6. GENERAL DISCRIPTION OF THE INTERNAL CONTROL ENVIRONMENT AND RISK MANAGEMENT
The law of 6 April 2010 on the reinforcement of corporate governance makes it mandatory for listed companies to provide a description of the most important characteristics of the internal control and risk management systems related to its financial reporting process.
GENERAL FRAMEWORK
Through the years VPK Packaging Group NV has recorded a strong growth, as well autonomously as following different successful take-overs. This rapid growth resulted in a strong need for fundamental and effective internal control and risk management systems. To develop a clear company structure the entire group has been split up in three operational segments and another, i.e. unallocated activities.
Only financial management, ICT and risk management in its broadest sense are centralized and organized and managed at group level. The other management areas are organized at a decentralized level in order to be able to sufficiently take into account the specific characteristics that are particular for the respective operational segments. The operational managers with final responsibility have a fixed contact person in the executive committee. This enables both control as well as a swift and rapid flow of relevant information.
Accounting
VPK Packaging Group NV provides all necessary means to support the financial reporting process in an optimal way. It does so with the ambition to strive for a well-performing and transparent financial reporting ensuring mutual comparability between all group companies. To this end all guidelines with regard to management reporting and external financial reporting have been described in detail in the Group Accounting Manual. The accounting principles mentioned in this internal manual are in accordance with the International Financial Reporting Standards (IFRS) and are respected by all group companies of the consolidation scope.
Amendments to the international financial reporting standards which are relevant for the group are followed in detail by the company and are analysed, in function whereof the Group Accounting Manual is amended.
Periodically, all staff members closely involved in the financial reporting process deliberate upon this matter in order to solve new accounting or financial topics in a structural way. Those initiatives, such as for instance the organisation of the annual Finance Day gathering all financial staff, must enable VPK Packaging Group NV to identify and fundamentally analyze new risks with regard to the financial reporting process in due time, taking into account their probability and possible impact on the company.
Subsequently these risks are taken into consideration at the occasion of developing management policy and are also defining the agenda of the internal audit department.
If an amendment to the current accounting principles becomes necessary based on a modified market situation and/or an amendment to the legislative framework, this modification is always adopted by the financial direction.
Controlling
VPK Packaging Group NV has chosen to manage accounting as much as possible at group level. That way, it can better control compliance with internal procedures with regard to financial reporting in order to guarantee uniformity of financial data. All operational staff with final responsibility is assisted by business analysts, having a controlling as well as a contributing role. These business analysts are the link between the operational side and the financial side of business. The company’s choice to organize the activities of the business analyst at a decentralized level is inspired by the conviction that specific local knowledge offers a particular added value allowing the analysis of financial data with more accuracy. The contribution of the local analysts must enable the company to manage its business in a proactive way and consequently anticipate market trends and local opportunities.
In order to ensure a structural and consistent approach by the local analysts, they report to the group controller, coordinating the activities and objectives of the local business analysts. The group controller also takes on the responsibility op adopting amendments to the information and/or reporting systems whenever specific legislation, guidelines, recommendations of controlling bodies or circumstances demand it.
Control
The control of the procedures with regard to risk management related to the financial reporting process are organized within the company at different levels and different moments. Such control activities indeed rest with the internal audit department on the one hand, and the group controller on the other hand.
On an ongoing basis, the group controller ensures strict compliance of the group companies with the rules defined by the group. A second control is taken on by the internal audit department that will compare the financial reporting of a specific group company in detail with the rules defined by the group, on a periodical basis.
The findings and recommendations of the internal audit department are communicated throughout the year to the members of the executive committee, in order to make the required amendments. At least twice a year, the findings and recommendations are also reported to the audit committee, in turn informing the board of directors. Follow-up of these findings is controlled by the operational managers with final responsibility on a quarterly basis.
These complementary controls, executed by two separate and mutually independent departments, must enable the company to ensure compliance with the rules on financial reporting defined by the group. Moreover, all key processes, contributing in a significant way to the accounting and financial reporting, are subject to one or more internal control mechanisms tailor-made for the company, and that take into account the specific risks related to the management process under review.
