Successful management of existing and emerging risks is critical to the long-term success of our business and to the achievement of our strategic objectives. In order to seize market opportunities and leverage the potential for success, risk must be accepted to a reasonable degree. Risk management is therefore an integral component of the Group’s Corporate Governance.

The current financial year has seen further maturity of the risk management system with the introduction of an aligned operational controls testing process in addition to regular testing of key financial controls occurring across all of our larger businesses. Further cohesion between all risk & control functions is being implemented to support an integrated assurance process between all of the second lines of defense departments. Our risk governance framework is set out below:

Risk Governance

TUI Group Risk Management Roles & Responsibilities

Executive Board – Direct & Assure
With oversight by the Supervisory Board, the Executive Board determines the strategic direction of the Group and agrees the nature and extent of the risks it is willing to take to achieve its strategic objectives.

To ensure that the strategic direction chosen by the business represents the best of the strategic options open to it, the Executive Board is supported by the Group Strategy function. This function exists to facilitate the Executive Board’s assessment of the risk landscape and development of potential strategies by which it can drive long-term shareholder value. On an annual basis the Group Strategy function develops an in-depth fact base in a consistent format which outlines the market attractiveness, competitive position and financial performance by division and market. These are then used to facilitate debate as to the level and type of risk that the Executive Board finds appropriate in the pursuit of its strategic objectives. The strategy, once fully defined, considered and approved by the Executive Board, is then incorporated into the Group’s three-year roadmap and helps to communicate the risk appetite and expectations of the organisation both internally and externally.

Ultimately, accountability for the Group’s risk management rests with the Executive Board and therefore it has established and maintains a risk management system to identify, assess, manage and monitor risks which could threaten the existence of the company or have a significant impact on the achievement of its strategic objectives: these are referred to as the principal risks of the Group. This risk management system includes an internally-published risk management policy which helps to reinforce the tone set from the top on risk, by instilling an appropriate risk culture in the organisation whereby employees are expected to be risk aware, control minded and ‘do the right thing’. The policy provides a formal structure for risk management to embed it in the fabric of the business. Each principal risk has assigned to it a member of the Executive Committee as overall risk sponsor to ensure that there is clarity of responsibility and to ensure that each of the principal risks is understood fully and managed effectively.

The Executive Board regularly reports to the Audit Committee of the Supervisory Board on the adherence to both the UK and German listing requirements, the overall risk position of the Group, on the individual principal risks and their management, and on the performance and effectiveness of the risk management system as a whole.

Risk Oversight Committee – Review & Communicate
On behalf of the Executive Board, the Risk Oversight Committee (the ROC), a subset of the Executive Committee, ensures that business risks are identified, assessed, managed and monitored across the businesses and functions of the Group. Meeting on at least a quarterly basis, the ROC’s responsibilities include considering the principal risks to the Group’s strategy and the risk appetite for each of those risks, assessing the operational effectiveness of the controls in place to manage those risks and any action plans to further improve controls, as well as reviewing the bottom-up risk reporting from the businesses themselves to assess whether there are any heightened areas of concern.

Senior executives from the Group’s major businesses are required to attend the ROC on a rotational basis and present on the risk and control framework in their business, so that the members of the ROC can ask questions on the processes in place, the risks present in each business and any new or evolving risks which may be on their horizon, and also to seek confirmation that an appropriate risk culture continues to be in place in each of the major businesses.

Chaired by the Chief Financial Officer, other members of the Committee include the CEO Aviation, the directors of Strategy, Financial Accounting, Treasury & Insurance and Group HR. In addition to these, all of the second lines of defense functions including Risk, Financial Control, Legal Compliance, IT Security and Health & Safety are represented on the committee. The director of Group Audit attends as an independent member and therefore is without voting rights.

The ROC reports bi-annually to the Executive Board to ensure that it is kept abreast of changes in the risk landscape and developments in the management of principal risks, and to facilitate regular quality discussions on risk management at the Executive Board meetings.

Group Risk Department – Support & Report
The Executive Board has also established a Group Risk department to ensure that the risk management system functions effectively and that the risk management policy is implemented appropriately across the Group. The department supports the risk management process by providing guidance, support and challenge to management whilst acting as the central point for coordinating, monitoring and reporting on risk across the Group. It also supports the ROC in fulfilling its duties and the reporting to both the Executive and Supervisory Boards. Additionally, Group Risk is responsible for the operation of the risk and control software that underpins the Group’s risk reporting and risk management process.

