Risk & Opportunity Management
An important success factor in reaching our goals is how we consciously deal with risks. Throughout Coolblue, you can find the words honest, direct, open written on the walls. This means we are upfront with each other about our expectations, which helps us avoid surprises and unnecessary risks.
We strive for a culture that promotes responsible risk management. In such a culture, ownership is key. For this reason, every Coolbluer is responsible for managing their own risks. Of course, they are not alone in this. They are supported by our Risk & Compliance, Security, Fraud, and Legal departments. This approach allows us to learn from our mistakes, so we can do a little bit better every day.
We communicate our internal policy and external regulations in an honest, direct, and open manner, using clear language, which we share with all Coolbluers. Examples of these guidelines are:
- Friend Code (code of conduct);
- How to blow a whistle (whistleblower policy);
- Being open, honest, and direct (anti-fraud policy);
- Sticking to Coolblue agreements (disciplinary policy).
We have developed and implemented various training courses that ensure Coolbluers adhere to our guidelines and become increasingly aware of risks. These courses consist of e-learning modules and workshops, and address topics such as the General Data Protection Regulation (GDPR), labor law, competition law, and integrity.
Risk profile summary
Identification & assessment of risks
There are several risks that can impact the realization of our strategic goals. Our risk management focuses on 4 categories: strategic, operational, finance & reporting, and compliance risks. In order to create a risk profile, we have conducted various top-down and bottom-up risk assessments. We have prioritized the most relevant risks in the Management Team’s yearly Strategic Risk Assessment. The results are discussed with the Audit Committee and Supervisory Board.
Each of the risks has been analyzed based on their likelihood, impact, and risk appetite. We define ‘likelihood’ as the probability of an event occurring and as such obstructing the realization of our strategic goals. ‘Impact’ indicates the extent to which the risk would negatively affect these goals. Lastly, ‘risk appetite’ is our willingness to take risks to achieve our goals. The lower the appetite, the better our risk management has to be arranged. On the other hand, a higher risk appetite is at times required to achieve our strategic goals.
In 2020, our general risk profile has undergone a revision in terms of the scales of the impact criteria. As a result, scores awarded to the risks in the table above may appear to differ from the risk profile reported in 2019, but this is not the case. Instead, we reassessed the impact to match our growth of turnover and EBITDA.
One risk that displayed a noteworthy increase was the Information security & data privacy risk, which can be attributed to Coolblue’s growth over the course of 2020. We also saw a decrease in terms of the risks associated with Qualified employees and Stock management.
Generally speaking, the rest of our risk profile remained the same, except for the addition of the new risk, ‘health crisis’. In the paragraphs that follow, we will describe for every risk respectively how it has developed over 2020 and what mitigating measures we have taken.
1. Brand reputation
We are a large retailer with our own infrastructure. We offer various services, such as repairs in our physical stores and the installation of solar panels on the customer’s roof. Because of our large presence, we have to place a strong emphasis on protecting our brand reputation. Risks to our brand reputation present themselves in various ways, such as the press coverage we receive in relation to our business. Moreover, we have to protect ourselves and our customers from parties that unlawfully use our name. Lastly, we face risks to our reputation that we could not have anticipated beforehand, such as a health crisis.
2. Competition
We operate in a highly competitive market. Despite the competition, we have a relatively high risk appetite in this respect: we see it as an opportunity to go the extra mile for our customers. We constantly improve our customer-centric product journeys by investing in the quality of our service and new propositions, which gives us a strong competitive advantage.
3. Health crisis
In 2020, a new risk, the health crisis risk, presented itself. It has affected several other risks, such as supply chain continuity, Financing, and Health, Safety, and Environment. The health crisis has had a significant impact on our stock management, stores, delivery propositions, and operations in our warehouse. The flexibility of our employees shows that we are able to quickly adjust to changed circumstances, both internally and externally.
4. Information security & data privacy
We do everything in our power to secure our data, prevent data leaks, and minimize their impact. For example, we do not store our customers’ credit card details. Vulnerabilities in our own or leased software are automatically detected, which allows us to act in a timely manner and prevent potential problems. We also constantly make Coolbluers more aware of IT security and privacy risks. We have a cloud-first strategy in which all systems and applications are moved to the cloud where possible. This guarantees the continuity and scalability of our IT landscape. Additionally, we constantly improve our security measures, for example by testing them through penetration testing, vulnerability scanning, and red teaming.
