We identify and control risks comprehensively, taking into account both financial and societal values.
APG Integrated Risk Management
APG’s Integrated Risk Management (AIR) comprises risk governance and policy, the risk culture, the risk appetite, the risk management process (supported by the risk and control framework), and risk reporting.
Risk governance and policy
The roles and responsibilities for managing and controlling risks are based on the generally accepted “Three lines” model. The risk committees of the business units and the Executive Board, as well as the Supervisory Board’s Audit and Risk Committee, see to it that overall integrated responsibility for risk management is assured and incorporated in the business plan cycle.
In 2021, the Risk and Compliance Policy frameworks were updated. APG wants to control its risks within these frameworks. They guide the business units and staff departments, within the limits of their own responsibility, in incorporating risk management in their regular business operations. Such frameworks have for instance been created for the risk taxonomy. Risk taxonomy comprises five risk categories. Each category sets out the principal risks associated with APG’s activities and is in line with the regulations set by the regulators. This is common practice in the pension industry. The risk taxonomy is updated every year. Furthermore, frameworks are prepared for controlling the various risk categories and implementing the risk management process.
A sound and effective risk management depends above all on promoting a culture of risk awareness. This includes using our risk appetite to weigh opportunities against risks as part of the day-to-day activities at all levels of the organization. Within the frameworks and this risk culture, attention is also paid to reporting and detecting possible cases of fraud. For example, within APG’s incident procedure, fraud as a source of an incident is taken into account. There is a regulation for reporting abuses anonymously and we operate a fraud desk where further investigation into possible cases of fraud takes place.
Risk appetite is the degree and type of risk that APG is prepared to accept in the pursuit of its strategic objectives and associated value creation. It specifies where opportunities can be seized, but also the required degree of risk mitigation in case of unwanted risks.
The Executive Board defines the strategic risk appetite for seven elements that are affected by risk: continuity; reputation; relationships; solvency; integrity; services, and customer satisfaction. Aside from that, the risk appetite is also defined for each risk arising from the risk taxonomy. This is referred to as “tactical risk appetite.”
Risk management process
The risk management process allows us to monitor the development of the risk profile relative to our risk appetite and, where necessary, to avoid or mitigate risks more effectively. This continuous process involves identifying, evaluating, controlling, and monitoring risks. The second-line risk management and compliance functions play an independent and critically challenging role in the risk management process.
In this context, changes in legislation and regulations are also looked at periodically in advance. Compliance indicates these changes in its compliance report. It is the responsibility of the business units to incorporate these changes in laws and regulations into processes and control measures. The risk and control framework helps us ensure that we stick to our desired risk profile: we do not take unnecessary or unwanted risks. It also gives us insight into the effectiveness of our critical control measures. We take appropriate measures if necessary.
We continuously monitor risks in five risk categories: strategic risk; operational risk; reporting risk; compliance risk, and financial reporting risk. Each year APG updates a set of sub-risks within these risk categories. These arise from external developments and APG’s strategy and operations. Each calendar quarter, we report on the current risk profile to APG’s risk committee and to the Audit and Risk Committee of the Supervisory Board.
As part of the operational risk control process, we must be demonstrably “in control,” both internally (corporate) and externally (on behalf of the pension funds). APG prepares reports on these matters in conformity with the ISAE 3402 and 3000A standards. The reports on pension management and asset management processes are intended for the eight pension funds for which we work, among others.
In 2021, APG’s risk exposure remained within the established tolerance limits. In a number of areas, there were increased risks.
Below, we will discuss the principal risks that occurred in 2021, for each of the principal groups of major stakeholders.
Risk management - general
Although, just as in 2020, APG was faced with the consequences of COVID-19, this did not adversely impact our operations. Anticipated risks did not materialize. In early 2021, the risk analysis method was reviewed. However, this did not lead to materially different insights. Our stakeholders (pension funds and regulators) were notified of the developments and the identified risks. Based on our risk analysis and the above review, we consider the following risks as the most significant:
Information Risk Management
To gain access to organizations, cybercriminals are launching phishing campaigns in ever-growing numbers. They increasingly use social engineering techniques for this, for example to install ransomware. These campaigns are specifically designed to tempt e-mail users to click on URLs. These URLs look legitimate, but are in fact malicious. Via a variety of awareness campaigns we continuously make all employees aware of this risk. They also take training courses in compliance and cybersecurity.
