Our internal risk management and control systems are designed to reduce the probability of mistakes, of incorrect decisions and of surprises due to unforeseen circumstances as far as possible. No such system can guarantee complete protection, however. It is possible that we are exposed to risks which we are currently unaware of, or which are not considered important at this time. No internal risk management and control system can provide an absolute safeguard against failure to achieve corporate objectives nor prevent every single mistake, loss, fraud or transgression of rules and regulations.
To perform our duties with regard to internal risk management and control we use a coordinated range of instruments:
- risk management: the identification and analysis of strategic, operational, financial and compliance risks and the implementation and monitoring of control measures to mitigate those risks. We have set up a risk management system based on the recommendations of the reports entitled 'Internal Control - Integrated Framework' (COSO - IC) and 'Enterprise Risk Management - Integrated Framework' (COSO - ERM). Responsibility for risk management lies with line management. The line managers are all expected, as part of the day-to-day operations, to identify the risks affecting their specific field of activity and to implement appropriate control measures to manage them. They report on this to the Risk Committee twice a year, which includes the submission of 'in control' statements for each business area, service unit and corporate staff department. The Risk Committee is comprised of the four members of the Board of Management, the Corporate Auditor and the Corporate Controller;
- a formal planning and control cycle, including the preparation and approval of a long-term business plan, budgeting and monthly management information reports (financial and operational);
- procedure manuals and an integrated, detailed description of the accounting policies;
- quality management systems such as the Environmental Management System, and security management systems such as the Airside Security System and the Terminal Security System;
- the Security & Environment Board, chaired by the Chief Operations Officer, which measures the progress and results of the security and environmental management systems and is responsible for the direct appraisal of these systems;
- codes of conduct, a whistleblower scheme and regulations on how to deal with fraud;
- periodic follow-up meetings held by the Chief Financial Officer with operational and commercial managers and their controllers to discuss the audit findings reported by the internal and external auditors;
- internal letters of representation from the Business Area Managers and Business Area Controllers to the Board of Management;
- follow-up of the recommendations contained in the external auditors' management letter.
The Board of Management reports on and accounts for the internal risk management and control system to the Supervisory Board after discussion in the Supervisory Board's Audit Committee. The corporate auditor plays an important role in providing an objective view and ongoing confirmation of the effectiveness of the overall internal risk management and control system.
We believe, as regards the financial reporting risks, that the internal risk management and control systems offer a reasonable degree of assurance that the financial reporting does not contain any material misstatements, that regarding the financial reporting risks, the internal risk management and control systems functioned properly during the year under review and that there are no indications that the internal risk management and control systems will not function properly in 2008.
The principal strategic, operational, financial and compliance risks and uncertainties could lead to the actual results differing from the results which we have described in forward-looking statements.