July 14, 2026

3 lessons for boards: VOR risk management statement

The first full cycle of the VOR is behind us, and it showed there is room to grow.

The Verklaring Omtrent Risicobeheersing (VOR), the risk management statement added to the Dutch Corporate Governance Code, ran through its first reporting cycle in early 2026, when listed companies published their statements for the 2025 financial year. We are now well into financial year 2026, so the next round is already taking shape. Before boards get there, that first cycle is worth revisiting, because it shows clearly where the bar needs to move.

Here are three things worth carrying into the next VOR.

1. Most boards played it safe, and investors noticed

Eumedion, a Dutch platform whose members are institutional investors such as pension funds and asset managers, looked at the 28 companies that were first to publish their 2025 annual reports. Its read on that early batch was blunt. Most boards reached for cautious, legalistic wording, leaning on a "double-negative" phrasing that says, in effect, that the board is not aware of its systems failing to keep operational and compliance risks under control.

The contrast in the numbers is telling. Only a small handful of those boards chose a positive formulation, stating plainly that their systems offer sufficient comfort given the company's risk appetite and complexity. There was a similar split on scope, with more companies limiting their statement to a single point in time than committing to the full financial year.

That kind of careful wording keeps a board on safe legal ground. It also gives investors very little to work with, which cuts against the whole purpose of the VOR: transparency about how well your controls actually perform.

The pattern held on deficiencies too. Nearly every board confirmed reasonable assurance over its financial reporting, yet open disclosure of an actual control weakness was rare. Candor about a deficiency is exactly the kind of substance the VOR was designed to encourage, and in year one it was the exception rather than the rule.

A quick reminder of how we got here:

  • The VOR was added to the Code in March 2025.
  • It applies to financial years that start on or after January 1, 2025.
  • An Order in Council published in the Staatsblad in February 2026 gave the updated Code, and the VOR with it, a formal legal footing.

The takeaway for year two is straightforward. The first cycle set a low baseline. Boards that move beyond boilerplate and show genuine substance will stand out to investors, regulators and rating agencies.

2. The board owns this statement

One point still catches teams off guard. The Code does not give the external accountant an assurance role over the VOR. The statement belongs to the management board, so the board carries the full weight of standing behind it.

When a board declares that its internal controls work, it needs to be ready to show the reasoning and the evidence behind that claim. The audit committee, in turn, is expected to report to the supervisory board on how the statement was substantiated.

The VOR asks boards to account for a broad set of risks:

  • Operational risks and controls
  • Compliance risks and controls
  • Financial reporting controls
  • Sustainability reporting controls
  • Significant deficiencies and the remediation behind them
  • The level of assurance supporting each statement

There is room to interpret terms like "assurance" and "effectiveness" in a way that fits your organization. That flexibility helps, but it raises the stakes on your documentation, because your reasoning has to hold up under scrutiny.

3. A strong VOR is built all year long

Here is the practical challenge. When a board wants to prove that controls operated effectively, the supporting evidence often lives in scattered places:

  • Spreadsheets on individual desktops
  • Email threads
  • SharePoint folders
  • Standalone testing files
  • Audit documentation
  • Remediation trackers

Pulling all of that together at year-end is slow, stressful and easy to get wrong. Every scattered source is one more place where something can go missing at the worst possible moment.

Continuous control management changes that dynamic. Rather than reconstructing a year of activity under deadline pressure, a board gets an ongoing, live view of how risks and controls are managed throughout the year.

The Impero platform is built for exactly this kind of work. It brings compliance activity into one place, so a well-substantiated VOR becomes the natural result of good daily practice. That includes the ability to:

  • Centralize risk documentation
  • Map risks to controls
  • Automate and track control execution
  • Collect evidence as the work happens
  • Track deficiencies and remediation
  • Keep the audit trail behind every conclusion

When the audit committee wants to challenge or oversee the statement, the answers are already in place.

"The strongest statements come from boards that have been quietly gathering evidence all year, long before the annual report is due." – Tamara Berben, Consultant, Impero

Questions to pressure-test your readiness

Before your board signs off on its next statement, a few honest questions are worth asking:

  • Can we show how key risks are identified, assessed and monitored across the full year?
  • Is there a clear line connecting each risk to its controls and its assurance activities?
  • Do we have enough evidence to genuinely support the board's conclusions?
  • Can our audit committee effectively challenge and oversee the VOR?

Year one set a modest bar. Year two is the chance to raise it, and to treat the VOR as what it can be at its best: a way to strengthen governance, improve transparency and build real confidence among investors, regulators and other stakeholders.

How is your organization preparing for its next VOR? If you'd like to see how a single source of truth for risk and controls can take the pressure off year-end, learn more about the Impero platform.

Get the latest from Impero in your inbox.

Stay informed on all things Impero — webinar & event invites, exclusive content, product launches, and more! Or let us show you why Impero is the right choice for your risk and compliance needs.

You might also like...

Explore insights, product updates, and practical guidance to navigate the world of risk & internal controls.

Insights & Inspiration

Women leading the way: takeaways on the future of GRC

Read more

Insights & Inspiration

Webinar Recap: Are continuous controls the new baseline?

Read more

Insights & Inspiration

Refresh or retire your internal controls

Read more