Risk management

Managing risks is explicitly on the agenda of management in order to protect the business from the effects of disasters, failures and reputational damage. Continuity and sustainability of the business is as important to the stakeholders as growing and operating it.

Risk management and control system

The Heineken risk management and control systems aim to ensure at a reasonable level of assurance, that the risks of the Company are identified and managed and that the operational and financial objectives are met, in compliance with applicable laws and regulations. A system of controls to ensure adequate financial reporting is included. Heineken’s internal control system is based on the COSO Internal Control Framework.

Risk appetite

The Company is recognised by its drive for quality, consistency and financial discipline. Entrepreneurial spirit is encouraged across the Group to seek opportunities supporting continuous growth (like business development and innovation), whilst taking controlled risks.

Risk profile

Heineken is a single-product company, with a high level of commonality in its worldwide business operations spread over many mature and emerging markets. The worldwide activities are exposed to varying degrees of risk and uncertainty, some of which, if not identified and managed, may result in a material impact on a particular operating company, but may not materially affect the Group as a whole. Compared to other leading beer companies, Heineken has a much wider spread of its businesses and risks across the globe.

Risk management

Doing business inherently involves taking risks, and by managing these risks Heineken strives to be a sustainable and performance-driven company. Structured risk assessments are part of, amongst others, change projects, business planning and performance monitoring process, common process and system implementations, acquisitions and business integration activities. The risk management and control systems are considered to be in balance with Heineken’s risk profile, although such systems can never provide absolute assurance. Following Heineken’s continuing growth and changing risk profile, the Company’s risk management and control systems are subject to continuous review and adaptations.

Responsibilities

The Executive Board, under the supervision of the Supervisory Board, has overall responsibility for Heineken’s risk management and control systems. Regional and operating company management are responsible for managing performance, underlying risks and effectiveness of operations, within the rules set by the Executive Board, supported and supervised by Group departments.

Heineken Company Rules

The Heineken Company Rules are a key element of the risk management system and are in place to set the boundaries within which operating companies should conduct their business. A governance procedure, and activities on continuous awareness and compliance are in place, managed by the Heineken Company Rules Network, which meets on a semi-annual basis. The Assurance Letter, signed annually by all Regional Presidents, General and Finance Managers worldwide, provides additional comfort on financial reporting and selected rules.

Business planning and performance monitoring

The main pillars of Heineken’s internal governance activities are the annual business planning and performance monitoring. Operating companies’ strategies, business plans, key risks and quarterly performance are discussed with Regional Management. Regional performance is discussed with the Executive Board. The approved business plans include clear objectives, performance indicators and target setting, which provide the basis for monitoring performance compared to business plan. These plans also contain an annual assessment of the main risks (including mitigation plans) and financial sensitivities, although these assessments require further improvement. Heineken made good progress on its Company-wide programme to create a more integrated management information environment for reporting to Regions and Group.

Internal control in operating companies

Heineken is progressing the Group-wide development and implementation of best practice processes supported by common IT systems. At the end of 2008, 69 per cent of Heineken’s operations (based on revenue) worked in accordance with the evolving Heineken Common System. Next to the Supply Chain area, also other functions work on improving documentation, measurement and performance of processes under the Business Process Management Initiative.

Best practice key control frameworks, to ensure the integrity of the information processing in supporting the day-to-day transactions and financial and management reporting, are embedded in developed common processes/systems. Internal Audit is strongly involved in monitoring controls based on a common audit approach, whilst plans are in preparation to strengthen controls monitoring by management.

IT

Heineken’s worldwide operations are highly dependent on the availability and integrity of its (common) information systems. IT processes and infrastructure are to a large extent centralised and outsourced to professional outsourcing partners. Structured monitoring processes are in place, which includes clear agreements on assurance from outsourcing partners. The harmonisation, centralisation and outsourcing of IT have a positive impact on the overall control environment.

Code of Business Conduct and Whistle-blowing

The Code of Business Conduct and Whistle-blowing procedure are applicable to all majority-owned subsidiaries. Compliance is supported through continuous monitoring of effectiveness, rotational audits and employee perception surveys. Employees may report suspected cases of serious misconduct to their direct superior, the local Trusted Representative or anonymously to an independently run confidential helpline. The Integrity Committee oversees the functioning of the Whistle-blowing procedure and reports bi-annually to the Executive Board and Audit Committee on reported cases and effectiveness of the procedure. Additional communication and training are planned for 2009 to reaffirm the importance of responsible conduct and compliance.

Supervision

The Executive Board oversees the adequacy and functioning of the entire system of risk management and internal control, assisted by Group departments. Group Internal Audit provides independent assurance and advice on the entire risk management and internal control system. The Assurance Meetings, at local and regional level, oversee the adequacy and operating effectiveness of the risk management and internal control systems in their respective environments. Regional Management and Group Internal Audit participate in the local meetings to ensure effective dialogue and transparency. The outcome and effectiveness of the risk management and internal control systems have been discussed with the Audit Committee.

Financial reporting

The risk management and control system over financial reporting contains clear accounting policies, a standard chart of accounts and ‘assurance letters’ signed by General and Finance Managers. The Heineken common systems and embedded control frameworks, as implemented in a large number of the subsidiaries, support common accounting and regular financial reporting in standard forms. Testing of key controls relevant for financial reporting are part of the Common Internal Audit Approach.

The worldwide external audit activities – which are based on local statutory materiality levels, and therefore more detailed than necessary for the audit of the Heineken N.V. consolidated financial statements – provide additional assurance on true and fair presentation of financial reporting on operating company level. Within the scope of their financial audit assignment, external auditors also report on internal control issues through their management letters and attend local and regional Assurance Meetings.

Special attention was given to the integration of financial reporting of the acquired businesses from former S&N and some other acquisition, including transfer to the Heineken Accounting Policies. In 2009, the Heineken standard chart of accounts will be implemented.

Considering Heineken’s risk management and control system described in this section, the financial reporting is adequately designed and worked effectively in the year under review in providing reasonable assurance that the 2008 financial statements do not contain any material misstatements. There are no indications that the risk management and control systems relating to financial reporting are not working properly in the current year.

This statement cannot be construed as a statement in accordance with the requirements of Section 404 of the US Sarbanes-Oxley Act, which is not applicable to Heineken N.V.