Financial Calendar
The split of the responsibilities and deadlines as such are not recorded in the Group Accounting Manual, but as a listed company VPK Packaging Group NV has to respect a number of obligations with regard to communicating its financial information to the market. This financial calendar is published on the company website and in the annual financial report. Based on this financial calendar the internal tasks are assigned and the related deadlines are fixed.
The individual responsibilities are always communicated in a systematic and structured way via the communication channels organized to this end, allowing each staff member to exactly know what is expected of him/her. That way, the company wishes to structure the identified legal and regulatory framework with regard to the communication of risks related to the financial reporting process.
VPK Packaging Group NV’s Chief Legal Officer, also taking on the role of Investor Relations Manager, ensures compliance with legal external communication regulations and closely follows their amendments.
Board of directors and audit committee
The audit committee and the board of directors also take on a specific role within VPK Packaging Group NV with regard to the financial reporting process.
The audit committee ensures that the financial reporting presents a truthful, sincere and clear view of the situation and outlook of the company. At least once a year the audit committee will evaluate the internal control systems organized by the executive committee to check if the main risks have been efficiently identified, reported and managed.
The effectiveness and independence of the internal audit department are also periodically evaluated by the audit committee. Possible amendments to the current valuation rules, defined in 1998, are always discussed by the audit committee before they are presented to the board of directors.
Also in case certain financial overviews have to be published, they will first be discussed in the audit committee in order to ensure compliance with the defined accounting principles. Immediately after that, such financial statements and the related press release are discussed with regard to their content, and approved by the board of directors.
The board of directors pays a lot of attention to the net financial position of VPK Packaging Group NV and to the related consolidated cash flow statement. Whenever useful, an outlook with regard to the cash situation is presented.
Before information is finally made public, it is controlled internally as well as by the external auditor. It is the audit committee’s task to recommend on the selection, the nomination or discharge of the auditor, as well as on the degree of follow-up of the auditor’s recommendations by the executive committee.
INFORMATION & COMMUNICATION
Accounting and reporting systems
Following the rapid growth of VPK Packaging Group NV there was a growing need for a uniform accounting and reporting system. After a profound analysis of the specific needs of the company and the solutions offered, an ERP package was finally implemented to respond to the aforementioned needs. By choosing the SAP system the company has opted for the market leader in management software, with a sound experience in multinationals.
At the same time the management processes were closely monitored and, wherever needed, streamlined, simplified and made more efficient (‘Business Process Reengineering’). Within the framework of this project different procedures have been developed and implemented afterwards within the entire group.
Moreover, a uniform calculation method was developed, allowing an analytical approach and meaningful internal reporting. Thanks to these efforts the comparability (benchmarking) between similar units within the group is ensured.
As from 2002 the SAP system was adopted and rolled-out step by step in the entire group. In the meantime, the group has evolved towards a situation in which all units use the so-called FI-CO modules in SAP (accounting & controlling) in an optimal way. Furthermore the more operational SAP modules are used by many, though not yet by all, units.
ICT support
The servers supporting this ERP package are entirely centralized at VPK Packaging Group NV’s head office in Dendermonde (BE). Taken into account the centralization of the servers, the group is strongly dependent on continuity of service. Given its importance, electricity supply has been guaranteed, and a second data center has been created, sufficiently far from the first data center. Herein, essential software applications are mirrored. Physical access to the data center is protected by a fingerprint recognition system. Periodically a specialized audit is carried out to test the efficiency of these security measures. Despite the heavy related telecom costs, VPK Packaging Group NV is convinced that this is the best option to ensure a uniform, professional and permanent service. From this same point of view the ICT department, implementing the software as well as giving technical support to the local branches, has been systematically developed. This department currently employs 24 people, often assisted by external experts in the field, offering additional support for specific and specialized tasks.
VPK Packaging Group NV has concluded different Service Level Agreements with external ICT suppliers with whom the group cooperates. In this context, the company evaluates their operational safety, continuity and the quality of the services rendered. Furthermore the company wishes to build in enough flexibility in order to not become too dependent on these suppliers.
Data security
The access to different data and applications is protected by a system of user rights that has been set up with the assistance of external specialists. This system is permanently guarded and amended if necessary. The required anti-virus software has been installed at different levels. It is obvious that these applications are continuously up-to-date and that important information is backed-up daily.
