Enterprise Risk Management

For the implementation of risk management, we use the PGGM risk framework to structurally provide insight into, monitor and report on risks. PGGM’s Risk Framework is based on the COSO Enterprise Risk Management methodology accepted internationally as standard. Risk management at PGGM is organized in accordance with the generally accepted ‘Three Lines Model’. Responsibility and primary risk management lie with line management (first line). Risk Management & Compliance (second line) supervise and report on the risks. Internal Audit (third line) assesses whether the management demonstrably complies with the different requirements stipulated in relation to risk management. 

Risk and risk appetite

With every decision, risks are taken, consciously and unconsciously, in order to realise certain objectives. In order to determine whether we are willing to run a particular risk, and to what extent, it is necessary to determine our risk appetite. If a risk is assessed as lying beyond the risk appetite, extra control measures are necessary in order to bring this risk within the limits of the risk appetite. The risks and the accompanying risk appetite are divided into three risk clusters: Corporate, Service Provision and Reputation. We have also made a distinction in relation to certain risks between risk appetite in a ‘running the business’ situation (execution) and risk appetite in relation to ‘changing the business’ situations. This is based on the thinking that continuity and reliability weigh the heaviest in the performance of our service provision, while major change programmes sometimes require more latitude for experimentation and learning, for example in the event of innovation. 

The risks identified are generally subject to a ‘low’ risk appetite. A different risk appetite is substantiated for specific risks. PGGM has a low risk appetite for fraud and integrity incidents. PGGM applies the PGGM Fraud Risk Management Framework to manage the risk of fraud. PGGM also conducts a systematic integrity risk analysis (SIRA) throughout the company each year. PGGM therefore has a well-formalised and measurable process for identifying and assessing the risks of fraud, including bribery and corruption.

A risk assessment is drawn up every quarter, which is then compared to the predetermined risk appetite. Operational incidents and other disruptions are also considered with the purpose of learning from them, discovering trends, and discussing underlying root causes. Based on the current risk assessment, it is determined whether additional measures are necessary and where future risks might occur. Line management (our investment teams) issues a quarterly In Control Statement (ICS)  about the pressing and current risks. Our annual target and ICS was issued every quarter in 2021. 

External developments affected the risk profile in 2021. Some of these risks were outside the risk appetite during the year (4 of the 17). Additional control measures have been identified for these risks and included in a risk plan. These results have been considered while determining the risk appetite for 2022, resulting in tightened defition and control instruments for a number of risks. 

Important to mention in this context is the current crisis between Ukraine and Russia. Currently geopolitical and global economic developments are anything but stable. This is expected to cause uncertainty and increased risks in various areas in 2022 and beyond. However, it is still too early to assess the extent and depth. PGGM Investments is monitoring developments closely and additional measures will be taken where necessary. Crisis teams are operational in both the financial and non-financial fields. Consultations are also taking place with our stakeholders, including our clients and DNB. 

Risk culture and assessment

A healthy risk culture is essential in effective risk management. Therefore, our risk culture focuses on risk-conscious actions in an open and honest environment. We hold each other accountable for responsibilities and results, but also reflect on behaviour in relation to our values, standards and objectives. An important tool for strengthening the risk culture and management is the introduction of management based on Objectives, Goals, Strategies, Measures (OGSM). This method is known to be useful for reaching higher levels of ownership and accountability, which translates into more specific quantitative and qualitative results and improvements, and greater risk awareness. In addition, the learning process has been partly formalised through the incident management process. This process aims at limiting the impact of incidents and learning from them, in order to help preventing the occurrence of similar incidents in the future.  
Please read more about the key risks and uncertainties in 2021 here