We are committed to ensuring all our activities are executed within a defined risk management framework that has been approved by the Managing and Supervisory Boards.
In this section we describe this framework, including the improvements made to further enhance its effectiveness and the most important developments in our risk appetite and profile.
LeasePlan uses the Enterprise Risk Management (‘ERM’) Framework and principles of the Committee of Sponsoring Organisations of the Treadway Commission (‘COSO’) updated in 2017, as its reference model. The COSO definition of ERM is ‘a process affected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives’.
The ERM Framework is about managing risks while supporting the realisation of the entity’s targets. The Framework addresses ‘the evolution of enterprise risk management and the need for organisations to improve their approach to managing risk to meet the demands of an evolving business environment’.
At LeasePlan, risk management and control are closely linked with LeasePlan’s strategic aims. We consider controlled and balanced risk taking – accommodated by a strong risk organisation and risk governance, and supported by a clear direction from our senior management – key elements in driving our strategy. Using COSO ERM (2017) as a reference model, LeasePlan has introduced a Risk Management Cycle that links the various building blocks of the risk process and risk governance.
Risk management cycle
01. Lines of defence
LeasePlan’s control framework includes three lines of defence supported by investments in information technology and people.
This model distinguishes among functions that own and manage risks (first line), functions that oversee and advise on risk management practices (second line) and functions that provide internal assurance (third line).
The three lines of defence model is illustrated below.
The following overview outlines the composition and responsibilities of the key parties involved in executing the three lines of defence within the Group:
Local & corporate management
Local & corporate management (‘the business’) have full ownership of all risks at entity level and are responsible for complying with Group policies and standards and for managing the risks encountered while conducting the business. Risk management activities include identifying and assessing potential risks and taking steps to mitigate negative influences in order to adhere to the applicable risk limits and tolerance levels. Furthermore, local management is responsible for completely and accurately registering all risks, potential incidents and threats in a timely fashion. This also includes maintaining a comprehensive risk management system that covers all risks inherent to the business. As such, local & corporate management are considered the first line of defence.
The Strategic Finance department is responsible for the overall liquidity management and funding strategy within LeasePlan. Strategic Finance is considered a first line of defence, and as such in a similar way is responsible for risk management as described above.
Local management, in close consultation with Group Risk and Group Privacy & Compliance, ensures the set-up of an independent risk function and an independent privacy & compliance function at entity level. These functions are considered part of the second line of defence, which coordinate, oversee and challenge the execution, management, control and reporting of risks.
The three lines of defence
|1st line of defence|2nd line of defence|3rd line of defence|
|---|---|---|
|Local & Corporate Management|Risk Management|Group Audit|
|Strategic Finance|Privacy & Compliance| |
Group Risk and the independent risk function at entity level
Group Risk and the independent risk function at entity level are jointly referred to as the Risk Function. Group Risk challenges and creates awareness around risk within LeasePlan and is responsible for coordinating and executing the Risk Management Cycle and the Risk Decision Framework. Group Risk ensures that the Managing Board and the Supervisory Board are made aware of all material risk developments. Within LeasePlan, the risk types included in the Risk Type Universe are considered on an integrated basis. The Risk Function is responsible for aggregating these risk types and providing an integral view.
The Risk Function, which co-operates with all relevant disciplines within LeasePlan, is independent from the business functions and is represented by the Chief Risk Officer (CRO) at the Managing Board level.
Group Audit Department
LeasePlan’s Group Audit Department (GAD) provides internal audit services and is recognised as the third line of defence for LeasePlan’s risk management. GAD conducts independent audits of LeasePlan’s activities and provides independent assurance by assessing the effectiveness of governance, risk management and internal control processes. GAD reports its findings to the Managing Board and provides quarterly updates to the Supervisory Board Audit Committee.
02. Risk appetite
During 2018 we managed our risk appetite based on the following pillars:
- Long-term debt rating (stand-alone);
- Financial return on risk-adjusted capital (i.e. economic return);
- Diversified share of funding layers.
An institution’s target credit rating is an indication of the overall risk appetite a company may have and the level of capital it will need to hold. In addition, a specific risk appetite has been set for each underlying risk category.
The Supervisory Board approves LeasePlan’s risk appetite annually based on the recommendation of the Risk Committee, and approves any changes required throughout the year.
Depending on the risk metric, compliance with the risk appetite statement is monitored on a daily, monthly or quarterly basis and non-compliance is reported to the risk committees, the Managing Board and the Risk Committee of the Supervisory Board. The principal financial risks inherent to our business activities are discussed further in the Financial Risk Management section of the Financial Statements on page 90.