Technological challenges
In order to ensure that the entire ICT system keeps responding to the growing challenges due to the rapid evolution in the areas of technology and size of the company, the ICT manager is invited a couple of times a year by the executive committee for an internal discussion. During these gatherings proposals are discussed with regard to modernizing certain investments or further developing the IT equipment. That way, decisions are always made after some consideration and with expertise. The ICT manager also directly reports to a member of the executive committee allowing it to be updated with regard to technological progress without losing sight of the related costs.
INTERNAL CONTROL AND RISK MANAGEMENT SYSTEMS
Risk analysis
VPK Packaging Group NV’s strategy is translated by the board of directors and the executive committee into concrete and measurable objectives, both in the short and long term. Each of these objectives is characterized by the ongoing striving for internal growth and international expansion, and defines the risk proneness of the company. These objectives can indeed only be realized by taking specific calculated and well-considered risks.
The identified risks are analysed in function of the management objectives and are absolutely limited to an acceptable level. Via the standard internal communication channels the risks and corresponding risk management measures are communicated to the persons involved within the company. These persons obviously have the required knowledge and experience to deal with these risks in an appropriate way. The main risks the company is confronted with – without being exhaustive – can be summarized as follows:
Strategic risks
As is the case for each company with an international dimension, VPK Packaging Group NV is exposed to different risks inherent to a rapidly evolving and globalizing world. The main risks that have to be considered are the macro-economic evolutions, technological progress, (geo-)political developments and possible risks with regard to take-overs, divestments and joint ventures.
The vertical integration of the group, producing different forms of packaging for transportation (cores, corrugated and massive board boxes) and their required raw material (paper based on recycled paper), together with the internationalization (diversity of geographical market where the group operates) represent major factors of risk diversification and management.
Market risks
Old paper, energy and starch are the most important raw materials for the company. The price evolutions of these raw materials can have a significant influence on the company’s performance. The impact of possible unfavourable price trends, wherever possible and recommended, can be limited by concluding term contracts at a fixed price. Obviously, a negatively evolving market demand for paper and board can also have harmful consequences for the company.
Financial risks
The company is off course also confronted with certain financial risks, specific for trading in an international context. The most relevant financial risks for the company are further explained below.
Credit risk
Within every business environment a company is confronted with the risk of non-payment by customers, with regard to the sale of goods.
Taking into account this important risk, the company has developed a fundamental credit risk policy ensuring a large part of all receivables through credit insurance. Next to that, the spread of the customer portfolio results in a natural reduction of the credit risk. Furthermore, the evolution of outstanding receivables is closely followed-up by the credit & collection department, reporting on this matter on a monthly basis.
Provisions for un-collectable receivables are made in a timely manner and in a consistent way.
Interest rate risk
The company manages a portfolio of financial instruments to efficiently hedge risks with regard to interest positions from its management and financial activities.
VPK Packaging Group NV has adopted a clear policy not to engage in speculative or leverage transactions, nor holding or issuing financial instruments that are not based on real commercial and financial transactions.
To benefit from certain group synergies in an optimal way, the interest rate risk of all group companies is centrally managed by VPK Services GCV, a full subsidiary of VPK Packaging Group NV functioning as an ‘in-house bank’. Centralizing all transactions related to the interest rate risk is also limiting the risk. That way, the group is optimally using its specific internal financial knowledge to cover this risk in the best possible way.
Exchange rate risk
The exchange rate risk is defined to a large extent by the countries in which the company operates.
Periodically the group analyzes the current and future currency risks and takes up the required positions in order to hedge this risk in an appropriate way. On the one hand, this is by aiming at natural hedging, and on the other hand, by concluding term and currency swap contracts.
Liquidity risk
Backed by a strong balance sheet, the company has always succeeded in attracting sufficient and well-diversified financing sources.
Furthermore, the company has ample unused credit lines to guarantee the required liquidity for future operations.
Compliance risks
Within a company with the size of VPK Packaging Group NV individual actions of employees can lead to infringing financial, social or ethical standards, important to the company. This can influence its image as well as the value of the share in a negative way.
For specific items codes of conduct and protocols have been established by VPK Packaging Group NV.
