Bouwinvest is well aware that it invests the money of third parties. The organisation is compact and client centric. We add value by doing business on the basis of a sound vision of the developments in various real estate markets. Risk management plays a key role in this vision. For one, so we can handle the money of third parties with all due care and secondly for the realisation of our ambitions. In addition, we want to avoid any unnecessary or unwanted risks.
Risk management is the process of understanding the risks to which Bouwinvest and its clients are exposed and then managing those risks effectively within certain defined tolerances. For this purpose, we have an effective and efficient system of control measures we use to measure and monitor the degree of risk management at every level.
Bouwinvest believes risk management must contribute to the creation, optimisation and protection of the value of the company. We do this by managing the risks integral to all activities of the management organisation, the Dutch funds and the international mandates. We do this at a strategic, tactical and operational level.
Lines of defence
Bouwinvest has opted for an effective structure and permanent monitoring of its internal risk management and control systems and a solid reporting system for same. These systems have to provide the management with insight into the nature of the risks (both retrospective and prospective) and into which control measures are being taken in terms of both substance and procedure. In addition, we require a clear understanding of the remaining risks, so we can decide whether any additional control measures are required.
Bouwinvest’s risk and governance structure is based on the three lines of defence model. This structure is focused on the monitoring of the processes and achieving the company’s strategic and operational targets. Within the governance structure, we recognise the following components (the lines of defence):
Executive Board of Directors and Managers (1st line) – primarily responsible for the risks inherent in the day-to-day business;
Risk Management and Compliance (2nd line) – responsible for providing support and advice on the quality of the risk management carried out by the first line;
Internal Audit (3rd line) – oversees the performance (soundness and effectiveness) of internal control mechanisms in the first and second lines.
Risk Management function
The Risk Management department is responsible for the design, the implementation and the effectiveness of the risk management within the organisation and the monitoring of the first line of defence. It does this by continuously identifying, measuring, managing and monitoring risks, but also by facilitating and monitoring the implementation of the processes. In addition, the so-called second line monitors the compliance with risk limits, the effective operation of internal controls, the accuracy, completeness and timeliness of reports and the timely identification of and mitigation of incidents or issues. The department’s other responsibilities include advising the Executive Board of Directors regarding the integrated risk controls for the three-fold scope (Bouwinvest as management organisation, the Dutch funds and the international mandates).
The Risk Management department’s role is focused on obtaining a complete overview of how risks are managed, at strategic, tactical and operational levels. To be able to meet this obligation, the Risk Management department should collect all risk-related disclosures and reports, consolidate these at Bouwinvest level and provide an opinion on same.
With respect to risk management, Bouwinvest distinguishes the risk areas shown in the Risk Taxonomy below. The risk management of the main risks is explained in the risk matrix below this Risk Taxonomy.
Bouwinvest’s growth ambitions are putting ever higher demands on the maturity of its risk management. In 2019, the Risk Management department, together with other departments (including Compliance and Internal Audit), focused on the renewal of the integrated risk management policy. This resulted in a tightened integrated Risk Management Framework, Risk Appetite Statement and Risk Taxonomy. The activities required to realise the continued growth in risk maturity were included in the Risk Roadmap. In 2019, we took a significant first step in the execution of the Roadmap and the implementation of this roadmap in the organisation. This will contribute to the further professionalisation of Bouwinvest’s risk management. This has strengthened the foundation that will enable us to firmly embed risk management within the Bouwinvest organisation.
For 2020, we have defined the following spearheads:
The continued structuring of a robust integrated Risk & Control Framework
The continuous improvement of adequate accounting and management information
The continued professionalisation of the three lines of defence.
These are both important and ambitious spearheads that will help us take the step to Next Level Risk Management. In view of the continued developments on the laws and regulations front and the attendant requirements, we will continue with the implementation of our Next Level Risk Management plan in 2021. This will include the ‘Risk Way of Working’ initiative, which we use to continuously raise the risk awareness our employees and embed integrated risk management as a part of our regular processes.
Monitoring and reporting
The Executive Board of Directors oversees the risks related to its various activities and the funds and mandates Bouwinvest manages. To support this and to optimise risk transparency, the Risk Management department, where necessary with input from the Compliance department, draws up a quarterly risk report. This report covers the (management and development of) risks in the risk taxonomy, business incidents and issues and developments in the field of laws and regulations based on an integrated risk management policy.
