    Verklaring Omtrent Risicobeheersing (VOR)

    Defining Verklaring Omtrent Risicobeheersing (VOR)

    The VOR is anchored in the Dutch Corporate Governance Code, which operates on a "comply or explain" basis. Listed Dutch companies either apply the relevant best practice provisions or explain in their board report why they have chosen to deviate from them. The updated Code was approved in March 2025 and published in the Government Gazette (Staatscourant), giving the VOR a formal anchor in Dutch governance practice.

    Four best practice provisions in the Code are particularly relevant for the VOR:

    • 1.2.1 clarifies how strategic risks relate to the operational, compliance and reporting risks that the risk management systems are expected to address.
    • 1.4.2 sets out what the management board must report on the design, operation and effectiveness of the internal risk management and control systems over the past financial year, including the frameworks applied.
    • 1.4.3 requires the management board to declare, with clear substantiation, the level of assurance the systems provide for each risk category, any major shortcomings, and the basis for going concern. An important aspect of provision 1.4.3 is the expectation that material shortcomings in the internal risk management and control systems are transparently disclosed. Where significant deficiencies are identified, the management board should explain their impact and describe the remediation measures that have been implemented or are planned.
    • 1.5.3 expands the audit committee's reporting duties, requiring it to report to the supervisory board on how the management board has substantiated its VOR statement.

    It is important to note that the VOR is a statement made by the management board. While external auditors may evaluate aspects of the underlying reporting and control environment, the VOR itself is not an independent assurance opinion issued by the auditor. Responsibility for the statement remains with the management board.

    Under provision 1.4.3, the required level of assurance is partly prescribed and partly a management choice. Financial reporting requires reasonable assurance and sustainability reporting requires at least limited assurance, while the management board itself determines the appropriate level of certainty for operational and compliance risks. The Code does not prescribe a specific framework either, which gives organizations the flexibility to choose one that fits their strategy, sector and risk profile. The COSO Framework is one of the most widely used reference points for internal control and is often cited in the context of the VOR, but companies are free to adopt a different framework as long as the management board can clearly justify and document its choice.

    Who is subject to VOR requirements

    The VOR is a requirement of the Dutch Corporate Governance Code, which applies on a "comply or explain" basis to listed Dutch companies. The most directly affected groups include:

    • Dutch listed companies (beursvennootschappen) with shares traded on a regulated market, including those listed on exchanges outside the European Economic Area
    • Multinational groups headquartered in the Netherlands, where the VOR sits alongside other governance and reporting obligations such as the Corporate Sustainability Reporting Directive (CSRD)
    • Private Dutch companies preparing for an initial public offering (IPO), where alignment with the Code is often expected by investors and underwriters ahead of listing
    • Subsidiaries within in-scope listed groups, which typically feed risk and control information into the parent company's VOR even when not directly in scope themselves

    Even where the VOR is not formally required, many organizations choose to align with it voluntarily. For any company that wants to strengthen the link between its risk management activities and its external reporting, it is a useful benchmark and a clear way to show stakeholders that risk and control are taken seriously at board level.

    While the Dutch Corporate Governance Code does not prescribe a specific template, many organizations structure their VOR around the following elements:

    • Governance and responsibilities for risk management
    • The risk management and internal control framework applied
    • Operational risks and related controls
    • Compliance risks and related controls
    • Financial reporting risks and controls
    • Sustainability reporting risks and controls
    • Significant deficiencies and remediation actions
    • The level of assurance provided by the systems
    • The management board's going concern assessment

    The exact format may vary by organization, but these topics commonly form the basis of a well-substantiated VOR.

    Core elements supported by Impero

    A credible VOR requires more than a year-end assessment. Management boards are expected to substantiate their conclusions with documented evidence demonstrating how risks were identified, monitored and controlled throughout the reporting period. This requires a structured approach to risk management, control execution, testing and remediation activities.

    Impero supports the operational building blocks behind the statement:

    • Risk documentation: maintain a central register of operational, compliance, financial reporting and sustainability reporting risks, with assessments of likelihood and impact.
    • Risk and control mapping: link each risk to the controls designed to mitigate it, so the management board can clearly substantiate the level of assurance reported in the VOR.
    • Control execution and sign-off: assign recurring control activities to responsible owners and capture evidence of completion in one place.
    • Testing and deficiency tracking: record control testing results, flag deficiencies and track remediation actions for follow-up.
    • Audit trails: keep a complete, time-stamped record of risk and control activities for the audit committee, internal audit and external auditors.
    • Reporting: generate status overviews and dashboards that support the management board, audit committee and supervisory board in their VOR discussions.

    How Impero can help

    Substantiating a VOR across a complex organization – with multiple risk categories, control owners and reporting lines – is difficult to do well in spreadsheets. With Impero, you can bring your risk and control data into one platform and build the audit trail your management board, audit committee and external auditor will expect to see.

    We help you document risks and controls in a structured way, assign clear ownership, automate recurring control tasks and track testing results over time. When the audit committee asks how a particular VOR statement is substantiated, you have the evidence ready, without pulling it together from different systems at year-end.

    By digitizing your risk management and control activities, you reduce the administrative burden on your finance, risk and compliance teams and build a foundation that scales with the VOR and adapts as the Dutch Corporate Governance Code continues to evolve.

    Get started with Impero

    A well-substantiated VOR starts with knowing your risks, your controls and who is responsible for them. Impero gives you the tools to manage all of that in one place.

    Get started with Impero today and take the first step toward a more transparent, well-governed risk management environment.