In this respect there is the Protocol for the prevention of market abuse that each executive or employee who comes into contact with price-sensitive information has to subscribe when joining the company, and comply with.
As from this year, a Code of Conduct presenting an overview of the ethical standards and values that are essential to VPK Packaging Group NV, and of which it demands that this Code is strictly and faithfully respected by each employee within the group, will be adopted.
Next to that, the Corporate Governance Charter of VPK Packaging Group NV also comprises provisions with regard to the organization structure in order to reduce the company’s compliance risk to a minimum.
Regulatory risks
The development of the company’s operations always has to be carried out within a defined legal framework. VPK Packaging Group NV meticulously organizes the execution and development of its operations in full compliance with the aforementioned legal framework.
Also inspired by the values of the company and its desire to operate in a corporate socially responsible way, great importance is attached to strict compliance with the most stringent regulations with regard to safety and environment, by daily management.
An evolving environmental legislation in combination with an explicit ambition of the company to operate ecologically can however lead to specific challenges in matters of operations.
Because of the fact that the company develops an economic activity in different countries and regions it is inevitably exposed to certain regulatory risks that can strongly differ per country. The evolving national and international legislative framework should consequently be closely monitored in order to define the impact of these changes on the company and its national and foreign subsidiaries accurately and in a timely manner.
These regulatory risks are adequately overcome by the internal legal department, supported by local legal advisors, meticulously protecting the interests of the national and foreign group companies with regard to this matter.
Contractual risks
Certain group companies operate in a market segment characterized by sector specific contractual engagements. Prior to their signing, these contracts as well as any other contractual engagement that can have a significant operational or financial impact on VPK Packaging Group NV and/or its group companies, are read and commented by the internal legal department, communicating its advice to the executive committee and the operational managers with final responsibility.
The contractual engagements essential to VPK Packaging Group NV are recorded in the “Rules of Procedure”, stating the general framework of autonomy and independence of the operational managers with final responsibility. These “Rules of Procedure”, into force throughout the entire organization, are available at the company’s intranet. It is obvious that, when market situations significantly change after the signing of a contract, their execution can have a negative impact on the company results.
IT risks
Obviously, the company makes an appeal to different IT systems for supporting its operations.
This important dependency on hardware as well as software entails that technical failure and other possible defects can have an important impact on the company’s performance. In order to reduce such an impact to a minimum, the IT department has developed the required repair and back-up procedures.
Furthermore, this specialist department ensures the safety of company data and the protection of access to the internal network.
Extraordinary risks
The company can also be confronted with extraordinary events that can negatively influence the company’s performance. Such risks can be very diverse with regard to their nature and size.
It is obvious that for instance a fire with one of the group companies would temporarily limit the further development of this company. Other extraordinary risks then can occur at a large scale. Certain phenomena in nature or worldwide epidemics can indeed temporarily disturb the entire world economy.
Should such risks take place, this would undoubtedly have a significant impact on the company. Given the particular characteristics of these risks, it is most challenging to the company to adequately manage their impact.
RISK CONTROL PROCESS
The main risks the company is exposed to are closely analyzed in function of their probability and their possible impact on the company. This analysis is an ongoing process that is regularly amended based on past experience and/or changing circumstances, allowing a proactive approach of possible unfavourable evolutions.
From the ambition of reaching the company’s objectives, the most important management processes are closely examined on a periodical basis, in view of potential improvements. For certain initiatives a great deal of attention is paid to the significant risks identified by the company.
The correct implementation of the organized control mechanisms is verified by the internal audit department. The executive committee is kept up to speed by the internal audit department whenever key processes need to be amended because of their shortcomings in matters of risk management. Such findings are also communicated to the operational managers with final responsibility, who have to adjust if necessary.
Furthermore, the group tries to arm itself in the best possible way against global disasters and/or setbacks. This striving for risk reduction has taken a concrete form in the intensive collaboration with external engineers to reduce the risk of damage following for instance a fire, flood or machine failure, to a minimum. This collaboration is part of the Highly Protected Risk project for which factories have to meet stringent safety criteria.
