Bouwinvest Real Estate Investors wants to operate on the basis of a healthy balance between risk and return and strives to take risks in a conscious and sustainable manner in the interests of its shareholder and investors. Integrated risk management is a key mechanism to achieve this goal. The mechanism provides for the identification, assessment and understanding of risks inherent in Bouwinvest's services, products, support activities, processes and systems.
To apply integrated risk management in an adequate manner, Bouwinvest has implemented a risk governance model. And a methodology that aims to match risk appetite to the risk profile of Bouwinvest and its funds and mandates, and to make it possible to measure the applicable risk exposures. The risk appetite determines the maximum acceptable risk that may be taken and is aimed at optimising the risk/return ratio.
To ensure adequate decision-making, Bouwinvest has a risk governance and decision-making model. Risk management-related roles and responsibilities have been allocated using the Three Lines Model (in accordance with the IIA model).
The Three Lines Model creates a clear structure for everyone, which helps raise awareness of everyone's role and responsibility on the risk management front.
As risk owner, the first line is primarily responsible for the execution of the processes assigned to it. The first line is also responsible for the effective and efficient management of the risks associated with the execution of these processes, as well as acting in line with the applicable policies.
The second line (Risk Management and Compliance) is responsible for setting frameworks and advising the first line, monitoring and reporting on the quality of risk management and ensuring that the first line takes risk ownership.
The third line is Internal Audit, which independently assesses the adequacy of the risk management and control processes as implemented in the first and second lines. Internal Audit makes recommendations where possible and monitors the adequate follow-up of these recommendations.
The Executive Board of Directors is ultimately responsible for risk management and is supposed to provide the organisation with guidance on how to remain within the established risk appetite at strategic, tactical and operational levels. The Supervisory Board is responsible for supervising the Executive Board of Directors.
In the interests of its shareholder and investors, Bouwinvest uses a risk management framework to manage its risk profile and that of its funds and mandates. This framework helps the organisation to identify and manage all material risks at strategic, tactical and operational levels.
The risk taxonomy is a list of the material risks to which Bouwinvest is or may be exposed and which arise from its business activities. Drawing up the risk taxonomy ensures that Bouwinvest has insight into all relevant material risks and is able to manage these risks adequately. Bouwinvest has drawn up product-specific risk taxonomies for the funds and mandates it manages.
Bouwinvest updates its risk taxonomy on an annual basis. If Bouwinvest is potentially exposed to a new or evolving type of risk, the risk taxonomy is updated more frequently.
The main risks Bouwinvest recognises are market risk, credit risk, liquidity risk, business risk, operational risk and compliance risk. These main risks are subdivided into sub-risks, for which Bouwinvest has defined risk indicators. Bouwinvest’s has defined its risk appetite with respect to the main risks in the risk appetite statement.
Bouwinvest’s risk appetite determines the level of risk it is prepared to accept at an aggregate level in order to achieve its strategic objectives. Bouwinvest constantly monitors its risk appetite using a risk indicator framework based on quantitative and/or qualitative variables. The risk indicator framework is continuously monitored by means of a risk indicator framework based on quantitative and/or qualitative variables to measure whether Bouwinvest remains within its own defined risk appetite on a constant basis. The risk indicator framework consists of statements for each material risk as included in the risk taxonomy. Each risk indicator has a limit that is used within the current risk profile. In addition, Bouwinvest has early warning limits in place so it can intervene in a timely fashion to prevent itself from exceeding its defined risk appetite. Bouwinvest has defined product-specific risk appetites for the funds and mandates it manages.
The Executive Board of Directors discusses Bouwinvest’s compliance with its risk appetite and its outlook with the Supervisory Board on a quarterly basis. Each quarter, Bouwinvest informs its Investors about compliance with the risk appetite for the funds and mandates via individual fund and mandate reports.
Each year, Bouwinvest evaluates and sets its risk appetite and the associated limits of its risk indicator framework. The risk appetite is recorded in a risk appetite statement. This statement is drawn up by the Executive Board of Directors. Bouwinvest determines the risk appetite for the individual funds and mandates annually in the shareholders meeting and records this in the relevant fund and mandate documentation.
