
Internal controls and risk management

Risk management

Bouwinvest is well aware that it invests retirement assets. The organisation is compact and client centric. We add value on the basis of a sound vision of the developments in real estate markets. Risk management plays a key role in this vision.

Risk management is the process of understanding the risks to which Bouwinvest and its clients are exposed and then managing those risks effectively within certain tolerances. For this purpose, we have an effective and efficient system of control measures we use to measure and monitor the degree of risk management at every level.

We look at risks at strategic, tactical and operational levels, as shown in the image below:

Risk management levels

Lines of defence

Bouwinvest recognises the importance of choosing an effective structure and permanent monitoring of its internal risk management and control systems and a solid reporting system. These systems have to provide the management with insight into the nature of the risks (both retrospective and prospective) and which control measures are being taken (in terms of both substance and procedure). It should also be clear what the independent opinion is on the remaining risks and whether additional control measures are needed, from a prospective view of the risks taken.

Setting up such a framework requires a structured approach. The COSO framework is the global standard on this front. Bouwinvest’s risk management model is based on COSO II, or the Enterprise Risk Management Framework (ERMF). Departments including Compliance, Business Control, Risk Management and Internal Audit have all been structured in line with this model. Bouwinvest has integrated Compliance and Risk Management in such a way as to meet all the requirements of regulatory bodies, shareholders and the outside world, while making the execution of the supervisory functions as effective and efficient as possible.

Bouwinvest defines ‘lines of defence’ as follows:

  1. Line management – responsible for the risks inherent in day-to-day business operations.

  2. Compliance, risk management and business control – responsible for safeguarding the effective performance of the risk control/management by the first line of defence.

  3. Internal Audit – supervises the functioning (soundness and effectiveness) of the internal control mechanisms.

  4. Supervisory Board and external auditor – the Supervisory Board supervises the identification and management of the risks related to the strategy and Bouwinvest’s business operations and the structuring and operation of the internal risk management and control systems.

Risk Management

The Risk Management team plays a coordinating role in providing an integrated overview of all risks within Bouwinvest and the portfolios it manages. Risk Management is responsible for risk taxonomy, draws up the integrated risk policy and plays a coordinating role when it comes to the risk policy of the other departments. Where necessary, Risk Management consults with external stakeholders. Its primary task consists of identifying risks and determining the potential impact of those risks. The department plays an evaluative role when it comes to timeliness, correctness and completeness; both in prospective and in retrospective terms, and both in substantive and procedural terms. Risk Management makes recommendations for risk management measures in line with the management’s intended risk appetite.

Risk Management uses a risk management cycle to determine how risk management targets are set and achieved. This cycle is shown below.

Bouwinvest recognises the following areas in terms of risk management:

  • Strategic & Business risks

  • Financial risks

  • Operational and IT risks

  • Integrity and compliance risks


In 2018, the Risk Management department focused primarily on the overall risk policy, taking into account the developments in laws and regulations and the requirements of regulators. This has resulted in streamlined Lines of Defence, Risk cycle and Risk taxonomy, which has given us a stronger foundation to embed risk management across Bouwinvest’s operations. Based on this revised strategy, we have made a start on the more detailed formalisation and documentation of risk strategy and associated control measures and processes in sub-areas. For instance, in 2018 we took a closer look at the insurance risks in the property portfolios. And in the field of risk governance, we formulated a charter for the Risk Management department in line with the existing Compliance charter.

Risk matrix



Control measures

Continuity risk

The continuity risk is the risk that the management organisation can no longer meet the terms of its agreements with bpfBOUW, other clients, its own employees and the organisation.

• Bouwinvest business plan
• Framework letters
• Investment plan and fund plans
• Annual plans of the business units and departments
• Reporting process
• Annual ISAE 3402 type II audit
• Business continuity plan
• Service Level Agreements with outsourcing partners
• Data security policy (COBIT)

Integrity risk

Integrity risks are related to non-compliance with laws and regulations (such as fraud and cyber crime) or transparency requirements of Bouwinvest, its employees or any party with whom Bouwinvest is conducting business.

The Compliance policy and the measures are explained in the following section.

Quality risk

This is the risk that the management organisation delivers poor quality, as a result of which Bouwinvest is unable to meet the terms of its agreements with its clients.

• Framework letters
• Investment plan and fund plans
• Investment Committee
• Due diligence of business partners
• Internal (process) control framework in accordance with ISAE 3402 type II
• External auditor
• Business incidents procedure
• Pricing & Valuation Committee

Key people risk

This is the risk that the organisation does not have employees with the right skills and qualities.

• Transparent culture and remuneration policy
• Measures to safeguard a high level of employee satisfaction
• Succession and promotion policy
• Building and retention of a good reputation on the employment markets

Legal and liability risk

The risk of threats to the legal position of the organisation, including the risk of the possibility that contractual provisions cannot be enforced or are not correctly documented.

