RISK MANAGEMENT, THE ARCADIS WAY
The Arcadis Way is to embed risk management in our working practice, as effective risk management and risk intelligence assessment of opportunities are essential for helping us achieve our business objectives.
In a competitive, ever-changing business environment, it is only by being agile and entrepreneurial, and by having a deep understanding of our clients and the markets in which they operate, that we will continue to be successful. This way of operating is enabled by setting clear risk boundaries for the operating entities in our regions, through our various policies that aim to identify, assess and manage our risk. Through the risk management framework, we seek to strike a balance between business opportunities and strategic and operational risk.
The main areas of assessment of risk appetite are:
Our global Enterprise Risk Management (ERM) system (which is based on COSO), the Arcadis Business Control Framework (ABC), sets out the key controls, which are classified into zero, critical and balanced tolerance, indicating the level of risk appetite considered acceptable for each control.
Our core business is Design & Consultancy for natural and built assets. The fee arrangements of the contracts that we enter into can be grouped into two broad categories:
Major turnkey projects with higher risk are pursued under the premise that we have the technical and project management skills to adequately control the risk. Our policy is not to take equity stakes in projects, and only by exception and for specific reasons would we deviate from this starting point. We maintain insurance covering professional liability and claims involving bodily injury and property damage.
RISK MANAGEMENT AND INTERNAL CONTROL
Arcadis’ risk management policies aim to identify, assess and manage risks that may arise through our day-to-day business operations. In addition, we are regulated in a number of our operational fields, and the regulatory and reporting framework applicable to our operations requires effective risk management. The ABC Framework provides a structured, consistent and transparent approach to identify, assess and manage the risks that may impact our business operations. It comprises global governance standards and global and operating company policies and standards. It applies to all the business regions and the operating companies within those regions and represents the minimum requirements that the Arcadis operating companies have to meet.
RESPONSIBILITY FOR RISK MANAGEMENT
The Arcadis Supervisory Board oversees and advises the Executive Board, which has overall responsibility for risk management. In the regions and operating companies, management teams are responsible for operational performance and effectiveness and for managing the associated risk within the framework of the ERM system.
A critical element of ERM is identifying the various risks that Arcadis faces in the pursuit of its strategy. The main risks were selected following comprehensive discussions that included the likelihood of their occurrence and their potential impact. The Executive Board, Audit and Risk Committees and the Supervisory Board review the identified strategic and operational risks annually.
The Risk Management Committee oversees the effectiveness of the risk management framework. It is chaired by the Chief Financial Officer and the other members are representatives from the Legal, Risk Management and Internal Audit functions and from business operations. In 2015, the Committee met on three occasions. Matters considered by the Committee included:
- Roles and responsibilities
- Metrics and reporting
- IT solutions;
- 29 workshops across the regions
- 502 leaders and managers participating;
The Executive Board is supported in performing its risk management tasks by the Corporate Risk Management function, amongst others. To further strengthen the Corporate Risk Management function, and to support our ambition of capitalizing on rewarded risk while ensuring full focus on unrewarded risk, two appointments were made in the third quarter of 2015: a Chief Risk Officer and a Chief Compliance and Privacy Officer. The core corporate risk team is supported in the regions by Risk Managers who work with the regional management teams to actively manage identified risks in the operating companies. Across the seven Arcadis operating regions there are some 22 people in risk management roles.
Internal Audit reports directly to the Chief Executive Officer with a functional line to the Chief Financial Officer and has a reporting line into the Audit Committee. The Executive Board and Audit Committee approve the annual audit plan and quarterly updates to reflect changes in the risk profile of Arcadis.
The Internal Audit function was strengthened in the course of 2015, reflecting the increase in global footprint and risk profile of Arcadis. Extensive IT capabilities and business experience were added to the team in addressing the need for assurance by the Executive Board. A risk-based internal audit plan was executed with the focus on assessing and improving the quality of governance, risk management and controls within Arcadis by performing independent assessments on the effective embedding of the Arcadis Business Control Framework in the business operations. The Executive Board and Audit Committee received an overview of the main reported control weaknesses, recommendations for improvement and the quality of management follow-up on previously reported findings on a quarterly basis.