As part of its integrated risk management, Bouwinvest focuses continuously on risk awareness as an integral part of its company-wide risk culture. It does this via communications, risk awareness sessions, as well as the inclusion of risk management targets in the individual targets of its employees. This is how Bouwinvest emphasises risk management as a key component of its remuneration policy.
Employees are also expected to be aware of the risks inherent in the processes they perform or for which they are responsible, the risks they may take, and are expected to act in accordance with the code of conduct applicable within Bouwinvest.
Looking back and looking ahead
In 2021, Covid-19 once again had a major impact on a global scale and more specifically on the Dutch economy and society. Bouwinvest implemented a number of internal measures to minimise the impact of Covid-19 on its staff and business operations. The Business Continuity Team also continuously monitors (signs of) potential negative effects. In 2021, there were no incidents that endangered the company’s daily operational management due to failing processes, systems and/or external threats. In addition, in line with the figures in 2020, absenteeism among employees was historically low and staff working partly or entirely from home has not prevented Bouwinvest from meeting its operational, tactical and strategic objectives. As long as the situation continues and the future is uncertain, Bouwinvest will remain on high alert and the Business Continuity Team will remain active.
In 2021, Bouwinvest made a number of improvements to its risk management maturity level. Bouwinvest implemented a risk management framework, supporting all risk management activities (financial and non-financial), executed within the Three Lines Model, and supporting Bouwinvest's sustainable achievement of its strategic objectives. Bouwinvest developed and implemented risk reports, including indicators and limits. In addition to the existing ISAE framework, Bouwinvest performed Risk Self Assessments (RSA) to identify the main risks, measure the degree of risk control, and raise risk awareness. These RSAs are performed with the various process and chain owners within Bouwinvest. To support the first-line risk management, in early 2021 Bouwinvest added two senior risk managers in the field of financial and non-financial risks to the second line of risk management. To support risk management and to help the organisation perform its risk management activities, Bouwinvest started preparations for the implementation of a GRC (Governance, Risk and Compliance) tool in late 2021.
In the 2021 risk management programme, Bouwinvest devoted a great deal of attention to increasing risk awareness within the organisation. We defined and implemented a soft control framework, and included a number of elements of this framework in the individual targets (2022) of management and employees. Bouwinvest also organised various workshops and risk management knowledge sessions for its management and employees. During the knowledge, culture and dilemma sessions on risk, a great deal of attention was devoted to the influence of attitude and behaviour (soft controls) on individual decision-making. Bouwinvest also presented a large number of information security and cybersecurity-related e-learning sessions/knowledge bites to the entire organisation. Bouwinvest will continue the risk awareness programme in the future and this will retain a prominent place within risk management.
The ongoing shift towards organisations (partly) outsourcing their processes and services, and the related exposure to outsourcing risks, has prompted regulators and supervisory bodies to impose additional requirements on these organisations. Bouwinvest is also very much aware of this risk exposure and worked hard in the past year to carefully frame and make transparent the risks associated with outsourcing and contractual relationships with third parties. This resulted in a sound outsourcing policy, in line with applicable requirements and market practices, and the resultant internal processes that should help Bouwinvest to remain in control of its outsourcing relationships and outsourced processes. This covers the entire process, from entering into an outsourcing relationship and the operational status of the relationship through to the termination of the relationship.
On the ESG risk management front, in 2021 Bouwinvest actively started a process to add structure to its ESG risks, including the development of the ESG risk taxonomy, as well as the determination of the impact on the existing risk taxonomy of the real estate portfolios and the management organisation. The process started in 2021 and will continue through 2022.
Physical climate risks
In the final quarter of 2021, Bouwinvest performed the annual update of the physical climate risk assessment for almost all the assets in its real estate portfolios. Bouwinvest also made an active start on the assessment of physical climate risks. For the Dutch real estate portfolios, Bouwinvest launched a pilot to map out the net risk from the identified gross risks on the basis of location, using building characteristics. These risks are heat stress, flooding, heavy rainfall and subsidence. Bouwinvest expects to complete the pilot in Q1 2022. We will use the results to determine the methodology best suited to the funds' expectations and criteria.
