Understanding what the VOR means for your organization

The VOR emphasis responsibility for boards towards assessment and disclosure of risk management and control systems, potentially indicating enhancement opportunities. A widescope internal control statement is required to be included in annual report from 2025. This counts for organizations subject to the Dutch Governance Code. 

The VOR should reflect the extent to which the risk management and control systems provide assurance that operations, compliance and reporting (financial and sustainability reports) are effective. With that the scope of the ‘in control statement’ is much wider than the current scope on financial reporting controls. 

The degree of assurance in the VOR with respect to reporting varies from ‘reasonable’ for financial reporting to ‘limited’ for sustainability reporting. For operations and compliance the degree of assurance is undefined, but alignment with the risk appetite is expected. 

The VOR is a principle-based statement that requires listed companies to regularly assess effectiveness of their risk management and control systems, and report on this annually. This includes evaluating operational, compliance, and (financial and sustainability) reporting risks. 

The VOR mandates that companies use a chosen framework, such as the COSO Internal Control Integrated Framework, to conduct these assessments. The results, including the level of assurance provided by these systems, must be transparently disclosed in the management report, thereby enhancing the quality and transparency of risk management practices within the organization.

What does the VOR mean for your organization? 

The responsibility of the management board for identifying and managing risks remains unchanged and also remains a key topic on the supervisory board agenda. The main change relates to the disclosure and is explained next. 

Clarification of Responsibilities: The management board must annually assess and disclose the effectiveness of risk management and control systems related to operational, compliance, and reporting (financial and sustainability reporting) risks, using a framework chosen by the company. 

Sustainability reporting: Risk management must now also cover sustainability reporting. Disclosure of ‘in control statement’ now also to cover operations, compliance and sustainability reporting. Previous ‘in control statement’ covered financial reporting only.

 Wider scope management Statement: The existing management statement on financial reporting must be extended to also cover a statement on the level of assurance in relation to operations, compliance and sustainability reporting. 

Expansion of the audit committee's report: with the extension of the VOR scope in the management report, also the scope of the assessment by the supervisory board’s audit committee and related reporting is widened.

Call to action 

From 2025, the annual report of organizations subject to the Dutch Governance Code needs to include the VOR or explain why it is missing. 

Start by understanding the new VOR requirements and assess the gaps with your current framework and approach. Identify areas that need improvement and enhance your risk management practices accordingly. Integrate sustainability risks into your control framework and perform regular assessments, while disclosing the results in your annual management report. By taking these steps, you'll be well-prepared to meet the VOR requirements. 

Start in time and ensure good coordination between the management board, assurance providers (2nd and 3rd line roles) and the supervision (i.e. audit committee).

How Forvis Mazars can help 

At Forvis Mazars, we understand the complexities and challenges that come with implementing the VOR. 

• Our experienced team is dedicated to providing comprehensive support to ensure your organization meets the new requirements effectively and efficiently. 
• With our expertise in governance, risk management, internal controls, CSRD and compliance, we will help you from initial assessment to full implementation.
• By providing expert guidance in selecting and applying the right risk management frameworks, and by conducting thorough gap analyses to identify areas needing improvement. We engage subject-matter experts, for example on cyber, CSRD, tax, privacy and financial crime.
• As a relatively new domain, our team assists in integrating sustainability reporting risks into your overall risk management approach and ensures risk management practices are robust and compliant. 
• We offer Internal Audit services to provide additional assurance on the adequacy of the Internal Risk & Control System (IRCS). Depending on the role of the Internal Audit function in relation to the VOR, we also provide broader support. Reference is made to a practice guide (in Dutch) issued by the Institute of Internal Auditors.