Risks and risk management
The risk management and internal control system
The Board of Executive Directors is responsible for the structure and functioning of the system of risk management and internal control that is applied within Océ. This system is focused on identifying and controlling the strategic, operational and financial risks and risks in the area of legislation and regulations so as to enable the Company’s objectives to be achieved. The system is based on the first reference model of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As regards information technology the reference model of the Information Technology Governance Institute (CobIT, Control objectives for Information and related Technology) has been applied.
Océ applies the structure of these models in the measures that have been taken to control its business processes and in the principal objectives for financial reporting. The details of the models are worked out centrally and are applied as consistently and clearly as possible in the various parts of the organization and legal entities. An overall risk analysis is anchored in the strategic business plans. During the year under review no material weaknesses were found in the internal structure for risk control.
During 2010, an analysis was made of the authorization design and implementation in Océ’s ERP solutions. It was found that the authorization rules (segregation of duties) are generally being respected and that agreed waivers and mitigating controls are in place for the exceptions. In a number of areas, however, the design of the standard business processes needs to be adapted in order to meet the needs of the business. These changes are foreseen for 2011.
Triggered by the change of control in March 2010, the largest Océ entities were included in the scope for the Canon Group Sarbanes-Oxley 0 compliance. Océ applies its risk management and internal control system to meet the Canon Group Sarbanes-Oxley 0 requirements.
Another aspect of the change of control is the fact that Océ changed its financial year, which has implications for the comparability of the financial information included in this Annual Report. The financial year 2010 consists of 13 months (from 1 December 2009 to 31 December 2010), as compared to the 12 months in the financial year 2009 (from 1 December 2008 to 30 November 2009).
Internal risk control structure and risk categories (x means: is applicable)

| Internal risk control structure | Strategic / operational | Legislation & regulations | Financial |
|---|---|---|---|
| Policy principles and procedures | x | x | x |
| Strategic plans and budgeting process | x | − | x |
| Organization structure and authorization manual | x | x | x |
| Supervisory Board | x | x | x |
| Audit Committee (AC) | − | x | x |
| Selection and Nomination Committee | x | x | x |
| Remuneration Committee | x | x | x |
| Information Manual (IM) | − | x | x |
| Letter of Representation (LOR) | x | x | x |
| Governance, Compliance and Risk Management (GCRM) | x | x | x |
| Disclosure Committee (DC) | − | x | x |
| Internal audits | x | x | x |
| Internal Controls Committee US (ICC) | − | x | x |
To provide an insight into the way in which Océ controls the relevant risks, an overview is given on the previous page of the internal risk control structure and how it relates to the various risk categories.
Willingness to take risks
Océ’s willingness to take risks is largely determined by the Company’s objectives.
The willingness to take risks with regard to research and development is relatively high. The resultant risks are managed within the structure of a project-based organization which brings together various disciplines of the Océ organization, such as research and development, marketing, manufacturing and controlling. The Board of Executive Directors is directly involved in monitoring the progress of the research and development projects.
Océ applies a neutral willingness to take risks with regard to operational risks that result from the business processes. Océ takes the view that these operational risks are inherent in the conduct of a business. The risks are managed at transaction level within the structure of Governance, Compliance and Risk Management. Endeavors are made to limit the consequences of operational risks as much as possible without causing unnecessary hindrance to the business processes.
With regard to the risks in the area of product safety and the environment Océ applies a low risk tolerance. Océ sets high requirements for the process quality via the Océ Technical Standards. In general terms it can be said that the Océ Technical Standards are more strict than external standards and norms. The process quality that is used to manage the product safety and environmental risks is certified at periodic intervals.
The risks that Océ is not willing to bear itself have been transferred to insurance companies. Examples include the insurance against fire and consequential losses and against transport damage. The insurance policy of Océ is comparable to that of other Dutch companies with international activities.
Internal risk control structure
A brief explanatory description of the main elements of the internal risk control structure is given below.
Policy principles and procedures
These form the basis for the internal risk control structure and are drawn up centrally by the Board of Executive Directors of Océ. All group companies must operate in accordance with these policy principles and procedures. They include the following elements:
- Océ policy principles
The policy principles provide a high level indication of the objectives of the Océ Group, how these should be achieved and the ethical criteria that should be complied with. The Board of Executive Directors communicates these principles to all employees and ensures that they are adhered to. The policy principles are reviewed at periodic intervals and amended where necessary.
- Whistle blowing procedure
In addition to the national legislation that is applicable to each separate group company, the Supervisory Board has formally approved a group procedure that has been implemented worldwide. The aim of the procedure is to ensure that within the whole Océ Group any infringement of legislation and of existing policy, principles or procedures can be reported without the person making such report suffering any adverse consequences in his or her legal position.
- Code of ethics for senior financial officers
This code is addressed to all members of the Board of Executive Directors and senior financial officers in the Océ Group and is aimed at emphasizing and promoting ethical and responsible behavior by this group of employees. The code is more detailed than the Océ policy principles and primarily deals with the financial processes and reporting systems.
