On 20 March 2025, the new Corporate Governance Code Monitoring Committee, chaired by Rob van Wingerden, presented an update of the Dutch Corporate Governance Code by including an enhanced risk management statement (known in the Netherlands as verklaring omtrent risicobeheersing or VOR) in the Code.

According to the Monitoring Committee, the Code's supporting parties, CNV, Eumedion, Euronext, VEB, VEUO and VNO-NCW, have repeatedly explicitly asked to integrate the VOR in the Code as soon as possible after its appointment without a consultation process with other stakeholders. Also taking into account that the proposal for a VOR was supported by all supporting parties, the new Monitoring Committee decided to respect the supporting parties' wishes by fully incorporating the VOR proposal, as published by the VOR working group, in the Code.

We briefly highlighted this new development after it became public on 20 March 2025. Below is a more in-depth analysis of the new best practice provisions on the VOR in the 2025 Code.

Disclosures under 2022 Code

The 2022 Code required management boards of listed companies to include certain statements in their management report, namely that:

1. the management report provides sufficient insights into any failings in the operation of the internal risk management and control systems related to strategic, operational, compliance and reporting risks;
2. these systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies;
3. it is justified to prepare financial reports on a going-concern basis; and
4. the management report mentions the material risks and uncertainties that are relevant in the coming twelve months.

In its explanatory notes, the Van der Meer Mohr Monitoring Committee mentioned that the management board should generally address the potential impact of the material risks and uncertainties identified for the company. Furthermore, it explained that statements (1) and (4) are not limited to financial risks, and encouraged companies to anticipate the development of integrated reporting.

Recommendations of VOR working group

Recent years have seen a push towards broadening the scope of the statements on risk management. The former Monitoring Committee however decided that this topic went beyond the scope of the 2022 Code update and left it to the next committee to address. Soon after, the topic was added to the political agenda with the passing of a motion in the lower house of parliament encouraging the inclusion of a VOR requirement in the Code. In 2023, to accommodate this situation, a working group was set up, led by Jaap van Manen and including the Code's supporting parties and the Institute of Chartered Accountants (NBA). In December 2023, the VOR working group reached agreement on what the VOR should look like and proposed including the VOR in the Code.

In March 2024, the Minister of Finance responded positively, stating that it would be up to the new Monitoring Committee to include the proposal in the Code. Shortly after being appointed, the new Monitoring Committee included the VOR in the updated Code in line with the working group's proposals.

Enhanced risk management statement in 2025 Code

How will the VOR provisions in the Code impact listed companies in the Netherlands?

Issue a more comprehensive statement

The VOR implies a broader statement by the management board on the company's operational and compliance risks and on its sustainability reporting. In their management report for the 2025 financial year, management boards will have to start:

• Reporting on the level of certainty that the internal control system provides on the effective management of operational and compliance risks

The Code's explanatory notes allow for a company-specific interpretation: the intention is not to refer to the concept of "assurance" used by auditors or require companies to use a fixed framework with levels of certainty. "Effectiveness'' is also not intended to be linked to the similar term in the U.S. Sarbanes-Oxley Act (best practice provision 1.4.3 (iv) of the Code and explanatory notes).

• Declaring that the internal control systems provide limited assurance that the company's sustainability reporting does not contain any material inaccuracies

This element relates to the CSRD requirement that auditors provide limited assurance on the sustainability statements of companies (best practice provision 1.4.3 (iii) and explanatory notes).

• Explaining how the effectiveness of the internal control systems with respect to operational, compliance and reporting risks has been assessed

The explanatory notes appear to recommend that the board indicate which framework (for example, COSO) is used (best practice provision 1.4.2 (iii) and explanatory notes).

The Code's explanatory notes also recommend that the statement include:

• the management board's responsibilities regarding the internal risk management and control systems
• the objectives and features of these systems
• the inherent limitations of these systems

According to best practice provision 1.2.1 the management board must identify and analyse the risks associated with the strategy and activities of the company and its affiliated enterprise. The explanatory notes to this provision in the 2025 Code add that regarding strategic risks, a distinction is made between: (i) decision-making on the strategy, and (ii) implementing the strategy, which translates to operational, compliance and reporting risks. The risk management systems to be covered in the VOR only relate to the implementation of the strategy.

The Code's principle of comply-or-explain also applies to the VOR, meaning that the company may deviate from the requirement to publish the VOR, provided it explains this in the management report.

Amend internal procedures and activities

The company may need to align its existing procedures and activities with the new VOR.

Annual report

Companies' annual reports already contain a number of disclosures on risks and risk management. These disclosures include: risk appetite (sometimes by risk category); the risks undertaken and faced by the company; and the internal controls and risk management systems the company has in place. Companies will need to identify the extent to which these disclosures meet the requirements of the new VOR, such as that the annual report provides insight into how the effectiveness of internal controls and risk management systems is assessed.

Many annual reports do not currently include a statement on the level of certainty provided by the internal controls and risk management systems on the effective management of operational and compliance risks. This is likely to be the most impactful addition to the Code.

Audit committee

The tasks and responsibilities of the audit committee are also expanded to align these with the new reporting requirements. Due to a combination of statutory duties and duties under the Code, the audit committee already plays an important role in the company's governance, having frequent contact with the board, the internal audit function and the external auditor. This role will only gain importance with the introduction of the VOR.

Conclusion

Companies will have to issue a VOR from the 2025 financial year onwards. The reason behind requiring a VOR is to provide more transparency and more insight for stakeholders by issuing a company-specific statement on risk management. The enhanced risk management statement also emphasises the responsibility of the management board, the supervisory board and the audit committee for the annual assessment and improvement of the internal risk management and control systems.