ESRS 2 Risk management and internal controls

The risk management and internal control system associated with the sustainability reporting process is integrated into FMO's comprehensive risk governance and risk management framework.

The governance of non-financial risk in FMO follows the three lines model.

  • First line – Management monitors whether the (key) controls in their area of responsibility are functioning effectively or need improvement. To do so, they assess the effectiveness of the (key) controls in place through direct or indirect feedback and evidence.

  • Second line – For non-financial risk, the second line is performed by the Operational Risk Management team (ORM) and the Compliance department. They perform independent testing on an agreed subset of key controls. These tests verify whether the first line's control monitoring activities have resulted in a correct assessment of the effectiveness of the controls.

  • Third line – Internal Audit performs independent oversight over non-financial risk and internal control. The mandate and responsibilities of Internal Audit are described in the Audit Charter.

Control monitoring and testing are facilitated by ORM twice a year, in November and June. ORM provides guidance, training and sampling instructions, and reports the results of control monitoring and testing, as well as the progress of control remediation, to the Non-Financial Risk Committee (NFRC). Internal control activities follow a yearly cycle and are aligned with the financial reporting process, because the results are used to substantiate the Management Board's In Control Statement (ICS) in the annual report. Detailed information is provided in the 'Risk Management' chapter, in the 'Risk governance' section and the 'Non-financial risk' sub-chapter.

FMO's approach to the annual reporting of findings from risk assessment and internal controls to administrative, management and supervisory bodies can be found in the 'Risk Management' chapter, in the section 'Risk governance'.

The purpose of FMO's annual report is to comply with existing regulations and to meet additional external commitments that are not prescribed by law but have been made on a voluntary basis. Through the annual report, FMO ensures that it reports in line with sustainability reporting standards, which requires a compliant and timely report as well as accurate and complete data and narrative. Accordingly, two layers of risk have been identified for sustainability reporting: the first layer covers the key risks to the process and content of the report, while the second layer addresses, at a more granular level, the controls over the data and policies reported in our 'Sustainability statement'.

Four categories of key risks have currently been identified: two that address the process and two that address the sustainability-related data and narrative included in our 'Sustainability statement'.

  1. The report is compliant with regulations and standards (process).

  2. The report is on time (process).

  3. Data is accurate and complete (content).

  4. Narrative is accurate and complete (content).

For all identified key risks, controls and mitigation actions are in place. To ensure the sustainability report is compliant with regulations and standards, the Risk department actively monitors new regulations and identifies changes that need to be addressed. Checks are performed throughout the sustainability reporting process to make sure all applicable regulatory requirements are covered. Timeliness of the report is managed as part of business-as-usual activities, adhering to an agreed-upon timeline with internal escalation routes in case of unexpected delays. For data accuracy and completeness, FMO has implemented manager approvals and four-eye principle checks as controls on the data in the first layer of risks. For the second layer of risks, manager approval controls are in place, with an additional confirmation at director level that is gathered during the In Control Statement process, explained under the Dutch Corporate Governance Code section below. Additionally, to ensure the narrative's accuracy and completeness, the report undergoes multiple levels of review within FMO.

At FMO, risks are prioritized based on their severity, which is assessed using two factors: probability and impact. Probability measures how likely a risk event is to occur. Impact considers the potential consequences, which can include operational loss, financial errors, failure to meet business goals, regulatory issues, or damage to reputation.

The resulting severity is classified as high, medium, or low, corresponding to a 'Level of Concern' (LoC) rating of high (LoC 3), medium (LoC 2), or low (LoC 1). Depending on the severity, actions are required:

  • High (LoC 3): Actions must be completed within 3-6 months.

  • Medium (LoC 2): Actions should be completed within 6-9 months.

  • Low (LoC 1): Actions are optional.

As the four risks identified as part of the first layer are key risks, they have a high LoC, while the risks in the second layer have been qualified with a medium LoC.

