ESRS 2 Risk management and internal controls

The risk management and internal control system associated with the sustainability reporting process is currently partially integrated into FMO's comprehensive risk governance and risk management framework, with work being undertaken for full alignment. More details can be found in the 'Future actions' section.

The governance of non-financial risk in FMO follows the three lines model.

  • First line – management monitors whether the (key) controls in their area of responsibility are functioning effectively or need improvement. For this purpose, they assess the effectiveness of the (key) controls in place through direct or indirect feedback and evidence.

  • Second line – for non-financial risk, this role is performed by the Operational Risk Management team (ORM) and the Compliance department. They perform independent testing on an agreed subset of key controls. These tests verify whether the first line's control monitoring activities have resulted in a correct assessment of the effectiveness of the controls.

  • Third line – Internal Audit performs independent oversight over non-financial risk and internal control. The mandate and responsibilities of Internal Audit are described in the Audit Charter.

Control monitoring and testing are facilitated by ORM twice a year, in November and in June. ORM provides guidance, training and sampling instructions, and reports the results of control monitoring and testing, as well as the progress of control remediation, to the Non-Financial Risk Committee (NFRC). Internal control activities follow a yearly cycle and are aligned with the financial reporting process, because the results are used to substantiate the Management Board’s In Control Statement (ICS) in the annual report. Detailed information is provided in the 'Risk Management' chapter, in the 'Risk governance' section and the 'Non-financial risk' sub-chapter.

FMO’s approach to the annual reporting of findings from risk assessment and internal controls to the administrative, management and supervisory bodies can be found in the 'Risk Management' chapter, in the section 'Risk governance'.

The purpose of FMO’s annual report is to be compliant with both existing regulations and additional external commitments which are not prescribed by law but have been made on a voluntary basis. Through the annual report FMO ensures that it reports in line with sustainability reporting standards, which requires a compliant and timely report as well as accurate and complete data and narrative. As such, when it comes to sustainability reporting, two layers of risk have been identified: the first layer relates to key risks to process and content, while the second layer goes with more granularity into the controls over the data and policies reported in our 'Sustainability statement'.

Four categories of key risks have currently been identified; two that address the process and two that address our sustainability-related data and narrative, included in our 'Sustainability statement'.

  1. Report is compliant with regulations and standards (process).

  2. The report is on time (process).

  3. Data is accurate and complete (content).

  4. Narrative is accurate and complete (content).

For all identified key risks, controls and mitigation actions are in place. To ensure the sustainability report is compliant with regulations and standards, the Risk department actively monitors new regulations and identifies changes that need to be addressed. Checks are performed throughout the sustainability reporting process to make sure all applicable regulatory requirements are included. Timeliness of the report is managed as part of business-as-usual activities, adhering to an agreed-upon timeline with internal escalation routes in case of unexpected delays. For data accuracy and completeness, FMO has implemented manager approvals and four-eyes principle checks as controls on data for the first layer of risk. Controls on data and policies for the second layer of risk are currently being formalized. To ensure the narrative's accuracy and completeness, the report undergoes multiple levels of review within FMO.

At FMO, risks are prioritized based on their severity, which is assessed using two factors: probability and impact. Probability measures how likely a risk event is to occur. Impact considers the potential consequences, which can include operational loss, financial errors, failure to meet business goals, regulatory issues, or damage to reputation.

Risk severity is assessed based on probability and impact, and classified as high, medium, or low. This corresponds to a 'Level of Concern' (LoC) rating: high (LoC 3), medium (LoC 2), or low (LoC 1). Depending on the severity, actions are required:

  • High (LoC 3): actions must be completed within 3-6 months.

  • Medium (LoC 2): actions should be completed within 6-9 months.

  • Low (LoC 1): actions are optional.

As the four risks identified as part of the first layer are key risks, they have a high LoC, while the risks in the second layer have been qualified with a medium LoC.

The risks within the first layer have controls in place that are regularly monitored and tested by their designated owners, in line with FMO’s approach. For the second layer of risks related to data, controls are also in place, but only some of them are actively monitored as part of FMO’s overall risk governance and risk management approach. FMO is currently working on integrating the controls that are not yet regularly monitored and tested into the organization’s overall risk governance and risk management approach.

Future actions

FMO adheres to the Dutch Corporate Governance Code. The Code is maintained by the Monitoring Committee Dutch Corporate Governance Code and supported by the ‘schragende partijen’ (supporting parties) consisting of Eumedion, Euronext, FNV, CNV, Vereniging van Effecten Bezitters (VEB), de Vereniging van Effecten Uitgevende Ondernemingen (VEUO) and VNO-NCW.

The supporting parties and the Nederlandse Beroepsorganisatie van Accountants have suggested amending the Code to include a ‘Verklaring omtrent Risicobeheersing’ (VOR). According to this proposal, listed companies and other companies following the Dutch Corporate Governance Code will be required, for the first time in the annual report for 2025, to include a disclosure statement on risk management and internal controls over sustainability reporting.

Although sustainability reporting requirements such as CSRD / ESRS are not yet embedded in the Corporate Governance Code, FMO would like to adhere to these requirements as soon as possible. ESRS calls for connectivity between the 'Financial Statements' and the 'Sustainability statement', both from a process perspective and from a disclosures perspective. As this is FMO's first year of reporting under ESRS, FMO recognizes this as a point of attention.

It is up to the Monitoring Committee Dutch Corporate Governance Code to amend the Code to accommodate the VOR proposal. In a letter to the Dutch parliament, the minister of finance encourages the (to be appointed) Monitoring Committee to include the VOR.
