• Governance

Enterprise Risk Management at Arcadis

Balancing risk and reward to achieve Arcadis’ strategic objectives

INTRODUCTION

Intelligent risk management plays a vital role in enabling Arcadis to achieve its long-term strategic objectives. It is also important to Arcadis’ stakeholders. The Arcadis Business Control Framework (the ABC Framework) is Arcadis’ internal risk and control system, designed and implemented based on the identified twelve key risks which could have an impact on Arcadis’ achievement of its strategic goals. The twelve key risks are divided into four risk categories: Strategic, Operational, Health & Safety and Compliance. Governance standards, global policies and global guidelines are included in the framework, providing a road map for the management of risk on a day to day basis, assisting value creation and promoting the long-term success of the company. 

RESPONSIBILITY FOR RISK MANAGEMENT

The Executive Board has overall responsibility for identifying, analyzing and managing the risks associated with Arcadis’ strategy and activities, including establishing the risk appetite, designing, implementing and maintaining the internal risk and control system, and monitoring its performance. The Executive Board has established a Risk Management function to provide support and assistance with the effective discharge of these responsibilities. The Risk Management function is headed by the Chief Risk Officer, supported by a Corporate Risk Management team and Regional Risk Managers.

The Risk Management Committee assists the Executive Board with striking the right balance between risk and reward by providing global oversight on risk topics. The Risk Management Committee advises the Executive Board, as needed, in ensuring that a robust risk management framework exists across Arcadis. 

RISK PROFILE, RISK CAPACITY AND RISK APPETITE

To achieve its strategic objectives, Arcadis needs to take a considered amount of risk. The amount of risk Arcadis chooses to take in relation to each key risk is expressed as its appetite. Appropriate controls are designed and implemented for each key risk to bring Arcadis’ risk exposure within appetite.

Arcadis’ risk appetite in 2017 ranged from averse to high. All controls are carefully designed, implemented and regularly monitored to reduce Arcadis’ risk exposure.  A ‘high’ risk appetite indicates that Arcadis chooses to accept a high level of exposure to a certain risk.  Where the appetite for risk is ‘averse’, Arcadis seeks to significantly reduce its risk exposure. An appropriate level of assurance is applied to ensure that Arcadis stays within the defined risk appetite.

In 2017, the Risk Management function worked closely with the Executive Board and the businesses to translate its appetite for its Strategic, Operational, Health & Safety and Compliance risks into concrete key risk indicators. These enable Arcadis to clearly communicate its risk appetite, risk capacity and overall risk profile to the business. They also provide a tool for monitoring Arcadis’ risk exposure which will help it to maintain a risk profile which does not adversely impact its profitability or value, or pose a threat to its continuity. In certain instances, conscious, informed risk taking can aid the creation of value.

RISK MANAGEMENT IN ACTION

Risk Management in Arcadis can only be effective with a strong commitment from regional executive management to drive a culture where the regions own and manage risk on a day to day basis.

In its three-line defense model, Arcadis’ operating entities are the first line of defense:  they are accountable for risk management at an operational level. Risk Management is amongst the functions that make up the second line (others include Legal, Health & Safety, Finance and Information Security), assisting and supporting the first line of defense with identification and analysis of key risks (including the likely impact and probability of the risks arising), the development of mitigating controls and monitoring their effectiveness. The third line, Arcadis’ Internal Audit function, provides independent assurance on governance, risk management and internal controls.

The Risk Management function assists the Executive Board in assessing the effective implementation of the ABC Framework on an annual basis.  The Corporate Risk Management team oversees assessments in the regions – known as “management testing”. The results from the annual management testing are analyzed and discussed initially with Regional management, and then with the Executive Board, the Supervisory Board and the Audit and Risk Committee. Where necessary, improvements to the design or the implementation of the controls are recommended. All reported findings and recommended improvements (including those from Internal Audit and External Auditors) are captured in an Action Tracker. Recommended improvements are actioned by the business, monitored and supported by the Corporate and Regional Risk Management Teams. The Chief Risk Officer periodically reports to the Executive Board on the status of the improvement items.

