Risk management & internal control
The aim of our risk management system is to enable the company to identify risks in a proactive and dynamic way; and manage or mitigate risks to an acceptable level wherever possible.
- Carry out a risk scan to identify all significant risks (financial and non-financial)
- Detail each risk on an “uncertainty sheet” outlining potential impact, likelihood, status of management action or mitigation, and ownership
- Report bottom up to the Executive Committee member responsible for that business unit
Each business unit operates in an environment which carries specific growth expectations and differing degrees of market and technological uncertainty that could impact strategic objectives. As such, the primary source of risk and opportunity identification lies within the business units. Similarly, each business unit is responsible for mitigation of its own risks. Mitigating actions are systematically reported corresponding to the respective strategic objectives and identified risks. Specific corporate departments are also tasked with managing and mitigating certain risks under the auspices of the Executive Committee. These risks cover Group-wide elements that extend beyond the purview of individual business units. These include environmental risks, financial risks etc.
OUR INTERNAL CONTROL SYSTEM
Internal control mechanisms exist throughout Umicore to provide management with reasonable assurance of our ability to achieve our objectives. They cover:
- Effectiveness and efficiency of operations
- Reliability of financial processes and reporting
- Compliance with laws and regulations
- Mitigation of errors and fraud risks
Umicore adopted the COSO framework for its Enterprise Risk Management and has adapted its various constituents within its organization and processes. “The Umicore Way” and the “Code of Conduct” are the cornerstones of the Internal Control environment; together with the concept of management by objectives and through the setting of clear roles and responsibilities they establish the operating framework for the company. Specific internal control mechanisms have been developed by business units at their level of operations, while shared operational functions and corporate services provide guidance and set controls for cross-organizational activities. These give rise to specific policies, procedures and charters covering areas such as supply chain management, human resources, information systems, environment, health and safety, legal, corporate security and research and development.
Umicore operates a system of Minimum Internal Control Requirements (MICR) to specifically address the mitigation of financial risks and to enhance the reliability of financial reporting. Umicore’s MICR framework requires all Group entities to comply with a uniform set of internal controls in 12 processes. Within the Internal Control framework, specific attention is paid to the segregation of duties and the definition of clear roles and responsibilities. MICR compliance is monitored by means of selfassessments to be signed off by senior management. The outcome is reported to the Executive Committee and the Audit Committee.
Out of the 12 control cycles, 4 cycles (Internal Control Environment, Tax, Inventory Management and Hedging) were reviewed and assessed in the course of 2019 by the 99 control entities currently in scope. The Minimum Internal Control Requirements in Information Technology Management have been reviewed and updated. The assessment of this cycle is planned for the year 2020. Risk assessments and actions taken by local management to mitigate potential internal control weaknesses identified through prior assessments are monitored continuously. The Internal Audit department reviews the compliance assessments during its missions.