Risks & opportunities
An important success factor in reaching our goals is how we consciously deal with risks. We balance risks and their impact with the opportunities and advantages that they offer, based on which we determine our risk strategy.
Risks can occur anywhere in the organization. That is why it is important that every Coolbluer is aware of risks and can identify them. For this reason, every Coolbluer is responsible for managing their own risks, with the Management Board bearing the ultimate responsibility. They are not alone in this, as they are supported by our Risk & Compliance, Tax, Security & Fraud, Tech Security, Finance, and Legal departments. This approach allows us to create a risk culture in which risk management stays top of mind throughout the organization and in which risks are managed when and where they occur.
To provide Coolbluers with the means to decide how to go about a risk, we have various internal policies in place, which are in part based on external regulation. These policies are written in an honest, direct, and open manner and are easily available to every Coolbluer in multiple languages. We periodically review these policies to ensure they continue to meet legislative demands. Examples of our internal guidelines are:
- Workguide (employee guidebook);
- Friend Code (code of conduct);
- How to blow a whistle (whistleblower policy);
- Being open, honest, and direct (anti-fraud policy);
- Sticking to Coolblue agreements (disciplinary policy).
In 2021, we continued to increase awareness about risk management among Coolbluers. For example, we further defined our information security policy. We also expanded our risk workshops to provide insight into the rapidly evolving threat landscape and continued to offer e-learning modules and training courses that address topics such as the GDPR, labor law, competition law, and integrity.
Risk profile summary
We identified and listed the risks that can impact the realization of our strategic goals. These risks can be divided into categories and have each been given their own risk profile.
Risk identification & assessment
Our risk management focuses on 4 categories: strategic risks, operational risks, finance & reporting risks, and compliance risks. To create a risk profile for each risk, we conduct various top-down and bottom-up risk assessments. We have prioritized the most relevant risks in the Management Team’s yearly Strategic Risk Assessment. The results are discussed with both the Audit Committee and the Supervisory Board.
In total, we identified and profiled 11 risks in 2021. This means that our general risk profile is virtually unchanged compared to 2020. However, scale adjustments for individual risks have been made.
The first scale on which we rate a risk is the likelihood of occurrence within a set time frame. We assign a rating on a 5-point scale.
Impact forms the second scale on which we rate a risk. Here, we assess the extent to which a risk would negatively affect the achievement of our goals, promises, and ambitions.
The third and final scale, risk appetite, is based on the former 2. It defines our willingness to run or take a risk. The lower the appetite, the better our risk management has to be arranged. On the other hand, a higher risk appetite is at times required to achieve our strategic goals.
Coolblue has a strong reputation. We want to uphold this reputation and prevent any damage to it, as this could negatively influence our business. During the 22 years that Coolblue has existed, we have grown immensely. We have entered new markets and have expanded internationally. The effect of this growth on risks is twofold. On the one hand, new risks are introduced, for example by new or changing legislation. On the other hand, the risks we already identified could have a larger impact on our reputation, as our brand becomes increasingly well-known.
In the assessment of this risk, it became apparent that the overarching risk remained unchanged in 2021. Coolblue is a strong brand that delivers on its promise and has earned the customer’s trust by doing so. To safeguard our reputation, we closely monitor external influences, such as press coverage, and protect ourselves and our customers from parties that unlawfully use our name.
We operate in highly competitive markets. We have a relatively high risk appetite in this respect, because we see it as an opportunity to go the extra smile for our customers. Additionally, we believe that the way we identify and provide for underlying customer needs does not limit itself to a single market or country. It provides us with a strong competitive advantage. This has enabled us in recent years to successfully cross the language barriers into Wallonia and Germany, extend our offering tailored to business customers, and expand our services to the energy and mobility sectors. Through growth, we fortify and safeguard our position in the market and make more customers happy every day.
3. Health crisis
This strategic risk has had the most tangible influence over the past 2 years. When it first presented itself in 2020, this risk had a significant impact on our stock management, delivery propositions, and operations in our stores and warehouse. It also affected other risks, such as supply chain continuity, financing, and health, safety, and environment. We took what we learned from 2020 and further applied and improved this throughout 2021. Because of the flexibility of our systems and employees, we are increasingly better equipped to decrease the impact of this risk within our organization.
4. Information security & data privacy
Safeguarding our data and technology is vital to Coolblue. We constantly improve our IT security measures and do everything in our power to secure our data, prevent data leaks, and minimize the impact a leak may have. This applies to both data we generate ourselves and information that customers provide us with, for example when they place an order. We have improved our access structure for all data and further enforced access on a need-to-know basis. Through periodic review of this structure, we ensure that Coolbluers only have access to the data they need to perform their tasks.
We have a cloud-first strategy in which all systems and applications are moved to the cloud if possible. This guarantees the continuity and scalability of our IT landscape. As Coolblue grows and cybersecurity attacks become more advanced every day, our exposure to this risk and its impact increase. To counteract and stabilize this, we continuously evaluate and improve our security policy and standards. We do this with advanced tooling which employs Artificial Intelligence and Machine Learning. We also hire ethical hackers and award bug bounties if vulnerabilities are reported to us.
5. Availability of systems & critical processes
We constantly apply optimizations in our processes and operations, such as mechanization in our warehouse. This means that our dependency on systems increases. Moreover, because we continue to operate from a single warehouse for all our business and open new locations, our supply chain becomes increasingly complex. To minimize the chance of a disruption in our operations due to unavailability of a system, such as our automated picking process, we have identified our critical operations and risks. In addition, we continue to identify the various scenarios that can occur during such unavailability, so that we can maintain and restore critical operations.
