The Dutch Corporate Governance Code requires boards to include a statement in their management reports about the operation of their internal risk management and control systems (often referred to as the in control statement).

The 2022 update to the Code brought certain clarifications to ensure that the statement better aligns with existing practice. (See for more information this article). Before and after the 2022 Code was published, several parties noted the need for a more far-reaching risk management statement (verklaring omtrent risicobeheersing – VOR). The issue was also on the political agenda, with a motion being passed in the lower house of parliament for the Minister of Finance to encourage the inclusion of the requirement of a VOR in the Code.

To accommodate these requests, a working group, including the Code's "supporting" parties and the Institute of Chartered Accountants (NBA) reached an agreement on the form of the VOR, and proposes including the requirement of the VOR in the Code. Drawing up a VOR would lead to increased responsibilities for the management board, regarding operational and compliance risks, and sustainability reporting.

The working group aims to have companies issue a VOR for the first time by financial year 2025.

Main proposed changes to the Code

The main proposed additions to the Code include:

• a statement about the level of certainty the internal controls provide on the effective management of operational and compliance risks;
• a statement that the internal controls provide limited assurance that the (CSRD) sustainability reporting does not contain material inaccuracies;
• an explanation of how the assessment of the effectiveness of the internal controls with regard to operational, compliance and reporting risks has taken place

Statement on management of operational and compliance risks

The working group proposes that the management board report on the level of certainty the internal controls provide on the effective management of operational and compliance risks. Systems will have to be set up in a way that makes it possible to provide such a statement. The explanatory notes to the working group's proposal allow for a company-specific interpretation, explaining that the intention is not to refer to the concept of "assurance" used by auditors, nor to require companies to use a fixed framework with levels of certainty.

If a board concludes that certain risks by their nature cannot be effectively controlled, or if the effectiveness of the risk management and control systems cannot be determined, the board can comply with this provision by declaring this to be the case and explaining why it is so.

Statement on sustainability reporting

In addition to the Code's best practice provision 1.4.3, the text proposes that the management board declare that the systems provide limited assurance that the sustainability reporting does not contain any material misstatements. This requirement is related to the CSRD requirement that auditors (or possibly independent other parties) provide (for now) limited assurance on the CSRD reports of companies. (See on the CSRD assurance this article). The proposed explanatory notes clarify that the company may provide a higher level of assurance if it wants to.

Accountability on assessment of internal controls' effectiveness

The working group further proposes supplementing existing best practice provision 1.4.2 with the requirement that the management board account for how the effectiveness of the internal risk management and control systems with respect to operational, compliance and reporting risks has been assessed. In the explanatory notes, it is recommended that the board indicate which framework (for example, the COSO framework for internal control) was used.

Further proposed amendments

In addition to the main amendments above, the working group suggests further additions to the Code and the explanatory notes.

The explanatory notes recommend that the statement includes the following information: (i) the responsibilities of the management board regarding the internal risk management and control systems; (ii) the objectives of these systems; (iii) the features of these systems, and (iv) the inherent limitations of these systems.

With regard to strategic risks, the explanatory notes distinguish between (i) decision-making on the strategy, and (ii) implementation of the strategy, which translates to operational, compliance and reporting risks. As far as the proposal is concerned, the risk management systems cover only the implementation of the strategy.

Finally, the working group proposes amending the best practice provisions related to the audit committee to align with the new reporting requirements.

Comply-or-explain

Of course, the principle of comply-or-explain also applies to the VOR, meaning that the company is allowed to deviate from the requirement to publish the VOR, provided that this deviation is substantiated in the management report.

Next steps

The chair of the working group, Jaap van Manen, has sent the VOR text proposal to the Ministers of Finance, Economic Affairs and Climate Policy, and Legal Protection, asking the government to respond to the text proposal and the accompanying letter. In addition, the chair has requested the necessary follow-up steps to ensure that the proposed changes are included in the Code.

The working group aims to have companies issue a VOR for the first time by financial year 2025.

It remains to be seen how the government intends to take the proposal forward.