A breach of risk tolerance levels is always subject to a materiality check. If the breach is a non-material variation, no specific management action is required. Examples of such non-material breaches are variations caused by a process timing issue or by rounding.
Principal risks and uncertainties
Listed below are the main risk categories and opportunities known to LeasePlan, which could hinder the company in achieving its strategic and financial business objectives. This may, however, not include all the risks that may ultimately affect LeasePlan. For further analysis, please refer to the Financial Risk Management section of the financial statements.
- Strategic risks
- Operational risks
- Financial risks
- Financial reporting risks
- Strategic use of financial instruments
In addition to these risks, we have begun assessing the risks to LeasePlan and its stakeholders that are associated with the transition to zero-emission mobility. To this end, we are putting together a cross-functional team that will look at these risks and at following the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD) set up by the Financial Stability Board (FSB).
03. Highlights 2018
In addition to its Car-as-a-Service and CarNext.com businesses, LeasePlan also holds a banking licence and operates LeasePlan Bank. As such it is regulated as a financial institution by De Nederlandsche Bank (DNB) and the Netherlands Authority for the Financial Markets (AFM). Nevertheless, because of the nature of its business, LeasePlan’s risk profile differs from that of most other financial institutions.
The largest part of its portfolio consists of the operational leasing of vehicles, in which LeasePlan bears the residual value risk.
Risk Management highlights for 2018 include the following:
- We have continued to update our monitoring systems, share best practices, train staff and develop our statistical techniques. We put Local Technical Pricing Committees in place for matrix pricing. The Residual Value Risk Balance⁹ is used as a monitoring and measurement system for pricing and risk mitigation, while the Group Risk Committee defines the limits at the beginning of the year.
- We carried out a change process to reorganise the previous risk committee structure to ensure a proper fit with the current strategic and functional value drivers of LeasePlan. This change process resulted in the formation of four new risk committees: the Group Risk Committee, the Group Model Risk Committee, Group Tactical Risk, and the Asset and Liability Committee (ALCO). These risk committees are mirrored at entity level. In addition, asset risk and pricing are discussed in a dedicated business committee.
- LeasePlan met the liquidity survival horizon at a minimum of nine months at all times. Prudent liquidity management and controls are in place to ensure compliance with regulatory requirements. Based on the 2018 Internal Liquidity Adequacy Assessment Process (ILAAP), we concluded that we are adequately funded and that our liquidity buffer is more than sufficient to meet internal and prudential requirements.
- Prudent capital management and controls are in place to ensure compliance with regulatory requirements. Based on the 2018 Internal Capital Adequacy Assessment Process (ICAAP), we concluded that we are adequately capitalised. The Common Equity Tier 1 capital increased in 2018 by EUR 182 million to EUR 3.03 billion resulting in a Common Equity Tier 1 ratio at year-end of 18.3%.
- As from 1 January 2018, LeasePlan adopted IFRS 9. This new reporting standard introduces the ‘expected credit loss’ model for the impairment of financial assets. It replaces the ‘incurred loss’ model of the previous standard IAS 39. Consequently, LeasePlan has significantly changed its use of estimation techniques and assumptions for the impairment of lease receivables and other debt financial assets.
- LeasePlan began a Definition of Default Project. The objective of this Project is to align the Definition of Default applied by LeasePlan with the Capital Requirements Regulation (‘CRR’) and with the European Banking Authority (‘EBA’) guidelines and standards. The Project mainly includes updating LeasePlan’s Definition of Default and related policies, updating and enforcing processes and procedures for all local LeasePlan entities, updating LeasePlan’s AIRB models, updating IT systems where relevant, and updating LeasePlan’s IFRS 9 Expected Credit Loss models.
- We have continued to maintain a solid platform of diversified funding sources that include debt capital markets, securitisation, bank credit lines and an internet savings bank in the Netherlands and Germany. With this as an underlying strategy, we ensured the availability of funding to meet our ongoing liquidity needs and match our asset profile. Our liquidity position remained solid and we safely comply with CRR/CRD IV requirements.
- In November, the DNB reviewed and assessed our Advanced Measurement Approach (AMA) model. We have worked with the DNB to assess their findings and are preparing a plan with various scenarios to determine the best future option for LeasePlan. This planning takes into account that the Standardised Approach will replace AMA in the near future for all financial institutions with a banking licence.