OUR MAIN RISKS
Our main risks are those that threaten our ability to deliver our strategy. An overview of these risks and how we manage them is set out below. This should not be considered an exhaustive list of our risks; other risks and residual risks could have a similar or more severe impact on our operations. As risks vary, regular assessments are made of the risk proportion in certain areas, which relates to the growth of the company, its geographical presence, activities and general risk trends. Risk was assessed to have increased during 2015 from our exposure to more volatile emerging markets, where payment behavior also worsened. We continuously update our risk-control measures to mitigate our evolving risk profile.
Information security continues to grow in importance with the increased visibility and global footprint of Arcadis. In 2015, clients increasingly asked about the information security practices within Arcadis and the controls in place to protect client data. Activity of outside parties seeking to obtain information from Arcadis through false emails (‘phishing’) and telephone calls directly to employees (‘social engineering’) increased significantly during the year. Increased employee awareness and technological controls, including improved advanced threat protection for high-risk email accounts and anti-phishing education and testing systems, have reduced the impact of these efforts. Enhanced capabilities for vulnerability and penetration testing were developed and utilized during the year, providing security assurance in a variety of areas. Information security staff were identified and developed in several regions during the year, with additional regional resources to be identified in early 2016. Advanced security features available through Oracle, AT&T and Microsoft initiatives will also enhance the security posture in the coming months and years, including updated firewalls and enhanced network intrusion detection and monitoring.
The table that follows outlines the principal risks, the likely impact should they arise and the mitigating activities that Arcadis takes in respect of each of them.
MERGER AND ACQUISITION RISK
Growth through acquisitions is part of our strategy. This entails a number of specific risks related to the preparation and execution of an acquisition and subsequent integration.
Items such as balance sheet misrepresentations, insufficient backlog, client issues, and unforeseen or undisclosed claims may have an adverse effect on revenues and margins. Integration issues and a lack of retention of key people may also negatively impact our performance.
RISK MITIGATING ACTIONS
Major acquisition processes are managed centrally and include a thorough analysis of and due diligence on the strategic fit, fit with our business principles, management and reputation, culture, financials and policies and procedures. Whenever possible, purchase agreements include customary representations, warranties and indemnities, while employment agreements and non-compete clauses, as well as restricted share units or stock options, are used for retention purposes. In larger privately-held company acquisitions, we may pay part of the purchase price in Arcadis shares to promote the alignment of the former owners with our long-term interests. Our post-merger integration processes help us to focus on market and organizational integration, and include implementing Arcadis’ ABC Framework, which includes a schedule with immediate focus on zero-tolerance issues and a phased approach for other risk categories. Larger acquisitions are evaluated after three years and reviewed with the Supervisory Board.
To properly fund its business, invest in innovation and organic growth and complete acquisitions, Arcadis needs access to capital.
Restrictions in access to or lack of capital may limit Arcadis’ ability to fulfil its obligations in delivering solutions to its clients. Lack of capital for acquisitions may weaken our relative position in our rapidly consolidating industry.
RISK MITIGATING ACTIONS
Arcadis has access to credible sources of funding and has long-term financing arrangements with relationship banks to fund its daily capital needs. A well-spread debt maturity schedule is maintained and in recent years, Arcadis has diversified its sources of funding by attracting capital through both US Private Placements and German Schuldschein debt for longer periods from institutional investors and other banking institutions. Arcadis has a well-developed working capital management system and centralized cash management approach, limiting capital costs. We focus on maintaining a solid financial performance in the short- and long-term, with debt levels that stay well within our loan covenants, transparent reporting and a proactive investor relations program.
Arcadis has a strategic ambition to be seen as the best in everything it undertakes, which includes attracting and retaining the best people and creating an environment that enables them to reach their full potential. In addition, we strategically rely on collaboration to leverage our capabilities and global footprint to bring the best of Arcadis to better serve our local, national and global clients.
Failure to develop a balanced culture focused on performance and collaboration that embodies our core values of Integrity, Client Focus, Collaboration and Sustainability may negatively impact our ability to successfully pursue work and provide leading-edge solutions for our clients. This, in turn, can lead to loss of opportunities, client relationships and ultimately loss of revenues.
