2.3 Risk management
In 2015, the Board of Directors approved the amendment of the DIA Group’s Risk Management Policy which establishes the parameters and methodology for ensuring effective risk management while facilitating delivery of the business targets set by management.
DIA defines risk as any internal or external contingency that, if it were to materialise, would impede or hamper delivery of the targets set by the organisation.
The company has an enterprise risk management (ERM) model designed to ensure identification of the various classes of risk, financial and otherwise, to which the organisation is exposed, including within financial risks those related to tax, contingent liabilities and other off-balance sheet items.
Key risk management principles
The key defining principles underpinning DIA’s approach to risk management are:
1. Risks must be managed everywhere in the organisation, with no exceptions. The entire organisation needs to get involved in the risk management system.
2. The management of risk includes risk identification, assessment, responses, monitoring and reporting, in keeping with the procedures put in place to this end.
3. The model used must ensure the existence of appropriate measures for mitigating the impact of the identified risks in the event they materialise. Risks must be addressed in a consistent manner and mitigating measures should amply factor in business conditions and the economic environment.
4. DIA’s Executive Committee must evaluate DIA’s main risks, including tax risks, and review DIA’s risk tolerance levels at least annually, among other duties. The duties tasked to DIA”s Executive Committee are itemised in the Risk Management Manual.
5. DIA”s ERM must be monitored regularly and an account given of the risk identification, assessment, responses, monitoring and reporting activities carried out.
DIA’s risk management process is based on the COSO II standard, the risk management methodology widely accepted in the marketplace, tailored for DIA’s requirements. This methodology enables the company to pinpoint, create, capture and sustain the value deriving from risk management across the various levels of the firm.
The main elements of the risk management process at DIA are:
1. Internal environment: management establishes the risk management philosophy and determines risk tolerance thresholds.
2. Target-setting: it is crucial to understand the company’s objectives in order to identify the possible events that could thwart their delivery.
3. Event identification: identification of the possible events that could have an impact on DIA. Events mean the developments that could affect delivery of the company’s objectives, differentiating between those that pose a risk and those that represent an opportunity.
4. Risk assessment: the risks are analysed and their probability of occurrence and potential impact on target delivery quantified.
5. Risk responses: identification and evaluation of potential risk responses: avoid, accept, reduce or share.
6. Control activities: as a function of the defined risk responses, policies and procedures are put in place to ensure they are carried out.
7. Information and communication: the information resulting from this analytical process must be reported to the risk officers for implementation.
8. Supervision: the ERM is monitored continually so that it can be adapted in the event of changing circumstances.
The Board of Directors is responsible for approving and setting the risk management and control policy, while senior management is in charge of implementing it and establishing the strategy, culture, people, processes and technology comprising the company’s ERM model.
The Board of Director’s Executive Committee is tasked with setting acceptable risk tolerance thresholds. The Audit and Committee, meanwhile, has the power to regularly supervise and review the effectiveness of DIA’s internal control, internal audit and risk management procedures, verifying their suitability and comprehensiveness.
DIA has set up a Risk Committee at the corporate level and individual risk committees at the individual country level. The Risk Committee comprises a Risk Coordinator and a manager from each functional area (the area directors).
Should a risk materialise in a given area, the director of that area is responsible for managing it appropriately and setting in motion the mechanisms needed to minimise its impact.
The Risk Committee subsequently evaluates whether the response provided after the risk materialised was the correct one and determines the need for any new controls or response mechanisms.
In addition to approving this new Risk Management Policy, in 2015, the DIA Group worked on updating its risk map in keeping with business trends and developments, such as the strategic focus on e-commerce, the emergence of new businesses and regulatory changes, among others.