Successful management of existing and emerging risks is critical to the long-term success of our business and to the achievement of our strategic objectives. In order to seize market opportunities and leverage the potential for success, risk must be accepted to a reasonable degree. Risk management is therefore an integral component of the Group’s Corporate Governance.

The current financial year has seen further maturity of the risk management system with additional focus on ensuring the effectiveness of mitigation to manage key business area risks in addition to regular testing of key financial controls occurring across all of our larger businesses. Cohesion between all risk & control functions (Risk, Financial Control, Compliance, IT Security and Health & Safety) continues to be a priority to support an integrated assurance process between all of the second lines of defense departments. Our risk governance framework is set out below:

Risk Governance

TUI Group Risk Management Roles & Responsibilities

Executive Board – Direct & Assure
With oversight by the Supervisory Board, the Executive Board determines the strategic direction of the Group and agrees the nature and extent of the risks it is willing to take to achieve its strategic objectives.

To ensure that the strategic direction chosen by the business represents the best of the strategic options open to it, the Executive Board is supported by the Group Strategy function. This function exists to facilitate the Executive Board’s assessment of the risk landscape and development of potential strategies by which it can drive long-term shareholder value. On an annual basis the Group Controlling function develops an in-depth fact base in a consistent format which outlines the market attractiveness, competitive position and financial performance by division and market. These are then used to facilitate debate as to the level and type of risk that the Executive Board finds appropriate in the pursuit of its strategic objectives. The strategy, once fully defined, considered and approved by the Executive Board, is then incorporated into the Group’s three-year roadmap and helps to communicate the risk appetite and expectations of the organisation both internally and externally.

Ultimately, accountability for the Group’s risk management rests with the Executive Board and therefore it has established and maintains a risk management system to identify, assess, manage and monitor risks which could threaten the existence of the company or have a significant impact on the achievement of its strategic objectives: these are referred to as the principal risks of the Group. This risk management system includes an internally-published risk management policy which helps to reinforce the tone set from the top on risk, by instilling an appropriate risk culture in the organisation whereby employees are expected to be risk aware, control minded and ‘do the right thing’. The policy provides a formal structure for risk management to embed it in the fabric of the business. Each principal risk has assigned to it a member of the Executive Committee as overall risk sponsor to ensure that there is clarity of responsibility and to ensure that each of the principal risks is understood fully and managed effectively.

The Executive Board regularly reports to the Audit Committee of the Supervisory Board on the adherence to both the UK and German listing requirements, the overall risk position of the Group, on the individual principal risks and their management, and on the performance and effectiveness of the risk management system as a whole.

Risk Oversight Committee – Review & Communicate
On behalf of the Executive Board, the Risk Oversight Committee (the ‘ROC’), a subset of the Executive Committee, ensures that business risks are identified, assessed, managed and monitored across the businesses and functions of the Group. Meeting on at least a quarterly basis, the ROC’s responsibilities include considering the principal risks to the Group’s strategy and the risk appetite for each of those risks, assessing the operational effectiveness of the mitigation in place to manage those risks and any action plans to further mitigate them, as well as reviewing the bottom-up risk reporting from the businesses themselves to assess whether there are any heightened areas of concern.

Senior executives from the Group’s major businesses are required to attend the ROC on a rotational basis and present on the risk and control framework in their business, so that the members of the ROC can ask questions on the processes in place, the risks present in each business and any new or evolving risks which may be on their horizon, and also to seek confirmation that an appropriate risk culture continues to be in place in each of the major businesses.

The committee is chaired by the Chief Financial Officer, and senior operational and finance management as well as all of the second lines of defense functions are represented on it. The director of Group Audit also attends as an independent member.

The ROC reports bi-annually to the Executive Board to ensure that it is kept abreast of changes in the risk landscape and developments in the management of principal risks, and to facilitate regular quality discussions on risk management at the Executive Board meetings.

Group Risk Department – Support & Report
The Executive Board has also established a Group Risk department to ensure that the risk management system functions effectively and that the risk management policy is implemented appropriately across the Group. The department supports the risk management process by providing guidance, support and challenge to management whilst acting as the central point for coordinating, monitoring and reporting on risk across the Group. It also supports the ROC in fulfilling its duties and the reporting to both the Executive and Supervisory Boards. Additionally, Group Risk is responsible for the operation of the risk and control software that underpins the Group’s risk reporting and risk management process.

