Risk Management

Risk management

Risk management overview

The dynamic management of risk and opportunity is at the heart of our business planning and value creation processes. We have adopted a strategic enterprise-wide risk management approach that provides a common, integrated framework to manage risks and leverage opportunities across the Group.

We believe that enterprise risk management is a strategic advantage for our company – we selectively seize opportunities because of our enhanced opportunity to exploit risks. We’re building enterprise risk management into our company’s culture and social fabric.

We continuously identify, assess, manage and escalate risks and opportunities, following a rigorous cyclical process that we evaluate against the risk universe in which we operate. We seek to minimise our exposure to unforeseen events and identified risks and create a stable environment for delivering on our strategic objectives.

In addition, we actively review our environment to identify emerging risks that may not be impacting our business now but have the potential to do so in the future. Identifying and evaluating emerging risks early enables us to make more informed decisions and to turn potentially negative events into opportunities.

Our risk management system

The key features of our enterprise-wide risk management system are:

  • Group statements on strategic direction, ethics and values
  • Clear business objectives and business principles
  • A formalised risk management policy
  • A clearly defined risk universe aligned to our strategic growth pillars:
    1.   Leverage our unique 24/7 Portfolio
    2.   Win in the marketplace
    3.   Fuel Growth through Competitiveness and Investment
    4.   Cultivate the Potential of Our People, and
    5.   Earn our License to Operate
  • Integration of risk management into our business planning processes, including project management and new product development
  • A structured and continuous process to identify and evaluate significant risks to the achievement of business objectives
  • Implementation and oversight of management processes to mitigate significant risks to an acceptable level
  • Implementation of strategies to further embed risk management into the cultural fabric of the business
  • Continual monitoring of our internal and external environment for factors that may change our risk profile
  • Identification, evaluation and monitoring of emerging risks
  • Integration of risk management into our third-party management processes, which includes a comprehensive due diligence process for compliance matters in connection with mergers, acquisitions, JVs, partnerships and other investments, aimed at reviewing policies and procedures, including relevant monitoring and enforcement activities, current and past, which the target entity has in place. This concerns any legislation relating to:
    • Anti-bribery and Corruption,
    • Sanctions and Export Controls,
    • Anti-money laundering,
    • Supply chain due diligence,
    • Human rights including modern slavery, human trafficking and child labour 
  • A regular review of both the type and the amount of external insurance we purchase and the role of our captive insurance entity, with reference to the availability of cover and cost (this is measured against the likelihood and magnitude of the identified risks)

Risk management process

Our robust risk framework is both top down and bottom up, ensuring that we identify, review and escalate, where appropriate, any risks arising from or impacting on our business activities.

The Board is ultimately responsible for the Group’s risk management and internal control systems, and for reviewing their effectiveness. The Board defines the Group’s risk appetite and monitors risk exposure to ensure that the nature and extent of the significant risks facing the company are managed in alignment with our goals and objectives.

While responsibility for overseeing these processes rests with the Audit & Risk Committee, the Board as a whole is informed of outcomes and all significant issues.

Process overview

Monthly risk discussions and reviews are an established part of senior leadership routines in all of our business units. The outcome of these discussions is reflected in a central risk register that is maintained and reviewed by the Group Business Resilience Team. The Group Chief Risk Officer (CRO) regularly sits in on these monthly meetings to support the process and to ensure management teams are reviewing and assessing a sufficiently broad range of risks, including emerging risks.

Risks are aggregated and analysed by the Group Business Resilience Team and significant operational risks and actions as well as trends and emerging risks are discussed at bi-annual reviews conducted by the CRO with the Regional Directors and their teams and the Chief Operating Officer.

In addition, the CRO conducts quarterly risk reviews with Group function heads to update strategic risks and identify and evaluate emerging risks. These are aggregated and discussed at quarterly meetings of our Group Risk and Compliance Committee (GRCC), our independent risk review forum and strategic think-tank on risk and compliance comprising senior leaders in the business. This ensures a cross-functional perspective on our strategic risks.

It also ensures appropriate attention is given to the assessment and management of strategic risks that may not have an immediate operational impact but may have a longer-term impact on our business including sustainability and climate change, human rights and modern slavery as well as consumer and commercial trends and emerging risks.