Bouwinvest consider integrity, transparency and corporate social responsibility important conditions in achieving its targets. In that context, Bouwinvest strives to do business in an ethical and controlled manner, in which Bouwinvest and its employees abide by laws and regulations and its own internal codes of conduct.
Bouwinvest has an independent compliance function that focuses on the supervision of compliance with laws and regulations and internal rules, the development of policy, monitoring the effectiveness of the compliance control measures, investigating integrity reports and providing (solicited and unsolicited) advice.
In addition to this, the compliance function focuses on raising integrity awareness and promoting desired conduct within the Bouwinvest organisation, including the organisation of training courses.
The compliance function reports to the Chief Executive Officer and also reports to the Supervisory Board’s Audit, Risk & Compliance committee on a quarterly basis.
In 2019, the compliance function intensified its cooperation with other departments, such as Risk Management, HR, Internal Audit and Corporate Communications. The need to intensify cooperation arose from the wish to take a more integrated approach to the likes of risk management and culture & conduct-related activities.
Laws and regulations
Laws and regulations are constantly changing. In 2019, the compliance function once again worked on regular updates to a number of internal rules and regulations.
Bouwinvest closely monitors the developments in laws and regulations and adjusts its internal policies in line with any new or amended legislation.
In 2019, Bouwinvest started a project related to the revision of its internal policy related to the implementation of the Dutch act on the prevention of money-laundering and the financing of terrorism Act (Wet ter voorkoming van witwassen en het financieren van terrorisme - Wwft).
Management of compliance risks
Bouwinvest uses the three lines of defence model for the management of its risks. In this model, the compliance function focuses on the management of compliance risks and plays a second-line role. The definition of compliance risks covers the main risk themes regulatory risk and integrity risk.
As part of its second-line role, the compliance function supports, advises, coordinates and monitors the first line of defence in the management of Bouwinvest’s identified compliance risks. This function supports the first line by raising awareness of risks and by making it clear how employees can reduce or control these risks and what Bouwinvest expects from them on this front. One important activity on this front is the annual Systematic Integrity Risk Analysis (SIRA), which involves a large part of the organisation. The aim of the SIRA is to map out compliance risks and assess the effectiveness of compliance control measures. The outcome of the SIRA is used as input for the compliance year plan for the year ahead.
As part of the continued development of the integrated risk management system, in 2020 the compliance function will continue its close cooperation with the Risk Management and Internal Audit departments.
Training and awareness
In the spring of 2019, the compliance function organised a number of integrity workshops. These workshops are mandatory for all Bouwinvest employees and are aimed at increasing awareness among employees by having them talk to each other about integrity-related issues.
In addition to significant compliance themes such as conflicts of interest, corruption, fraud and behaviour, these workshops also focused on moral courage. They were also used to discuss dilemmas that people may be confronted with in their day-to-day work.
Reports and advice
In 2019, there were no incidents that led to a report to the regulator, the Dutch Financial Markets Authority (Autoriteit Financiële Markten - AFM) and there were no well-founded reports of corruption. The compliance function did receive other kinds of reports. All reports were investigated and followed up according to internal policies. Where necessary, Bouwinvest took appropriate measures or initiated a dialogue with the employee(s) in question.
With respect to the processing of personal data (privacy), Bouwinvest experienced 10 data breaches in 2019. We reported one of these breaches to the regulator, the Dutch Data Protection Agency (DPA). Most of the cases involved an incorrectly sent e-mail. Some of the data breaches were at processors. We investigated all the data breaches and took additional measures when this proved necessary.
On the advice front, the compliance function is primarily consulted on issues such as business partner assessments, ancillary positions, gifts & events and privacy.
‘In control’ statement
The Executive Board of Directors has issued an in control statement on the financial reporting risks and strategic and operational risk management at Bouwinvest. The Executive Board of Directors is responsible for proper risk management and internal control systems, as well as for the assessment of the effectiveness of same. On the basis of its assessment of the risk management and internal control systems, the Executive Board of Directors believes that these systems provide a reasonable level of assurance that the financial reports contain no material misstatements. Bouwinvest has been ISAE3402 type II certified for its financial reporting processes since 2012, which shows these are in order.
In general, the Executive Board of Directors believes the risk management and internal control systems functioned properly in 2019. Nor is there any indication that these systems will not function properly in 2020. We did not identify any shortcomings that could have a material impact in 2019, nor up to the date this annual report was signed in 2020.
Furthermore, we did not identify any shortcomings in the internal control systems that could have a material impact on operational and compliance risks, nor on the financial reporting function and the functioning of the internal and external auditors.