Businesses & Functions – Identify & Assess
Every business and function in the Group is required to adopt the Group Risk Management policy. In order to do this, each either has their own risk committee or includes risk as a regular agenda item at their Board meetings to ensure that it receives the appropriate senior management attention within their business. In addition, the businesses each appoint a Risk Champion, who promotes the risk management policy within their business and ensures its effective application. The Risk Champions are in close contact with Group Risk and are critical both in ensuring that the risk management system functions effectively, and in implementing a culture of continuous awareness and improvement in risk management and reporting.

Risk Reporting

The Group Risk department applies a consistent risk reporting methodology across the Group. This is underpinned by risk and control software which reinforces clarity of language, visibility of risks, mitigation and actions and accountability of ownership. Although the process of risk identification, assessment and response is continuous and embedded within the day-to-day operations of the businesses and functions, it is consolidated, reported and reviewed at varying levels throughout the Group on at least a quarterly basis.

Risk Identification: Management closest to the risks identify the risks relevant to the pursuit of the strategy within their business area in the context of four risk types:

  • Longer-term strategic and emerging threats;
  • Medium-term challenges associated with business change;
  • Short-term risks triggered by changes in the external and regulatory environment; and
  • Short-term risks in relation to internal operations and control.

A risk owner is assigned to each risk, who has the accountability and authority for ensuring that the risk is appropriately managed.

Risk Descriptions: The nature of the risk is articulated in line with best practice, stating the underlying concern the risk gives rise to, identifying the possible causal factors that may result in the risk materializing and outlining the potential consequences should the risk crystallise. This allows the businesses, functions and the Group to assess the interaction of risks and potential triggering events and / or aggregated impacts before developing appropriate mitigation strategies for causes and / or consequences.

Risk Assessment: The methodology used is to initially assess the gross (or inherent) risk. This is essentially the downside, being the product of the impact together with the likelihood of the risk materializing if there is no mitigation in place to manage or monitor the risk. The key benefit of assessing the gross risk is that it highlights the potential risk exposure if mitigation were to fail completely or not be in place at all. Both impact and likelihood are scored on a rating of 1 to 5 using the criteria shown below:

Impact Assessment

Impact is rated as Minor, Moderate, Significant, Major or Serious, in each case with regard to the impact on:

  • Financials (Sales and / or Costs)
  • Reputation
  • Technology reliability
  • Compliance
  • Health & Safety standards
  • Programme Delivery

Likelihood Assessment

  • RARE: < 10 % chance
  • UNLIKELY: 10 – < 30 % chance
  • POSSIBLE: 30 – < 60 % chance
  • LIKELY: 60 – < 80 % chance
  • ALMOST CERTAIN: ≥ 80 % chance

The next step in the risk reporting process is to assess and document the mitigation currently in place to reduce the likelihood of the risk materializing and / or its impact if it does. Consideration of these then enables the current (or residual) risk score to be assessed, which is essentially the reasonably foreseeable scenario. This measures the impact and likelihood of the risk with the mitigation in place and effective. The key benefit of assessing the current risk score is that it provides an understanding of the current level of risk faced today and the reliance on the mitigation in place.

Risk Response: If management are comfortable with the current risk score, the risk is accepted and no further action is required to further reduce the risk. The mitigation continues to be operated and management monitor the risk, the mitigation and the risk landscape to ensure that it remains at an acceptable level.

If management assesses that the current risk score is too high, an action plan will be drawn up with the objective of introducing new or stronger mitigation that will further reduce the impact and / or likelihood of the risk to an acceptable level. This is known as the target risk score and is the parameter by which management can ensure the risk is being managed in line with their overall risk appetite. The risk owner will normally be the individual tasked with ensuring that this action plan is implemented within an agreed timetable.

Each business and function will continue to review their risk register on an ongoing basis through the mechanism appropriate for their business e. g. local Risk Committee.

This bottom-up risk reporting is considered by the ROC alongside the Group’s principal risks. New risks are added to the Group’s principal risk register if deemed to be of a significant nature so that the ongoing status and the progression of key action plans can be managed in line with the Group’s targets and expectations.

Ad Hoc Risk Reporting
Whilst there is a formal process in place for reporting on risks on a quarterly basis, the process of risk identification, assessment and response is continuous and therefore if required, risks can be reported to the Executive Board outside of the quarterly process, should events dictate that this is necessary and appropriate. Ideally such ad hoc reporting is performed by the business or function which is closest to the risk, but it can be performed by the Group Risk department if necessary.