6. Attract and retain qualified Coolbluers
Qualified and talented people are key to our success. We see that the competition for skilled personnel is becoming increasingly severe, in part because of the significant shift in market and employment conditions. To attract and retain qualified Coolbluers, we continue to expand our unique application journey and have several in-house training institutions that allow Coolbluers to shape and realize their career path within Coolblue. Additionally, we offer a unique company culture and competitive rewards. For some job roles, such as developers, we even attract talent from all over the world.
7. Stock management
Stock management risks come in 2 categories: excess stock and insufficient stock. We minimize these risks by applying algorithms that calculate the expected sales patterns every day and aligning our purchasing activities accordingly. To this end, we have mutually favorable agreements with our suppliers that allow us to quickly scale our purchasing. Moreover, our financial capacity allows us to guarantee a constant supply of products if we see that a shortage might arise. This way, we can order the optimal number of products at all times and closely monitor our stock health.
8. Supply chain continuity
The pandemic has caused a global shortage of materials and products. This also has an impact on the availability of a number of product types we sell, such as laptops and tablets. We make an effort to ensure continuous availability of these products. We do so by leveraging our strong financial structure and by working very closely with our suppliers to guarantee a constant optimum supply of these products.
We have expanded our own delivery infrastructure in the Netherlands, Belgium, and Germany, by opening various depots and bike delivery hubs. Together with the collaboration with delivery partners such as PostNL, Budbee, bpost, and DHL, this ensures that we can live up to the promise we make in our delivery proposition.
9. Health, safety, and environment
The health and safety of our Coolbluers is of the highest importance. We have procedures in place that outline in detail how to act in certain situations, such as what to do in case of an emergency. We also have Safety Coordinators and Prevention Officers, who for example give health and safety courses to Coolbluers. Together, they ensure optimum safety under all working conditions.
Finance & reporting risk
10. Finance and liquidity
Our operations are financed by our operating cash flow, a negative working capital, and reinvestment of our profits. Because we continuously improve our underlying debtor management, stock management, and treasury processes, we are always able to meet our payment obligations. In addition, we have a long-term financing arrangement in place to provide us with additional liquidity to cover business continuity.
11. Regulatory compliance
The growth of our business and expansion into other geographies and markets, such as Germany and the Dutch energy market, introduces different types of legislation. We want to ensure our full compliance with all governing legislation, simply because it is the right thing to do. We implement regulatory developments that influence our operations, such as the GDPR, throughout our organization. Moreover, we are constructing an overarching internal control framework. It will provide a complete overview of all compliance-related risks, measures, and related subject matter within Coolblue. This framework is being built in such a way that we can act on both current and future regulations.
We have a zero-tolerance approach to bribery, corruption, fraud, and any other form of (illegal) misconduct. This is strongly highlighted in our code of conduct and other internal guidelines, which are made available to every Coolbluer. We also offer mandatory training courses that are geared to the relevant legislation within departments. This further ensures our consistent compliance.
Enhancement of our risk management system
We pay undivided attention to the improvement of our risk management operations. And as Coolblue grows, so do our Risk & Compliance, Tax, Security & Fraud, Tech Security, Finance, and Legal departments. To improve our risk management in 2021, we have implemented both risk-specific measures and enhancements to the internal control framework. These improvements are aimed at driving business involvement and ownership within the domains, in order to expand the integrated view of risks and controls.
To ensure that our risk control measures are applied consistently throughout the organization, we are transitioning from a multitude of risk control matrices to a singular control framework. This internal control framework will encompass the key risks and related controls of all processes. As a result, we can better identify and classify the main risks associated with the processes, test the implementation and operating effectiveness of controls, and determine the degree of control we have over them. A summary of the status of internal control and issue tracking will be reported to the Management Board and the Audit Committee.
Further formalizing our Compliance Management
The internal control framework will also contribute to the formalization of our Compliance Management. This will provide more insight into the risks that are mainly related to compliance with competition, financial services, privacy legislation, and health and safety. For compliance risks, relevant processes and controls are continuously implemented, tested, and monitored.
Another main point of focus has been the further enhancement of our Security policy. We have substantially increased our Tech Security team and unified the various standards that were applied across the domains. The result is a singular, comprehensive approach towards information security. Additionally, we have hired a Security Awareness Officer, who is tasked with improving organization-wide security awareness. Lastly, we have upgraded our control measures that deal with digital threats, such as DDoS attacks.
Fraud Detection and Prevention
In order to further prevent fraud throughout our organization, we have created and implemented fraud detection tooling which detects fraud using various patterns and analyses. This enables us to assess an order’s validity without blocking a legitimate sale, for example.
We are pleased with the steps we were able to take in 2021 in improving our risk management and internal control framework. They will form a solid basis for further enhancements we have planned for 2022.
Reinforcing internal control
We constantly build on our existing control environment to establish an even better insight into key risks and improve our ability to mitigate them. In 2022, we will do so by expanding our in-depth, end-to-end assessments of operational processes. The findings, along with resulting recommendations, will be reported to the relevant stakeholders.
We have an unceasing focus on the protection of data, both our own and our customers’. To ensure that this remains top of mind for each and every Coolbluer, we will continue to further develop existing educational courses and roll out training courses that are tailored to our specific domains. In addition, we will continue to monitor existing processes to identify potential improvements to further ensure the safety of information we store.
Enhancing our Cybersecurity posture
Cybersecurity is a dynamic and evolving field. To improve our company-wide efforts regarding security and privacy, we will continue to increase awareness through content that focuses on the specific threats of the respective domains. Examples hereof are training courses aimed at the handling of confidential data and incident exercises. Moreover, our recently expanded Tech Security team will continue to improve our security measures and safeguard the continuity of our website and logistical processes. With the growing complexity of our supply chain, we will also continue to improve our third-party risk management.