Businesses & Functions – Identify & Assess
Every business and function in the Group is required to adopt the Group Risk Management policy. In order to do this, each either has their own Risk Committee or includes risk as a regular agenda item at their Board meetings to ensure that it receives the appropriate senior management attention within their business. In addition, the businesses each appoint a Risk Champion, who promotes the risk management policy within their business and ensures its effective application. The Risk Champions are in close contact with Group Risk and are critical both in ensuring that the risk management system functions effectively, and in implementing a culture of continuous improvement in risk management and reporting.

Risk Reporting

The Group Risk department applies a consistent risk reporting methodology across the Group. This is underpinned by a risk and control software which reinforces clarity of language, visibility of risks, controls and actions and accountability of ownership. Although the process of risk identification, assessment and response is continuous and embedded within the day-to-day operations of the businesses and functions, it is consolidated, reported and reviewed at varying levels throughout the Group on at least a quarterly basis.

Risk Identification: Management closest to the risks identify the risks relevant to the pursuit of the strategy within their business area in the context of four risk types:

  • Longer-term strategic and emerging threats;
  • Medium-term challenges associated with business change;
  • Short-term risks triggered by changes in the external and regulatory environment; and
  • Short-term risks in relation to internal operations and control.

A risk owner is assigned to each risk, who has the accountability and authority for ensuring that the risk is appropriately managed.

Risk Descriptions: The nature of the risk is articulated in line with best practice, stating the underlying concern the risk gives rise to, identifying the possible causal factors that may result in the risk materializing and outlining the potential consequences should the risk crystallise. This allows the businesses, functions and the Group to assess the interaction of risks and potential triggering events and / or aggregated impacts before developing appropriate mitigation strategies for causes and / or consequences.

Risk Assessment: The methodology used is to initially assess the gross (or inherent) risk. This is essentially the worst case scenario, being the product of the impact together with the likelihood of the risk materializing if there are no controls in place to manage, mitigate or monitor the risk. The key benefit of assessing the gross risk is that it highlights the potential risk exposure if controls were to fail completely or not be in place at all. Both impact and likelihood are scored on a rating of 1 to 5 using the criteria shown below:

Impact Assessment

  • (< 35 m €): Minimal impact on Global reputation, Programme delivery, Technology reliability, Health & Safety standards
  • MINOR, 3 – < 5 % EBITA* (35 – < 60 m €): Limited impact on Global reputation, Programme delivery, Technology reliability, Health & Safety standards
  • MODERATE, 5 – < 10 % EBITA* (60 – < 120 m €): Short term impact on Global reputation, Programme delivery, Technology reliability, Health & Safety standards
  • MAJOR, 10 – < 15 % EBITA* (120 – < 180 m €): Medium term impact on Global reputation, Programme delivery, Technology reliability, Health & Safety standards
  • ( ≥ 180 m €): Detrimental impact on Global reputation, Programme delivery, Technology reliability, Health & Safety standards

* Budgeted underlying EBITA for the financial year ended 30 September 2018

Likelihood Assessment

RARE < 10 % Chance
UNLIKELY 10 – < 30 % Chance
POSSIBLE 30 – < 60 % Chance
LIKELY 60 – < 80 % Chance
ALMOST CERTAIN ≥ 80 % Chance

The next step in the risk reporting process is to assess and document the controls that are currently in place to reduce the likelihood of the risk materializing and / or its impact if it does. Consideration of these then enables the current (or residual) risk score to be assessed, which is essentially the reasonably foreseeable scenario. This measures the impact and likelihood of the risk with the implemented controls in operation. The key benefit of assessing the current risk score is that it provides an understanding of the current level of risk faced today and the reliance on the controls currently in place.

Risk Response: If management are comfortable with the current risk score, the risk is accepted and no further action is required to further reduce the risk. The controls in place continue to be operated and management monitor the risk, the controls and the risk landscape to ensure that they stay in line with management’s tolerance of the risk.

If management assesses that the current risk score is too high, an action plan will be drawn up with the objective of introducing new or stronger controls that will further reduce the impact and / or likelihood of the risk to an acceptable, tolerable and justifiable level. This is known as the target risk score and is the parameter by which management can ensure the risk is being managed in line with their overall risk appetite. The risk owner will normally be the individual tasked with ensuring that this action plan is implemented within an agreed timetable.

Each business and function will continue to review their risk register on an ongoing basis through the mechanism appropriate for their business e. g. local Risk Committee.

This bottom-up risk reporting is considered by the ROC alongside the Group’s principal risks. New risks are added to the Group’s principal risk register if deemed to be of a significant nature so that the ongoing status and the progression of key action plans can be managed in line with the Group’s targets and expectations.

