Enterprise Risk Management Policy - EN

Page 1

Enterprise Risk Management Policy WDP Group


1.

Risk philosophy

The strategy of WDP is aimed at creating sustainable value for its clients, its shareholders and all its stakeholders. Whilst preserving the long-term value of its properties and solid operational and financial KPIs, WDP aimes to create a robust and growing income and dividend stream. WDP’s operations are exposed to a number of internal and external risks, or uncertainty factors that could impact the Group’s ability to achieve its overall strategic objectives. The Group's risk management focusses on risk awareness and on control and/or mitigation of real risks or threats whilst allowing controllable risks (combined with opportunities) in pursuit of generating and protecting value for its shareholders, clients and other stakeholders. This implies the Group has a rather low to medium appetite for risk, which is integrated in its decision-making processes in the execution of its strategic objectives. The Group is convinced that risk management should be an integral part of the culture of the organization to foster an environment in which people are movitated to identify and cope with risks and ensuring the necessary transparency with regard to any possible risks.

2.

Scope

The Group's enterprise risk management policy applies equally and fully to its entire operations (i.e. across all WDP entities, geographies, functions etc.).

3.

Methodology

When it comes to risk management, WDP applies an integrated approach based on the ‘three lines of defence model’. This model determines how specific responsibilities can be assigned within WDP’s organisation with a view to achieving WDP’s objectives and control of the associated risks. This approach contributes to reinforcing the risk culture, taking responsibility for managing risks and internal control and continued optimisation and integration of independent control functions (risk management, compliance, internal audit). • First line – ownership and management of risks and control Business itself is responsible for all risks of its own processes and must ensure their identification and effective controls. Here, business ensures that the right controls are conducted properly, that selfassessment by business is of adequate quality, that risk awareness is sufficient and that adequate capacity is allocated to risk matters. WDP NV | BE-REIT (Public RREC under Belgian law) | Blakebergen 15 | 1861 Wolvertem | Belgium | +32 (0)52 338 400 info@wdp.eu | www.wdp.eu | Company number: 0417.199.869 | VAT BE 0417.199.869 | RLE Brussels Dutch section

Enterprise Risk Management Policy | 2


Risk management is an integral part of running the Group. It ranges from day-to-day financial and operational management – including the four-eyes principle – analysis of new investment files and formulation of strategy and objectives, to strict and firmly established decision-making procedures. For this reason, risk management is the responsibility of the entire WDP Group, i.e. across all layers of the organisation, with different responsibilities at each level. • Second line – continuous monitoring of risks and control These functions offer support to business and management by applying expertise and formulating an opinion independently of business with regard to the risks facing WDP: risk management function, compliance function, financial control function, IT security function. These functions offer proper certainty that business itself (via first-line management) has its risks under control. Evidently, primary responsibility still lies with the first line. For this, the second line functions serve to identify, measure and report risks. • Third line – provision of an independent control system The internal audit can be understood as an independent assessment function embedded in the organisation, focusing on examination and evaluation of proper functioning, effectiveness and efficiency of the processes, procedures and activities of WDP. This may involve areas such as operational matters (quality and suitability of systems and procedures, organisational structures, policy lines and methods and resources used to meet objectives), financial matters (reliability of accounting, annual financial statements and the financial reporting process) and compliance with applicable accounting and other regulations, management matters (quality of the management function and staff services with respect to Group objectives), as well as the function of the compliance officer and the risk manager.

WDP NV | BE-REIT (Public RREC under Belgian law) | Blakebergen 15 | 1861 Wolvertem | Belgium | +32 (0)52 338 400 info@wdp.eu | www.wdp.eu | Company number: 0417.199.869 | VAT BE 0417.199.869 | RLE Brussels Dutch section

Enterprise Risk Management Policy | 3


4.

Governance

From a governance perspective, our integrated approach combines a top-down strategic view with a complementary bottom-up operation process.

