Risk Assessment

Walmart de México y Centroamérica performs a Risk Assessment with the purpose of identifying and reducing risks that could affect our operation. Every year, the Risk Assessment is performed by Global Audit Services following the methodology established by Walmart Inc., adapting it to the reality of Mexico and Central America.

External and internal risk factors are
taken into account, such as:

External Risk Factors

Internal Risk Factors

Financial markets, unemployment, mergers
& acquisitions

changes, laws and regulations


Natural Environment
Natural disasters such as hurricanes, earthquakes, global warming

Availability of assets

Emerging technologies that represent competitive advantage/disadvantage

Employee capability, fraud, health and safety

Shifts in demographics or social behaviors

Complexity, level of automation

Financial condition
and market share
of competitors, new market entrants

Systems and data
availability and integrity,
development and deployment

with laws and regulations, internal policies, and standards

Relevance of the eight major risk
categories is considered:

Regulatory compliance. Compliance with laws and regulations.

Strategic. Related to high-level goals, aligned with & supporting the entity’s mission/vision.

Customer trust. Actions or conditions that degrade customer confidence in our Company brand, mission, or our standing in the community.

Financial accuracy. Effectiveness of the entity’s financial reporting.

Core business operational impact. Loss (including risks for financial performance and condition) resulting from inadequate or failed internal processes, people, and systems that support core business functions.

Support business operational impact. Interruptions resulting from inadequate or failed internal processes, people, and systems within business support functions.

Internal compliance. Compliance with company policies and procedures, contracts, ethics and business conduct standards, and other voluntary corporate standards.

Efficiency and effectiveness. Optimization of Company resources to support the business mission and reward shareholders.

Also taken into consideration are risk factors that help define the magnitude and probability of losses caused by unfavorable events or activities, for example:

Operational disruption. Events such as natural disasters, terrorism, interruption by key suppliers, faulty process changes, system failures, and prolonged adverse weather conditions.

Impact on earnings. Competitive pressures, market economic conditions, financial governance, sustainability of the business model.

Impact on strategic initiatives. Changes in leadership, lack of access to capital or liquidity, actions of competitors, changes in broad economic conditions, and adverse actions by foreign governments.

Changes in leadership. Historical leadership change outcomes, succession planning, training and development

Level of automation. Business reliance on technology and systems, historical dependability, the ability to revert to manual alternatives, and the entity’s adoption rate of emerging technology.

Compliance requirements. The ability of the entity to comply with laws, regulations and policies; occurrence of fraudulent, illegal or unethical acts; changing laws; ongoing liabilities and disputes; unsafe products or handling, etc.

Changes in processes. Maturity of processes within the entity, process change management, quality assurance functions, process owner expertise, process documentation.

Historic audit results. Issues identified during previous audit activities that are relevant to the auditable group or component, management tone, status of remediation efforts.

Customer insights. Concerns expressed by business and technology leadership.

Other risk assessments. Results of assessments conducted by internal and external parties that are relevant to the auditable group or component.

GFT insights. Guidance provided by Global Functional Teams in the form of questionnaires, newsletters, interactive meetings, etc. (refer to Risk Assessment Tool Kit Connect site).

Considering market conditions and the risk factors described above, an overall risk rating of HIGH, MEDIUM or LOW is designated in the Risk Assessment for each Company area.

As a result of risk assessment
the following actions are carried out: