Softline Global Policy on Enterprise Risk Management
Risk management is an essential and integral part of strategic business planning and decision making that assists in achieving objectives and strengthens the ability to respond to the challenges faced.
Risk is inherent in everything we do, and Softline, as a global and growing organization, must be aware of its risks in order to be successful and sustainable. To be effective, the organization must evaluate the uncertainties and implications within options as well as manage impact once choices are made. When done well, effective risk management can also give us a competitive edge; our customers are looking for a partner they can trust to help them manage their own risks, so if we can manage risk better than our competitors, it can help us to capitalize on growth opportunities.
As with all aspects of good governance, the effectiveness of risk management depends on the individuals responsible for operating the systems put in place. Our risk culture encourages openness, supports transparency, welcomes constructive challenge and promotes collaboration, consultation and co-operation.
2. Scope of Enterprise Risk Management
Enterprise risk management should be considered in relation to strategic, tactical and operational objectives. It will therefore include external factors such as natural disasters and the regulatory environment, and internal factors such as our leadership and service delivery as listed below.
Risks from partners, vendors & customers
Intellectual property Agreements
Systems, e.g. Information Security, Supply Chain, Financial
3. Purpose of this Document and Audience
The purpose of this document is to set out the key requirements for Softline Group’s risk management, with the focus on enterprise risk management and the framework. The document is intended for:
Executive and Non-Executive members of the Board of Directors
Audit Risk Committee members
Ethics & Compliance Business Partners
Policy leads, etc.
Whilst the key stakeholders identified above are key to effective management and leadership of risk, everyone in Softline, regardless of seniority, should think of risk management as an important aspect of their role and of the culture of Softline.
4. Terms and Definitions
Any defined terms in this Policy are in bold. The defined terms used in this Policy shall have the following meanings.
Risk is the ‘effect of uncertainty on objectives’. The effects can be negative, positive or both. Risk is usually expressed in terms of causes, potential events and their effects.
Risk Management is a process applied in strategy-setting and across the enterprise, designed to: (i) identify potential events that may affect the organization and lead to significant losses; (ii) manage prioritized enterprise risks to be within its risk appetite; (iii) provide reasonable assurance regarding the achievement of the company’s objectives to internal and external stakeholders.
Enterprise Risk is a risk or combination of risks that can seriously affect the performance, future prospects or reputation of the organization.
Enterprise Risk Management’s objective is the continuous improvement that enables the organization to achieve its strategic objectives, meet regulatory requirements & protect reputation via: (i) enterprise oversight of the organization’s health; (ii) effective decision making; (iii) providing strategic direction to manage enterprise risks effectively across the organization; (iv) driving accountability and performance.
Framework is the collection of information and principles that form the structure of an organization’s approach to run systemic processes.
Risk Mitigation Strategy involves taking action to reduce an organization's exposure to potential risks and reduce the likelihood that those risks will happen again.
Governance is the system by which the organization is directed and controlled. It is concerned with structure and processes for decision making, accountability, control and behavior at the top of the organization.
Committee is a group of persons convened for the accomplishment of some specific purpose, typically with formal protocols.
Global Business Unit in Softline Group is a part of an organization that represents a specific line of business and is part of a company’s value chain of activities including operations, accounting, human resources, marketing, sales, and supply-chain functions, e.g. Softline Russia & CIS, Softline International & Axoft. There are further regional, country and/or cluster structures underneath those Global Business Units.
5. Enterprise Risk Management Framework
The risk management framework supports the consistent and robust identification and management of opportunities and risks within desired levels across an organization, supporting openness, challenge, innovation and excellence in the achievement of objectives. For the risk management framework to be considered effective, the following principles shall be applied:
A. Risk management shall be an essential part of governance and leadership, and fundamental to how the organization is directed, managed and controlled at all levels.
B. Risk management shall be an integral part of all organizational activities to support decision‑making in achieving objectives.
C. Risk management shall be collaborative and informed by the best available information and expertise.
Risk management processes shall be structured to include:
A. risk identification and assessment to determine and prioritize how the risks should be managed;
B. the selection, design and implementation of risk treatment options that support achievement of intended outcomes and manage risks to an acceptable level;
C. the design and operation of integrated, insightful and informative risk monitoring; and
D. timely, accurate and useful risk reporting to enhance the quality of decision-making and to support management and oversight bodies in meeting their responsibilities.
