Risk management is an essential and integral part of strategic business planning and decision making that assists in achieving objectives and strengthens the ability to respond to the challenges faced.
Risk is inherent in everything we do and Noventiq as a global and growing organization must be aware of its risks in order to be successful and sustainable. To be effective, the organization must evaluate the uncertainties and implications within options as well as manage impact once choices are made. When done well, effective risk management can also give us a competitive edge; our customers are looking for a partner they can trust to help them manage their own risks, so if we can manage risk better than our competitors, it can help us to capitalize on growth opportunities.
As with all aspects of good governance, the effectiveness of risk management depends on the individuals responsible for operating the systems put in place. Our risk culture encourages openness, supports transparency, welcomes constructive challenge and promotes collaboration, consultation and co-operation.
2. Scope of Enterprise Risk Management
Enterprise risk management should be considered in relation to strategic, tactical and operational objectives. It will therefore include external factors such as natural disasters and the regulatory environment, and internal factors such as our leadership and service delivery as listed below.
- Emerging risks
- Risks from partners, vendors & customers
- Intellectual property Agreements
- Contracts etc.
- Systems, e.g. Information Security, Supply Chain, Financial
3. Purpose of this Document and Audience
The purpose of this document is to set out the key requirements for Noventiq’s risk management, with a focus on enterprise risk management and its framework. The document is intended for:
- Executive and Non-Executive members of Board of Directors
- Audit Risk Committee members
- Ethics & Compliance Business Partners
- Risk Practitioners
- Policy leads, etc.
Whilst the key stakeholders identified above are key to effective management and leadership of risk, everyone in Noventiq, regardless of seniority, should think of risk management as an important aspect of their role and of the culture of Noventiq.
4. Terms and Definitions
Any defined terms in this Policy are in bold. The defined terms used in this Policy shall have the following meanings.
Risk is the ‘effect of uncertainty on objectives’. The effects can be negative, positive or both. Risk is usually expressed in terms of causes, potential events and their effects.
Risk Management is a process applied in strategy-setting and across the enterprise, designed to: (i) identify potential events that may affect the organization and lead to significant losses; (ii) manage prioritized enterprise risks so that they remain within the organization’s risk appetite; (iii) provide reasonable assurance to internal and external stakeholders regarding the achievement of the company’s objectives.
Enterprise Risk is a risk or combination of risks that can seriously affect the performance, future prospects or reputation of the organization.
Enterprise Risk Management’s objective is the continuous improvement that enables the organization to achieve its strategic objectives, meet regulatory requirements and protect its reputation via: (i) enterprise oversight of the organization’s health; (ii) effective decision making; (iii) providing strategic direction to manage enterprise risks effectively across the organization; (iv) driving accountability and performance.
Framework is the collection of information and principles that form the structure of an organization’s approach to running systemic processes.
Risk Mitigation Strategy involves taking action to reduce an organization's exposure to potential risks and reduce the likelihood that those risks will happen again.
Governance is the system by which the organization is directed and controlled. It is concerned with structure and processes for decision making, accountability, control and behavior at the top of the organization.
Committee is a group of persons convened for the accomplishment of some specific purpose, typically with formal protocols.
Global Business Unit in Noventiq is a part of an organization that represents a specific line of business and is part of a company’s value chain of activities including operations, accounting, human resources, marketing, sales, and supply-chain functions (e.g. CIS, CEE, LATAM). There are further regional, country and/or cluster structures underneath those Global Business Units.
Noventiq means Noventiq Holdings plc (or any successor) and any entity, operation or investment more than 50% owned by Noventiq Holdings plc directly or indirectly.
5. Enterprise Risk Management Framework
The risk management framework supports the consistent and robust identification and management of opportunities and risks within desired levels across an organization, supporting openness, challenge, innovation and excellence in the achievement of objectives. For the risk management framework to be considered effective, the following principles shall be applied:
A. Risk management shall be an essential part of governance and leadership, and fundamental to how the organization is directed, managed and controlled at all levels.
B. Risk management shall be an integral part of all organizational activities to support decision-making in achieving objectives.
C. Risk management shall be collaborative and informed by the best available information and expertise.
Risk management processes shall be structured to include:
a. risk identification and assessment to determine and prioritize how the risks should be managed;
b. the selection, design and implementation of risk treatment options that support achievement of intended outcomes and manage risks to an acceptable level;
c. the design and operation of integrated, insightful and informative risk monitoring; and
d. timely, accurate and useful risk reporting to enhance the quality of decision-making and to support management and oversight bodies in meeting their responsibilities.
