Doing business inherently involves taking risks, and ASMI can be adversely affected by a variety of business risks and economic developments. A structured risk management process helps management to better understand how risks might impact the Company and to take appropriate risk mitigation initiatives. Deploying effective risk management is a key success factor for realizing our strategic objectives as it provides reasonable assurance to prevent material misstatements or losses. ASMI has implemented an internal risk management and control framework.
A comprehensive risk management and control framework, based on the 'three lines of defense model', has been established that provides the Audit Committee and the Management Board with a clear overview of the effectiveness of internal controls and risk management. Within the framework, the Management Board is responsible for designing, implementing, and operating an adequately functioning internal risk management and control framework within the company. The objective of this framework is to identify and manage the strategic, operational, financial, financial reporting, and compliance risks to which ASMI is exposed, to promote effectiveness and efficiency in our operations, to promote reliable financial reporting, and to promote compliance with laws and regulations. The Management Board is aware that such a framework can neither provide absolute assurance that its objectives will be achieved, nor can it entirely prevent material errors, losses, fraud, or the violation of laws and regulations.
ASMI’s strategy and objectives are described in the Mission, vision, strategy and focus areas section. During the objective and strategy setting process, the Management Board takes into account the company's known risks and opportunities, and its risk appetite. The objectives and strategy are discussed with the Supervisory Board.
ASMI strives for a culture of openness and transparency in which identified risks are disclosed proactively and unexpected events are reported as soon as they occur. ASMI has established a Code of Ethics (the Code). The Code applies to all ASMI employees and temporary staff. It describes how we work in an open, transparent, honest and socially responsible way. We communicate the Code on our corporate website and our intranet, while new or temporary employees also receive a copy of the Code on their first working day. Annually, via a mandatory online test, all our employees are made aware of the importance of our compliance environment. We have a stringent approach to bribery and corruption, fraud, and all other forms of (illegal) misconduct, including facilitation payments. As well as through the test mentioned, the effectiveness of, and compliance with, the Code is assessed by actively detecting and investigating any alleged misconduct and taking appropriate disciplinary action if misconduct is substantiated. To strengthen the tone at the top and in other management levels, we conduct annual fraud risk assessments. The business control framework contains all corporate policies and guidelines that are mandatory for all of ASMI's activities.
Undertaking business activity inevitably leads to taking risks. Each type of risk encountered is dealt with in a manner that matches the risk appetite of the Management Board. Risk appetite is the level of risk we deem acceptable to achieve our objectives. ASMI’s risk appetite is primarily established based on the defined and agreed strategy and the individual objectives within this strategy. Risk appetite is further guided by our Code as well as detailed policies and procedures. The risk appetite is the total residual impact of our risks that ASMI is willing to accept in the pursuit of its (strategic) objectives. The risk appetite per objective or risk area is determined annually by the Management Board. Overall, ASMI's risk appetite did not change materially compared to the previous year.
Our risk appetite differs per risk type:
ASMI has implemented an effective internal risk management and control system to manage its main risks.
The following systems are the main ways that we cover the most relevant risk areas for the Company:
|Control system||Control system objective|
|Product safety and EHS||ZERO HARM!|
|Compliance frameworks||Maintaining licenses to operate|
|IT security & continuity||Mitigating increasing cyber threats|
|Year plan & year outlook||Creating shareholder value|
|Financial framework||Maintaining sufficient liquidity for continuity purposes and shareholder returns|
Every year we assess the top risks at a consolidated level (top-down approach) and on segment level (bottom-up approach) and, if necessary, we implement countermeasures to mitigate the risks within the defined risk appetite. The business objectives are detailed in a strategic business plan. Every quarter, segments perform a 'most likely' forecast four to six quarters ahead on their main financials and key performance indicators (the rolling forecast). Each month, business management discusses their actual performance, including updates of the current and next quarter, with the Management Board.
ASMI has several business continuity plans in place to safeguard the continuity of activities to customers and critical systems and processes. We designed and maintained new control frameworks for safeguarding the reliability of non-financial KPIs, as senior management relies on these KPIs in their decision making. We continuously work on improving our services and processes. Risks related to climate change and compliance with new environmental legislations are incorporated in our risk management and control system. For example, environmental risks are managed in ASMI's business continuity strategy. Our main suppliers comply with the Supplier Code of Conduct. Via this code, suppliers confirm that they support and respect the protection of internationally proclaimed human rights and operate in the spirit of the Charter of the United Nations, for example by preventing discrimination, child labor or forced labor, and by recognizing and respecting the environment in their business operations.
