Mobiles Menu Mobiles Menu Close

(3) Risk Management System

Vonovia’s strategy has a sustainable and long-term focus. As a result, Vonovia pursues a conservative risk strategy in its business activities. This does not mean minimizing risks, but rather promoting entrepreneurial and responsible action and ensuring the necessary transparency with regard to any possible risks.

The risk management system supports all employees in their day-to-day work in accordance with Vonovia’s mission statement. It ensures the early identification, assessment, management and monitoring of all risks within the Group that exceed the short-term financial risks dealt with by the Performance Management pillar and could pose a risk not only to the company’s results of operations and net assets, but also to intangible assets.

The risk management system explicitly includes sustainability risks. These are assessed both in terms of their impact on Vonovia (outside-in perspective) and also – in line with the concept of ESG due diligence – in terms of their impact on the environment and society (inside-out perspective). This means that potential risks which might impair the value and/or development of the company, or the environment and society, can be identified at an early stage. The risk management system takes account of early warning indicators that are specific to the environment and the company, as well as the observations and regional knowledge of our employees.

In organizational terms, risk management is assigned directly to the Management Board. It has overall responsibility and decides on the organizational structures and workflows of risk management and provision of resources. The operational management of the risk management system falls within the remit of the Head of Controlling, who is responsible for Risk Controlling. The Head of Controlling reports to the Chief Financial Officer (CFO). Risk Controlling initiates the software-supported, periodic risk management process and consolidates and validates the risks reported. It is also responsible for validating the risk management measures and monitoring their implementation. Risk Controlling works with the individual risk owners to define early warning indicators that are used to monitor actual developments with regard to certain risks.

The risk owners are the managers at the level directly below the Management Board. They are responsible for identifying, evaluating, managing, monitoring, documenting and communicating all risks in their sphere of responsibility. They are also responsible for recording and reporting all risks in the company’s risk tool based on the defined reporting cycles.

Based on a half-yearly risk inventory taken in the first and third quarters of a fiscal year, Risk Controlling prepares a risk report for the Management Board and the Supervisory Board. It also simulates major risk developments and their impact on the corporate plans and objectives. The Management Board approves the documented risk management findings, takes account of them in steering the company and reports them to the Supervisory Board. The Audit Committee of the Supervisory Board monitors the effectiveness of the risk management system.

Should significant risks, i.e., risks with a considerable impact on economic development (risks entailing possible losses in Group FFO of more than € 40 million or a possible balance sheet loss of more than € 600 million) occur unexpectedly, they are reported directly to the Management Board and the Supervisory Board on an ad hoc basis.

As part of the process involved in preparing the annual financial statements, the risks identified in the third quarter are reviewed by Risk Controlling to ensure they are up-to-date and – if necessary – updated, with newly identified risks being added. New risks can arise in the context of the budget and five-year planning process. These are coordinated and evaluated bilaterally between Risk Controlling and the responsible risk owners as part of the planning process.

Vonovia’s risk management system includes a simulation model to calculate the company’s risk-bearing capacity. As part of this analysis, risk management evaluates the interdependencies between major risks on an annual or ad hoc basis and defines the parameters for risk aggregation. A Monte Carlo simulation model based on the statistical distribution functions relevant to the risks is used to determine the company’s overall risk position. The resulting overall risk position is compared to the company’s risk-bearing capacity with regard to insolvency and overindebtedness. Extreme scenarios for selected major risks are also simulated as part of the corporate planning process. The effects on the company’s performance indicators, as well as key figures related to financing, are always taken into account here. The results of the simulations are discussed with the Management Board. Planning and risk management are managed by the same area within Controlling.

The risk management system is updated and refined on a regular basis and is also adjusted to reflect changes at the company. The effectiveness of the risk management system is analyzed in regular audits.

The risk management system looks at all activities in the risk management process, i.e.,

Based on the COSO Framework, a risk space with the following four main risk categories has been defined to facilitate risk identification: strategy, regulatory environment and overall statutory framework, operating business and financing (including accounting and tax). A structured risk catalog has been assigned to each of these categories.

When it comes to assessing risk, a distinction is made between risks with an impact on profit and loss and those affecting the balance sheet. Risks with an impact on profit and loss have a negative effect on the company’s sustained earnings power and, as a result, on Adjusted EBITDA in the individual segments and Group FFO (Adjusted EBT in the future). In general, these risks also have an impact on liquidity. Risks affecting the balance sheet do not impact Group FFO, but they certainly do impact the assets and, in general, also profit for the period and the EPRA NTA. These risks can also not affect liquidity, e.g., because they only impact property values. 

If possible, risk assessments are always to be performed in quantitative terms. As a general rule, the risk assessment should always be based on a worst-case scenario. If this is difficult or impossible to achieve, a qualitative assessment is to be performed using a detailed matrix. The expected amount of loss is classified to one of five categories:

Classification of expected amount of loss




Impact on profit and loss*

Impact on statement of financial position*

Very high


Threatens the company’s existence

Possible loss of > € 750 million in Group FFO

Possible balance sheet loss of
> € 12,000 million



Dangerous impact on business development, previous business situation cannot be restored in the medium term

Possible loss of € 375 million to € 750 million in Group FFO

Possible balance sheet loss of
€ 6,000 million to € 12,000 million

Consid- erable


Temporarily impairs business development

Possible loss of € 150 million to € 375 million in Group FFO

Possible balance sheet loss of € 2,400 million to € 6,000 million



Low impact, possibly leaving a mark on business development in one or more years

Possible loss of € 40 million to € 150 million in Group FFO

Possible balance sheet loss of € 600 million to € 2,400 million



Minor impact on business development

Possible loss of € 5 million to € 40 million in Group FFO

Possible balance sheet loss of € 80 million to € 600 million

  1. * Understood as the possible financial loss over five years in accordance with the medium-term planning horizon.

Five clusters have been defined for the expected probability of occurrence.

Expected probability of occurrence





Very likely


It is to be assumed that the risk will materialize during the observation period.

> 95 %



The risk is likely to materialize during the observation period.

60–95 %



The risk could materialize during the observation period.

40–59 %



The risk is unlikely to materialize during the observation period.

5–39 %

Very unlikely


It is to be assumed that the risk will not materialize during the observation period.

< 5 %

The expected amount of loss and the probability of occurrence are classified within the set ranges before action (gross) and after action (net) for each risk, documented in a risk tool and transferred to a heatmap there. Risk reporting is based on the net assessment and the assignment of risks in the net heatmap, comprising five categories for both probability of occurrence and the amount of loss.

Net Heatmap

The term “top risks” refers to the risks assigned to the red and amber fields. These are reported to the Supervisory Board and published as part of the external reporting process. The risks assigned to the red fields are classified as threatening or endangering the company or its survival. The risks assigned to the amber fields are significant to the company. Red and amber risks are subject to intensive monitoring by the Management Board and the Supervisory Board. The risks assigned to the green fields are less significant to the current risk assessment.

As part of an active risk control process, the focus is on the major (red and amber) risks. Any necessary specific risk management measures were agreed and incorporated into a regular monitoring process to be conducted by Risk Controlling.

Regular risk monitoring by Risk Controlling ensures that risk management measures are implemented as planned.