Annual Report 2013

2.4 // Risk management

An efficient system designed to manage uncertainty

DIA has a risk management model at the corporate and country levels. It is designed to enable the organisation to successfully manage uncertain scenarios. The system detects, evaluates, prioritises and manages the risks that could impede or hinder the company’s ability to deliver the strategic targets set. It relies on COSO II methodology and is supported by an advanced IT system.

DIA defines risk as any internal or external contingency that, if it were to materialise, would impede or hamper delivery of its targets. These risks are classified into four categories, depending on the targets they pose a threat to: strategic, operational, compliance and financial/reporting.

DIA’s risk management model is based on the COSO II standard, a methodology widely accepted in the marketplace, tailored to DIA’s requirements.

Under this methodology, once the company’s risk management philosophy and targets have been set, management sets about identifying the possible events that could thwart their delivery. The risk factors identified in this way are then analysed, and their probability of occurrence and potential impact are assessed. Next, the potential responses for addressing these risks are evaluated, and on that basis the policies and procedures for ensuring they are implemented are put in place. The information resulting from this analytical process is reported to the risk officers for implementation. The risk management model is monitored continually so that it can be adapted in the event of changing circumstances.

In order to put this complex methodology into practice, DIA has implemented an IT tool across its operating markets which standardises and facilitates risk management.

Key principles of risk management

In keeping with COSO II methodology, DIA’s risk management policy is governed by the following principles:

  1. Risks must be managed everywhere in the organisation, with no exceptions, if the group is to achieve its strategic targets. The entire organisation needs to get involved in the risk management system.

  2. The management of risk includes the identification, evaluation, remedying, monitoring and reporting of risk factors in keeping with the procedures put in place to this end.

  3. Risks must be addressed in a consistent manner and mitigating measures should amply factor in business conditions and the economic environment.

  4. The DIA Group’s Executive Committee must evaluate DIA’s biggest risks and review DIA’s risk tolerance levels at least annually, among other duties.

  5. Risk management shall include regular monitoring of the risk identification, evaluation, monitoring and reporting activities carried out, the results of which must be reported to the Audit and Compliance Committee and the Board of Directors.

Risk management responsibilities

The Board of Directors, the Audit and Compliance Committee and the Executive Committee are the governing bodies tasked with ensuring that the risk management model works as intended.

DIA also has a corporate risk committee from which it has appointed a corporate risk officer. In each jurisdiction the executive team forms a local risk committee and appoints a risk coordinator.

The risk committee analyses the environment and any new projects that could influence DIA’s risk factors. It also considers the addition of new risks to the model and the elimination of former risks as appropriate, and recommends specific action plans, scheduling their oversight and follow-up.

Progress on internal controls

In September 2013 the group’s chief financial officers formally approved the internal control over financial reporting (ICFR) policy. This policy can be downloaded from the corporate intranet and has been distributed via e-mail to the departments concerned.

The policy provides a general description of the ICFR system and its objectives and addresses ICFR roles and duties, the methodology for carrying out the ICFR function and how financial reporting risks are managed.

Crime prevention plan in Spain

In 2012, following legislative amendments in this area, DIA implemented a crime prevention model with a view to establishing the optimal internal control policies and procedures for preventing the commission of white-collar crime and for mitigating, or exonerating the company from, liability should such acts occur.

With this goal in mind, the company analysed the activities carried out by DIA’s various business units and assessed each activity’s risk in respect of the commission of potential crimes in terms of probability and impact, factoring in the controls already put in place by DIA to mitigate these risks.

The firm also appointed a person to champion crime prevention at the company; this person will report to the head of compliance and the corporate ethics committee and take responsibility for the adequate maintenance and operation of the white-collar crime prevention model.