ASMI's treasury department manages risks related to cash positions, finance agreements, credit ratings, and currency and interest exposures. The treasury department has defined policies with clear boundaries for these risks. Compliance with these policies is monitored frequently.
As part of ASMI's tax strategy, the tax department recommends the most tax-efficient and responsible approach in the interest of all stakeholders, while adhering to ASMI's tax policy and complying with all relevant tax laws and regulations. ASMI does not use artificial tax structures solely aimed at tax avoidance. ASMI proactively engages with tax authorities, and tax exposures (if any) are contained and under control.
Our financial control framework is designed to prevent and detect material misstatements in ASMI's financial statements in a timely manner. The internal audit department periodically assesses the overall effectiveness of the controls. A disclosure committee examines all reports and documents containing financial information that are intended for external publication, to ensure that these fairly present ASMI's financial position and results.
Business management provides the Management Board with a quarterly assurance letter regarding the reliability of their financial reporting, the effectiveness of their internal controls, risk management, and compliance with internal policies and other laws and regulations.
In the next section, we provide a summary of our main risks, the potential consequences and the mitigating measures. It lists the controls that ASMI has implemented to monitor the development of the risks and the realization of our risk appetite. The risks and controls are frequently monitored in regular Management Board meetings. During those meetings, improvement actions, where necessary, are also taken into account.
ASMI's internal audit function assesses the design and effectiveness of the internal risk management and control systems and provides assurance to both the Management Board and the Audit Committee concerning the 'in control' status of ASMI. Moreover, Internal Audit conducts ad hoc financial and operational audits and special investigations.
To ensure the independence of this function, the Director Internal Audit reports to the Management Board and the Audit Committee. The Audit Committee is involved in reviewing and approving the audit plan for the year which the internal auditor executes.
The internal auditor regularly provides updates on its findings to the Audit Committee.
Although the Management Board is ultimately responsible for risk management and compliance, the Management Board is supported by the following three pillars:
As set forth by principle 1.2 of the Dutch Corporate Governance Code and related best practice provisions, ASMI has designed and implemented internal risk management and control systems, to identify and manage the risks associated with the Company's strategy and activities. A summary overview of the main internal risk management and control systems was provided in the preceding paragraphs.
The Management Board is responsible for ASMI’s internal risk management and control framework. This system is designed to manage the main risks that may prevent ASMI from achieving its objectives. However, this system cannot provide absolute assurance that material misstatements, fraud, and violations of laws and regulations can be avoided. The internal risk management and control framework and the evaluation of the effectiveness of our internal controls and areas for improvement are regularly discussed with the Audit Committee and KPMG Accountants, our external auditor. The Audit Committee reports on these matters to the Supervisory Board.
The Management Board conducted an assessment on the design and operating effectiveness of the internal risk management and control systems. During the assessment, several weaknesses and improvement actions were identified. One of the findings related to the dilution effect of the associate ASMPT as disclosed in Note 29 to the Consolidated financial statements. None of the findings were classified as major failings as referred to in the best practice provision 1.4. Based on this evaluation of the effectiveness of the Company’s internal control over financial reporting, all members of the Management Board concluded that, as of December 31, 2017, the Company’s internal control over financial reporting was effective and provides reasonable assurance for the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. In addition, to the best of the knowledge of the Management Board, the management report includes a fair review of the development and performance of the business and the position of the Company and the undertakings included in the consolidation as a whole, as well as a description of the principal risks and uncertainties that the Company faces. No changes to the Company’s internal control over financial reporting have occurred during 2017 that have materially affected, or are reasonably likely to materially affect, the Company’s internal control over financial reporting.
All internal control systems, no matter how well designed and implemented, have inherent limitations. Even systems determined to be effective may not prevent or detect misstatements or fraud, and can only provide reasonable assurance with respect to disclosure and financial statement presentation and reporting. Additionally, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate due to changed conditions and that the degree of compliance with the policies or procedures may deteriorate.
In view of all of the above, the Management Board believes that it complies with the requirements of best practice provision 1.2 and 1.4 of the Dutch Corporate Governance Code.