The outcome of the GRCC meetings are presented by the CRO in a biannual strategic and principal risk report to the Executive Leadership Team (ELT) and the Audit & Risk Committee.

A cross-functional approach to risk

The Group Risk and Compliance Committee is our risk think tank and independent risk review mechanism. Its members, recruited from the most senior business leaders across all functions, contribute their experience and insight to the evaluation of the company’s risk and opportunities.

Roles and responsibilities

Business Unit level: identifies and evaluates risks and mitigation plans; monitors monthly as part of management meeting; updates risk register for Group Business Resilience review quarterly; evaluates and aligns risks to strategy

Regions: Business Unit risks aggregated and reviewed bi-annually by Regional leadership team and Chief Risk Officer; Regional reviews and key market (Nigeria, Russia, Italy) risk assessments reviewed with COO. This ensures independent assessment of country risks and mitigation plans

Group Risk and Compliance Committee: meets quarterly; reviews aggregated and escalated risks against broader Group objectives and ensures effective risk mitigation strategies are in place; identifies and evaluates emerging risks, prepares a bi-annual strategic risk opportunity summary for ELT and the Audit & Risk Committee and formulates principal risks

Executive Leadership Team (ELT): has overall responsibility for enterprise risk management; assigns risks against our strategic pillars; assigns accountable risk owners against our risk universe

Board: establishes risk appetite; oversees risk management systems, strategies and culture to ensure principal risks and opportunities are identified and managed; Audit & Risk Committee receives quarterly updates on strategic and emerging risks

This process ensures risks and opportunities are understood and visible across our business. The business context determines the level of acceptable risk and the controls required for management. We seek to continually improve by sharing best practice throughout the company, with The Coca‑Cola Company and other bottlers.

A Chief Information Security Officer has been appointed, reporting to the Chief Digital and Technology Officer, member of the ELT, and being responsible for establishing and maintaining the Group’s vision, strategy, and programme to ensure information assets, plants and technologies are adequately protected.

Principal risks and mitigations

Our strategic pillars - Leverage our unique 24/7 portfolio, Win in the marketplace, Fuel Growth through competitiveness & investment, Cultivate the potential of our people and Earn our license to operate - provide the context for guiding us in the management of the risks faced by our business.

We continuously validate our principal risks and update and report them regularly including in our Annual Report. This is achieved through our ongoing ability to aggregate and analyse risk, our functional collaboration and the think tank approach of the company's Group Risk and Compliance Committee.

Our Principal risks for the period ending December 2022 are:


The cost and availability of sustainable packaging

The management of risks associated with the cost and availability of sustainable packaging is intertwined with our future business strategy. 
2. Marketplace economic conditions Concerns relating to increases in inflation and interest rates across our markets.
3. Product relevance and acceptability Debates around sugar and sweeteners, as well as discussion on appropriate responses to key environmental, social and governance concerns increased the potential for regulatorychange and imposition of additional taxes.
4. Competing in the digital marketplace In 2022, the digital marketplace continued to evolve and remained highly competitive with new and existing companies seeking to take advantage of e-commerce growth. 
5. Commodity Costs  The risk of raw material pricing fluctuations, particularly resin, sugar, gasoil and aluminium

Foreign exchange fluctuations

The risk of foreign exchaA cyber-attack or data centre failure resulting in business disruption, or breach of corporate or personal data confidentiality. A Chief Information Security Officer has been appointed, reporting to the Chief Digital and Technology Officer, member of the ELT, and being responsible for establishing and maintaining the Group’s vision, strategy, and programme to ensure information assets, plants and technologies are adequately protected. nge volatility and rate fluctuations caused by uncertainty and complexity of macroeconomic environment and geopolitical developments, exacerbated by COVID-19
7. Cyber incidents  A cyber-attack or data centre failure resulting in business disruption, or breach of corporate or personal data confidentiality. A Chief Information Security Officer has been appointed, reporting to the Chief Digital and Technology Officer, member of the ELT, and being responsible for establishing and maintaining the Group’s vision, strategy, and programme to ensure information assets, plants and technologies are adequately protected.
8. Geopolitical and security environment  Volatile and challenging macroeconomic, security and geopolitical conditions. The risk of civil unrest and conflict with other countries
9. Managing our carbon footprint

