i.e. sporting events)
17 Seasonality
18 Investments/Divestments (M&A)
19 Improvement of transformation initiatives
20 Achievement of growth objectives
21 Innovation
22 Compliance to Corp. Governance principles
23 Stakeholder relations
24 Ethics

Elaboration on risk and trigger:
- Political instability of a country leading to risk of seizure of assets, reduced ability to transfer funds, revocation of license to operate or general reduced ability to manage company/market.
- New taxes and/or duties enforced or increase in existing
- Financial difficulties with partner, disputes on how to operate, investments etc.
- I.e. alcohol advertising ban, drinking age, smoking ban, legal restrictions on sale of beer, restriction in communication
- Terrorist attack on CB site leading to loss of assets or loss of life
- Decline in consumption or negative change in consumption patterns (a shift away from premium products) as a result of a recession
- Avian flu outbreak, closing of borders
- Marketing spend, marketing quality not being effective enough to match competition and/or ComEx not meeting goals
- Wine, spirits and other beverages
- Entry of new competitors in local markets or on international scene
- The portfolio of brands/markets leading to a strong dependence on one or few markets and brands
- Consolidation of customers
- Strength of brands (gross profit vs. volume)
- Drug or doping of athletes sponsored or terrorist attack at sponsored event
- Reduced turnover as a result of bad weather, reduced summer temperatures etc.
- High acquisition price
- Excellence project objectives are not achieved
- Lack of innovation
- Media attack due to political, social or legal issues
- Behavior or lack of actions on ethical issues that damage the brand and name of Carlsberg, i.e. beer girls, insider trading, bribery

Gross Risk List - Financial
Columns: No. / Risk Headline / Rate TOP 10 (tick 1-10; 1 = most important) / TOP 10 RISK (tick X) / Elaboration on risk and trigger

Risk Headline:
25 Equity/Debt level
26 Accounting risks
27 Impairment of goodwill
28 Management reporting
29 Net debt
30 Off balance sheet obligations
31 Cash management
32 Receivables
33 Financial counterparty (banking/credit)
34 Pension risk

Elaboration on risk and trigger:
- Capital accessibility/availability
- Wrongful statement of financial statements based on accounting errors or misstatement
- Value of brand reduced leading to write-off on goodwill
- Unintentional misstatement or lack of relevant information in management reporting leading to delay in decision-making or bad decisions
- Default on loans, liquidity shortage
- Trade credits, on-trade financing structure
- Default on counterparts leading to losses
- The value of assets not meeting expected liabilities / life expectancy of employees increasing liabilities vs. value of assets

Gross Risk List - Operational
Columns: No. / Risk Headline / Rate TOP 10 (tick 1-10; 1 = most important) / TOP 10 RISK (tick X) / Elaboration on risk and trigger

Risk Headline:
35 Price risk
36 Supply risk
37 Fire, explosion and breakdown of production facility
38 Serious injury or death involving Carlsberg employee
39 Natural hazards
40 Product quality
41 Labour disputes
42 Distribution relationships/Management
43 Delivery bottlenecks
44 Violence due to drinking at sponsored event
45 Pollution, contamination of soil
46 Legislative & regulatory
47 Contracts
48 Violation of anti-trust laws / Competition
49 Liability
50 Intellectual property violations (both ways)
51 Succession planning
52 Structure/Administration
53 Labour costs (incl. benefits)
54 Ability to attract and retain talent
55 Organisational risk
56 Loss of critical IT systems/Data
57 Breach of confidential info, leak, theft or espionage
58 Insider trading or fraud by Carlsberg employee or manager