• Internal Legal Affairs department
• External specialised law firms
• Various corporate and asset insurance policies (professional and directors liability)
• Risk checks on main assets
• Insurance manual

Fiscal risk

This is the risk that the organisation’s fiscal position is determined incorrectly, as a result of which the current and deferred tax (position) is depicted incorrectly.

• Internal Tax Affairs department
• (Structural) involvement of external tax specialist (who also plays an evaluative role)
• Tax policy principles

Funding risk

The risk that the funding position is not adequate and/or safeguarded, due to the fact that the growth of the organisation’s invested capital is not covered by the addition of new capital from investors.

• Investors Relations department's proactive approach to the acquisition of funding
• Clear annual funding statement in the fund plans
• Financing of a part of the investment proposal

Reputation risk

In the event that one of the above-mentioned risks occurs, (some) measure of reputation damage is inevitable.

• Transparent and frequent communications with clients
• Integrity risk analysis

Monitoring and reporting

The Board of Directors monitors the risks related to Bouwinvest's various activities and the funds it manages. To support this monitoring and to optimise risk transparency, the risk controller produces quarterly risk reports.

In 2018, three quarterly risk reports were produced:

  • Risk report for bpfBOUW portfolio

  • Business incident reports

  • Risk report as part of fund reports for AIF funds

The risk report for the bpfBOUW portfolio was adjusted further in line with the strategy and the risk reporting for the funds was tightened. The format for business incident reporting remained unchanged in 2018.


Bouwinvest has an independent compliance team that identifies, assesses and monitors the company’s compliance risks and advises and reports on same. The team uses the Bouwinvest Compliance Cycle for the planning, execution and reporting of all compliance activities. This cycle consists of a number of grouped activities. The first group of activities focuses on the identification and interpretation of existing and new legislation relevant to Bouwinvest and its stakeholders and the determination of its impact. Bouwinvest subsequently identifies and assigns scores to the relevant compliance risks. On the basis of same, we set priorities and translate the (amended) legislation and identified risks into policies, which we then implement.

The compliance team designs the processes, procedures and/or controls needed to execute the updated and new policies. Both during implementation of new policies and on a continuous basis, the members of the compliance team devote a great deal of effort to creating awareness and providing advice on relevant compliance risks and how to deal with them, which has helped us to reduce the number of incidents.

Bouwinvest’s compliance team supervises and monitors the effectiveness of the controls and initiates specific investigations when this is necessitated by incidents or findings from regular monitoring activities. In regular compliance reports, we report on any areas of potential improvement, as well as on any investigations initiated.


Creating risk awareness is one of the compliance department’s top priorities, as is making clear how employees can reduce or control those risks and what is expected of them in that context. Increasing risk awareness was once again a key focal point in 2018. The compliance team conducted a number of training courses and meetings on legal changes and amendments to procedures. Bouwinvest organises annual integrity workshops for its employees and participation is mandatory.

The compliance risk environment is extremely dynamic and legislation changes constantly. In 2018, the compliance team once again worked on the updating of a number of internal rules and regulations. Bouwinvest closely monitors relevant legislation and regulations and will continue to adapt and update its own internal compliance regulations in line with new or amended legislation.

Code of Conduct

Bouwinvest has a Code of Conduct that applies to all its employees. This code includes rules with respect to ethical conduct, conflicts of interest, compliance with laws and (internal and external) regulations, Corporate Social Responsibility, health and safety and requirements for our business partners. The Code also includes specific regulations for the Board of Directors and the Supervisory Board with respect to conflicts of interest and investments.

Bouwinvest has a whistleblower scheme in place with guidelines for reporting and investigating unethical behaviour.

Conflicts of interest

Bouwinvest has also drawn up a Conflicts of Interest policy, with the aim of ensuring that no material conflicts of interest occur that could inflict damage on our clients, our funds, or our management organisation. The policy also describes how Bouwinvest should act with respect to the allocation of different investment opportunities over the respective funds and clients. The policy is intended to supplement but not replace any applicable Dutch laws governing conflicts of interest.

‘In control’ statement

The Board of Directors has issued an in control statement on the financial reporting risks and strategic and operational risk management at Bouwinvest. The Board of Directors is responsible for proper risk management and internal control systems, as well as for the assessment of the effectiveness of same. On the basis of its assessment of the risk management and internal control systems, the Board of Directors believes that these systems provide a reasonable level of assurance that the financial reports contain no material errors. Bouwinvest has been ISAE 3402 type II certified for its financial reporting processes since 2012, which shows these are in order.

In general, the risk management and internal control systems functioned properly in 2018 and there is no indication that these systems will not function properly in 2019. We did not identify any shortcomings that could have a material impact in these systems in 2018, nor up to the date this annual report was signed in 2019.

Furthermore, we did not identify any deficiencies in the internal control systems that could have a material impact on operational and compliance risks, nor on the financial reporting function and the functioning of the internal and external auditors.
