The Corporate Risk Manager supports the Management Board in taking their responsibility for maintaining and continuously improving this framework. The business units and the holding company go through a systematic process of identifying and evaluating risks and controls and, where necessary, improving the way in which risks are managed.
In the above-described reports and consultative structures, business units and staff functions report on their activities, including on the effectiveness of their risk management activities. Twice a year, business unit management signs a letter of representation that contains financial reporting statements and other statements regarding risk management, corporate social responsibility, integrity and compliance with the code of conduct, the accounting manual, statutory provisions and compliance with other rules and regulations. The outcomes of the internal risk and control evaluation process and the letter of representation process are discussed in the Management Board and reported to the Audit Committee.
In 2013 an Internal Audit function was established. The scope of Internal Audit encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of Corio’s governance, risk management, and internal controls. The annual Internal Audit plan is risk-based and is approved by the Audit Committee after consultation with the Management Board and the external auditor. The Head Internal Audit leads the internal audits, and works in conjunction with other Holding or BU functions. Findings and recommendations from the internal audits are discussed with the auditees, who then develop action plans and set deadlines to address these points. The internal audit reports are submitted to the Management Board and the Audit Committee. Progress with the action plans is monitored through periodic follow-up audits.
The aforementioned processes make the risks and the areas requiring improvement in the internal control systems transparent. It is always possible, however, for circumstances to arise in which unidentified risks become apparent or in which the impact of identified risks is greater than originally estimated.