All risks, in the first and second layers, have controls in place that are regularly being monitored and tested by their designated owners, in line with FMO’s overall risk governance and risk management approach.

Dutch Corporate Governance Code

FMO adheres to the Dutch Corporate Governance Code (DGCC). The Monitoring Committee Dutch Corporate Governance Code amended the Code in 2025 to include a 'Verklaring omtrent Risicobeheersing' (VOR, statement on risk management). Companies following the DGCC are required, for the first time in the annual report for 2025, to include a statement that the system of internal control over sustainability reporting provides at least limited assurance that the reporting is without significant omissions.

The Risk department, in cooperation with Compliance and Internal Audit, has incorporated these requirements in the 'In Control Statement' of the 2025 annual report (for further details, refer to the Non-Financial Risk section of the Risk Management chapter).

  1. The updated DGCC requires the Board to state that the internal risk management and control systems provide at least limited assurance that the sustainability reporting is free from material misstatements. Limited external assurance on sustainability reporting is also required under the CSRD and the ESRS. The 2025 annual report meets this requirement, as it has been prepared in accordance with the ESRS. The process for obtaining management’s statement on the sustainability reporting is described further in this section.

  2. Next to the management statement on limited assurance, the DGCC requires the management board to render account (in the risk management section of the management report) of its assessment of the effectiveness of internal risk management and control systems concerning operational, compliance and reporting risks (including sustainability reporting) during the past financial year. The Risk department proposes to deliver an 'Assurance Map' to the MB for this purpose. For each material risk (including sustainability reporting), the Assurance Map will show an overview of the relevant risk management and control systems and a conclusion. This will include, for example (non-exhaustively): 1) results of control testing; 2) results of recent internal audits; 3) results of the external audit; 4) results from department director In Control Statements; 5) any major failings (risk events) noticed in 2025.

The Risk department coordinates the proposal for the management statement and the proposal for the risk management section of the management report, and provides it to the MB.

FMO's current sustainability reporting consolidates data from various sources. Most impact data is governed by the Data Management Policy, while some HR, Compliance, and Internal Audit data is not yet fully governed but must still meet the essential criteria for limited assurance. The sustainability reporting process includes sign-offs by data owners, and new controls are being introduced to ensure data accuracy and completeness. Control monitoring and testing are conducted biannually, and results are reported to the NFRC and MB. Directors submit annual departmental In Control Statements, which have been updated to explicitly address sustainability reporting in line with the updated Dutch Corporate Governance Code. This approach provides a foundation that auditors can rely on and helps ensure reliable sustainability data.

Statement on due diligence 

FMO conducts due diligence guided by international standards such as the IFC Performance Standards, the UN Guiding Principles on Business and Human Rights, and the OECD Guidelines for Multinational Enterprises. These standards inform FMO's governance, strategy, and business model, and are considered throughout the investment cycle, from ESG risk screening and action planning to monitoring, stakeholder engagement, and access to the Independent Complaints Mechanism (ICM). This approach applies to all of FMO's material sustainability topics.

FMO seeks to incorporate stakeholder perspectives by engaging with affected communities, workers, and end-users to better understand their concerns and inform decision-making. Through its impact management framework, FMO assesses ESG risks, supports the development of Environmental and Social Action Plans (ESAPs) and Corporate Governance Action Plans (CGAPs), and tracks progress using internal systems such as the Sustainability Information System (SIS) and periodic reviews. Performance is reviewed against the relevant standards, and FMO shares updates through stakeholder consultations, policy revisions, and the ICM to support continuous learning and improvement.

Table 14: Statement on due diligence

Columns: Core element of due diligence | Description | Section (page)

Core element: Embedding due diligence in governance, strategy, and business model

Description: FMO embeds due diligence across its governance, strategy, and business model in line with the IFC Performance Standards, UN Guiding Principles, and OECD Guidelines. Stakeholder engagement includes input from, for example, affected communities and workers, which informs investment decisions and risk management. Oversight is provided by the Integrity and Issue Management Committee (IIMC) and regular Board updates. Through its Impact Management Framework, FMO integrates the management of positive and negative impacts and related financial risks. Customers must meet international ESG standards, mitigate negative impacts, and address gaps through Environmental and Social Action Plans (ESAPs) and Corporate Governance Action Plans (CGAPs). ESG risks are monitored through the Sustainability Information System (SIS) and annual reviews, while policies are continuously refined based on lessons learned and stakeholder feedback.