Elaboration on risk and trigger:
- Energy, malt etc. Unexpected price rises
- Dependency of suppliers, supplier relations, coca-cola/pepsi relations (concentrate price), major shortfall in supply due to lack of raw materials or packaging
- Fire or explosion, loss of power or utilities (steam, refrigeration, etc) on production site leading to loss of production capacity or loss of life, lack of water or quality of water
- Lack of Health & Safety procedures or other procedures or controls leading to accident involving a Carlsberg employee
- Windstorm, earthquake, flooding
- Accidental or malicious contamination leading to the recall of products
- Major strikes at one or more sites (production and/or distribution)
- Consolidation of wholesalers
- Competition in distribution
- Environmental liabilities, limitations in license to operate
- Raid by authorities (antitrust, bribery)
- Bad entry into or bad management of contracts
- Carlsberg causing serious injury or death to 3rd party or failure to satisfy contractual obligations
- Carlsberg being accused of violating 3rd party patent with new product or 3rd party violating Carlsberg patents or IP by use of name or design leading to lost market share and/or bad reputation
- Kidnapping, loss of key managers (i.e. airplane crash, car accident)
- Complexity of organisation or failure in how to manage people (hiring, dismissing, promoting) leading to harassment claims
- Salary costs, incl. pension costs increasing beyond expectations in the market leading to higher costs and loss of price competitiveness
- Lack of leaders and new employees to fill the gap of retirees and employees leaving for other companies
- Untimely or inaccurate disclosure of information
- Breakdown in critical IT (SAP, Hyperion, external data center, LAN, etc.) or malicious intrusion/hacking in IT system. Vital data deleted and/or distorted
- Untimely or inaccurate disclosure of important information to the stock exchange

Step 2 – action required for High Risks
Risk: 1. Loss of critical IT
Responsible: CFO
Owner: IT Manager
Risk reducing activities (with deadline):
• Service Level Management (31.12.10)
• IT disaster recovery plans (Ongoing)
• Business continuity plans (Ongoing)
• Backup and restore procedures (Ongoing)
• IT Security Policy (31.03.11)

Responsible is at local Management level.
Owner has the operational responsibility to monitor and control the risk. The person must take ownership and is accountable for the management and reporting of the risk.
Risk reducing activities are steps to mitigate the risk to an acceptable level. Please note that already existing risk reducing activities could be relevant to identify in order to limit the need for further actions.

Next Steps
• Agreed upon risk action plans, risk reducing activities and deadlines.
• Completion of the action plans with all the inputs from today. Return to Vibeke Aggerholm, Group Internal Audit within 10 business days at vibeke.aggerholm@carlsberg.com
• Appointment of a local Risk Management responsible person (point of entry)
• Next RM workshop will be held in 2011 facilitated by local Risk Management responsible person.

Appendix IV – Additional risk list

Further risks to consider:
- Ability to Attract & Retain Clients
- Ability to Develop / Market New / Existing Products
- Advertising, Marketing and Cross-Selling Success
- Consumer Demands / Preferences
- Effective Product Mix
- Financial Planning / Strategy
- Legal / Regulatory / Environmental Changes
- Perception of product (customer problems, pricing, efficiency, safety)
- Pricing of products / services
- Risk-Based capital requirements / Management
- Third party exposure (suppliers, vendors, manufacturers, distributors)
- Ability to retain existing business
- Advertising & Marketing expense / Success
- Brand management / Divestitures / Image / Co-branding
- Business model
- International tariffs and other regulations
- M&A Strategy / Execution / Integration
- Product Supply (stability, sourcing, costs)
- Tax Requirements / Tax treatment
- Achievement of Growth Objectives
- Asset Impairment / Material or Real Estate Dispositions
- Cash Flow Management
- Debt Level / Ability to Pay Down Debt
- Economic Conditions / Trends
- Operation and system risks
- Competitive Actions (pricing, conveniences, services or amenities)
- Distribution Relationship / Management
- Partnerships / Joint Venture Investments
- Achievement of Cost reduction Objectives or Synergies
- Unanticipated Industry trends
- Assumptions used for pricing
- Business Conditions
- Capital Accessibility / Availability
- Environmental liabilities / Concerns
- General Risks to Strategies / Execution
- Increase in Operating costs
- Litigation / Intellectual Capital Issues
- Manage Volatility (hedging activities)
- Shareholder relationship
- Ability to Attract & Retain Talent
- Accounting policies (estimations, changes to rules/standards)
- Efficient manufacturing operations
- Impairment of Investment Portfolio
- Supplier relationship
- Contingent liabilities resolution
- Fair Value of investment assumption
- Franchises and Licenses
- Impairment of Goodwill
- Natural Disasters / Severe Weather
- Pension Fund obligations
- Assumptions used for defining liabilities / reserves
- Closing of land sale transactions
- Construction conditions
- Contractual provisions (failure to satisfy)
- Dependency on One or Two products / clients / suppliers
- Improvement / Transformation Initiatives
- Insurance cost
- Interruption of computer and communication systems
- Inventory management
- Labour costs (including benefits)
- Labour Disputes / Actions
- Price of crude oil, energy prices, commodities
- Seasonality / Cyclicality
- Technology