5. Availability of systems & critical processes
A significant disruption to the availability of our systems or business processes can cause reputational and financial damage. We have identified our critical operations and risks, have created an escalation and communication plan, and are drawing up more and more plans for the various scenarios that can occur during a crisis, so that we can maintain and restore critical operations.
Business Continuity Management
Due to the events of 2020, we had to test our Business Continuity Management in practice. Constantly changing circumstances forced us to implement changes in our operations in a very short period of time. We had to adopt more flexible working policies that encourage remote working and virtualization. Within 2 weeks, all Coolbluers in office departments were working from home. We provided them with the right materials for a comfortable home office, such as desk chairs and monitors. We reinvented our warehouse to ensure that everyone there could continue to work safely and at a safe distance from each other. And we introduced pickup points in our stores as a creative solution to meet the customer demand.
6. Attracting and retaining qualified Coolbluers
Qualified and talented people are key to our success. In order to be an attractive employer, we offer long-term career opportunities with various training courses and next-step possibilities, on top of an unconventional company culture. We offer each target group a unique application journey, supported by large online and offline recruitment campaigns and masterclasses. Instead of limiting ourselves to the Dutch, Belgian, and German labor markets, we look for suitable candidates on a global scale.
7. Stock management
Stock management risks come in 2 categories: excess stock and insufficient stock. We minimize these risks by applying algorithms that calculate the expected sales patterns every day and aligning our purchasing activities accordingly. This way, we can make sure that we order the optimal number of products at all times and closely monitor our stock health.
8. Supply chain continuity
We work with multiple suppliers, based on mutually favorable agreements. On top of that, we enhance our supply chain management by using our own delivery services: CoolblueDelivers and CoolblueBikes. Because we do not depend on a single party and have full ownership of these services, we are able to minimize the number of disruptions to our supply chain.
Finance & reporting risk
9. Finance and liquidity
Our operations are financed by our operating cash flow, a negative working capital, and reinvestment of our profits. We have implemented debtor management, stock management, and treasury procedures so that we are always able to meet our payment obligations.
10. Regulatory compliance
Our Risk & Compliance and Legal departments closely follow developments in law and regulation, thereby ensuring our compliance. We have a zero-tolerance approach to bribery, corruption, fraud, and any other form of (illegal) misconduct.
We ensure compliance with law and regulation for any internal developments, such as new business propositions. External developments that influence our operations, such as the GDPR or the upcoming ePrivacy Regulation, are also thoroughly implemented. All Coolbluers who work with personal data are required to follow our GDPR training, tailored to their role, during their onboarding. We monitor attendance of the course with our training tool.
11. Safety, health, and environment
We do everything in our power to ensure the safety of our customers and employees. Within our Safety, Health, Environment, and Quality department (SHEQ), we are constantly working on improvements regarding these topics. Coolbluers who work in our warehouse take health & safety courses, our solar panel installation experts are required to complete courses on working on rooftops, and our safety coordinators ensure optimum safety under all working conditions.
Enhancement of our risk management system
We continuously work on optimizing our risk management operations. Our Risk & Compliance, Fraud, Security, and Legal departments have each grown. Additionally, we have created more awareness of risks in 2020 through various initiatives, including the ones stated below.
Reinforced internal control environment
Improving our internal control environment is an ongoing point of focus. We have included even more domains and processes in our risk assessment. As a result, we have better insight into the key risks and are able to mitigate them better, thereby strengthening our internal control environment.
Implemented physical security controls
We have a physical security policy in place to keep our customers, employees, and products safe using the latest professional security systems. The main principle of this policy is that we have a security blueprint in place for each of our locations. The blueprint and its procedures will be audited multiple times a year. With the professional security systems in place, we have taken another step in achieving our goal of having no security incidents and reducing fraud to an absolute minimum.
Improved Authentication and Authorization
To further improve our data security, we have increased the number of applications that use multi-factor authentication and single sign-on via our Active Directory. We have also improved our access-rights structure, thereby decreasing the number of users with privileged rights in our systems. This has helped us further enforce access on a need-to-know basis.