RISK MITIGATING ACTIONS
Arcadis manages the recruitment and selection of people based on job qualifications, but also on the ability to work in global teams and perform under pressure. In addition, Arcadis has a multitude of programs directed at improving collaboration and knowledge exchange around the world, including our Quest exchange program, Global Shapers engagement program, centers of excellence, and targeted education programs such as our Program Management, Project Management and Client Development Academies. In 2015, we launched the Arcadis Leadership Competency model to provide leaders with a transparent competency overview that provides clarity in how a leader in Arcadis can contribute to the success of Arcadis. It will be used in performance management reviews and to develop managers into leaders.
CLIENT AND PROJECT RISK
Arcadis works on tens of thousands of projects annually for many different clients, and encounters a variety of risks. Client selection determines our ability to perform work effectively, while also impacting remuneration for the performance we deliver. Project selection is critical to our success as project demands need to match our ability to provide the right solutions and not introduce undue limitations or liabilities to our performance. The careful selection of our partners, whether for joint ventures, alliances or sub-contracting, is essential to successful project completions.
Inappropriate client selection may expose Arcadis to risk with regard to its ability to be paid or unfavorable outcomes with regard to scope changes and other issues, resulting in lower margins. Improper project selection and management may lead to cost overruns, while contractual conditions may result in considerable liabilities, claims and loss of clients. Selecting inappropriate partners may result in design failures, project delays and conflicts of interest, again resulting in possible liabilities and negative effects on revenues and/or margins.
RISK MITIGATING ACTIONS
An extensive and globally prescribed Go/No go process governs client and project selection – the choice of which clients to work with and which projects to work on is carefully weighed against a broad set of risk assessments and within a prescribed authority matrix within the regions and operating companies. Our thorough review of contract conditions, regular project reviews, selection, training and performance reviews of people, quality management systems, and a global insurance policy also limit our project risk. Main project risks and claims are assessed quarterly and, if required, provisions are taken to cover risk. Projects which have a higher risk profile due to fee scales and/or the nature of the work are tracked on a Global Project Watch List, which is reviewed quarterly at corporate level, with active interventions as required. In addition, all claims with a potential impact above a certain size are monitored at corporate level by the Executive Board.
Arcadis is a global business, operating across many financial jurisdictions and has grown rapidly via significant acquisitions in recent years. Ensuring that all operating companies are reporting to the same financial policies and delivering the same quality of reporting with trained, experienced finance staff is essential.
A material misrepresentation of our financial performance, misjudgement of our backlog, or other management judgments with regard to our financial performance, may trigger the need for restatements, which can have a severe impact on a company’s reputation and stock market value.
RISK MITIGATING ACTIONS
Clear accounting policies, applicable to all operating companies, with central oversight, and standard reporting formats are key components of the risk management and financial control system for financial reporting. Rapidly integrating acquisitions into the Arcadis accounting framework is a key control. Regular project reviews are another control element with financial staff adding robustness to the review process by independently reviewing projects to assess matters such as revenue (including revenue recognition), profitability (including costs to complete), time recorded, work in progress and invoicing. The Regional CFOs report hierarchically to Arcadis’ Global CFO. The implementation of Business Blueprint will further embed the application of the accounting policies.
CAPACITY / CAPABILITY RISK
Employee utilization is a key driver for Arcadis’ financial success. More effective use of the time available from our experts can be a strong driver for our margin performance.
A decrease in workload may reduce employee utilization. Experience indicates that a strong market downturn can cause a substantial decrease in annual revenues for the business in that market. Such conditions could seriously impact margins and profitability.
RISK MITIGATING ACTIONS
All operating companies monitor and report order intake and billability on a bi-weekly basis. In Europe, our policy is to have a certain percentage of our people on flexible contracts. Information on bookings and billability is used to decide on staff capacity adjustments. Additional mitigation is achieved through the use of Global Design Excellence Centers.
A free flow of capital is crucial to operate our business and for future success to fund our growth strategy.
Financial risks include credit, liquidity, currency and interest rate risks. Of these, our risk assessments have shown liquidity risks to be the most important. This includes the availability of sufficient financial resources to finance our strategy.