D. Risk management shall be continually improved through learning and experience.
6. Noventiq’s Enterprise Risk Management Governance Requirements
Board of Directors (BoD)
BoD is in charge of the management of the organization's business by: (i) making the strategic and operational decisions, (ii) ensuring that Noventiq meets its statutory obligations.
Audit & Risk Committee (ARC)
Audit and Risk Management Committee is responsible for assisting the Board of Directors in monitoring the overall risk management framework, the financial reporting, ethics and compliance processes, and the performance of auditors, and in overseeing the audit program.
Risk Oversight Compliance Committee (ROCC)
The key role of ROCC is to promote, oversee and further improve a culture of adherence to the organization’s standards of Enterprise Risk Management, Ethics & Compliance within Noventiq:
- Every year, the ROCC reviews external, internal operational, legal and compliance risks facing Noventiq and agrees a list of the most significant “Enterprise Risks”.
- Enterprise risk strategies are maintained for those risks identified by the ROCC as requiring particular coordination across Noventiq. Each Enterprise Risk has a designated senior leader as the Enterprise Risk sponsor, who will be responsible for the following:
  - Establishing the governance structure
  - Sponsoring, establishing and managing the Enterprise Risk mitigation strategy
  - Approving or seeking approval from ROCC of the respective written standards
  - Oversight of risk mitigation strategy delivery against a clear timeline
  - Reporting the status of the risk mitigation strategy
- The Enterprise Risk Sponsor will subsequently identify a senior Responsible Person who will:
  - Establish and manage the Enterprise Risk mitigation strategy
  - Own the risk mitigation strategy and its delivery against clear timelines
  - Support/manage the governance structure
  - Create/update, communicate and train on written standards and controls
  - Engage with the business and functions to assess the risk
  - Manage and monitor the status of the mitigation strategy for reporting
- The ROCC has the mandate to oversee the risk management and internal control systems for our Enterprise Risks. This includes ensuring a robust process exists for the business to identify the risks that are significant to the Company and monitor the effectiveness of internal controls implemented to manage those risks.
- The ROCC ensures timely and appropriate reporting and escalation of risks to the Noventiq’s Board of Directors via Audit and Risk Committee.
- Significant business challenges should be considered as part of the annual planning processes (e.g. strategy, financial) including any impact these plans might have on the management of Enterprise Risks.
- Further details are included in the Risk Oversight Compliance Committee Terms of Reference.
Risk Management & Compliance Committee
- Global Business Units are accountable for setting up the most effective hierarchical structure of Risk Management and Compliance Committees (RMCCs), e.g. at regional and/or country level, to ensure appropriate risk management and implementation of internal controls for relevant Enterprise Risks within their scope of accountability, including assessment and monitoring of controls effectiveness.
- RMCCs may choose to assign Risk Owners for each applicable Enterprise Risk and align their activities to support enterprise risk strategies. RMCCs review each applicable Enterprise Risk at least once a year.
- RMCCs meet at least quarterly to review mitigation of applicable risks and discuss emerging risks in the external or internal environment.
- RMCC membership must include representation for all the major parts of the business operating units, e.g. Commercial, IT, HR, Finance, etc., as agreed with their Compliance Business Partner and respective ROCC member (as needed).
- The framework includes a mechanism to ensure that employees take accountability for identifying and escalating encountered risks so they can be appropriately managed.
- Global Business Unit Heads report to the ROCC and/or Audit Risk Committee annually in regard to their oversight, including how their activities support applicable enterprise risk strategies.
Global Ethics and Compliance & Enterprise Risk Management
The Global Chief Compliance Officer compiles an annual report on the implementation of risk management and internal control for the ROCC and, via the Audit Risk Committee, for the Board of Directors; this report shall be used as input into Noventiq’s Annual Risk Report intended for regulators and investors.
The Head of Enterprise Risk Management, who reports to the Global Chief Compliance Officer, defines the company’s risk management framework in consultation with senior business leaders, together with the steps of risk assessment (identification, analysis and evaluation), appropriate risk treatment in line with the risk posed, and the monitoring and review of risks to assure that each risk is adequately mitigated.
The Ethics and Compliance Business Partner will support the business in the implementation of a robust system of risk management and internal control.
7. Revision history
Summary of Changes
Change to reflect Noventiq updates