In 2021, we want to further optimize our risk management operations. We will build on our documentation of processes, risks, and incidents and continue to make this documentation as transparent as possible.
Further expansion of Risk workshops
Our Risk & Compliance, Fraud, and Security departments will further facilitate risk workshops for the relevant departments. Our goal is to identify and analyze the risks for our departments and use this information to set appropriate risk limits and controls. We plan to expand the risk workshops to our tech departments to increase awareness of and insight into our technology and cyber risks, for which the threat landscape has grown significantly.
Further formalizing our Compliance Management
We will further document and formalize our Compliance Management. The corresponding risk framework will oversee risks that are mainly related to compliance with competition, financial services, privacy legislation, and health and safety. For compliance risks, relevant processes and controls will be implemented, tested, and continuously monitored. On top of this, we are going to extend our company-wide information security policy. This also allows us to improve our control framework to verify processes, applications, and services on clearly defined standards.
Preparing for ePrivacy Regulation
In 2021, we will closely follow the developments around the announced ePrivacy Regulation because of its expected impact on direct marketing. As with the GDPR, we will prepare for this new regulation accordingly, so that we will meet the requirements on time.
Increasing IT security awareness
In 2020, we asked a group of ethical hackers to try to get access to the Coolblue network and systems. The lessons learned and the awareness this created within the Tech departments have proven to be very valuable. For this reason, we plan to carry out more tests like this in 2021.
Pieter Zwart B.V., HAL Investments B.V., and management are the shareholders in Mondhoekie B.V., the ultimate parent of Coolblue. Pieter has a majority share in the parent company. At the start of 2021, Coolbluers who have been working at Coolblue for more than 12 months as of 1 January 2021 will receive Friend Shares. These are depositary receipts for shares.
Coolblue Holding B.V., a private company with limited liability (besloten vennootschap) under Dutch law, is fully owned by Mondhoekie B.V. For the sake of transparency, we try to keep our corporate structure as simple as possible. The chart on the right shows an overview of the various group companies.
Coolblue’s Management Team is made up of the Managing Board and the 17 Heads of Department, such as Stores, Delivery & Installation, and Category Teams. The Managing Board consists of CEO Pieter Zwart and CFO Daphne Smit. They are both legally authorized to represent Coolblue.
The Management Team is responsible for the day-to-day operations of their respective domains and for Coolblue’s future development. They have the necessary means, along with the responsibility, to make their domain a little bit better every day.
We acknowledge the importance of diversity in a working environment, which is why we strive for an equal composition of men and women as members of the Management Board. However, when it comes to the selection criteria for candidates, competencies are key.
Pieter Zwart, CEO
Working at Coolblue since: 1999
Education: Business Administration at Erasmus University Rotterdam.
Responsibilities at Coolblue: Category Teams, Customer Experience, Stores, Tech, Purchasing, Germany, Business Journeys, Solar Panels, Energy, Marketing and the website.
What can you do a little bit better since 2020? I have been practicing my soccer skills in FIFA, because I want to become Coolblue’s FIFA champion.
Daphne Smit, CFO
Working at Coolblue since: 2014
Education: International Business Administration at Erasmus University Rotterdam.
Prior to Coolblue: Trainee, Account manager, and Credit Analyst at Rabobank.
Responsibilities at Coolblue: Finance, Warehousing, Delivery & Installation, Returns & Repairs, Customer Service, Corporate Governance, and Human Resources.
What can you do a little bit better since 2020? I have been spicing up my cooking by trying out various new recipes. I am particularly proud of my creamy red curry.
The Management Board’s salaries are determined by the Supervisory Board. Members of the Management Team receive a fixed salary and are not entitled to bonuses, options, or shares in the company as part of their remuneration. CEO Pieter and CFO Daphne are shareholders in Mondhoekie B.V. Any shares they have acquired have been acquired on commercial terms.
Corporate Governance Code
Although we are not legally obliged to follow the Dutch Corporate Governance Code, we acknowledge the importance of good governance. We actively monitor relevant developments in the Corporate Governance Code and incorporate the principles that are relevant to us as a private company.