E. Risk management shall be continually improved through learning and experience.
The BoD is in charge of the management of the organization's business by: (i) making the strategic and operational decisions, (ii) ensuring that Softline Group meets its statutory obligations.
6.2 Audit & Risk Committee (ARC)
The Audit and Risk Management Committee is responsible for assisting the Board of Directors in monitoring the overall risk management framework, the financial reporting, ethics and compliance processes, the performance of auditors and overseeing the audit program.
6.3 Risk Oversight Compliance Committee (ROCC)
The key role of ROCC is to promote, oversee and further improve a culture of adherence to the organization’s standards of Enterprise Risk Management, Ethics & Compliance within Softline:
Every year, the ROCC reviews external, internal operational, legal and compliance risks facing Softline Group and agrees a list of the most significant “Enterprise Risks”.
Enterprise risk strategies are maintained for those risks identified by the ROCC requiring particular coordination across Softline. Each Enterprise Risk has a designated senior leader as the Enterprise Risk sponsor who will be responsible for the following:
Establishing the governance structure
Sponsoring, establishing and managing the Enterprise Risk mitigation strategy
Approving or seeking approval from ROCC of the respective written standards and controls
Oversight of risk mitigation strategy delivery against a clear timeline
Reporting the status of the risk mitigation strategy
The Enterprise Risk Sponsor will subsequently identify a senior Responsible Person who will:
Establish and manage the Enterprise Risk mitigation strategy
Own the risk mitigation strategy and delivery against clear timelines
Support/manage the governance structure
Written standards & controls: creation/update, communication & training
Engage with the business and functions to assess the risk
Manage and monitor the status of the mitigation strategy for reporting
The ROCC has the mandate to oversee the risk management and internal control systems for our Enterprise Risks. This includes ensuring a robust process exists for the business to identify the risks that are significant to the Company and monitor the effectiveness of internal controls implemented to manage those risks.
The ROCC ensures timely and appropriate reporting and escalation of risks to Softline’s Board of Directors via the Audit and Risk Committee.
Significant business challenges should be considered as part of the annual planning processes (e.g. strategy, financial) including any impact these plans might have on the management of Enterprise Risks.
Further details are included in the Risk Oversight Compliance Committee Terms of Reference.
6.4 Risk Management & Compliance Committee (RMCC)
Global Business Units are accountable for setting up the most effective hierarchical structure of Risk Management and Compliance Committees, e.g. regional and/or country, etc., to ensure appropriate risk management and implementation of internal controls for relevant Enterprise Risks within their scope of accountability, including assessment and monitoring of controls effectiveness.
RMCCs may choose to assign Risk Owners for each applicable Enterprise Risk and align their activities to support enterprise risk strategies. RMCCs review each applicable Enterprise Risk at least once a year.
RMCCs meet at least quarterly to review mitigation of applicable risks and discuss emerging risks in the external or internal environment.
RMCC membership must include representation for all the major parts of the business operating units, e.g. Commercial, IT, HR, Finance, etc., as agreed with their Compliance Business Partner and respective ROCC member (as needed).
The framework includes a mechanism to ensure that employees take accountability for identifying and escalating encountered risks so they can be appropriately managed.
Global Business Unit Heads report to the ROCC and/or Audit Risk Committee annually in regard to their oversight, including how their activities support applicable enterprise risk strategies.
6.5 Global Ethics and Compliance & Enterprise Risk Management
The Global Chief Compliance Officer compiles an annual report on the implementation of risk management and internal control for the ROCC and, via the Audit Risk Committee, the Board of Directors; this report shall be used as the input into Softline’s Annual Risk Report intended for regulators and investors.
The Head of Enterprise Risk Management, who reports to the Global Chief Compliance Officer, defines the company’s risk management framework in consultation with the senior business leaders and the steps of risk assessment (identification, analysis and evaluation), appropriate risk treatment in line with the risk posed, and monitoring and review of risks to assure the risk is adequately mitigated.
The Ethics and Compliance Business Partner, together with the business, shall implement a robust system of risk management and internal control.