RISK MITIGATING ACTIONS
Liquidity risks are centrally managed by giving a high priority to working capital and cash flow, which are reported by all operating companies on a monthly basis to the Corporate Treasury department. More extensive information on financial risks (including sensitivity analysis), and the way these are managed can be found in note 28 to the Consolidated financial statements in this Annual Report.
INFORMATION TECHNOLOGY RISK
In Arcadis’ increasingly global operations, we rely on collaboration to win work and bring the best of Arcadis to clients, wherever they operate. Seamless communications and connectivity are paramount to that approach. An increased global presence also comes with greater cybersecurity challenges that require Arcadis to constantly adapt to the accelerating pace of worldwide changes.
Information Technology (IT) is fundamental to our daily operations and is critical to our supporting processes and portfolio of capabilities, and we increasingly rely on providing services to clients with integrated applications or services (webhosting). Communication and collaboration require operating information and communication technology systems that meet the needs of an increasingly mobile and socially connected workforce. Arcadis must guard against the risks of loss or corruption of critical, confidential, financial data and the disruption of productivity.
RISK MITIGATING ACTIONS
Mitigation efforts run across three areas: People, process/structure, and technology. Risk awareness surrounding safe IT usage among our people, including the employees of partner companies with whom we collaborate on projects, is essential. This includes use of (social) networks, access such as password safety and information integrity. Processes/structures and technology are set up to provide preventive and repressive controls, such as physical and logical security, backup of data, restoration testing and business continuity plans and disaster recovery testing.
HEALTH & SAFETY RISK
Through our project engagements, our people may work in hazardous conditions or dangerous environments that may lead to accidents. Nevertheless, the office environment may also be risk prone if people are not properly aware of Health & Safety aspects.
Health & Safety (H&S) incidents may translate into project stoppages, loss of working hours, medical costs or, in the worst case, loss of life. All of these incidents are associated with extra costs or liabilities and as a result may impact company performance.
RISK MITIGATING ACTIONS
Arcadis has an H&S First policy and culture and strives to provide a healthy and safe work environment for all of its employees, clients and subcontractors. In addition, our Global H&S Vision and Policy commits us to proactively identify and control the H&S risks of our work to prevent injuries and strive every day for zero incidents. Our Global H&S Management System prevents risks, and our behavior-based approach encourages continuous improvement of H&S performance.
As a global company, Arcadis operates in a world that is generally becoming increasingly regulated, and in geographies with different business practices and cultures. Areas of increasing focus include compliance with tax regulations, data protection & privacy laws and anti-bribery & corruption laws.
Failure to comply with applicable regulations could lead to fines, claims and reputational damage.
RISK MITIGATING ACTIONS
With Integrity as one of our core values, and our license to operate, Arcadis has a zero-tolerance approach with regard to compliance issues. We have an integrity-focused compliance program, which aims to further improve awareness among our people of our policies and procedures and the business dilemmas they may face.
Applicable policies and procedures include our General Business Principles, policies confirming procedures for issue reporting and content, policies with clear guidance on anticorruption and trading prohibitions. Specific training and awareness sessions are provided during the year. The compliance framework includes Compliance Officers and Compliance Committees in each region, a group Compliance Committee and, since October 2015, a global Chief Compliance Officer. An integrity phone line allows our people to report issues anonymously if they feel uncomfortable going to management or Compliance Officers. For additional information, refer to the Sustainability section.
ASSESSMENT OF INTERNAL CONTROL
The Executive Board has reviewed the effectiveness of internal risk management and control systems, based upon the following information:
The Executive Board is responsible for the design and performance of the internal risk management and control systems. Although such systems are intended to optimally control risks, they can never, however well-designed or performing, provide absolute certainty that human errors, unforeseen circumstances, material losses, fraud or infringements of laws or regulations will not occur. In addition, efforts related to risk management and internal control systems should be balanced with the costs of their implementation and maintenance.
Based on the approach outlined above, the Executive Board believes that, to the best of its knowledge, the risk management and control systems with regard to financial reporting risks worked properly in 2015 and provided a reasonable assurance that the financial reporting does not contain any errors of material importance.
In accordance with article 5:25c of the Financial Markets Supervision Act (Wet op het financieel toezicht), the Executive Board confirms that to the best of its knowledge:
The names and functions of the Executive Board members can be found here.