Ad Hoc Risk Reporting
Whilst there is a formal process in place for reporting on risks on a quarterly basis, the process of risk identification, assessment and response is continuous and therefore if required, risks can be reported to the Executive Board outside of the quarterly process, should events dictate that this is necessary and appropriate. Ideally such ad hoc reporting is performed by the business or function which is closest to the risk, but it can be performed by the Group Risk department if necessary. 

Principal Risk Heat Map

Entity Scoping
A robust exercise is conducted each year to determine the specific entities in the Group which need to be included within the risk and control software and therefore be subject to the full rigor of the risk reporting process. The scoping exercise starts with the entities included within the Group’s consolidation system, and applies materiality thresholds to a combination of revenue, profit and asset benchmarks. From the entities this identifies, the common business management level at which those entities are managed is identified to dictate the entities which need to be included in the risk and control software itself to facilitate completeness of bottom-up risk reporting across the Group. This ensures that the risks and controls are able to be captured appropriately at the level at which the risks are being managed.

Effectiveness of the Risk Management System
The Executive Board regularly reports to the Audit Committee of the Supervisory Board on the performance, effectiveness and adherence to listing requirements of the risk management system, supported by the ROC and the Group Risk department. Additionally, the Audit Committee receives assurance from Group Audit through its audit plan over a selection of principal risks and business transformation initiatives most critical to the Group’s continued success.

The conclusion from all of the above assurance work is that the risk management system has functioned effectively throughout the year and there have been no significant failings or weaknesses identified. Of course there is always room for improvement, and the Risk Champions and the Group Risk department continue to work together to enhance the risk management and reporting processes. Broadly this concerns ensuring consistency of approach in assessing risk scores, clearer identification of controls currently in place as well as any action plans to introduce further controls, and ensuring that risk identification has considered all four risk types.

Finally, in accordance with Section 317 (4) HGB (German Commercial Code), the auditor of TUI AG has reviewed the Group’s early detection system for risks in place as required by Section 91 (2) AktG (German Stock Corporation Act) to conclude whether the system can fulfill its duties.

Principal Risks

The principal risks to the Group are either considered to be ‘Active’ or ‘Monitored’.

Active principal risks are those that we have to actively manage in order to bring them into line with our overall risk appetite. We have action plans in place to increase controls around each of these risks and reduce the current risk score to the target level indicated in the heat map diagram.

Monitored principal risks are generally inherent to the tourism sector faced by all businesses in the industry. For these, we have controls, processes and procedures in place as a matter of course that serve to mitigate each risk to either minimize the likelihood of the event occurring and / or minimize the impact if it does occur. These risks remain on our risk radar where we regularly monitor the risk, the controls and the risk landscape to ensure that the risk score stays stable and in line with our risk appetite in each case.

In the heat map diagram, the assessment criteria used are shown on page 43. Note that the quantitative impact assessment is based on the budgeted underlying EBITA for the financial year ended 30 September 2018.

FY 2018 Principal Risks

With the UK government formally triggering Article 50 of the Treaty on European Union of Lisbon on 29th March 2017, Brexit continues to remain an active principal risk. Brexit has an impact both on existing principal risks (e. g. Macroeconomic and Input Cost Volatility, particularly for the UK market through the uncertainty it has introduced to prospects for future growth rates in the UK economy and the depreciation of sterling since the referendum result in 2016) as well as its own class of principal risk due to the direct potential impact it could have on specific areas of our business model.

The main concern related to Brexit continues to be whether our airlines will continue to have access to EU airspace. We will continue to address the importance of there being a special agreement for aviation to protect consumer choice with the relevant UK and EU ministers and officials, and are in regular exchange with relevant regulatory authorities. We are currently developing scenarios and mitigating strategies for various outcomes, including a ‘hard Brexit’, depending on the political negotiations, with a focus to alleviate any potential impacts from Brexit for the Group. Our Brexit Steering Committee continues to monitor external developments and coordinates measures to be taken ahead of March 2019, when the UK will be formally exiting the European Union. Beyond weekly meetings at the level of different internal Brexit work-streams, the topic is also regularly (bi-weekly / monthly) discussed in the TUI Group Executive Committee (GEC), and the Supervisory Board has been updated quarterly in 2018.

With the EU GDPR regulation being enforced in May 2018, whereby any data breaches may result in a significant financial penalty, the gross score of the Information Security principal risk has increased. Our mitigation strategy, including making information security part of everyone’s job, continues to focus on managing the likelihood of this risk materializing.

As the brand change program has been successfully implemented in all markets, the related risk is no longer considered principal to the Group.