Furthermore, it has recently become clear that cybercriminals take advantage of vulnerabilities in software components to gain access to organizations’ information systems. We have responded pro-actively against these practices as well and have implemented measures to limit the effects and mitigate the risks. Nevertheless, the cybersecurity risk continues to be real.
From the start of the COVID-19 pandemic, sickness absenteeism among our staff showed a downward trend. However, this downward trend was not sustained as the crisis continued. We are aware of the adverse impact that COVID-19 is having on our staff. Working from home also impacts social contacts. Remote working can furthermore create feelings of loneliness. This is something that has our attention. It is also important that new hires are fully inducted into the APG culture, so that they are imbued with the norms and key strategic values that we stand for.
Risk management - clients
Both APG and its clients realize that our organization must be in control and that the principal risks are managed properly. To this end APG has set up the Three lines of defense (3LoD) model. This model is used to organize our processes in such a way that we are demonstrably “in control.” With respect to the administration of pensions this model has shown that our primary processes, and the monitoring and control measures they contain, need to be reinforced. This was confirmed in 2019 by DNB, the Dutch central bank, following an audit. We are hard at work making these improvements. In 2021, risk analyses were carried out for the primary pension administration processes. For most of these processes these analyses were completed in 2021.
The 3LoD model also produced findings concerning the functioning of monitoring and control measures that had already been implemented within APG. This relates to findings about the monitoring of work in progress and mandatory pension communications, from analyses of alignments and improbabilities, as well as findings relating to the incorrect or late execution of (dual control and other) checks and inadequate control measures for the timely revocation of authorizations. All the findings were analyzed, with the outcome being that these findings regarding the control measures have not led to systematically defective or unauthorized processing in our records or to activities being carried out late. Action was taken to define the control measures more strictly and logically and to monitor them, in order to prevent repetition.
In order to give our clients independent assurances about the organization and operation of our monitoring and control measures, we issue Standard 3402 and Standard 3000A reports about the services for pension management and asset management. The external auditor publishes these assurance reports. The findings from the 3LoD process have led the external auditor to issue a qualified opinion for 2021 with respect to APG’s Standard 3402 and Standard 3000A reports.
The turbulent global economy and the developments in the financial markets have led to an ongoing high demand from our clients for one-off analyses. This trend is reinforced by the current developments in the Dutch pension industry. In order to be able to make careful decisions, our clients require well-founded advice from us. To satisfy this need, which is complementary to the standard services we provide to the pension funds, we filled a number of vacant positions.
The implementation of the pension agreement signed by the Dutch government with the social partners in 2021 has been delayed. As noted earlier in this Report, the Pension of the Future program is looking into all associated aspects and risks. In future, we expect participants to be given more insight in their pension accrual. To do this, their basic data needs to be up to date. The risk posed by overdue changes is that the quality of the data does not satisfy APG’s standards. This can have consequences for the pension benefits. We have taken various control measures to prevent this. In 2021, we worked on improving the quality of the data, on data governance and on the accompanying risk management, and digitalized processes.
Since January 13, 2019, pension funds are required by law to notify DNB of all activities outsourced to third parties. In 2021, the regulator conducted an investigation into outsourcing by APG. Further to this investigation, initiatives have been taken to get a better grip on this process. This will ensure that the outsourcing risk is controlled and that the continuity, integrity and quality of our services are not adversely impacted by issues relating to outsourcing.
APG processes personal data on a large scale, both for its clients and as employer. We attach great value to the lawful, appropriate, and transparent processing and protection of personal data. There is a risk that we do not sufficiently demonstrably comply with privacy laws and regulations, in particular the General Data Protection Regulation (GDPR). It is taking longer than expected to fully implement the improvement points that APG had identified. This applies in particular to demonstrating that privacy-related control measures have been implemented.
