As an international operator in a fast-moving sector, the CANCOM group faces many risks and opportunities, which may have consid- erable impact on CANCOM’s business performance, and thus also on its financial and assets position and profits. There are always certain risks associated with business opportunities. CANCOM’s aim, therefore, is to achieve a sustainable increase in the value of the company for our stockholders by means of an optimal balance between the risks and opportunities.
Risk and opportunity management
One of the basic principles of responsible business management based on stockholder value maximization is that management should exploit business opportunities while at the same time anti- cipating and controlling the associated risks.
CANCOM’s management closely monitors market trends and assesses the competitive situation, using the information it finds to identify potential opportunities in the relevant business areas and set appropriate targets and measures at annual planning meetings with the Executive Board and operational management.
Ongoing risk management, on the other hand, is necessary for efficient monitoring and early identification of risks and is thus also an integral component of the strategic and business develop- ment as well as the internal monitoring and control system of the CANCOM group. CANCOM’s risk management system is aimed at identifying as early as possible any risks that could endanger the future of the company as a going concern, and/or substantial business risks, and dealing with them in a responsible way.
Risk management system
The internal control and risk management system in relation to the group accounting process
The internal control and risk management system at CANCOM in relation to the (group) accounting process includes guidelines, procedures and measures intended to ensure that the accounting process complies with the relevant laws and standards. The main features of the system are as follows:
• CANCOM has a clear management and corporate structure, in addition to a schedule of responsibilities. Cross-departmental key functions are centrally controlled by CANCOM SE. • The functions of the business areas with the greatest invol-
vement in the accounting process are clearly divided. The areas of responsibility are clearly allocated.
• Integrity and responsibility in regard to finance and financial reporting are safeguarded by a commitment made to this effect in the company’s internal code of conduct.
• CANCOM takes care to analyze new laws, accounting stan- dards and other announcements, as failure to comply with them would pose a major risk to the correctness of CANCOM’s accounting processes.
• Appropriate facilities are in place in the IT department to pro- tect CANCOM’s financial systems against unauthorized access. Where possible, standard software is used in the financial systems.
• There is an integrated approach to corporate governance, in which all elements – risk management, compliance manage- ment, the in-house audit department and the internal control system (ICS) – influence each other. The effectiveness of the various elements is regularly checked.
• An appropriate system of guidelines (for example payment and travel cost guidelines etc.) is in place, and is continuously up- dated. The main assets of all the companies are regularly tested for impairment, and there is a manual that covers the checking of all accounting-related processes.
• All accounting-related processes are subject to cross-checking.
• Accounting-related processes are inspected by the in-house audit department, which is independent of these processes.
• Both the risk management system and the internal control sys- tem (ICS) have appropriate measures for the control of accoun- ting-related processes.
• Departments and divisions involved in the accounting process are equipped with appropriate resources, in terms of both quan- tity and quality.
• Accounting data received and passed on is continually checked in order to ensure it is complete and correct. This is done by me- ans of spot checks, among other methods. There is a three-stage system for checking the correctness of financial statements. First, single-entity financial statements are generated by the fi- nancial accounting department. In a second control stage, group accounts are prepared and consolidated figures produced; and in the third stage a review is carried out by managerial staff of the finance department.
The internal control and risk management system with regard to the accounting process is intended to ensure that company data is always correctly recorded, processed and acknowledged in the balance sheet, and included in the financial statements.
A proper, consistent and continuous accounting process is depen- dent on skilled and qualified staff, the use of appropriate software, and clear legal and corporate guidelines. A well-defined demar- cation of responsibilities and various controlling and checking mechanisms, as described above (especially plausibility checks and cross-checking), ensure that accounting is carried out correctly and responsibly.
In particular, the process creates the necessary organizational structure for recording, processing and documenting business transactions and entering them immediately and correctly in the accounts in compliance with the legal requirements, the by-laws and the internal guidelines. At the same time the process provides for assets and liabilities in the annual and consolidated financial statements to be accurately recognized, reported and valued, and for comprehensive, reliable and relevant information to be made available quickly.
Risk identification, analysis and documentation
To identify risks and ensure that the risk control system is ad- equate, the Executive Board has formulated risk principles and appointed a central risk officer to monitor and evaluate risks. One of the prime objectives of risk management is the early identifica- tion of major risks and those that might jeopardize the future of the company as a going concern, as well as the initiation of appro- priate measures as part of the risk control process to minimize or prevent any loss caused to the enterprise when a risk materializes. CANCOM has put together a risk manual, which documents the organizational rules and measures for risk identification, analysis, evaluation, quantification, management and control. The manual also describes the appropriate way to handle business risks at CANCOM.
CANCOM’s risk evaluation process starts by grouping the identi- fied risks into thematic clusters. The probability that these risks will materialize is then assessed and the potential loss determined. All the risks identified become the responsibility of a special appointee. If the risks are quantifiable, they are measured with the aid of appropriately defined key figures. If no precisely defined ratios are available, the risks are assessed by the special appointee. Three categories are used to distinguish between the levels of probability that a risk will materialize: low, medium and high. The severity of the potential loss associated with the individual risk is also ranked according to these categories. The individual risks are arranged in a risk matrix, where they are allocated to various risk classes according to the above dimensions. The tables below outline the two dimensions and show the resulting risk matrix.