Entity Scoping
A robust exercise is conducted each year to determine the specific entities in the Group which need to be included within the risk and control software and therefore be subject to the full rigour of the risk reporting process. The scoping exercise starts with the entities included within the Group’s consolidation system, and applies materiality thresholds to a combination of revenue, profit and asset benchmarks. From the entities in the consolidation system, this identifies the levels at which these entities are operationally managed and therefore need to be included in the risk and control software itself to facilitate completeness of bottom-up risk reporting across the Group. This ensures that the risks are able to be captured appropriately at the level at which the risks are being managed.

Principal Risk Heat Map

Effectiveness of the risk management system
The Executive Board regularly reports to the Audit Committee of the Supervisory Board on the performance, effectiveness and adherence to listing requirements of the risk management system, supported by the ROC and the Group Risk department. Additionally, the Audit Committee receives assurance from Group Audit through its audit plan over a selection of principal risks, processes and business transformation initiatives most critical to the Group’s continued success.

The conclusion from all of the above assurance work is that the risk management system has functioned effectively throughout the year and there have been no significant failings or weaknesses identified. Of course there is always room for improvement, and the Risk Champions and the Group Risk department continue to work together to enhance the risk management and reporting processes. Broadly this concerns ensuring consistency of approach in assessing risk scores, clearer identification of mitigation currently in place as well as any action plans to introduce further mitigation, and ensuring that risk identification has considered all four risk types.

Finally, in accordance with Section 317 (4) HGB (German Commercial Code), the auditor of TUI AG has reviewed the Group’s early detection system for risks in place as required by Section 91 (2) AktG (German Stock Corporation Act) to conclude whether the system can fulfill its duties.

Principal Risks

The principal risks to the Group are either considered to be ‘Active’ or ‘Monitored’.

Active principal risks are those that we have to actively manage in order to bring them into line with our overall risk appetite. We have action plans in place to increase or strengthen mitigation around each of these risks and reduce the current risk score to the target level indicated in the heat map diagram.

Monitored principal risks are those generally inherent to the tourism sector and faced by all businesses in the industry. For these, we have controls, processes and procedures in place as a matter of course that serve to mitigate each risk to either minimize the likelihood of the event occurring and / or minimize the impact if it does occur. These risks remain on our risk radar where we regularly monitor the risk, the mitigation and the risk landscape to ensure that the risk score stays stable and in line with our risk appetite in each case.

 

FY 2019 Principal Risks

With the UK Government formally triggering Article 50 of the Treaty on European Union (‘EU’) of Lisbon on 29th March 2017, Brexit remains an active principal risk. Brexit has an impact on existing principal risks (e. g. Customer Demand and Input Cost Volatility, particularly for the UK market through the uncertainty it has introduced to prospects for future growth rates in the UK economy and the depreciation of sterling since the referendum result in 2016) and is also its own class of principal risk due to the direct potential impact it could have on specific areas of our business model.

With regard to the UK’s potential exit from the EU in 2020, the main concern remains whether our airlines will continue to have access to EU airspace. We are continuing to address the importance of there being a special and comprehensive agreement for aviation between the EU and the UK post Brexit to protect consumer choice with the relevant UK and EU decision makers, and are in regular exchange with relevant regulatory authorities. We continue to develop scenarios and mitigating strategies for various outcomes, including a ‘hard Brexit’, depending on the political negotiations, with a focus on alleviating potential impacts from Brexit for the Group.

The estimated cost impact relating to the Boeing 737 Max aircraft remaining grounded until early 2020 as well as potentially throughout the financial year has been reflected within our FY 2020 underlying EBIT guidance; however, we continue to monitor the risk of the aircraft remaining grounded beyond this period. From a principal risk perspective, the assessment remains part of the Supplier Reliance monitored risk.

With the Group’s continued focus on ensuring that we have the right people in order to deliver our strategy, the Executive Board agreed to include Talent & Leadership Development as a monitored principal risk in FY 2019. Further details of the risk and the mitigation in place are included in the table below.

If the risk detail in the subsequent tables does not suggest otherwise, the risks shown below relate to all segments of the Group. The risks listed are the principal risks to which we are exposed but are not exhaustive and will evolve over time due to the dynamic nature of our business.

