How HEMA’s internal audit team adds value to the business

31 July 2023 Consultancy.eu 9 min. read

For nearly a century, HEMA’s mission has been to ‘make everyday life better in a more beautiful world’. Since the first store opened in Amsterdam in 1926, HEMA has been a household name in the Netherlands and beyond.

The merchandise retailer sells all kinds of everyday items – including 32,000 private-label products – in its around 750 stores in the Netherlands, Belgium, Germany, Luxembourg, France and Austria, as well as in the Middle East and Mexico through franchise partnerships.

Since February 2021, HEMA is co-owned by a consortium of Mississippi Ventures – the investment arm of the Dutch entrepreneurial Van Eerd family (owners of Jumbo Supermarkets) – and private equity firm Parcom. The owners are focused on long-term value creation and making sure HEMA remains futureproof.

How HEMA’s internal audit team adds value to the business

“Now, under our new management, the company has decided to rebuild its basics in governance, risk, internal control and audit,” says Berry Kok, Manager, Risk and Internal Audit at HEMA. This rebuild began in the fall of 2021, when HEMA started recruiting outside talent to reconstitute its risk and internal audit team. That’s when Kok joined HEMA, bringing extensive risk management experience from multiple industries including retail and consulting.

Kok reports functionally to HEMA’s audit committee and chief financial officer (CFO), and administratively to the chief executive officer (CEO) and management board.

Internal audit

HEMA's risk and internal audit function consists of seven full-time employees, including Kok. All staff work out of the company's headquarters in Amsterdam. The team has responsibility for multiple areas across the second and third lines of defence, including enterprise risk management (ERM), internal controls and internal audit.

Kok cites the function's “close collaboration with the many other second-line teams such as compliance, privacy, security, safety and cyber(security]” as a key factor in its success to date.

Kok outlines the team’s goals: “Our key short-term objective is to (demonstrate) control over the basic processes and IT systems through an action-driven risk approach. For the mid- and long-term, our goal is to continuously ensure that HEMA can effectively execute its business strategy in a controlled and timely manner. In practice, this means first focusing on the basics and operational risks, and gradually we will shift toward tactical and strategic risks.”

Back to basics

Under HEMA’s new corporate leadership, Kok says internal audit is placing considerable focus on the “fundamentals and prerequisites of a successful company – the ‘oiled retail machine’ as it is called within HEMA.”

This scrutiny includes heightened concentration on the firm's processes, systems and people, as well as on governance, internal control and risk management. To provide the company’s operations with what Kok calls a stable backbone, internal audit is helping to ensure the business is not “distracted by internal issues, unexpected risks, inefficiencies or other unwanted interference with strategy execution.”

“As a risk and internal audit team, we are very well-equipped, empowered and positioned at the centre of the organisation,” Kok says. “We bring specific knowledge, expertise and experience that no one else has in the organisation. In that sense, we add relevance and value to the organisation on both the operational and strategic levels.”

Less than two years after the change in ownership for HEMA, adding value entails proactively helping the business navigate evolving operational, competitive and regulatory climates by anticipating and addressing emerging risks, according to Kok. These risks currently include lingering supply chain issues; reputational risks, which, in consumer retail, frequently revolve around product quality and safety; along with macroeconomic and financial challenges, such as inflation and fluctuating currency exchange rates.

“Most of our products are private-label, so product quality and food safety are very important areas that can affect our reputation,” Kok says. “Those are key areas we focus on, along with cybersecurity and privacy because they could lead to data leaks that would also have a negative impact on our reputation.”

A pragmatic and supportive chameleon

For Kok, maintaining relevance is a crucial goal of the internal audit function. “As a risk and internal audit function, we aim to be a pragmatic and supportive chameleon that can adapt to each situation in a simple and agile way. We step in as a catalyst for change in the business, and we relish being part of the solution.”

In practice, that means maintaining a flexible and highly collaborative partnership with the function's stakeholders. “Our roles and responsibilities across the second and third lines are frequently discussed with the board, audit committee and our external auditor to ensure we all feel comfortable with them and the corresponding level of independence and objectivity.”

This flexible approach has already begun paying dividends during Kok’s short tenure with HEMA. The opportunity to rebuild the risk and internal audit function from the ground up has enabled risk and internal audit to begin “telling the story about the necessity and added value of internal control,” he says.