INTERNAL AUDIT

Arcadis’ Internal Audit function operates under the responsibility of the Executive Board. Its objective is to enhance Arcadis’ performance through assurance. Internal Audit deploys a systematic and disciplined approach to evaluate and improve Arcadis’ governance, risk management and control environment. This approach complies with the Standards of the Institute of Internal Auditors. The Head of Internal Audit has direct access to the Executive Board and attends Audit and Risk Committee meetings.

Annually, the priorities for Internal Audit are set in consultation with the Executive Board and the Audit and Risk Committee based on the results of an overall risk assessment of Arcadis. The audit plan is reassessed quarterly against changes in the overall risk environment of Arcadis.

In 2017, Internal Audit mainly focused its activities on the roll out of the Arcadis Way and business process audits in operating entities. Observations and recommendations from the audits are discussed with management of the operating entities and included in the Action Tracker. Regional management is responsible for executing and monitoring the progress of remedial measures put in place to mitigate the reported risks. The internal audit reports are submitted to the auditee, regional management and the responsible Executive Board member.

A summary of the results of audits undertaken and changes to the audit plan, if any, are reported to the Executive Board and the Audit and Risk Committee on a quarterly basis.

MAIN RISKS

STRATEGIC RISKS

MARKET RISK

Overall market volatility has decreased, and key geographical markets are expected to remain stable or grow for the foreseeable future. Uncertainty remains around matters such as Brexit and developments in the Middle East which could have a significant impact on key markets going forward. Arcadis’ competitive field has been consolidating with several large mergers and/or acquisitions in recent years. The increasing relative scale of competition presents a long-term risk for Arcadis’ ambition to remain a top three pure design and engineering firm. In addition, the industry is shifting to digitalization following years of low productivity and limited innovation. While this shift presents exciting opportunities to differentiate from the competition, it also brings new risks with regards to innovation choices. Arcadis is well diversified both geographically and with regard to the sectors in which it operates making it resilient to shocks in specific countries or sectors.

Specific Risk Mitigating Actions in 2017

  1. Arcadis’ new strategy was developed and launched. This identifies four industry specific megatrends and refocuses efforts where Arcadis can be a market leader.

  2. To respond to the industry shift to digital, Arcadis developed and launched a digital strategy and invested in a digital leadership team, including appointing a Chief Digital Officer.

Risk Appetite = Medium - High 

Risk Trend = Stable

Further activities planned for 2018

Further risk assessments of the digital strategy will be carried out as it evolves. There will also be focus on ensuring that there is sufficient resource to implement the new strategy.

REPUTATION RISK

The global reach of the Arcadis brand is a real strength – clients know that they enjoy the same level of innovation, client focus, and solutions driven approach globally. As with every strength, there is a corresponding weakness, and in this instance, it is that any reputational harm suffered in one area of Arcadis’ operations has the potential to reverberate throughout the organization.

Specific Risk Mitigation Actions in 2017

  1. Arcadis issued several large pieces of research which helped it establish a position as a thought leader, including the highly respected Sustainable Cities Mobility Index. These have received a great deal of positive press.

  2. A new global Human Rights and Labor Rights policy was introduced across the business.

  3. Arcadis UK was named as a ‘Superbrand’. ‘Superbrands’ is the definitive listing of the UK's strongest brands and Arcadis UK was independently chosen by a council of brand experts and around 2,500 business professionals.

Further activities planned for 2018

Arcadis’ new strategy and updated values are heavily focused on people and behaviours. This includes encouraging leaders to be role models and removing barriers to value-based behaviours to create a global Arcadis culture.

Risk Appetite = Averse – Low

Risk Trend = Stable

M&A RISK

In 2017, Arcadis' did not undertake any large mergers or acquisitions, rather the focus was on divestments, with the aim of bringing focus and reducing the risk profile.

Specific Risk Mitigating Actions for 2017

  1. Arcadis continued to cautiously look at smaller investments applying a diligent process for reviewing targets and assessing added value. Arcadis includes in its review the ability to finance acquisitions and the managerial capabilities required for integrating acquisitions.