If the risk detail in the subsequent tables does not suggest otherwise, the risks shown below relate to all segments of the Group. The risks listed are the principal risks to which we are exposed but are not exhaustive and will evolve over time due to the dynamic nature of our business.

Viability Statement

In accordance with provision C2.2 of the 2016 revision of the UK Corporate Governance Code, the Executive Board has assessed the prospect of the Company over a longer period than the twelve months required by the ‘Going Concern’ provision. The Executive Board considers annually and on a rolling basis a three year strategic plan for the business; the latest was approved in October 2018 and covers the period to 30 September 2021. A three year horizon is considered appropriate for a fast-moving competitive environment such as tourism.

It is also noted that the Group’s current € 1,535.0 m revolving credit limit, which expires in July 2022, is used to manage the seasonality of the Group’s cash flows and is reviewed on a timely basis. The three year plan considers cash flows as well as the financial covenants which the credit facility requires compliance with.

Key assumptions underpinning the three year plan and the associated cash flow forecast are that aircraft and cruise ship finance will continue to be readily available, and that the terms of the UK leaving the EU are such that all of our airlines continue to have access to EU airspace as now.

The Executive Board has conducted a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. Sensitivity analysis is applied to the cash flow to model the potential effects should certain principal risks actually occur, individually or in unison. This includes modelling the effects on the cash flow of significant disruption to a major destination in the summer season. 

Taking account of the company’s current position, principal risks and the aforementioned sensitivity analysis, the Executive Board has a reasonable expectation that the company will be able to continue in operation and meet its liabilities as they fall due over the three year period of the assessment.

Key features of the internal control and risk management system in relation to the (Group) accounting process (sections 289 (4) and 315 (2) no 5 of the German Commercial Code HGB)

1. Definition and elements of the internal control and risk management system in the TUI Group
The TUI Group’s internal control system comprises all the principles, processes and measures that are applied to secure effective, efficient and accurate accounting which is compliant with the necessary legal requirements.

The internationally recognised framework of COSO (Committee of Sponsoring Organizations of the Treadway Commission) forms the conceptual basis for TUI Group’s internal control system, consisting of internal controls and the internal monitoring system. The Executive Board of TUI AG, in exercising its function of managing business operations, has entrusted responsibility for the internal control system in the TUI Group to specific Group functions.

The elements of the internal monitoring system in the TUI Group comprise both measures integrated into processes and measures performed independently. Besides manual process controls, e. g. the ‘four-eyes principle’, automated IT process controls are another key element of the process-related measures. Process-related monitoring is also secured by bodies such as the Risk Oversight Committee of TUI AG and by specific Group functions.

The Supervisory Board of TUI AG, in particular its Audit Committee, as well as the Group Auditing department at TUI AG are incorporated into the TUI Group’s internal monitoring system through their audit activities performed independently from business processes. On the basis of section 107 (3) of the German Stock Corporation Act, the Audit Committee of TUI AG deals primarily with the auditing of the annual financial statements, monitoring the accounting process and the effectiveness of the internal control and risk management system. In the Audit Committee Report the reliability of the financial reporting and the monitoring of the financial accounting process as well as the effectiveness of the internal control and risk management system are described.

The Group’s auditors have oversight of the TUI Group’s control environment. The audit of the consolidated financial statements by the Group auditor and the audit of the individual financial statements of Group companies included in the consolidated financial statements, in particular, constitute a key non-process-related monitoring measure with regard to Group accounting.

In relation to Group accounting, the risk management system, introduced as an Enterprise Risk Management System (ERM System) as a component of the internal control system, also addresses the risk of misstatements in Group bookkeeping and external reporting. Apart from operational risk management, which includes the transfer of risks to insurance companies by creating cover for damage and liability risks and also hedging transactions to limit foreign currency and fuel price risks, the TUI Group’s risk management system embraces the systematic early detection, management and monitoring of risks across the Group. A more detailed explanation of the risk management system is provided in the section on the Risk Governance Framework in the Risk Report.

2. Use of IT systems
Bookkeeping transactions are captured in the individual financial statements of TUI AG and of the subsidiaries of TUI AG, through local accounting systems such as SAP or Oracle. As part of the process of preparing their individual financial statements, subsidiaries complete standardized reporting packages in the Group’s Oracle Hyperion Financial Management (HFM) reporting system. HFM is used as the uniform reporting and consolidation system throughout the Group so that no additional interfaces exist for the preparation of the consolidated financial statements.