Viability Statement

In accordance with provision 31 of the 2018 revision of the UK Corporate Governance Code, the Executive Board has assessed the prospect of the Company over a longer period than the twelve months required by the ‘Going Concern’ provision. The Executive Board considers annually and on a rolling basis a three-year strategic plan for the business; the latest was approved in December 2019 and covers the period to 30 September 2022. A three-year horizon is considered appropriate for a fast-moving competitive environment such as tourism.

It is also noted that the Group’s current € 1,535.0 m revolving credit limit, which expires in July 2022, is used to manage the seasonality of the Group’s cash flows and is reviewed on a timely basis. The three-year plan considers cash flows as well as the financial covenants which the credit facility requires compliance with.

Key assumptions underpinning the three-year plan and the associated cash flow forecast are that aircraft and cruise ship finance will continue to be readily available, and that the terms of the UK leaving the EU are such that all of our airlines continue to have access to EU airspace as now.

The Executive Board has conducted a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. Sensitivity analysis is applied to the cash flow to model the potential effects should certain principal risks actually occur, individually or in unison. This includes modelling the effects on the cash flow of significant disruption in the event of a major service failure by a key supplier.

Taking account of the company’s current position, principal risks and the aforementioned sensitivity analysis, the Executive Board has a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the three-year period of the assessment.

Key features of the internal control and risk management system in relation to the (Group) accounting process (sections 289 (4) and 315 (4) of the German Commercial Code HGB)

1. Definition and elements of the internal control and risk management system in the TUI Group
The TUI Group’s internal control system comprises all the principles, processes and measures that are applied to secure effective, efficient and accurate accounting which is compliant with the necessary legal requirements.

The internationally recognised framework of COSO (Committee of Sponsoring Organizations of the Treadway Commission) forms the conceptual basis for TUI Group’s internal control system, consisting of internal controls and the internal monitoring system. The Executive Board of TUI AG, in exercising its function of managing business operations, has entrusted responsibility for the internal control system in the TUI Group to specific Group functions.

The elements of the internal monitoring system in the TUI Group comprise both measures integrated into processes and measures performed independently. Besides manual process controls, e. g. the ‘four-eyes principle’, another key element of the process-related measures are automated IT process controls. Process-related monitoring is also secured by bodies such as the Risk Oversight Committee of TUI AG and by specific Group functions.

The Supervisory Board of TUI AG, in particular its Audit Committee, as well as the Group Auditing department at TUI AG are incorporated into the TUI Group’s internal monitoring system through their audit activities performed independently from business processes. On the basis of section 107 (3) of the German Stock Corporation Act, the Audit Committee of TUI AG deals primarily with the auditing of the annual financial statements, monitoring the accounting process and the effectiveness of the internal control and risk management system. In the Audit Committee Report the reliability of the financial reporting and the monitoring of the financial accounting process as well as the effectiveness of the internal control and risk management system are described.

The Group’s auditors have oversight of the TUI Group’s control environment. The audit of the consolidated financial statements by the Group auditor and the audit of the individual financial statements of Group companies included in the consolidated financial statements, in particular, constitute a key non-process-related monitoring measure with regard to Group accounting.

In relation to Group accounting, the risk management system, introduced as an Enterprise Risk Management System (ERM System) as a component of the internal control system, also addresses the risk of misstatements in Group bookkeeping and external reporting. Apart from operational risk management, which includes the transfer of risks to insurance companies by creating cover for damage and liability risks and also hedging transactions to limit foreign currency and fuel price risks, the TUI Group’s risk management system embraces the systematic early detection, management and monitoring of risks across the Group. A more detailed explanation of the risk management system is provided in the section on the Risk Governance Framework in the Risk Report.

2. Use of IT systems
Bookkeeping transactions are captured in the individual financial statements of TUI AG and of the subsidiaries of TUI AG, through local accounting systems such as SAP or Oracle. As part of the process of preparing their individual financial statements, subsidiaries complete standardized reporting packages in the Group’s Oracle Hyperion Financial Management 11.1.2.4 (HFM) reporting system. HFM is used as the uniform reporting and consolidation system throughout the Group so that no additional interfaces exist for the preparation of the consolidated financial statements.

Nearly all consolidation processes used to prepare the consolidated financial statements of TUI AG, e. g. capital consolidation, assets and liabilities consolidation and expenses and income elimination including at equity measurement, are generated and fully documented in HFM. Virtually all elements of TUI AG’s consolidated financial statements, including the disclosures in the Notes, are developed from and validated by the HFM consolidation system. HFM also provides various modules for evaluation purposes in order to prepare complementary information to explain TUI AG’s consolidated financial statements.