Climate transition risks
On the energy transition risk front, Bouwinvest expects to see the introduction of new legal and regulatory requirements to combat further global warming and to phase out the use of Dutch natural gas. Bouwinvest is monitoring upcoming legal and regulatory requirements and will actively adjust assets to comply with these requirements. Bouwinvest also set up a Paris Proof programme to manage this risk. Bouwinvest's goal is to achieve a natural gas-free portfolio with low energy consumption, in accordance with the Actual Energy Intensity Indicator (WEii) protocol. Bouwinvest also mapped the Paris Proof net-zero carbon commitments of all its core investments and summarised the net-zero carbon strategy of the investments. The investments based on the so-called Paris Proof roadmaps have now been included in the long-term maintenance budgets for all the Dutch funds. Bouwinvest then made a start on drawing up a long-term Paris Proof programme. As part of this programme, Bouwinvest is drawing up specific tailor-made plans per asset and carrying out the related activities.
All these activities should lead to a thorough understanding of the impact of the above risks on the existing real estate portfolios and the management organisation and to compliance with SFDR level 2.
Bouwinvest Security Awareness Programme
In 2021, Bouwinvest devoted a great of attention to information security. Given the increasingly dominant role of IT in society and business, and the constant application of new technologies, the likelihood and impact of cybercrime will also continue to grow. Reason enough for Bouwinvest to continue to improve in this area and to draw the attention of its staff to the risks of cybercrime. With the support of an external party, the Bouwinvest Security Awareness Programme was rolled out in 2021. Based on case studies, this clarified the roles and responsibilities of employees on the cybersecurity front, as well as how people are supposed to act in the event of a potential threat. Bouwinvest periodically monitors and evaluates the results of the awareness programme. Bouwinvest will continue with the roll-out of the programme in 2022.
In the third quarter of 2021, Bouwinvest started the SOC/SIEM process. SIEM (Security Incident & Event Management) ensures that the logging of various IT environments can be aggregated, while the SOC (Security Operations Centre) ensures the follow-up to any alerts. The implementation of the SOC/SIEM service will raise security maturity at Bouwinvest to a higher level. The planned deadline for the project is the end of the third quarter of 2022.
At year-end 2020, an external party gave Bouwinvest a lower score than the required DNB Good Practice Information Security standard in eight domains. As part of this exercise, the external party also formulated the improvement actions required to meet the standard. Bouwinvest followed up on these improvement actions in 2021. Bouwinvest also implemented a new approach, in which the key controls of the DNB framework are assessed twice a year, with one of these tests run on all controls. This resulted in the elimination of four of the eight gaps by mid-2021. By the end of 2021, all the gaps had been eliminated and Bouwinvest now meets the DNB standard in all domains. The Data & System Ownership and Manage Data domains still lagged slightly and Bouwinvest will work on these domains in 2022.
The conditions on the Dutch labour market, the so-called war for talent, make it challenging to attract high-quality staff for positions in Risk Management, Compliance and IT. Bouwinvest sees this reflected in the lead times of its vacancies and the limited numbers of candidates applying for these positions. This trend is expected to continue in 2022. To fill these positions in the interim, Bouwinvest is using a flexible layer consisting of qualified external staff, who support the day-to-day processes and ambitions within the various focus areas.
In the fourth quarter of 2021, an external party conducted a satisfaction survey among Bouwinvest employees. The response rate of the survey was 90.5% and it showed consistently high scores across the board: from the content of the work to the employer. Points of attention at Bouwinvest level will be included in the collective targets for 2022.
At Bouwinvest, Compliance is embedded in the Three Lines Model. This means that the first line is primarily responsible for compliance with legal and regulatory requirements, internal policy and the code of conduct, and for managing compliance risks. The Compliance department is an independent second-line function. This department supports the organisation on the compliance front by translating regulator-related legal and regulatory requirements into organisational measures, providing solicited and unsolicited advice, assisting in the execution of risk analyses and monitoring compliance with regulator-related legal and regulatory requirements and internal policy. Another important part of its task is to strengthen integrity awareness and promote the desired behaviour within Bouwinvest by providing training courses.
The compliance cycle below is used to manage the compliance function.
The department reports to the CFRO on a monthly basis. The Executive Board of Directors also receives these monthly reports. In addition, the compliance function reports on a quarterly basis to the Executive Board of Directors and the Audit, Risk & Compliance committee of the Supervisory Board.