The Board of Directors has overall responsibility for oversight of risk and for maintaining a robust risk management and internal control system. The Board of Directors recognises the importance of identifying and actively monitoring market, strategic, operational, financial, compliance risks and other longer-term threats, trends and challenges facing the business. The Audit Committee supports the Board of Directors in the management of risk and is responsible for reviewing the effectiveness of the risk management and internal control processes during the year. The members of the Management Committee are responsible for the day-to-day management of risk within their respective business units. Therefore the members, together with their respective teams, identify the key and emerging risks and ensure ownership for the internal follow-up and monitoring of such risks. Next to that the Management Committee focusses on the evaluation of the proposed strategies for risk management, as well as on the design, implementation and evaluation of the internal control. WDP NV | BE-REIT (Public RREC under Belgian law) | Blakebergen 15 | 1861 Wolvertem | Belgium | +32 (0)52 338 400 info@wdp.eu | www.wdp.eu | Company number: 0417.199.869 | VAT BE 0417.199.869 | RLE Brussels Dutch section

Enterprise Risk Management Policy | 4


Executive and management personnel may also attend meetings of the Audit Committee or the Management Committee in order to provide relevant information and insights relating to their areas of responsibility. The role of risk manager within WDP is performed by the CFO. His function, which allows a global overview of the Group in all its facets, ensures the effective operation of the risk management activities. The risk manager performs this role by conducting an analysis of the risks facing the Group , broken down by category, both at regular intervals and on an ad-hoc basis. Such analysis is done in close collaboration with the compliance officer and the different risk ambassadors across the business. Furthermore, the risk manager is responsible for tasks such as drafting, developing, monitoring, updating and implementing the enterprise risk management. The risk manager oversees and provides support to the network of risk ambassadors across the business. When necessary, the risk manager facilitates risk escalations. For each business platform a risk ambassador has been appointed. The risk ambassadors should be considered as being the single point of contact for the WDP employees when they are in need to report a (potential) risk. To this end, a low threshold reporting system has been set up to enable every employee within #TeamWDP to report (potential) risks in an accessible and userfriendly way. The risk ambassador offers guidance in assessing and mapping the risk within the boundaries of the risk assessment tool. For each risk in the risk register, a non-exhaustive set of key risk indicators has been developed in order to serve as an early signal of increasing risk exposure and to provide concrete guidance for assessing risks. Next to this, the risk ambassadors are critical in promoting a positive risk culture across the business and raising risk awareness. Internal audit provides assurance to the Audit Committee in evaluating the design and the operating effectiveness of the risk management and internal control processes, through independent review (see the Corporate Governance Charter for more information on the internal audit function). Also, the risk management function is reviewed on a yearly basis by an independent consultant, the results of which are presented to the Board of Directors.

5.

Risk culture

WDP is convinced that embedding risk management in the day-to-day functioning of #TeamWDP will enable WDP to get the most out of its enterprise risk management. We strive for a risk culture where everyone within #TeamWDP understands WDP’s approach to risk, feels comfortable talking openly and honestly about risk, takes personal responsibility to manage risk in everything they do, involve others when that is the better approach and encourage others to follow. We therefore make sure that the risk infrastructure is in place and focus on the risk awareness within WDP through the roll-out of risk management training sessions, the availability of risk ambassadors, the commitment of the members of the Management Committee, the creation of a culture of constructive challenge.

WDP NV | BE-REIT (Public RREC under Belgian law) | Blakebergen 15 | 1861 Wolvertem | Belgium | +32 (0)52 338 400 info@wdp.eu | www.wdp.eu | Company number: 0417.199.869 | VAT BE 0417.199.869 | RLE Brussels Dutch section

Enterprise Risk Management Policy | 5


6.

Risk appetite

The Board of Directors determines the risk level acceptable to WDP in order to achieve its strategic objectives. At least on an annual basis the Board of Directors reviews the risk appetite of the business, reassesses the information available and the risk factors that are relevant. This dynamic approach ensures our risk exposure remains appropriate at any point in time. The risk dashboard – the reporting tool towards the Board of Directors – also sets out the risk appetite for each risk in a range going from near-zero tolerance over limited risk taking to an open risk appetite where potential losses would be accepted. The Group operates within a cautious to balanced overall risk range. The near-zero tolerance or cautious appetite relates to legal, regulatory, HSES, compliance as well as financial risks. A limited to balanced risk appetite applies to the Group's strive towards its strategic and operational objectives.

7.