  2. Arcadis continued to carefully monitor the integration and value creation of past acquisitions with a formal review of past acquisitions after three years. It applies lessons learned when integrating subsequent acquisitions.

Further activities planned for 2018

Ongoing portfolio re-focusing whilst considering right-fit acquisitions. 

Risk Appetite = Low – Medium

Risk Trend = Stable

FINANCING RISK

The excess liquidity seen in the capital markets and in banks in 2017 has had a positive effect on Arcadis’ ability to access capital from external sources. There are new banks interested in joining Arcadis’ banking syndicate and its current relationship banks remain willing to provide financial support. There is continued focus to reduce leverage, with lower debt and improved EBITDA the main drivers.

Specific Risk Mitigating Actions in 2017

  1. Potential new lenders were identified and a dialogue with them has started. Work was done on expanding non-core banking relationships.

  2. The decision was taken to develop scenarios for refinancing debt in 2018.

Risk Appetite = Low

Trend = stable

Further activities planned for 2018:

Continuous review of financing options.

PEOPLE RISK

Arcadis recognizes that its people and its culture are key to achieving it objectives and as such its new strategy focuses heavily on People and Culture. Having insufficient talent to win and deliver client projects is a risk and Arcadis’ ability to recruit and retain good people is key.  Arcadis continues to build its capabilities in the Global Excellence Centres and these remain a differentiator for Arcadis. 

Specific Risk Mitigating Actions in 2017

  1. In addition to the global learning and development programs offered (e.g. Global Shapers, the Advanced Management Program, etc.), every region has started to develop their specific line manager and middle manager training programs to enhance and skills and capabilities of this population and the way they manage their teams.

  2. More Project Managers were trained through the Arcadis Project Management Academy.

Risk Appetite = Low

Risk Trend = Stable

Further activities planned for 2018

A new performance management framework - 'Grow Perform Succeed' – has been developed and launched. The framework will bring a simple and streamlined process with more frequent and meaningful performance conversations that are focused on the future, growth and development. Grow Perform Succeed is a key pillar of the People and Culture aspect of the strategy and will foster employee engagement, retention and people capabilities.

OPERATIONAL RISKS

CLIENT & PROJECT RISK

Client buying patterns are changing: clients are looking for integrated thinking to solve complex problems in a sustainable way and are increasingly transferring risk to their supply chain.  Reflecting this trend, Arcadis is increasingly engaged by contractors, whose clients have procured services on a design and build basis. This trend and other market forces have resulted in increased exposure to Client & Project Risk. To bring exposure within appetite, several new mitigating actions were introduced.

Specific Risk Mitigating Actions in 2017

  1. Arcadis Way introduced a project review regime which is tailored to the project and the identified risks. There was also increased monitoring of project performance in the regions at corporate level.

  2. Collaboration Guidelines for cross border projects were updated.

  3. The on-going Client Focus program, prioritized dealing with changes in buying patterns and market uncertainty and the client development capability was significantly strengthened.

  4. Training on the risks associated with working directly with contractors in a design-build context was given to the Global Solutions Leaders, the Global Client Development Leaders and the Global Legal Team and to sector and solution leaders in a first wave of regions - the Middle East, Australia and Asia.

  5. A new Executive Sponsorship program was launched. Under it, leadership is assigned to specific clients, improving sight lines to market shifts and opportunities.

Risk Appetite = Low to Medium 

Risk Trend = Stable

Further activities planned for 2018

Every region will carry out an assessment on the way in which it manages projects. These assessments will be used as a starting point for putting improvements in place under an initiative: ‘Make Every Project Count’ which aims to improve the profitability of projects. Training on working directly with contractors will be presented in all regions. To improve client satisfaction, a ‘Client Experience’ tool which captures and analyses client feedback on a holistic (rather than project) basis will be piloted.

