Doing business inherently involves taking risks. ASMI strives for a culture of openness and transparency in which identified risks are disclosed proactively and unexpected events are reported as soon as they occur. The following is an overview of ASMI’s approach to risk management and control systems. We also include an assessment of the key strategic, operational, financial and compliance risks that we consider to currently impact ASMI.
Undertaking business activity inevitably leads to the taking of risks. ASMI’s risk appetite is primarily established based on the defined and agreed strategy and the individual objectives within this strategy. Risk appetite is further supported by our code of ethics as well as detailed policies and procedures.
Risk Management and Control System
A comprehensive Risk management and Control framework, based on the 'three lines of defense model', has been established that gives the Audit Committee and the Management Board a clear overview of the effectiveness of internal controls and risk management. Within the framework, the Management Board is responsible for designing, implementing and operating an adequately functioning Internal risk management and Control framework in the Company. The objective of this framework is to identify and manage the strategic, operational, financial, financial reporting and compliance risks to which the Company is exposed, to promote effectiveness and efficiency in the Company’s operations, to promote reliable financial reporting and to promote compliance with laws and regulations. The Management Board is aware that such a framework can neither provide absolute assurance that its objectives will be achieved, nor can it entirely prevent material errors, losses, fraud and the violation of laws and regulations.
Supporting the Management Board are the following three pillars:
- Business & Operations management. These management functions own and manage risk, and are responsible for maintaining effective controls and for executing risk and control procedures on a daily basis. This involves identifying and assessing risks being undertaken and establishing appropriate controls to mitigate the risks. There are adequate management controls in place to monitor ongoing compliance and to highlight control breakdowns;
- Oversight functions. These management functions support Business & Operations management and help ensure that the risk and control procedures are operating as intended;
- Internal audit. This function provides independent objective assurance on the effectiveness of governance, risk management and internal controls including the manner in which Business & Operations Management and the oversight functions manage and control risk. Internal audit brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Our Internal risk management and Control framework is based on the framework in Internal Control - Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission ('COSO'). The Framework aims to provide reasonable assurance regarding effectiveness and efficiency of an entity’s operations, reliability of financial reporting, prevention of fraud, and compliance with laws and regulations.
We have embedded an Internal risk management and Control framework in the Company. Within the Framework, we continue to enhance our identification and assessment of our strategic, operational, financial, financial reporting and compliance risks, and continue to expand our risk management policies. We have documented our internal controls for all significant risks and continuously assess such internal controls. We have identified key controls over financial reporting and embedded these in common business and financial reporting processes to provide further assurance for the reliability of our financial reporting.
The internal audit function of ASMI forms one of the key elements to address the topics of risk management and internal control over financial reporting as required under the Code and the Sarbanes-Oxley Act, respectively. To ensure the independence of this function, the Director Internal Audit reports to the Management Board and the Audit Committee. The Audit Committee is involved in drawing up the work schedule and audit scope of the internal auditor. The internal auditor regularly provides updates on its findings to the Audit Committee.
Control Effectiveness Statement
The Internal risk management and Control framework and the evaluation of the effectiveness of our internal controls and areas for improvement are regularly discussed with the Audit Committee and Deloitte Accountants, our external auditor. The Audit Committee reports on these matters to the Supervisory Board.
The Management Board conducted an evaluation of the effectiveness of our internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15(d)-15(f)) based on the Internal Control – Integrated framework issued by the Committee of Sponsoring Organizations of the Treadway Commission ('COSO'). Based on this evaluation of the effectiveness of the Company’s internal control over financial reporting, in accordance with the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 ('SOX 404'), all members of the Management Board concluded that, as of December 31, 2014, the Company’s internal control over financial reporting was effective and provides reasonable assurance for the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. In addition, to the best of the knowledge of the Management Board, the management report includes a fair review of the development and performance of the business and the position of the Company and the undertakings included in the consolidation as a whole, as well as a description of the principal risks and uncertainties that the Company faces. No changes to the Company’s internal control over financial reporting have occurred during 2014 that have materially affected, or are reasonably likely to materially affect, the Company’s internal control over financial reporting.
All internal control systems, no matter how well designed and implemented, have inherent limitations. Even systems determined to be effective may not prevent or detect misstatements or fraud and can only provide reasonable assurance with respect to disclosure and financial statement presentation and reporting. Additionally, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate because of changed conditions and that the degree of compliance with the policies or procedures may deteriorate.
In view of all of the above, the Management Board believes that it complies with the requirements of rule II.1.5 of the Code.