Risk management process

7.1

General

The market environment and the overall statutory and regulatory conditions to which WDP is subject are constantly evolving. WDP has implemented a risk management system that ensures that the risks that are relevant to the Group can be identified, evaluated, managed and monitored. This reduces risk potential, supports its strategic development and promotes responsible entrepreneurial action. In 2021, the Group’s enterprise risk management policy was reviewed, enhanced and brought into line with the current complexity, dimension and strategic goals of WDP, as well as changing contexts such as regulation, ESG and climate change. •

• •

First of all, the risk manager has developed a risk register acting as a repository of the risks the business is facing. Risks are categorised and labeled (trend, term, source, type). This risk register has been challenged and validated by the Management Committee and the Audit Committee, before being presented to and approved by the Board of Directors. Following the approval of the risk register, the Board of Directors has determined the risk appetite for each of the risks and – after a risk assessment – defined the risk value of each risk. In addition, on an annual basis, the Board of Directors will perform an in-depth assessment on the Group’s enterprise risk management as such periodical review and monitoring ensures continuous improvement of WDP’s risk management (e.g. identification of new risks, enhancing WDP’s resilience, adjusting the risk appetite level, alignment between enterprise risk management and WDP’s strategic objectives, valuating the appropriateness of the risk assessment tool etc.). WDP NV | BE-REIT (Public RREC under Belgian law) | Blakebergen 15 | 1861 Wolvertem | Belgium | +32 (0)52 338 400 info@wdp.eu | www.wdp.eu | Company number: 0417.199.869 | VAT BE 0417.199.869 | RLE Brussels Dutch section

Enterprise Risk Management Policy | 6


The risk register divides WDP’s risks into five overall types of risk to facilitate risk identification: •

Market

Strategic

• • •

Operational Financial Compliance

7.2

Risks that are induced by external factors such as business, economic or interest rate cycles Risks that impact or are invoked by the Group's business strategy and objectives setting Risks inherent to business activity and operations Financial risks include liquidity, credit, valuation, budgeting and reporting risks Risks to legal and regulatory compliance as well as political and ethical risks

Risk identification

Given the fact that risks constantly evolve, increase, decrease and/or emerge in function of the external environment, as well as in function of the Group’s strategic objectives and performance, WDP considers the identifiction of risks to be a continual process. Therefore the network of risk ambassadors across the business, in conjunction with ongoing discussions with management, external advisors and stakeholders, is key to identify the risks WDP is facing throughout the year. This risk identification is performed at least on a quarterly basis by the risk ambassadors based on the input from #TeamWDP through the reporting tool or directly to a risk ambassador. Such input is discussed during dedicated risk ambassador meetings.

7.3

Risk evaluation

On a quarterly basis, the risk manager conducts an analysis and evaluation of the risks reported through the various departments and countries, with attention to the potential negative impact, the expected value in terms of materialisation of the risk, as well as the degree of control of the risk. This analysis is done in collaboration with the compliance officer and the different risk ambassadors across the business, supported where necessary by specialised (external) advisors. WDP uses a risk assessment tool to ensure risks are evaluated consistently. This tool considers on the one hand the likelihood and on the other hand the negative impact on WDP’s operations and processes, on its operating results, on its reputation, on the compliance of the Group (legal, healh & safety, ….). Both impact and likelihood are measured by preference in quantative terms and if not possible in qualitative terms, always corresponding to a scale of 1-5 (very low, low, medium, high, very high). By multiplying these two components (impact x likelihood) a risk value for each risk is determined. When evaluating the risks, we consider the inherent or the gross risk (the level of the risk before any mitigation action) and the residual or the net risk (the risk that remains after we consider the effect of mitigating actions and controls). The risks are assessed individually and collectively, and it is determined how well the Group controls these risks and what the action points should be in order to control them as well as in order to limit the residual risk as much as possible. WDP NV | BE-REIT (Public RREC under Belgian law) | Blakebergen 15 | 1861 Wolvertem | Belgium | +32 (0)52 338 400 info@wdp.eu | www.wdp.eu | Company number: 0417.199.869 | VAT BE 0417.199.869 | RLE Brussels Dutch section

Enterprise Risk Management Policy | 7


Within this context, a scenario analysis is also drawn up in function of the expected value of each scenario and the possibilities to avoid or remediate a risk, in so far as this can be influenced. Such sensitivity analysis and stress testing is currently performed on both financial (credit, liquidity, market) and non-financial risks (operational, regulatory, legal, solvency). In the near future WDP will also perform sensitivity analysis on the level of climate change risks (a.o. based on the reporting in line with the requirements of TCFD). This analysis also helps us identify high dependencies on internal controls (e.g. for relatively high gross risk and relatively low residual risk), which will underpin the focus of the work of the internal audit function.