Strategic plans and budgeting process
Strategic plans are drawn up for all parts of the Océ organization (operational and non-operational) and are converted into budgets. On a monthly basis the results actually achieved are evaluated in detail by the Strategic Business Units and the Board of Executive Directors and compared to the budgets. Cash flow management is an important part of this process.
Organization structure and authorization manual
Within the organization the entire complex of tasks, responsibilities and powers is set out in the organization structure. The allocation of responsibilities and powers is laid down in detail in various authorization manuals. Océ ensures that all employees are aware of the organization structure and the sections of the authorization manuals that are of relevance to them.
Information Manual (IM)
This contains a detailed description of the guidelines for management reporting and external financial reporting. External financial reporting is based on IFRS guidelines.
Letter of Representation (LOR)
All Managing Directors and Controllers of the group companies submit a detailed declaration on a quarterly basis. This declaration states, among other things, that the financial reporting is reliable and complies with the IM. In addition, specific answers are given to various questions about potential risks. Important observations made in the LORs are reported to the Board of Executive Directors and the Audit Committee. The content of the LOR submitted by the management of the group companies is supported by a detailed risk analysis.
Governance, Compliance and Risk Management (GCRM)
After the termination of Océ’s registration with the Securities and Exchange Commission in 2007, the internal control structure that existed for
compliance with the Sarbanes-Oxley Act 2002, now called Governance, Compliance and Risk Management, has been kept intact. The GCRM structure enables Océ to comply with the EU Transparency Directive and with the national legislation and regulations relating to risk management and control systems in the countries in which Océ is active. In addition, Océ is applying the GCRM structure to meet the Sarbanes-Oxley requirements of the Canon Group.
GCRM ensures that the business processes are documented with the aid of models which describe the measures that have been taken to manage operational risks in the business processes and in the financial reporting at transaction level. The models have been drawn up centrally and are applied as unambiguously as possible in the various organizational units and group companies.
Within this structure a management assessment of the effective control of the financial reporting process takes place each year. This management assessment is conducted within Océ by the management of the group companies and group units designated for such purpose. The results of this assessment are reported to and discussed by the Board of Executive Directors and the Audit Committee. The internal audit department participates in this evaluation.
Disclosure Committee (DC)
The DC consists of the Group Controller (chairman), representatives of operational group companies, the Corporate Supply Centers, the Strategic Business Units and Océ corporate staff departments (Investor Relations, Corporate Strategy, Group Finance & Administration), the Company Secretary & Chief Legal Officer, the Chief Information Officer (CIO), the Corporate Risk Officer and the Group Internal Auditor.
The DC evaluates the findings of the in-depth risk analyses that are conducted by all group companies. The results of this evaluation are initially reported to and discussed with the Board of Executive Directors and are subsequently discussed by the Audit Committee.
Internal audits
The Group Internal Auditor reports to the Board of Executive Directors and has access to the Chairman of the Audit Committee and to the external auditors. Within the framework of control mechanisms and assurance processes an audit plan is drawn up by the Group Internal Auditor each year. The internal audit plan is focused on the most important business processes and risks. The plan is discussed with the external auditors and is approved by the Board of Executive Directors and the Audit Committee.
The internal audits relate to financial reporting systems and the existence and proper functioning of operational processes, procedures and systems. The internal control framework is largely evaluated as part of the activities of the internal auditors. The internal auditors report on the effectiveness of elements of the internal control framework. The findings of the internal auditors are discussed and agreed with the relevant management. Subsequently the findings are discussed with the Board of Executive Directors, the external auditors and the Audit Committee.
Audit Committee (AC)
The Audit Committee, which consists of three members of the Supervisory Board, independently monitors the process of risk management on the basis of the supervisory role fulfilled by the Supervisory Board. The Audit Committee focuses on the quality of internal and external reporting, on the effectiveness of internal controls with regard to processes and on the functioning of the external and internal auditors. The Audit Committee meets at least four times a year. The relevant financial officers and the external and internal auditors are generally invited to attend these meetings.
Internal Controls Committee US (ICC)
Océ implemented an Internal Controls Committee (ICC) to monitor its business operations in the United States. The members of the Internal Controls Committee are the CFO of Océ-USA Holding, Inc., the CEO of Océ North America, Inc., the Presidents of the principal operating companies, the General Counsel and the Internal Audit Director in the United States, as well as the CFO of Océ N.V. (who also chairs the ICC).
External audit
On 22 April 2010, the Annual General Meeting of Shareholders appointed Ernst & Young Accountants LLP as the external auditors of Océ N.V. The external auditors carry out the activities relating to the issue of an audit opinion on the annual Financial Statements. The external auditors focus on the financial reporting and take into consideration the systems that are intended to ensure reliable reporting. The external auditors report on any matters relating to internal control measures that have been identified during the auditing of the annual Financial Statements. The observations made by the external auditors are discussed in the Audit Committee.