“We have worked hard to build the team, implement pragmatic, agile ways of working and show that we are capable of bringing new insights. We have successfully implemented ERM, determined our risk appetite, built and implemented internal control frameworks, and delivered insightful internal audit projects. The proof is that now we frequently receive requests from the business to support or perform risk reviews, audits and process reviews.”

Indeed, the risk and internal audit function at HEMA has recently participated in several cross-functional projects. Currently, it is leading a project in collaboration with IT, data analytics and business leaders in developing key risk indicator dashboards for specific business areas.

“We all bring our own expertise with the goal to make HEMA’s processes and risks more transparent and tangible,” Kok says. “In the end, all of us – from the first to the second and third lines – benefit from this. Being the core initiator of these projects that yield tangible added value really shows our relevance.”

“While the organisation is busy transforming, our relevance is clearly being recognised and appreciated. This wouldn't have happened if we didn't take a stakeholder perspective and focus on our relevance as a team.”

Technology as a catalyst for relevance

Technology – both traditional and emerging – is helping to facilitate risk and internal audit's transformation at HEMA. “Technology removes time-consuming administrative tasks and enables our team to spend more time with our stakeholders.”

Just as importantly, it is providing the function with “more and better insights,” he notes. Kok and his team have started using data and risk analytics and are in the process of implementing automated risk dashboards that will provide senior leadership, the executive board and all committees with access to overviews of major risk themes, relieving the audit team from having to frequently build PowerPoint decks with data acquired from multiple, disparate sources.

In addition to technology, Kok views cross-functional collaboration as a critical element for enabling the risk and internal audit team at HEMA to maintain their relevance and continue finding ways to provide value to the organisation. “We deliberately choose to have a relatively small risk and internal audit team and build more expertise in other second-line functions.”

“This helps to ensure that the ownership of risk management and internal controls is felt and kept within the first- and second-line teams. Through close collaboration and participation in joint projects, we ensure that we bundle our strengths.”

Connect the dots

“To stay relevant, it's important to carefully search for and select new team members that fit our team structure and objectives,” Kok says. “This has been quite difficult in the current tight labour market.”

Although Kok did recruit a few team members with specialised skills in IT risk management, data analytics and financial accounting into the growing department, he has focused primarily on attracting generalists with varied educational and experiential backgrounds and excellent communication skills.

“I want my team to become specialised in specific fields like analytics. But at the same time, I am looking for people who can connect the dots between the business and the boardroom. I want my team to be storytellers who can translate the details into a simplified, actionable report in the boardroom.”

“We specifically focus on professionals who aren't afraid of taking on big and complex challenges, have good social skills to build relations and trust across the business, and have a hands-on mentality. We have learned that it is not so much about selecting staff with retail or audit experience, but looking for those who demonstrate flexibility, diversity of approach and a positive mindset.”

To identify such talented generalists, Kok uses a case study approach in his job interviews, with a goal of identifying the interviewee's ability to translate challenging audit scenarios into concise insights for a senior-level audience.

“We don't care too much about CVs or backgrounds,” Kok says. “It’s more important to get an understanding of whether the individual is capable of managing complex situations. We give them a piece of the puzzle, some time to ask questions and come up with an elevator pitch, and then translate their findings into a five-minute breakdown using only two slides. Within five minutes, you know if somebody would succeed or fail in presenting their conclusions to the CFO or senior leadership.”

Embracing simplicity and pragmatism

To keep his team focused on continuous growth and relevance, Kok insists they think one step ahead and from the perspective of internal audit’s stakeholders. He explains, “I ask my team to relate to the HEMA values of being modern, open and brave, by being innovative, transparent, objective and direct, and not being afraid of bringing a hard message to senior stakeholders. Most importantly, they should embrace simplicity and pragmatism.”

At team meetings, Kok says his team “challenges each other on these elements,” and asks “whether what we do is really what we should be doing. In that sense, we are constantly working on our relevance – and with that, the branding and perception of our team.”

At HEMA, innovation is always a priority, which is why Kok says he pushes his team to explore new ways of achieving efficiency in their audit work, and how they deliver information to stakeholders. For example, the function is exploring the use of “video reporting to bring across our message in a stronger and more time-efficient way.”

“We will continue to be the pragmatic and supportive chameleon, providing structure, insights and feedback to the organisation,” he concludes.