7.4

Risk management

Based on the above evaluation, the implementation of risk management can be done through different methods: • Prevent (eliminate, withdraw from or not get involved in) • Mitigate (reduce or optimise) • Share (transfer - outsource or insure) • Retain (accept and budget) For example: • Take all reasonable steps to avoid the risk • Proactive response • Trying to turn risk into opportunity • Trying to influence the expectation value • Trying to change the outcome • Hedging against the consequences and/or shifting responsibility for consequences Ownership and management of the risks are assigned to members of #TeamWDP. They are responsible for ensuring the operating effectiveness of the internal control systems and for implementing risk mitigation plans.

7.5

Risk monitoring

Once risks are identified, assessed, and a response is decided upon, the risks are monitored to see what has changed and how it impacts the organization. The risk monitoring is embedded in the process of enterprise risk management and the responsibility for monitoring is at the different levels of the organisation: #TeamWDP, the Management Committee, the Board of Directors. This enables the Group to ensure that controls are effective and efficient in both design and operation, that emerging risks can be identified, that the process of risk assessment can be further improved, that changes in the external and internal context can be detected which may require a revision of certain mitigation actions or priorities set.

WDP NV | BE-REIT (Public RREC under Belgian law) | Blakebergen 15 | 1861 Wolvertem | Belgium | +32 (0)52 338 400 info@wdp.eu | www.wdp.eu | Company number: 0417.199.869 | VAT BE 0417.199.869 | RLE Brussels Dutch section

Enterprise Risk Management Policy | 8


7.6

Internal risk reporting

The result of the quarterly analysis, the evaluation of the risks as well as the formulation of concrete recommendations to the other departments of WDP, is formalised in a risk dashboard under the supervision of the risk manager, which is discussed in detail in the Management Committee. Based on the performed risk evaluation, taking into account the mitigating actions and controls, and the judgment of the risk manager, it is determined which risks are withheld for reporting through the risk management dashboard. Where necessary, the risk dashboard is further adjusted for subsequent submission by the risk manager to the Audit Committee and Board of Directors for pointing out the most significant risks affecting WDP’s strategic goals. The risk manager discusses also the main developments in the area of risk based on key metrics and supporting materials. Taking into account such input, the Audit Committee and the Board of Directors conduct quarterly evaluations of the risks to which the Group is exposed and take the necessary decisions based on these evaluations (such as with regard to setting the interest rate hedging strategy, evaluation of tenant risks, etc.).

8.

External risk reporting

WDP’s annual report includes a list of specific and material risk factors with their description and an estimate of the potential impact of these risks, as well as the mitigating factors and some examples of key risk indicators. WDP values transparency and thus communicates to its stakeholders on this topic of risk and risk management both on an ad hoc basis as through the periodic reporting in the quarterly press releases.

9. •

• •

Glossary Enterprise Risk Management Policy: the extensive description of how WDP handles the topic of risk within its organization stating WDP’s risk philosophy, risk approach, risk assessment; all this is formalized in the document/policy “Enterprise Risk Management Policy”. Risk philosophy: the set of shared beliefs and attitudes that characterise how risk is considered in our organizational activities. Risk register: a repository of the risks WDP’s business is facing. Such risks are categorised and labeled (trend, term, source, type). This non-exhaustive list is updated on a yearly basis based on an in-depth assessment and challenged and validated by the Management Committee and the Audit Committee. Finally it is submitted for approval to the Board of Directors. Risk assessment tool: assesment tool including the risk mapping criteria and the impact&likelihood matrix.

WDP NV | BE-REIT (Public RREC under Belgian law) | Blakebergen 15 | 1861 Wolvertem | Belgium | +32 (0)52 338 400 info@wdp.eu | www.wdp.eu | Company number: 0417.199.869 | VAT BE 0417.199.869 | RLE Brussels Dutch section

Enterprise Risk Management Policy | 9


• • •

Key Risk Indicator: an inidicator serving as an early signal of risk exposure and providing concrete guidance for assessing risks. Risk dashboard: reporting tool towards the Board of Directors and the Management Committee. Risk ambassadors: the single point of contact for the WDP employees when they are in need to report a (potential) risk. The risk ambassador offers guidance in assessing and mapping the risk within the boundaries of the risk assessment tool.

WDP NV | BE-REIT (Public RREC under Belgian law) | Blakebergen 15 | 1861 Wolvertem | Belgium | +32 (0)52 338 400 info@wdp.eu | www.wdp.eu | Company number: 0417.199.869 | VAT BE 0417.199.869 | RLE Brussels Dutch section

Enterprise Risk Management Policy | 10