Risk management - employees
Having robust and agile HR is a prerequisite for achieving our strategy for 2025. The Strategic Workforce Planning carried out in 2021 supports establishing competencies - e.g., participant focus and digitalization - needed to achieve the objectives for 2025. There is still a risk that the composition of the workforce is not a good fit with this strategy. Labor market scarcity makes it difficult for APG (and others) to recruit talent.
To meet the changing demand for competencies, APG has initiated a number of HR-related improvement programs and initiatives. Leadership development is taking place at various levels and several programs are being offered that enable employees and managers to develop themselves further. This should enable us to create the necessary capabilities, competencies, and changes in the workforce. COVID-19 forced APG to focus even more on the labor situation. Being a Great Place to Work continues to be an important and clearly defined objective for APG.
Risk management - society
From the perspective of risk management, controlling political risk and reputational risk remains of great importance to APG. The content of the public debate is fed by how the new pension system is being shaped. We are following the developments in this area.
To make reputational risk visible, we measure APG’s reputation score. The score shows a stable, positive picture. The reputation score of our largest client showed a downward trend. This was caused by various topics that attracted publicity.
Risk management - shareholders
APG has a positive solvency position. The risk that pension funds find themselves in a dire position, for instance because pension contributions remain unpaid or are not paid in time, has not materialized. This means that it has not impacted our services or financial result.
In 2021, we took further steps to turn the strategic plan 2021-2025 into specific strategic initiatives. To realize these strategic initiatives within the intended period, we adopted a Strategic Implementation Plan. Given the limited resources and the major strain that these initiatives place on the available capacity, it is essential to focus on the right areas. Therefore, choices have been made. For 2022, our priorities are a smoothly managed pension administration, the transition to the Pension of the Future, and continuing on the path of making APG a leading investor.
Financial reporting risks
APG’s risk management and control systems provide a reasonable degree of certainty that APG’s annual report does not contain any material misstatements. Their functioning is evaluated continually throughout the year. On the basis of these results, the Executive Board has declared that there are no material risks or uncertainties that may impact the “going concern” expectation for APG. See also the In Control Statement in the next paragraph.
In Control Statement
As Executive Board of APG Group NV, we are responsible for setting up, implementing, and operating the internal risk management and control systems. The aim of the internal risk management and control systems is to manage the strategic, financial, operational, compliance, and financial reporting risks associated with achieving our objectives. In the previous risk paragraph we have explained our principal risks, our internal risk management and control systems, and any possible shortcomings.
While the internal risk management and control systems were set up on the basis of internationally accepted and applied standards, they cannot provide absolute certainty that the financial reporting contains no material misstatements, nor that the systems will prevent all errors, incidents of fraud, or non-compliance with the relevant legislation and regulations.
The material risks and control measures have been identified and recorded in APG’s integrated risk framework. APG’s Executive Board monitors the effectiveness of the internal risk management and control systems and at least once a year systematically reviews the structure and effectiveness of the risk management and control systems. This review covers all material measures aimed at controlling strategic, operational, financial, compliance and reporting risks. This review considers, among other things, any identified weaknesses, wrongdoing and irregularities, concerns raised by whistleblowers, and findings of the internal audit function and external auditor. Where necessary, improvements have been made to the internal risk management and control systems.
Statement of the Executive Board of APG Group NV
The Executive Board of APG Group NV declares that:
- APG Group NV’s annual report provides insight into the principal shortcomings in the internal risk management and control systems;
- any improvements, both made and anticipated, have been explained;
- the risk management and control systems provide a reasonable degree of assurance that the APG Group NV annual report does not contain any material misstatements;
- the APG Group NV annual report has been prepared based on the “going concern” principle;
- there were no material risks or uncertainties relevant to APG Group NV’s going concern assumption for a period of 12 months from the preparation of the APG Group NV annual report.