Section (page):
  • ESRS 2 - Interests and views of stakeholders (136-139)
  • ESRS 2 - Impact management framework (139-150)

Core element: Engaging with affected stakeholders in all key steps of the due diligence

Description: FMO integrates stakeholder engagement into its due diligence process. Guided by the IFC Performance Standards and UN Guiding Principles, FMO actively engages affected communities, value chain workers, and end-users to understand concerns, incorporate feedback, and mitigate negative impacts. Stakeholder input informs investment decisions, ongoing monitoring, and policy development, with the Management Board regularly updated on key stakeholder views. FMO's Sustainability Policy and position statements are consulted on and revised based on stakeholder feedback.

Section (page):
  • ESRS 2 - Interests and views of stakeholders (136-139)
  • ESRS 2 - Impact management framework (139-150)
  • S2-2 Processes for engaging with value chain workers (210)
  • S3-2 Processes for engaging with affected communities (217)
  • S4-2 Processes for engaging with consumers and end-users (223)

Core element: Identifying and assessing adverse impacts

Description: FMO identifies and assesses adverse impacts through its double materiality assessment, covering environmental, social, and governance topics. The outcomes of the double materiality assessment guide FMO in managing material risks and steering investments toward positive outcomes.

Section (page):
  • E1 Impacts, risks and opportunities (157-159)
  • E3 Impacts, risks and opportunities (181-182)
  • E4 Impacts, risks and opportunities (184-185)
  • S1 Impacts, risks and opportunities (191-193)
  • S2 Impacts, risks and opportunities (206-207)
  • S3 Impacts, risks and opportunities (214-215)
  • S4 Impacts, risks and opportunities (220-221)
  • G1 Impacts, risks and opportunities (225-227)

Core element: Taking actions to address those adverse impacts

Description: FMO addresses adverse impacts through policies and actions that require customers to comply with environmental, social, and human rights standards and to identify, prevent, and mitigate negative impacts. Improvements are captured in Environmental and Social Action Plans (ESAPs), which are incorporated into contracts and monitored through regular reviews. FMO also implements initiatives to strengthen climate action, biodiversity management, labor conditions, community engagement, and governance practices.

Section (page):
  • ESRS 2 - Impact management framework (139-150)
  • E1-3 Actions and resources in relation to climate change policies (168-171)
  • E3-2 Key actions (182-183)
  • E4-3 Key actions (189-190)
  • S1-4 Key actions (197-198)
  • S2-4 Key actions (211-212)
  • S3-4 Key actions (218-219)
  • S4-4 Key actions (223-224)
  • G1 Key actions (234)

Core element: Tracking the effectiveness of these efforts and communicating

Description: FMO tracks the effectiveness of its due diligence through continuous monitoring, performance reviews, and stakeholder engagement. ESG performance is integrated into the investment process via the Sustainability Information System (SIS), with results reviewed annually. Customer performance is assessed against the IFC Performance Standards. Progress is monitored through regular credit reviews, audits, and site visits, while stakeholder engagement and grievance mechanisms ensure transparency and feedback from affected parties. Outcomes and lessons learned are communicated through ongoing reporting and the Independent Complaints Mechanism.

Section (page):
  • ESRS 2 - Impact management framework (139-150)
  • E3-2 Key actions (182-183)
  • E4-2 Policies (186-189)
  • E4-3 Key actions (189-190)
  • S2-1 Policies (208-210)
  • S2-4 Key actions (211-212)
  • S3-1 Policies (215-217)
  • S3-4 Key actions (218-219)
