Risk identification and prioritization

We identify compliance risks through several processes, including:

  • Enterprise Risk Management (see Risk Management)
  • Internal control self-assessments
  • Non-Financial Letter of Representation (NFLoR)
  • Monitoring of legal developments
  • SpeakUp! investigations
  • Compliance training
  • Supplier self-assessments
  • Internal audits
  • Business partner audits
  • Value chain due diligence

As part of the NFLoR process, every business and major function identifies its inherent and residual compliance risks and reports this in a Compliance Risk Overview to the relevant Executive Committee member as part of the newly introduced Risk Compliance and Control reporting process (see Governance and organization). In turn, the Executive Committee members report the compliance risks to the CEO.

In 2018, the top five inherent compliance risks were in the field of competition law, environmental law, bribery, fraud and data protection. Action plans are in place to mitigate these risks.