The risks and opportunities associated with reducing carbon emissions along our value chain

10. Water availability and usage  The risks related to water availability, water stress and water quality in our areas of operation, exacerbated by the effects of climate change and excessive water consumption in a catchment area leading to unsustainable water availability
11. Health and Safety  The risk to the health and safety of our people as a result of occupational workplace accidents, incidents and illnesses (including COVID-19 management).
12. People retention  Inability to attract, retain and engage sufficient numbers of qualified and experienced employees in highly competitive talent markets
13. Suppliers and sustainable sourcing  Inability to secure supply of key ingredients, packaging and services at a reasonable cost because of supply-demand imbalances and/or crop yields.
14. Ethics and compliance  The risk of fraud against the Company as well as risk of anti-bribery and corruption (ABAC) fines or sanctions if our employees, or the third parties we engage to deal with governments, fail to comply with ABAC requirements. The risk of inadvertent non-compliance with international sanctions in certain countries
15. Strategic stakeholder relationships  We rely on our strategic relationships and agreements with The Coca-Cola Company (including Costa Coffee), Monster Energy and our premium spirits partners.
smart-risk-programme-2022 smart-risk-programme-2022

Emerging Risks

There are some risks that we are not yet aware of, or about which there is a great deal of uncertainty. There may be some indicators that suggest changes are occurring and we may be able to identify what impact those changes may have.

Even risks that we know about may have unforeseen consequences. A good example is Covid-19. While pandemics have been on the risk register and included in the business continuity programme of many large companies for at least 20 years, no-one thought that a pandemic would have the global impact that Covid-19 has had.

While identifying, assessing and mitigating the risks we know about, as best we can, remains critical for our business, we also recognize that we must continually review our environment and identify risks that may impact us in the future.

Emerging risks are those that may have an impact on us in the future or over time but may not be having an impact on us now. To the extent we can identify, evaluate and prepare our business for these risks, the better we are able to prevent them from having a significant impact on us. We may even be able to turn them into an opportunity if we identify them early enough and develop action plans to take advantage of them.

CCHBC has incorporated the consideration of emerging risks into our established ERM process. We have done this by:

  • Encouraging all business units to include a discussion on emerging risks in their monthly management reviews. This is supported by regular involvement of the Group CRO in BU management meetings. The outcome of these discussions are included in the Regional Reviews with the Region Directors and their teams, and with the COO.
  • Including discussion on emerging risks into the Group CRO risk reviews with the Group Functions.
  • The creation of an emerging risk register to complement our strategic risk register
  • The outcome of these discussions is the identification of 3 emerging risks for discussion in our Group Risk and Compliance Committee meetings. The possible outcomes of these discussions include:
    • creation of a project team to conduct a deeper assessment,
    • identification of signals and agreement on monitoring for changes associated with the risk,
    • inclusion in our strategic risk register
  • Addition of emerging risk discussion in Group CRO’s reports to the Executive Leadership Team and the Audit & Risk Committee of the Board

In 2021, we identified the following key emerging risks:

Water Risk as a result of climate change

Description of the risk

Water is fundamental to our business. It makes up the largest percentage of our products and is a key part of our production processes. It is also critical for our suppliers of agricultural ingredients, and for the local communities in which we operate. Maintaining high quality, reliable watersheds is not just critical for our business but also for our relationship with our communities and suppliers.

Climate change is expected to have a significant impact on watersheds around the world. According to the latest report from the Intergovernmental Panel on Climate Change (IPCC), more than half the world’s population faces water scarcity for at least one month every year and this will increase in the future.

During 2021, we conducted a detailed assessment of the potential impact of climate change on our business under two different climate scenarios (RCP4.5 and RCP8.5), including the availability (physical risk) and cost (physical and transition risk) of water by 2030 and 2040.

Our assessment indicated that climate change is not currently having a significant impact on the availability and cost of water but is likely to do so by 2030 in the climate scenarios that we considered. This a result of an increase in the level of water stress particularly in areas that we have already determined are in water-stressed areas, which we refer to as “water priority” plants or locations. 

