Exposure to risk is unavoidable in pursuit of Arcadis’ strategy. Well-controlled risks can present new opportunities, resulting in value creation; however, uncontrolled risks can hinder the achievement of long-term strategic objectives and Arcadis’ ability to succeed.
Arcadis’ risk and control framework enables a culture of risk awareness across the organization by identifying risks and defining controls which mitigate or manage these risks in line with Arcadis’ risk appetite. It helps Arcadis’ leadership identify, evaluate, communicate, and address risks.
The Changing Risk Universe
Arcadis’ Executive Board is responsible for maintaining a comprehensive system of risk management and internal control, and for regularly reviewing its effectiveness. Each year the Executive Board performs a review of Arcadis’ risk universe and the risk and control framework and makes adjustments as conditions change. Following this review, the Arcadis Risk & Control Framework (the ARC Framework) is updated and communicated to the wider leadership team.
The ARC Framework identifies fifteen key risks, divided into three risk categories – Strategic, Operational and Compliance. It includes the business controls which are supported by policies, standards, procedures and guidelines, all of which target risk mitigation in accordance with Arcadis’ risk appetite and the successful pursuit of the three pillars from Arcadis’ strategy: People & Culture, Innovation & Growth and Focus & Performance. ARC is the cornerstone of Arcadis’ risk management approach and supports Arcadis in embedding a more risk conscious way of working in all layers of the organization.
The ARC Framework is embedded into how Arcadis does business, managing its risk exposure in accordance with its risk appetite whilst remaining competitive in a rapidly evolving business environment. This has allowed the company to evolve business models in line with our risk appetite, execute on the Top 10 priorities in a controlled manner and experience fewer surprises in business performance.
Arcadis Risk and Control Framework
Responsibility for risk management
In addition to creating and maintaining an internal risk and control system, the Executive Board is responsible for ensuring that such a system is integrated and embedded into the Arcadis Way of working. The Executive Board is supported in this by the ELT members. In order to strengthen risk oversight at a functional level, each ELT member is given overall responsibility for one or more of the fifteen key risks in the ARC Framework.
The Risk Management function, headed by the Chief Risk Officer (CRO) and supported by a Corporate Risk Management team and Regional Risk Managers, provides guidance and assistance to the Executive Board. This includes driving risk awareness across the organization and supporting the assessments of the operation and effectiveness of the ARC Framework in the regions (see section ‘Arcadis Risk Assurance Program’ below).
The Risk Management function provides both risk assurance and proactive risk support to the business. Risk Management contributes to the business by playing an increasingly active role in Pursuit Boards, which ensure that the selection of clients and opportunities is in line with the strategy; by engaging Senior Leadership across the organization to identify, evaluate and mitigate enterprise risks; and by identifying and assessing risks in new delivery models that emerge as a result of the execution of Arcadis’ digital models.
The quarterly Risk Management Committee, chaired by the Chief Financial Officer (CFO), advises the ELT and the Executive Board on strategic, operational and global risk matters in the context of Arcadis’ risk appetite. It assesses from time to time whether Arcadis has identified and mitigated or managed known and emerging risks to ensure that robust risk management is in place across Arcadis. The Chair nominates the other members of the Risk Management Committee, to include (at least) five members: Senior Business Representative(s) from one or more regions, Arcadis NV General Counsel, Head of Internal Audit, Group Executive Project Services and the CRO. Their appointment is confirmed by the Executive Board/ELT.
The ARC Framework balances risk and opportunity and clearly sets out the Executive Board’s appetite for risk. To facilitate the communication of the risk appetite to the business, Key Risk Indicators, based on both qualitative and quantitative metrics, were developed for each of the fifteen key risks.
The Key Risk Indicators are monitored on a periodic basis to provide an early warning as to where exposure to risk may be exceeding appetite. Where exposure is outside of appetite range, existing controls may have more focus placed on them; alternatively, the introduction of additional or revised controls may be considered. The Key Risk Indicators are reported to both the ELT and Audit and Risk Committee on a quarterly basis.
Arcadis’ risk appetite changes over time reflecting developments in society, legislation, geopolitics, the client landscape and changes within Arcadis.