The HFM reporting and consolidation system has an in-built workflow process whereby when businesses promote their data within the system, to signal that their reporting package is complete, they are then locked out from making any further changes to that data. This ensures data integrity within the system and also facilitates a strong audit trail enabling changes to a reporting package to be identified. This feature of the HFM system has been checked and validated by the TUI AG Group Audit department on several occasions since the system was introduced.

At their own discretion, TUI AG’s Group auditors select certain individual financial statements from the financial statements entered in the HFM reporting and consolidation system by the Group companies, which are then reviewed for the purposes of auditing the consolidated financial statements.

3. Specific risks related to (Group) Accounting
Specific risks related to (Group) accounting may arise, for example, from unusual or complex business transactions, in particular at critical times towards the end of the financial year. Business transactions not routinely processed also entail special risks. The discretion necessarily granted to employees for the recognition and measurement of assets and liabilities may result in further (Group) accounting-related risks. The outsourcing and transfer of accounting-specific tasks to service companies may also give rise to specific risks. Accounting-related risks from derivative financial instruments are outlined in the Notes to the consolidated financial statements.

4. Key regulation and control activities to ensure proper and reliable (Group) Accounting
The internal control measures aimed at securing proper and reliable (Group) accounting ensure that business transactions are fully recorded in a timely manner in accordance with legal requirements and the Articles of Association. This also ensures that assets and liabilities are properly recognised, measured and presented in the financial statements and the consolidated financial statements. The control operations also ensure that bookkeeping records provide reliable and comprehensive information.

Controls implemented to secure proper and reliable accounting include, for instance, analysis of facts and developments on the basis of specific indicators. Separation of administrative, execution, settlement and authorisation functions and the implementation of these functions by different persons reduces the potential for fraudulent operations. Organisational measures also aim to capture any corporate or Group-wide restructuring or changes in sector business operations rapidly and appropriately in (Group) accounting. They also ensure, for instance, that bookkeeping transactions are correctly recognised in the period in which they occur in the event of changes in the IT systems used by the accounting departments of Group companies. The internal control system likewise ensures that changes in the TUI Group’s economic or legal environment are mapped and that new or amended accounting standards are correctly applied.

The TUI Group’s accounting policies together with the International Financial Reporting Standards (IFRS) in compliance with EU legislation, govern the uniform accounting and measurement principles for the German and foreign companies included in TUI’s consolidated financial statements. They include general accounting principles and methods, policies concerning the statement of financial position, income statement, notes, management report and cash flow statement.

The TUI Group’s accounting policies also govern specific formal requirements for the consolidated financial statements. Besides defining the group of consolidated companies, they include detailed guidance on the reporting of financial information by those companies via the group reporting system HFM on a monthly, quarterly and year-end basis. TUI’s accounting policies also include, for instance, specific instructions on the initiating, reconciling, accounting for and settlement of transactions between group companies or determination of the fair value of certain assets, especially goodwill. At Group level, specific controls to ensure proper and reliable (Group) accounting include the analysis and, where necessary, correction of the individual financial statements submitted by the Group companies, taking account of the reports prepared by the auditors and meetings to discuss the financial statements which involve both the auditors and local management. Any further content that requires adjusting can be isolated and processed downstream. The control mechanisms already established in the HFM consolidation system minimize the risk of processing erroneous financial statements. Certain parameters are determined at Group level and have to be applied by Group companies. This includes parameters applicable to the measurement of pension provisions or other provisions and the interest rates to be applied when cash flow models are used to calculate the fair value of certain assets. The central implementation of impairment tests for goodwill recognized in the financial statements secures the application of uniform and standardized evaluation criteria.

5. Disclaimer
With the organisational, control and monitoring structures established by the TUI Group, the internal control and risk management system enables company-specific facts to be captured, processed and recognized in full and properly presented in the Group’s accounts.

However, it lies in the very nature of the matter that discretionary decision-making, faulty checks, criminal acts and other circumstances, in particular, cannot be ruled out and will restrict the efficiency and reliability of the internal control and risk management systems, so that even Group-wide application of the systems cannot guarantee with absolute certainty the accurate, complete and timely recording of facts in the Group’s accounts.

Any statements made relate exclusively to TUI AG and to subsidiaries according to IFRS 10 included in TUI AG’s consolidated financial statements.