Risk management resposibility

Identifying and responding to potential events and risks that may significantly affect the Group’s strategy or continuity is something that we focus on constantly. This is reflected in our structured approach to identifying and managing the risks associated with the Group’s strategy, activities and objectives. 

It is our conviction that risk management needs to be part of all our employees’ day-to-day thinking and working, not because the law requires it to be, but because it feels natural and is the right thing to do.
 

Model

The Executive Board has ultimate responsibility for ‘being in control of the Group’, and therefore also for risk management. In this respect, the Executive Board is supported by the International Board, Group Control, the Compliance Officer, the Corporate Information Security Officer, the Data & Privacy Officer and the Internal Auditor. The Executive Board identifies and
assesses the opportunities and threats in the markets in which we operate, as well as their impact on our business model, and reports to the Supervisory Board to assist the members in their supervisory role.

Risk & Control, the ESG team, Internal Audit, the Compliance Officer and the CISO all work closely together with supporting departments such as Legal, IT, Finance, and Programme and Process Management.

model

Risk management and control systems

In recent years, we have made progress in professionalising our risk management processes and our control system, in line with our internal ambitions and the revision of the Corporate Governance Code. In doing so, we have always retained a good balance between formalising processes on the one hand and preserving our company’s (informal) hands-on entrepreneurial spirit on the other. After all, we want our people to continue to think for themselves, carry on identifying risks and opportunities and not to rely blindly on checklists. Thankfully, this is embedded in our culture, and we therefore consider our culture the main soft control that protects us from the inside against many risks and forms of fraud.

Main risks

In line with the 2026-2030 multi-year plan, the International Board also identified, at the end of 2025, the key risks that could have an impact on the achievement of the associated objectives.

Taking into account market developments, global trends and business objectives, the main risks have been identified and categorised as strategic, operational, compliance and financial risks, and, where applicable, linked to the relevant objectives. Compared with last year, this has led to a partial change in the risks. This change is linked, on the one hand, to the development of the Group’s multi-year objectives and, on the other hand, to external developments that could potentially have an impact on our business operations.

In our 2025 annual report, we provide a detailed description of the key risks, the control measures in place, and the opportunities and potential they present.