- We are enhancing our cyber security framework to protect against, detect and respond to cybercrime threats. LeasePlan’s infrastructure is connected to public networks, which exposes it to a constant threat of cybercrime. Examples of such threats are malware infection (including viruses), intrusion (hacking), denial-of-service attacks and fraudulent emails (phishing), the frequency and intensity of which are increasing on a global scale. LeasePlan’s information assets are secured to protect against the consequences of breaches of confidentiality, failures of integrity or interruptions to the availability of that information.
- Our remuneration framework continued to reflect the right incentives for managing risk and return in alignment with risk appetite objectives in a sustainable and healthy manner, while discouraging excessive risk taking. Risk is an essential building block in the Group Remuneration Framework, although balanced risk-taking is required to grow the business profitably.
- While the UK’s planned exit from the EU will inevitably create uncertainties, we expect the potential impact on our global business to be limited. Even so, we continue to monitor the associated risks. Our Brexit working group has developed plans for a range of scenarios to ensure LeasePlan as a whole is well placed to navigate any uncertainty. We are working with our supply chain to ensure that we understand the different scenarios for importing and exporting vehicles and components from and to the UK.
In 2019, LeasePlan will continue to shift its Risk Management from a decentralised function to a centralised integrated risk approach, which was started in 2018 with the implementation of a new Risk Charter. The Risk Charter describes the governance as of 2018. On several elements, this charter differs from previous practices. The Risk Charter defines the general principles, the mandate and key responsibilities of the Risk Function and the risk framework (at Group and entity level), which consists of the Risk Management Cycle and the Risk Decision Framework. The purpose of the risk decision framework is to provide clarity on the risk delegation within LeasePlan and to provide detailed Terms of Reference for risk committees.
Furthermore, the changing requirements arising from CRR / CRD IV are being taken into account in a timely way, and developments and changes will be monitored to ensure LeasePlan is well prepared for future regulatory changes.
LeasePlan will continue to allocate the necessary time, resources and investment to maintain and further strengthen its risk management framework, and support its business ambitions and regulatory compliance. To see a comprehensive overview of our risk management framework, including details on key risks inherent to our business activities, please refer to the Financial Risk Management section of the Financial Statements and the Pillar III Disclosures, which are available at https://www.leaseplan.com/corporate
9. The Residual Value Risk Balance is net of the average level of effective residual value pricing and the average level of effective residual value risk mitigation.
Privacy and compliance
LeasePlan operates in a complex regulatory environment in which trust and confidence are crucial.
Only by conducting our business based on high ethical standards and in compliance with applicable laws, directives and regulations will we win and retain trust, and succeed in our mission. By setting high standards, LeasePlan gives its clients, suppliers and business partners the confidence to work with LeasePlan. It is therefore essential to ensure the effective management of privacy and compliance risks.
Management and mitigation
The Managing Board is responsible for privacy and compliance risks, while Group Privacy & Compliance coordinates, oversees, controls and reports on these risks. As part of the CRO domain, Privacy & Compliance has the objective of supporting LeasePlan’s overall strategy by enabling controlled risk taking, utilising the ‘Power of One LeasePlan’ and ensuring our aim of making risk everyone’s responsibility under the banner ‘Just do the right thing!’.
The strategy of Privacy & Compliance is to safeguard LeasePlan’s integrity and reputation and to help protect against financial loss and reputational damage. This is achieved by integrating privacy and compliance in daily business activities and strategic planning within the set risk appetite, as well as challenging and assisting the business and promoting awareness at all levels within LeasePlan.
We do this by:
- Supporting LeasePlan to ensure a proper control environment is in place for complying with applicable laws, rules, regulations and LeasePlan’s internal standards
- Supporting the business with managing day-to-day Compliance Risks
- Helping to maintain the integrity of the products and services offered and received
The basis for mitigating compliance and privacy risks is the Privacy & Compliance Charter and Framework.
The Privacy & Compliance Function operates within the context of LeasePlan’s broader risk management framework. It is responsible for (parts of) the effective management of four related areas:
- Counterpart and external conduct, for risks of money laundering, terrorist financing and sanctions;
- Employee conduct and internal culture, for risks of internal fraud and bribery;
- Products and services, for risks of insufficient duty of care;
- Organisation, for risks of breach of privacy or data protection.
Our compliance risk appetite is set on a yearly basis (low in 2018) and an overall compliance risk assessment is executed twice a year. On that basis, we formulate further mitigating actions and key risk performance indicators for each area.
As of the first quarter of 2018, we prepared integrated quarterly reports for the Managing Board, the Supervisory Board and our external auditor to provide a holistic overview of the developments and topics within Legal, Privacy & Compliance and Risk.
