Risk management and control

TomTom has implemented comprehensive and structured risk management and internal control systems helping us to achieve our business objectives. Our approach to risk management, the main risks per category and actions to manage, control and mitigate the risks are, among others, described in this section.

3.8.1 Approach to risk management

Senior management together agrees on the risk management priorities for the group. The group risk profile is discussed and agreed with the Management Board. A single owner is assigned responsibility for each risk, which helps to ensure clear accountability for the mitigating actions. The Business Assurance department facilitates the annual assessment of business risks to achieve an appropriate level of objectivity in our assessment of risks. We update our group risk profile every year in order to manage our most important risks. Over the year, we monitor the mitigating actions in relation to each risk and the trend for each risk. The business risk profile is taken into account when establishing our strategy, annual business plans and budgets.

In 2016, we further strengthened our control environment with the Internal Control department driving risk and control ownership by business process owners (BPOs) as well as upgrading the tools used to monitor our IT general controls. Additionally, BPOs gained better insight into their processes and associated control environment through enhanced dashboards. We also continued to align risk management and control-related efforts within the organisation. This allowed Internal Audit to make a more informed decision on what areas to audit and gain more value from our internal audits. The result has been value-adding audits with recommendations that were welcomed by the business and strengthened our overall control environment.

3.8.2 Control framework

TomTom follows a top-down approach whereby management identifies the major risks that could affect the company's business objectives and assesses the effectiveness of the processes and internal controls in place to manage and mitigate those risks. These internal controls are contained and maintained in the Internal Control Framework. Assurance on the effectiveness of controls is obtained through management reviews, monitoring dashboards, self-assessments, internal audits and testing of certain aspects of our internal financial control systems by the Internal Control team. This, however, does not imply that certainty as to the realisation of our business and financial objectives can be provided, nor can the approach of the company to control its financial reporting be expected to prevent or detect all misstatements, errors, fraud or violation of law or regulations.

The key features of the systems of our Internal Control are as follows:

  • Defined lines of accountability and delegation of authority are in place, together with reporting and analysis against budgets;
  • Minimised operating risk by ensuring that the appropriate infrastructure, controls, policies, systems and people are in place throughout the business;
  • Maintain organisational design that supports business objectives and a culture that encourages open and transparent communication;
  • Maintain a financial shared service centre with a centralised Enterprise Resource Planning (ERP) environment which allows us to monitor our business throughout all regions and apply a consistent level of control;
  • Centralised Treasury operations manage cash balances and exposure to credit default and currency risks through treasury policies, risk limits and monitoring procedures; and
  • Ensure the Code of Conduct is accessible to all staff via the intranet, which includes whistleblowing facilities.

3.8.3 Risk appetite and impact

Our willingness to assume risks and uncertainties (the risk appetite) differs for each category. The level of the company's risk appetite gives guidance as to whether TomTom would take measures to control such uncertainties. The overview table shows the appetite and the expected impact on the group's achievement of its strategic, operational and financial objectives if one or more of the main risks and uncertainties were to materialise. The likelihood of the risk taking place is also disclosed. The risks are shown net. This means that the risks are described after taking the risk response into consideration.


3.8.5 Group Risk Profile

Below is an overview of the risks that we believe are most relevant to the achievement of our strategy. The sequence of risks below does not reflect an order of importance, vulnerability or materiality. This overview is not exhaustive and should be considered in connection with forward-looking statements. There may be risks not yet known to us or which are currently not deemed to be material.

3.8.6 Strategic risks

Failure to establish a multi-product Consumer business

Although the PND market shows a declining trend, a significant part of our revenue is still derived from PNDs and we expect this to remain a meaningful category in its own right for the upcoming years. If we are unable to successfully launch new Consumer products and fail to adapt our organisation to remain competitive this could have a material adverse effect on our business and TomTom's financial condition, results of operations and liquidity.

Many of our current competitors are large, well-known organisations with greater financial, technical and human resources than ours. They may have greater ability to fund product research and development and capitalise on potential market opportunities. New competitors interested in the same markets and products may also emerge. Industry consolidation may also result in increased competition.

risk response

We aim to continuously develop new innovative products in the Sports category and establish ourselves as a credible sports and fitness consumer electronics brand. Next, we aim to grow Drive specialist product sales in the niche markets whilst extracting value from the PND category.

Failure to grow our Automotive business

We might be unable to pursue new automotive opportunities and lose market share versus competition. Also, new map and navigation providers may choose to enter the automotive market, which could increase the level of competition we face. There could be additional operational and technical challenges in growing our Automotive business and maintaining profitability over the longer term in such a rapidly evolving environment. If we are unsuccessful in maintaining and growing a profitable Automotive business, our financial condition, results of operations and liquidity may be materially adversely affected.

risk response

We believe TomTom is well positioned to address the future needs of our customers and to successfully pursue Automotive opportunities. With our technological innovation we continuously develop new product and service offerings in the area of navigation, traffic and maps. We believe these innovations will allow us to remain competitive in the automotive market.

