Risk management approach
ASMI can be adversely affected by a variety of business risks and economic developments. A structured risk management process helps management to better understand how risks might impact the Company and to take appropriate risk mitigation initiatives.
Doing business inherently involves taking risks. ASMI strives for a culture of openness and transparency in which identified risks are disclosed pro-actively and unexpected events are reported as soon as they occur. The following is an overview of ASMI’s approach to risk management and control systems. Also, we include an assessment of the key strategic, operational, financial and compliance risks that we consider currently impact ASMI.
As per January 1, 2015, ASMI no longer applies requirements based on the US Exchange Rules Act. This has as a result that this Risk Management paragraph has been changed in its form, and also means that the risks mentioned in this paragraph now reflects the risks to be reported in accordance with the Dutch law and requirements – among others the Dutch Corporate Governance Code (Code) and IFRS. The requirements as provided for in the (US) Exchange Rules Act are no longer applicable and therefore certain risks may not be mentioned any more in this Statutory annual report, however these risks may still be relevant.
RISK MANAGEMENT framework
A comprehensive Risk Management and Control Framework, based on the 'three lines of defense model', has been established that allows the Audit Committee and the Management Board a clear overview of the effectiveness of internal controls and risk management. Within the framework, the Management Board is responsible for designing, implementing and operating an adequately functioning Internal Risk Management and Control Framework in the Company. The objective of this framework is to identify and manage the strategic, operational, financial, financial reporting and compliance risks to which the Company is exposed, to promote effectiveness and efficiency in the Company’s operations, to promote reliable financial reporting and to promote compliance with laws and regulations. The Management Board is aware that such a framework can neither provide absolute assurance that its objectives will be achieved, nor can it entirely prevent material errors, losses, fraud and the violation of laws and regulations.
Supporting the Management Board are the following three pillars:
- Business & Operations management. These management functions own and manage risk, and are responsible for maintaining effective controls and for executing risk and control procedures on a daily basis. This involves identifying and assessing risks being undertaken and establishing appropriate controls to mitigate the risks. There are adequate management controls in place to monitor ongoing compliance and to highlight control breakdowns;
- Oversight functions. These management functions support Business & Operations management and help ensure that the risk and control procedures are operating as intended; and
- Internal Audit. This function provides independent objective assurance on the effectiveness of governance, risk management and internal controls including the manner in which Business & Operations Management and the oversight functions manage and control risk. Internal audit brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Our Internal Risk Management and Control Framework is based on the framework in Internal Control – Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The Framework aims to provide reasonable assurance regarding effectiveness and efficiency of an entity’s operations, reliability of financial reporting, prevention of fraud, and compliance with laws and regulations.
We have embedded an Internal Risk Management and Control Framework in the Company. Within the Framework, we continue to enhance our identification and assessment of our strategic, operational, financial, financial reporting and compliance risks, and continue to expand our risk management policies. We have identified key controls over financial reporting and embedded these in common business and financial reporting processes to provide further assurance for the reliability of our financial reporting.
Undertaking business activity inevitably leads to taking risks. Risk appetite is the level of risk we deem acceptable to achieve our objectives. ASMI’s risk appetite is primarily established based on the defined and agreed strategy and the individual objectives within this strategy. Risk appetite is further guided by our code of ethics as well as detailed policies and procedures.
Our risk appetite differs per risk type:
- Strategic risks: we aim to deliver on our strategic ambitions and priorities, and are willing to accept reasonable risks to achieve this;
- Operational risks: we face operational challenges which require an appropriate level of management attention. The overall objective is to avoid risks that could negatively impact our goal to achieve operational efficiency, while ensuring our quality standards are unaffected;
- Financial risks: our financial strategy is focused on a strong financial position and creating long-term value for our shareholders; and
- Legal and regulatory risks: we strive to be fully compliant with our code of conduct and national and international laws and regulations of the markets in which we operate.
The internal audit function of ASMI forms one of the key elements to address the topics of risk management and internal control over financial reporting as required under the Code. To ensure the independence of this function, the Director Internal Audit reports to the Management Board and the Audit Committee. The Audit Committee is involved in reviewing and approving the audit plan for the year which the internal auditor executes.
The internal auditor regularly provides updates on its findings to the Audit Committee.
CONTROL EFFECTIVENESS STATEMENT
The Management Board is responsible for ASMI’s Internal Risk Management and Control Framework. This system is designed to manage the main risks that may prevent ASMI from achieving its objectives. However, this system cannot provide absolute assurance that material misstatements, fraud and violations of laws and regulations can be avoided. The Internal Risk Management and Control Framework and the evaluation of the effectiveness of our internal controls and areas for improvement are regularly discussed with the Audit Committee and KPMG Accountants, our external auditor. The Audit Committee reports on these matters to the Supervisory Board.
The Management Board conducted an evaluation of the effectiveness of our internal control over financial reporting based on the Internal Control – Integrated Framework issued by the COSO. Based on this evaluation of the effectiveness of the Company’s internal control over financial reporting, all members of the Management Board concluded that, as of December 31, 2015, the Company’s internal control over financial reporting was effective and provides reasonable assurance for the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. In addition, to the best of the knowledge of the Management Board, the management report includes a fair review of the development and performance of the business and the position of the Company and the undertakings included in the consolidation as a whole, as well as a description of the principal risks and uncertainties that the Company faces. No changes to the Company’s internal control over financial reporting have occurred during 2015 that have materially affected, or are reasonably likely to materially affect, the Company’s internal control over financial reporting.
All internal control systems, no matter how well designed and implemented, have inherent limitations. Even systems determined to be effective may not prevent or detect misstatements or fraud and can only provide reasonable assurance with respect to disclosure and financial statement presentation and reporting. Additionally, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate due to changed conditions and that the degree of compliance with the policies or procedures may deteriorate.
In view of all of the above, the Management Board believes that it complies with the requirements of best practice provision II.1.5 of the Code.