Risk management in action
Arcadis follows a three-line defense model. The operating entities are the first line of defense, embedding risk management as a formal part of all major decision making via tools such as risk registers, project watch lists and client and project Go/No Go assessments.
The Risk Management function is part of the second line of defense along with other enabling functions including Human Resources, Legal, Health & Safety, Compliance & Privacy, Finance and Information Security. These functions assist and support the first line of defense with identification and analysis of key risks (including the likely impact and probability of the risks arising), mitigation of risk through the introduction of policies, standards, procedures and guidelines, providing training and awareness, and with the periodic assessment of the design and operating effectiveness of risk mitigating controls. The function is led by the CRO, reporting directly to the CFO with a dotted line to the Group Executive Project Services. This allows the function to retain appropriate focus on project risks and financial reporting risks.
Arcadis’ Internal Audit function provides the third line of defense. Its role is explained in more detail below.
Arcadis’ Risk Assurance Program
A key part of Arcadis’ risk management process is the Risk Assurance Program which is designed to periodically and systematically assess whether the controls, as defined in the ARC Framework, are designed and operating effectively across the regions. Controls found not to be designed or operating effectively are remediated.
The Risk Assurance Program provides for a continuous annual cycle for testing the design and operation of the controls to ensure that the key risks are being effectively mitigated or managed. The Risk Assurance Program operates at both a Corporate and Regional level with each Region reporting the results of its annual assessment at the end of the financial year to the CRO and Group Controller.
Attention is given to observed weaknesses, instances of misconduct and irregularities, indications from whistle blowers, lessons learned and findings and recommendations from the internal audit department and external audit firm.
The Risk Assurance Program helps identify new and evolving risk causes which require the design of controls to be updated and/or strengthened. These changes will be actioned and communicated by Corporate Risk Management. Where remediations of the controls by the regions or functions are identified, these are captured in a tracker. The tracker is periodically monitored by Corporate Risk Management to ensure that the remediations are being actioned. Risk Management is working to further improve the clarity of these actions to ensure that they are specific and time-bound.
Each Regional CEO and CFO is required to sign off an annual Letter/Document of Representation (DOR), which is addressed to the Group CEO and CFO. In addition, each ELT member is required to develop and sign off a Functional DOR in respect of the key risks in their areas of responsibility. They are supported in this by relevant functional leaders and Corporate Risk Management. The DORs include a statement regarding the design and operating effectiveness of controls.
Based on the Regional and Functional DORs, Arcadis NV issues a DOR (including an In Control Statement) to the external auditor.
Arcadis’ Internal Audit function acts as the third line of defense and operates under the responsibility of the Executive Board. Its objective is to enhance Arcadis’ performance through assurance.
The Head of Internal Audit has direct access to the Executive Board and the Chairman of the Audit and Risk Committee, and is a permanent invitee to the Audit and Risk Committee meetings.
The priorities for Internal Audit are defined in a dialogue with the ELT and the Audit and Risk Committee and are approved by the Executive Board and the Supervisory Board. They are based on the results of an overall risk assessment of Arcadis which focuses on the main risk management and internal control systems and the Top 10 strategic priorities of the organization. Additionally, the Internal Audit plan is discussed with the external auditor. Ongoing interaction exists between Internal Audit and the external auditor regarding the progress of execution of the plan and main results. The audit plan is reassessed quarterly against changes in the overall risk environment of Arcadis. The audits of Internal Audit are aligned with the second line functions.
Observations and recommendations as reported by Internal Audit are submitted to management of the operating entities or global functions including appropriate regional leadership and reported quarterly to ELT members. Regional leadership is responsible for executing and monitoring the progress of remedial measures put in place to mitigate and manage the reported risks.
The Executive Board and Audit and Risk Committee receive, on a quarterly basis, the results of audits and activities as performed by Risk Management, Internal Audit and the external auditor, and the main results and progress on actions are discussed. The role of the Audit and Risk Committee includes monitoring the progress of management follow up as a result of audits.
“The above statements are given on the basis that the ARC Framework is primarily designed to bring Arcadis’ risk exposure within its appetite and cannot therefore provide full and complete assurance that all human error, unforeseen circumstances, material misstatements, fraud or non-compliance with laws and regulations will be prevented.”