Nearly all consolidation processes used to prepare the consolidated financial statements of TUI AG, e. g. capital consolidation, assets and liabilities consolidation and expenses and income elimination including at equity measurement, are generated and fully documented in HFM. All elements of TUI AG’s consolidated financial statements, including the disclosures in the Notes, are developed from the HFM consolidation system. HFM also provides various modules for evaluation purposes in order to prepare complementary information to explain TUI AG’s consolidated financial statements.

The HFM reporting and consolidation system has an in-built workflow process whereby when businesses promote their data within the system, to signal that their reporting package is complete, they are then locked out from making any further changes to that data. This ensures data integrity within the system and also facilitates a strong audit trail enabling changes to a reporting package to be identified. This feature of the HFM system has been checked and validated by the TUI AG Group Audit department on several occasions since the system was introduced.

At their own discretion, TUI AG’s Group auditors select certain individual financial statements from the financial statements entered in the HFM reporting and consolidation system by the Group companies, which are then reviewed for the purposes of auditing the consolidated financial statements.

3. Specific risks related to Group Accounting
Specific risks related to Group accounting may arise, for example, from unusual or complex business transactions, in particular at critical times towards the end of the financial year. Business transactions not routinely processed also entail special risks. The discretion necessarily granted to employees for the recognition and measurement of assets and liabilities may result in further Group accounting-related risks. The outsourcing and transfer of accounting-specific tasks to service companies may also give rise to specific risks. Accounting-related risks from derivative financial instruments are outlined in the Notes to the consolidated financial statements.

4. Key regulation and control activities to ensure proper and reliable (Group) Accounting
The internal control measures aimed at securing proper and reliable Group accounting ensure that business transactions are fully recorded in a timely manner in accordance with legal requirements and the Articles of Association. This also ensures that assets and liabilities are properly recognised, measured and presented in the financial statements and the consolidated financial statements. The control operations also ensure that bookkeeping records provide reliable and comprehensive information.

Controls implemented to secure proper and reliable accounting include, for instance, analysis of facts and developments on the basis of specific indicators. Separation of administrative, execution, settlement and authorisation functions and the implementation of these functions by different persons reduces the potential for fraudulent operations. Organisational measures also aim to capture any corporate or Groupwide restructuring or changes in sector business operations rapidly and appropriately in Group accounting. They also ensure, for instance, that bookkeeping transactions are correctly recognised in the period in which they occur in the event of changes in the IT systems used by the accounting departments of Group companies. The internal control system likewise ensures that changes in the TUI Group’s economic or legal environment are mapped and that new or amended accounting standards are correctly applied.

The TUI Group’s accounting policies together with the International Financial Reporting Standards (IFRS) in compliance with EU legislation, govern the uniform accounting and measurement principles for the German and foreign companies included in TUI’s consolidated financial statements. They include general accounting principles and methods, policies concerning the statement of financial position, income statement, notes, management report and cash flow statement.

The TUI Group’s accounting policies also govern specific formal requirements for the consolidated financial statements. Besides defining the group of consolidated companies, they include detailed guidance on the reporting of financial information by those companies via the group reporting system HFM on a monthly, quarterly and year end basis. TUI’s accounting policies also include, for instance, specific instructions on the initiating, reconciling, accounting for and settlement of transactions between group companies or determination of the fair value of certain assets, especially goodwill.

At Group level, specific controls to ensure proper and reliable Group accounting include the analysis and, where necessary, correction of the individual financial statements submitted by the Group companies, taking account of the reports prepared by the auditors and meetings to discuss the financial statements which involve both the auditors and local management. Any further content that requires adjusting can be isolated and processed downstream.

The control mechanisms already established in the HFM consolidation system minimize the risk of processing erroneous financial statements. Certain parameters are determined at Group level and have to be applied by Group companies. This includes parameters applicable to the measurement of pension provisions or other provisions and the interest rates to be applied when cash flow models are used to calculate the fair value of certain assets. The central implementation of impairment tests for goodwill recognized in the financial statements secures the application of uniform and standardized evaluation criteria.

5. Disclaimer
With the organisational, control and monitoring structures established by the TUI Group, the internal control and risk management system enables company-specific facts to be captured, processed and recognized in full and properly presented in the Group’s accounts.

However, it lies in the very nature of the matter that discretionary decision-making, faulty checks, criminal acts and other circumstances, in particular, cannot be ruled out and will restrict the efficiency and reliability of the internal control and risk management systems, so that even Group-wide application of the systems cannot guarantee with absolute certainty the accurate, complete and timely recording of facts in the Group’s accounts.

Any statements made relate exclusively to TUI AG and to subsidiaries according to IFRS 10 included in TUI AG’s consolidated financial statements.