Legal and regulatory requirements
Legal and regulatory requirements are constantly changing. The Compliance department monitors changes in regulator-related legal and regulatory requirements, assesses the impact of any changes with other relevant departments, and translates these legal and regulatory requirements into internal organisational measures.
In 2021, Bouwinvest made a start on a long-term programme for the implementation of the revised CDD policy, which will run until mid-2023. The policy will translate the obligations pursuant to the Dutch Prevention of Money Laundering and the Financing of Terrorism Act (Wwft) into measures within the Bouwinvest organisation. Bouwinvest has already implemented a part of the programme and the organisation is on schedule with the ongoing implementation. The programme relates to both new and existing business associates.
In 2021, Bouwinvest also worked within a project structure on the implementation of the Sustainable Finance Disclosure Regulation (SFDR), which came into force in March 2021. In addition, we made preparations for the implementation of the Regulatory Technical Standards related to the SFDR. The entry into force of the latter regulation has been delayed until January 2023. This is why preparations for the implementation are continuing in 2022. This also applies to related legislation such as the Corporate Sustainability Reporting Directive. You will find more information on the SFDR at Bouwinvest under the heading SFDR at bouwinvest.nl
Bouwinvest actively monitors other (European) legislative developments related to the AIFMD and IT, so we can determine the impact and implement any changes in a timely fashion.
Management of compliance risks
Risk management is a key part of conducting business in an ethical and controlled manner. As part of the second line, the Compliance Department helps the organisation to control any identified compliance risks. The first line is supported by increasing awareness of the risks, how they can be reduced or controlled and what Bouwinvest expects of employees in this regard.
An important annual activity in this context is the performance of the Systematic Integrity Risk Analysis (SIRA). In 2021, a large delegation from the organisation (55 people, including the Compliance Department) participated in this analysis. The purpose of the SIRA is to identify integrity risks, assess the effectiveness of the control of the risks and to identify points of attention in relation to risk management. In response to the outcome of the analysis, the Compliance department advised on improvements to risk management. In early 2022, the Compliance department will discuss the improvements in more detail with the organisation and reach agreements on their implementation, after which the Compliance department will monitor their follow-up.
Management of tax risks
In line with its tax policy, Bouwinvest has a framework for managing its tax risks, the Tax Control Framework (TCF). The TCF is an integral part of Bouwinvest's Risk & Control Monitoring Framework (RCMF). Bouwinvest has systematically mapped out its tax risks and set up measures to control the most significant risks. Bouwinvest periodically tests the effectiveness of these measures, and therefore also the TCF.
Training and awareness
Bouwinvest considers culture an important part of mitigating compliance risks. In this context, Bouwinvest values an open culture in which dilemmas can be discussed.
As part of the risk management programme, last year Bouwinvest devoted attention to the risk culture and the soft control framework. We will continue these efforts in 2022, in part via integrity workshops.
Bouwinvest revised various policy documents in 2021 an we organised additional awareness activities related to these subjects.
Reports and advice
In 2021, one incident occurred that led to a report to the regulator, the Dutch Financial Markets Authority (AFM). This was related to a report on the late notification to the depository of a new bank account.
No reports of corruption or fraud were received in 2021.
With respect to the processing of personal data (privacy), thirty-one data breaches occurred in 2021. Seven of these were reported to the regulator, the Dutch Data Protection Agency (DPA). One report was subsequently withdrawn. The causes of the data leaks included incorrectly sent e-mails. Some of the data leaks occurred at processors, such as property managers. All data leaks were investigated and, where necessary, additional control measures were taken.
In early February 2022, a report of a data breach was received from a software supplier used by Bouwinvest’s property managers. Bouwinvest reported this breach to the Data Protection Agency (DPA). The tenants of various Bouwinvest-managed funds were also informed of this data breach and the possible consequences for them. The data breach was the result of a cyberattack and the software supplier is investigating this attack.
In terms of advice, the compliance function was primarily consulted on the subjects of CDD, ancillary positions, gifts & events and privacy.
Investigations by regulators
Bouwinvest has a licence from the Dutch Financial Markets Authority (AFM) and is therefore subject to continuous supervision by the AFM. Last year, Bouwinvest received several questions/questionnaires relating to valuations and the SFDR. In addition, several clients received a request from the Dutch Central Bank (DNB) regarding climate risks related to real estate exposure.