In order to control the financial impact of the risks that the group cannot entirely manage or reduce, different insurance policies have been subscribed to in different areas. This is always done through renowned brokers that support the group in obtaining an optimal price-quality relation and that screen and evaluate the solvency of the insurance companies on an ongoing basis. Insurance policies that are mandatory in a certain country, are locally managed (for instance the insurance with regard to industrial accidents). The other insurance policies are concluded and managed at group level.
Furthermore the company attaches great importance to integrity and ethics and also tries to reflect this in its internal standards and values applicable within the company. Because of the group’s growth, as well in terms of size as geographically, it becomes more difficult to communicate the required moral behaviour standards to all employees in a direct and personal way.
To answer appropriately to this challenge, it was recently decided to develop a general code of conduct. This code will soon be implemented throughout all levels of the organization. This new step in the development of the internal control mechanisms entails that the company will systematically have to refer to this code of conduct in its current job descriptions to familiarize everyone with it and ensure that they formally recognize its existence.
That way it will also become clear that the code of conduct is part of the competencies and skills required for the appropriate execution of the different tasks specific to the function. Compliance with this code of conduct will also be part of the annual evaluations where is discussed in a constructive way how the employee takes on his/her responsibility with respect to the standards and values effective in the company. Should non-compliance with the code of conduct lead to a breach of confidence, appropriate measures will be taken.
These evaluations are also the ideal occasion to assess the training needs and possible promotion of the concerned employee. That way, the company can assess the competencies of the employees on an ongoing basis.
From a risk reduction perspective, the company applies the principle of separation of authorities as much as possible throughout the entire organization. Also in the group entities with a limited size, where it is not always easy to implement an adequate separation of authorities taking into account the operational restrictions, all required efforts are made in order to separate the authorities as much as possible. This principle is written down a.o. in the so-called “Rules of procedure” ensuring a clear and transparent delegation of responsibilities and authorities.
The principle of separation of authorities is also clearly expressed in the division of authorities between the board of direction and the executive committee.
The choice of the directors is mainly based on their specific knowledge and experience within a specific area. That way, the company can always rely on a diversity of relevant knowledge and experience.
In accordance with the applicable regulation, the board of directors organizes the different committees from within. These committees meet at regular times in order to deliberate. The chairman of each committee reports after each meeting to the entire board of directors that can demand the required comments or explanation. In the audit committee the external auditor as well as the internal auditor report on their activities.
The internal auditor also presents his audit plan for the next semester for approval, in order to amend it where necessary, in function of the priorities of the audit committee.
The Chief Legal Officer takes on the role as secretary of these committees and ensures that the agenda and documents for preparing the meetings are always communicated in a timely manner to the board of directors and the different committees, to enable their members to prepare themselves thoroughly, obviously adding value to their contribution.
The education and experience of the different members of the executive committee are also complementary and guarantee a balanced decision making process. At least four times a year the executive committee reports to the board of directors on its policy. Each year, the board of directors decides to give discharge or not to the executive committee for its policy during the pas financial year.
INFORMATION AND COMMUNICATION
The performance of the different operational units, grouped per segment, are evaluated on a monthly basis, based on the reporting systems available in SAP and they are compared to the budget, taking into account the economic climate and the market situation. This is primarily the task of the business analysts, who will report within short notice as well to the operational managers with final responsibility as to the executive committee.
The results of the different operational units with comparable activities are continuously compared in a detailed way. That way, so-called ‘best practices’, per criteria, can be shared with other units of the group. At least twice a year the operational managers with final responsibility meet to exchange their experience, discuss on specific matters and take appropriate measures.
At regular occasions, comparisons with competitors are made for the entire group. These comparisons are discussed in the executive committee as well as in the board of directors. Should such an exercise lead to important conclusions, these will immediately be communicated to the operational managers with final responsibility.
EVALUATION OF THE INTERNAL CONTROL MECHANISMS AND NOTIFICATION OF POSSIBLE SHORTCOMINGS
The company has an internal audit department charged with ensuring the efficiency of the internal control system. Thereto the executive committee has given the internal audit department sufficient authority and means.
Complementary to the activities of the internal audit department, the quality of and compliance with the internal control systems is also verified by the independent auditor of the company.
The recommendations of both the internal and external auditors are periodically communicated to the audit committee, that closely monitors if these recommendations are effectively implemented by the executive committee.
