Exposure to risk is unavoidable in pursuit of Arcadis’ strategy with the level of general risk increasing in recent times due to the pandemic and geopolitical events. Emerging risks also present opportunities, which if well-managed, result in value creation. However, uncontrolled risks can threaten the achievement of long-term strategic objectives.
The Arcadis Risk and Control Framework
The Arcadis’ Risk and Control (‘ARC’) framework enables a culture of risk awareness across the organization by providing a standardized framework for identifying risks and implementing controls. The ARC framework identifies key risks, across three risk categories – Strategic, Operational and Compliance. It includes business controls which are supported by policies, standards, procedures and guidelines, all of which target risk mitigation in accordance with Arcadis’ risk appetite.
The ARC framework allows the company to evolve its business in line with its risk appetite, execute strategic priorities in a controlled manner and experience less surprises in business performance. The ARC framework is a cornerstone of Arcadis’ risk management approach and supports Arcadis in embedding a risk conscious way of working in al layers of the organization.
Management of Risk
Arcadis’ Executive Board is responsible for maintaining a comprehensive risk management and internal control system, and for regularly reviewing its effectiveness. Each year, the Executive Board performs a review of the risks that Arcadis is subject to and based on its risk assessment, the ARC Framework is updated and communicated to leadership. The Executive Board is also responsible for ensuring that the risk management and internal control system is integrated and embedded into the way Arcadis work. The Executive Board is supported in this by the ELT members. In order to strengthen risk oversight, each ELT member is given overall responsibility for one or more of the ARC framework key risks.
The Risk Management function, lead by the Global Risk Management Director and supported by a Corporate Risk Management team and GBA Risk Managers, provides guidance and assistance to the Executive Board and ELT. This includes driving risk awareness across the organization and supporting the assessments of the design and operating effectiveness of the ARC Framework across the global business (see section ‘Arcadis, Risk Assurance Program’ below). The Global Risk Management Director reports directly to the CFO with a dotted line to the COO.
The Risk Management function provides both risk assurance and proactive risk support to the business. Risk Management play an active role in Pursuit Committees, which seek to ensure that the selection of the clients and opportunities are line with the strategy. Additionally, Risk Management engage with leadership teams of GBAs and enabling functions to identify, evaluate and mitigate enterprise risks that may impact the achievement of strategic objectives.
The quarterly Risk Management Committee, chaired by the Chief Financial Officer (CFO), assesses risk in the context of Arcadis’ risk appetite and provides advices to the Executive Board/ELT. It assesses whether Arcadis has identified and mitigated or managed known and emerging risks to ensure that robust risk management is in place across Arcadis. The Chair nominates the other members of the Risk Management Committee, to include (at least) five members: at least one Senior Business Representative, the Global General Counsel, the Global Internal Audit Director, the Global Operations Project Services Officer, and the Global Risk Management Director. Their appointment is confirmed by the Executive Board/ELT.
Risk appetite and Key Risk Indicators
The ARC Framework balances risk and opportunity and helps define the Executive Board’s appetite for risk. Arcadis’ risk appetite changes over time reflecting strategic objectives and developments in society, legislation, geopolitics, the client landscape, and changes within Arcadis.
Key Risk Indicators (KRIs) are in place for each of the key risks. KRIs are measured and reported to the ELT and Audit and Risk Committee on a quarterly basis to provide an early warning as to where exposure to risk may be exceeding Arcadis' appetite. Where exposure is outside of the appetite range, existing mitigating actions controls may have more focus placed on them, additional controls may be introduced or Arcadis may choose to tolerate that the current level of risk is outside its appetite, in which case leadership is informed and monitors the situation closely.
Risk management in action
Arcadis adopts a three-lines of defense model to facilitate strong governance and risk management. The GBAs and certain enabling functions are the first line, embedding risk management as a formal part of all major decision making via tools such as risk registers, project watch lists and client and project Go/No Go assessments.
The Risk Management function is part of the second line of defense along with other enabling functions. These functions assist and support the first line with identification and assessment of key risks. Identified risks are mitigated through the introduction of policies, standards, procedures and guidelines, and by providing training and promoting awareness. Arcadis’ Internal Audit function provides the, reporting directly to the CFO with a dotted line to third line of defense. Its role is explained in more detail below. third line of defense. Its role is explained in more detail below.
Arcadis encounters risks during the implementation of its strategy, as well as through business integrations. Critical to managing these risks is a governance and risk management process which allows Arcadis to balance the benefits from strategic programs and integrations, investments required, and risks managed.
Arcadis’ Risk Assurance Program
The Risk Assurance Program provides for a continuous annual cycle for testing the design and operational effectiveness of the controls to provide assurance that the key risks are being effectively mitigated or managed. Each GBA, country and enabling function report the results of its annual assessment at the end of the financial year to the Global Risk Management Director and Group Controller.
Action plans for controls found not to be designed or operating effectively are formed with deadlines established for remediation to be complete.
The Risk Assurance Program helps identify new and evolving risk causes that require the design of controls to be updated and/or strengthened. Where needed, remediation of the controls is identified and, captured in an action tracker, which is periodically monitored by Risk Management to ensure that the remedial actions are on track, with regular status reports provided to the ELT.
Appropriate GBA, country and enabling function leadership are required to sign an annual Document of Representation (DOR), which is addressed to the Group CEO and CFO. In addition, each ELT member is required to sign an enabling function DOR respect of that addresses the key risks in their areas of responsibility. The DORs include a statement regarding the design and operating effectiveness of controls based on the results of the Risk Assurance Program.
Based on the combined DORs, Arcadis NV issues a Letter of Representation (including an In Control Statement) to the external auditor.
Internal Audit
Arcadis’ Internal Audit function operates under the responsibility of the Executive Board. Its role is to enhance Arcadis’ performance through assurance.
The Global Internal Audit Director has direct access to the Executive Board, Chair of the Audit and Risk Committee and is a permanent invitee to the Audit and Risk Committee meetings.
The priorities for Internal Audit are defined with the ELT and the Audit and Risk Committee and are approved by the Executive Board and the Supervisory Board. In 2022, Internal Audit updated its annual plan on a quarterly basis to respond to changes in the global risk and internal control environment. Changes have been approved by the Executive Board and Audit and Risk Committee on behalf of the Supervisory Board. Internal Audit continually interacts with the external auditor regarding the preparation and execution of the annual audit plan, changes to the audit plan and the main reported results.
Internal Audit governs itself by complying with the Standards of the Institute of Internal Auditors. It employs a systematic and disciplined approach to evaluate and improve the organization’s governance and risk management process. Observations and recommendations, as reported by Internal Audit, are submitted to management of the GBAs or enabling functions. Management is responsible for executing and monitoring the progress of remedial measures put in place to mitigate and manage the reported risks.
The Executive Board and Audit and Risk Committee receive, on a quarterly basis, the results of internal audits and an update on the progress of remedial actions. The role of the Audit and Risk Committee includes monitoring the progress of management follow up on audit findings.