Reputation damage

All our products and services are brought to market under one brand. This leads to brand concentration risk. Brand value can be severely damaged, even by isolated incidents affecting the reputation of our business or our products and services. Some of these incidents may be beyond our ability to control and can erode customer confidence in our products or services.

Factors that negatively affect our reputation or brand image, such as adverse consumer publicity, inferior product quality, late delivery of customer commitments or poor service, could have a material adverse effect on our financial condition and results of operation.

risk response

TomTom employs a rigorous continuous quality management process for its products and services before they are entered into the market. Additionally, TomTom's Customer Care department aims to provide quality, fast response customer service and proactively monitors various digital platforms for customer feedback and issues. Furthermore, internal policies, governance teams and our Code of Conduct are designed to further mitigate the risk of incidents that could result in reputation or brand damage.

Failure to increase productivity and scalability to our mapmaking process while shortening cycle times

The competitive environment requires continuous investment in new technology for creating and updating map databases. Maps need to be continuously updated for changes in the environment and we are continuously adding new geographies and attributes to our map database to enable us to meet the needs of existing and new customers, bring out new products and expand into new markets. If we are unable to invest sufficiently to compete with other global map providers in terms of both the quality and coverage and to modernise our map delivery platforms, our business, our financial condition, results of operations and liquidity may be materially adversely affected.

risk response

Over the last few years, we have invested significantly in developing a new Content Production Platform. This transactional mapmaking platform will strengthen TomTom’s competitive positioning by moving away from traditional batch processing towards a continuously updated real-time map. Additionally, we have made some changes to the structure of our mapmaking organisation to maximise the productivity and drive a much higher level of automation. Also, we have developed several strategic partnerships to develop technologies to support Autonomous Driving.

3.8.7 Operational Risks

Inability to attract, develop and retain talent

Our markets are characterised by rapid technological change, which challenges us to deliver highly competitive products and services on an ongoing basis. In order to be a market leader in our industry, we need to have the most talented people working effectively together.

We aim to employ highly talented people in our organisation. Having the best people enables us to create and deliver highly innovative products and services to our customers. If we are unable to attract, develop and retain the right people, our ability to operate our business successfully could be significantly impaired.

risk response

In our ambition to be the employer of choice in technology, our rigorous recruitment process aims to attract the best talents. We monitor the organisational health of the company and have programmes in place to retain and keep (key) employees engaged. Ongoing significant investments are made in understanding what our employees need and want so we can offer customised experiences. We invest in our increasingly agile and talented workforce and in ensuring that we have the right employer brand strategy in place to attract and retain the talent we need. For example, we continuously invest in and develop our software engineering and product management capabilities through initiatives such as our World Class Software Development Programme as described in the section Human Resources.

Unavailability of online services

We provide a variety of customer-facing online services on a 24/7 basis. These include fleet management services, live traffic information, location-based services and sales via our website. To provide these services to our customers we rely on our own, as well as outsourced, information technology, telecommunications and other infrastructure systems. A significant disruption to the availability of these systems could cause interruptions in our service to customers that may cause reputational damage for TomTom and could trigger contractual penalties, which could have a material adverse effect on our financial condition and results of operations.

risk response

We have established a process in relation to business continuity for internal infrastructure including full redundancy for key services such as fleet management, location-based services and some traffic delivery platforms. We also agreed minimum service levels with relevant outsourced service providers. Continuous monitoring of system availability is in place.

Failure to recover from a disaster

Unforeseen business disruptions could affect our service to customers and cause loss of, or delays in TomTom's critical business systems, our research and development work and/or product shipments. Any permanent or temporary loss of these systems could result in reputational damage, loss of revenue and liabilities to our clients. In the case of a catastrophic disaster, our company's success rests on our ability to restore our critical data and rebuild our IT business systems.

risk response

We have business continuity and disaster recovery planning in place for business critical systems and various eventualities. However, we are unable to plan for every possible disaster or incident. A major failure of a business critical system from which we are not able to quickly recover, could have a material adverse effect on our financial condition, results of operations and liquidity.

3.8.8 Legal and Compliance risks

Intellectual property claim

We rely on a combination of trademarks, trade names, patents, confidentiality and non-disclosure agreements, copyrights and design rights, to defend and protect our trade secrets and the intellectual property in our expanding range of products. We may be faced with claims that we have infringed the intellectual property rights or patents of others, which if asserted against us may result in us being ordered to pay substantial damages or forced to stop or delay the development, manufacturing or sale of infringing products. Any such outcome could have a material adverse effect on our financial condition, results of operations and liquidity. Furthermore, even if we were to prevail, any litigation could be costly and time-consuming.

risk response

We have a dedicated Intellectual Property team responsible for the protection of TomTom's products and services against unauthorised use by third parties. By obtaining and enforcing intellectual property rights, such as patents and trademarks, TomTom can prevent the competition from reproducing our unique products. TomTom has built a substantial prior art portfolio and has a reputation for strongly defending its position in all intellectual property litigation, including against non-practicing entities (NPE).

Privacy of customer data risk

We provide location-based and fitness products and services to individual customers and as there is growing public awareness and increased scrutiny by regulatory authorities, this means that compliance with privacy regulations and customer expectations is increasingly important in maintaining our competitive position. Next to this, various governments across the globe are implementing legislation allowing law enforcement and intelligence services bodies direct access to data held by businesses. Depending on country and cultural background, this could raise additional concerns regarding the use of our products and services. Our reputation and brand may suffer and regulatory sanctions may be imposed if we fail to comply with privacy laws and regulations or otherwise fail to meet our customers' expectations in relation to privacy matters.

risk response

Inherent in the design and operations of our products and services we apply 'privacy-by-design' to ensure that TomTom's own Privacy Principles as well as obligations from applicable privacy laws and regulations are structurally adhered to in the design of our products and services and throughout our operations.

Information security risk

Our business operations and reputation are substantially dependent on our ability to maintain confidentiality, integrity and availability of information regarding customers, employees, suppliers, proprietary technologies, intellectual property and business processes. Additionally, the volume and sophistication of information security ('cybersecurity') threats continue to grow. The inadvertent disclosure of confidential information, unauthorised access to our systems and networks, defective products and sanctions potentially imposed by regulators could adversely affect our business, our reputation and could have a material adverse effect on our financial conditions, results of operations and liquidity.

risk response

We structurally deploy and maintain information security governance, controls, processes and tools in our engineering, operations and products using a risk-based approach, based on ISO information security standards.

3.8.9 Financial risks

Unfavourable movements in foreign currencies

The group operates internationally and conducts business in multiple currencies. Revenue is earned in euro (EUR), GBP, USD and other currencies, and does not necessarily match cost of sales and other costs which are largely in EUR and the USD and to a lesser extent in other currencies. Foreign currency exposures on commercial transactions relate mainly to estimated purchases and sales transactions that are denominated in currencies other than reporting currency - EUR (€). Unfavourable foreign currency movements such as a strengthening of the USD will have a negative impact on our profitability.

risk response

We manage foreign currency transaction risk through options and forward contracts to cover forecasted net exposures. All such transactions are carried out within the guidelines set by our Corporate Treasury Policy. Furthermore, we try to temper any negative foreign currency effect by conscious and calculated pricing of TomTom products and services to combat the negative impact of the exchange rate movement. For additional information, see note 28 to the consolidated financial statements.

3.8.10 In control and responsibility statement

The Management Board is responsible for TomTom's risk management and internal control systems. The Management Board believes that the company maintains an adequate and effective system of risk management and Internal Control that complies with the requirements of the Dutch Corporate Governance Code (the Code).

The internal control systems are designed to manage, rather than eliminate, the risk that we fail to achieve our business objectives and can provide reasonable, but not absolute, assurance against financial loss or material misstatements in the financial statements. The Management Board reviews the effectiveness of TomTom's systems of internal control relative to strategic, financial, operational and compliance risks and discusses risk management and internal controls with the Audit Committee on at least a quarterly basis.

 The Management Board believes, based on the activities performed in 2016 and in accordance with best practice provision II.1.5 of the Code, that the risk management and control systems with regard to the financial reporting risks have functioned effectively in 2016, and that the risk management and control systems provide a reasonable assurance that the 2016 financial statements do not contain any errors of material importance. With reference to section 5.25c paragraph 2c of the Financial Markets Supervision Act, the Management Board states that, to the best of its knowledge:

  • The annual financial statements give a true and fair view of the assets, liabilities, financial position and profit or loss of the company and the undertakings included in the consolidation taken as a whole; and that
  • The Management Board Report includes a fair review of the development and performance of the business and the position of the company and the undertakings included in the consolidation taken as a whole, together with a description of the principal risks and uncertainties that the company faces.

Amsterdam, 8 February 2017

The Management Board
Harold Goddijn/Chief Executive Officer
Taco Titulaer/Chief Financial Officer
Alain De Taeye/Member of the Management Board