Focus areas in 2018
GDPR / Privacy
In May 2018 the General Data Protection Regulation (GDPR) took effect impacting most of the markets in which LeasePlan is active. Even though GDPR resulted in a number of changes in data privacy management activities, it did not change LeasePlan’s approach when processing personal data. The basis for this had already been laid down in its group-wide Binding Corporate Rules, which will be further enhanced to continue operating along the following principles:
- Transparent: we help individuals understand how data is collected and used
- Privacy as starting point: we ensure our services are privacy friendly
- Control: we aim to provide easy ways to access, correct or delete data
- Safe with LeasePlan: we secure data as well as we can, and personal data is only shared with third parties when necessary and under appropriate conditions
- Innovating and responsive: we keep looking for ways to improve our services and our privacy practices, and we are open to all suggestions and complaints
A project was set up to assess the impact of the new GDPR requirements and to determine the actions required of LeasePlan entities. To better manage privacy risks within acceptable risk levels, a Group Privacy Office (GPO) was established and its vacancies were filled. In addition, a single Data Protection Officer, within the meaning of the GDPR, has been appointed and reports to the CRO.
The focus of the GPO has been to roll out a readiness project for the key requirements of the GDPR and to enhance data management activities, in alignment with the local privacy officers in the entities, under the supervision of a steering committee and with the assistance of external consultants. These actions enable LeasePlan to set a consistent baseline for further implementation. In addition, LeasePlan obtained a licence for a data privacy management tool that allows a number of privacy management activities to be automated. The next phase largely carries over into 2019 and builds on LeasePlan’s digitalisation strategy.
Several training and communication initiatives took place in 2018 to further increase awareness and knowledge on handling personal data. This also resulted in an increased involvement of the GPO and local privacy officers in a wide range of projects, as well as product development initiatives and closer alignment with HR regarding the handling of personal data of (future) employees.
Fight Fraud campaign
In order to increase awareness about Fraud, we launched a Global Anti-Fraud Campaign between February and July 2018.
The campaign focused on:
- Increasing awareness and understanding of Fraud risks
- Training LeasePlan employees on how to spot Fraud and identify the 'red flags'
- Making employees feel comfortable in talking about Fraud
The campaign comprised several modules and a variety of communication tools, such as articles, interviews on our global intranet, an online interactive game and an animation.
In addition, we published a Fraud Risk Management Framework and Fraud Risk Management Guidelines for governance and incident handling. Furthermore, an in-depth Fraud Risk Assessment was completed to identify areas of possible exposure, and assess the adequacy of our current measures for mitigating fraud.
Anti-Money Laundering and Counter Terrorism
LeasePlan began an Anti-Money Laundering and Counter Terrorism (AML, CFT) Project. Its main goals included:
- Ensuring compliance with the Dutch Wet ter voorkoming van witwassen en financieren van terrorisme (Wwft), as amended with effect from July 2018, and with the fourth EU Anti-Money Laundering Directive (AMLD4);
- Ensuring the company combats and lowers the risk of money laundering and terrorist financing that may occur through its business activities.
The relevant LeasePlan Policy and Standard will be updated as part of this project, and a detailed Risk Analysis is being prepared which includes, at a minimum, the relevant risk factors relating to LeasePlan’s products, counterparties and country risks.
Insurance Distribution Directive
The Insurance Distribution Directive (IDD), Directive (EU) 2016/97, took effect in most of LeasePlan’s European markets in late 2018. The Directive introduces new rules in relation to the distribution of insurance, particularly in the areas of transparency, provision of information and business conduct. The Directive primarily aims to increase levels of consumer protection.
In preparation for this, we launched an IDD Project in 2017 to assess the impact of IDD on our European operating companies and their insurance operations, and to identify and take action where required at country level.
A central compliance team conducted the group gap analysis against the IDD Directive. This was cascaded down to the compliance functions of the European operating companies where local analysis was added with the assistance of local legal advisers and central compliance as appropriate. Required actions were identified and taken locally.
In addition to the four focus areas described above, the following actions were taken:
- Implemented a new Anti-bribery and anti-corruption policy, with new KPIs/KRIs and monitoring plan
- Conducted the Global Integrity Survey to gain insight into the perception of Integrity within LeasePlan and if necessary take additional measures
- Updated the Compliance Risk Assessment twice during the year
- Appointed a DPO to the Group Privacy Office
- Updated several policies and governance-related documents, including the Privacy & Compliance charter/framework, the Code of Conduct, the whistleblowing policy and multiple policies covering privacy requirements
- Refined the risk appetite statement for compliance risks
- Updated the Compliance chart, which contains an overview of the applicable and relevant laws and regulations