Potential Impact

  • If water availability decreases due to climate change or significant water withdrawal from upstream users, it also will lead to disruption of the water supply to our operations and to communities in which we operate.
  • If we use significant amounts of water from the local watershed, it may reduce the availability of water for local communities leading to community backlash.
  • We have assessed that climate change will lead to a 40% increase in our baseline water costs by 2030 and 42% by 2040 under an optimistic (RCP 4.5) climate scenario; and a 45% increase by 2030/41% increase by 2040 under a pessimistic (RCP 8.5) scenario.
  • In addition, we need to spend an additional €42million by 2030 and up to €78million by 2040 in one-off Capex in water infrastructure improvements.
  • For our suppliers, the water risk could lead to decreased crop yield, disruption of their supply process, issues with quality of the ingredients, decreased income, while for us it would lead to increased cost of ingredients, production disruption due to not available materials or quality issues.

For more details on our water risk assessment, please see page 71 of our 2021 Integrated Annual Report (IAR).

Mitigating the risk

We perform detailed risk assessments at water-shed level (“Source Vulnerability Assessments”) for all our manufacturing sites, regularly using 3rd party experts. Based on identified water risks, we develop detailed plans for improved water management, updated annually.

Efforts to address water risks could include watershed protection and restoration, rainwater harvesting, and infrastructure improvements to provide communities with greater access to water for drinking and sanitation.

We will continue to implement water usage reduction plans, using our true cost of water  methodology for water investments, and maintain certification for our plants under the Alliance for Water Stewardship (AWS) programme. AWS requires certified businesses to use as little water as possible, and to reduce water consumption where possible across the entire value chain. 

ESG risks in our supply chain

Description of the risk

There is an increasing demand for transparency in environmental, social and governance (ESG) performance as the potential impact of climate change becomes clearer and companies are increasingly held accountable to contribute to reducing the drivers of climate change. In addition, there are rightly expectations that companies identify and take action to ensure human rights, including appropriate working conditions and living wages, are respected and implemented throughout their value chains. These increasing demands are also being reflected in new regulations and directives such as the EU Mandatory Due Diligence regime and the revised GRI Universal Standards that we need to comply with.

While we have established clear expectations and goals for our own ESG performance and have a good understanding of ESG performance in our larger suppliers, we may increasingly be held responsible for the actions or lack of compliance of suppliers deeper in our supply chain where we currently have less visibility. In addition, we are expected to use our influence in the value chain of which we are part to drive change, recognising that some may not have the same access to knowledge and resources and therefore may need assistance to meet our and other stakeholders expectations. 

Potential Impact

  • We could be held responsible for suppliers involved in incidents of non-compliance which can lead to reputation risks, and fines as well as additional costs in finding alternative suppliers.
  • Additional due diligence requires additional management time and effort increasing our costs.
  • We may also have difficulty accessing ingredients that are impacted by climate change or we may have to pay more for those ingredients.
  • We may not meet our stated sustainability goals by 2025, and future sustainability goals as it relates to ingredient sourcing and climate change

Mitigating the risk

To ensure that we are able to meet increasing stakeholder and regulatory expectations, we will continue to build our relationships with suppliers through initiatives such as our supplier sustainability forums as well as greater engagement to ensure more sustainable sourcing (e.g. training, joint initiatives, joint sustainable goal setting etc.).

We have been making improvements to requirements for our suppliers, significantly strengthening the human rights, ethics and compliance practices we expect. Our buyers were retrained during the year on the sustainability risk assessment tools available for supplier selection and governance.

We will expand the use of the EcoVardis system to support our supplier ESG performance assessments for better, more objective supplier monitoring going forward and leverage our EcoVadis partnership across the Coca-Cola System to improve information sharing between bottlers. This will increase our visibility deeper into our supply chain.

As part of our climate risk assessment process, in consultation with our suppliers, we are conducting deeper assessments into the potential impact of climate change on our suppliers and the implications for our business. The impact on the cost and availability of ingredients has been identified as one of four Physical Risks we assess and monitor under our climate change risk program.

We will continue working with our suppliers to support them in setting and delivering on their sustainability goals, including setting science-based carbon reduction targets.