REPORTING RISK

As a globally operating publicly listed company, Arcadis is required to comply with financial and non-financial reporting requirements. Material misstatements in reporting could significantly affect Arcadis’ reputation and/or its stock market value. It is critical that all operating entities report to the same standards and deliver the same high quality of reporting, in line with accounting and reporting principles. In 2017 there were new reporting requirements under the Dutch Corporate Governance Code and the EU Non-Financial Reporting Directive. Arcadis has taken steps to ensure that it will be compliant with the new financial reporting standards which will be in force in 2018 (IFRS 9 and IFRS 15) and 2019 (IFRS 16).

Specific risk mitigation actions in 2017

  1. Roll-out of improved Group Accounting Manual and launch of a portal for finance team members, to access information easily, including further clarification on specific policies and on site and online training, including on the new reporting standards.

  2. Set up working groups and steering committees to address changes in financial reporting and non-financial reporting standards/laws and regulations.

  3. Developed Finance strategy 2020 aimed at improving and digitalizing the finance function.

  4. Continuation of PwC’s appointment as statutory auditor for the majority of its operating entities.

Risk Appetite = Averse

Risk Trend = Stable

Further activities planned for 2018

A redesigned financial reporting control framework (including Oracle related application controls) will be implemented. The implementation of the new financial and non-financial reporting standards will continue to be monitored by the working groups and steering committees set up in 2017 for this purpose. Further roll-out of the Arcadis Way, including one way of working, underpinned by a single ERP system (Oracle), standardized reporting, business intelligence and data analytics.

CAPACITY & CAPABILITY RISK

Competition for talent continues to be fierce and there is a risk that knowledge and technical capability and capacity of Arcadis’ employees does not always match prevailing market needs.

The on-going implementation of the Arcadis Way, with its associated resource management functionality, will allow for more efficient use of existing capability and capacity across Arcadis’ operations. The trend toward digitalization will result in a shift in some of the skills needed. Attracting sufficient, capable technical people remains a challenge.

Specific Risk Mitigation Actions in 2017

  1. Technical capacity in the Global Excellence Centres was increased by more than 500 people.

  2. A Digital Academy was added to the suite of Academy programs, focusing on the broader knowledge base of all Arcadians in this digital era.

Risk Appetite = Low to Medium 

Risk Trend = Increasing

Further activities planned for 2018

A further increase in the technical capacity of the Global Excellence Centers is planned for 2018. As part of the 2018-2021 strategy and 'Putting People First', Arcadis aims to become the Employer of Choice in every region in which it operates by encouraging leaders to be role models and by creating a safe, respectful and inclusive working environment where differences and innovation are valued. 

LIQUIDITY RISK

Having insufficient free cash flow would prevent Arcadis from being able to fund its operations. The Total Leverage Ratio is decreasing, with ongoing close monitoring of EBITDA performance.

Specific Risk Mitigating Actions in 2017

  1. In Q2 2017 all regions were given cash targets to minimize net debt. By the end of 2017, targets were achieved in the majority of the regions

  2. The global working capital management program, established in 2016, continued to be implemented.

Risk Appetite = Low

Risk Trend = Decreasing

Further activities planned for 2018

Arcadis will continue to track developments in net debt and EBITDA. Full implementation of the global working capital management program in certain sub-regions and countries has been identified as an opportunity for improvement and this will be a priority for 2018.

IT RISK

To further enable collaboration, supporting bidding and project delivery, within Arcadis, IT services have been centralized and harmonized. This however increases the risk of critical IT systems having restricted availability or being unavailable. And, as Arcadis increases it digital efforts, so too will the likelihood of threats and vulnerabilities which relate to the use of IT. Arcadis considers cyber-crime to be one of its biggest IT threats with cyber criminals becoming more sophisticated and increasingly active across the globe.

Specific Risk Mitigating Actions in 2017

  1. A new IT security framework has been drafted in line with ISO 27001. The aim is to have this implemented globally in 2018.

  2. Phishing email tests were sent out to assess the level of awareness of employees with regard to cyber risk. As a follow up to this assessment, ransomware training was developed and delivered.

  3. A comprehensive ongoing program of management testing around IT systems and processes, including detailed testing across the following areas: Strategy, Information Security, Change Management, Business Continuity, Backup and Retention, Operational Management, Software Assets and Vendor Management, is in place.

Risk Appetite = Averse

Risk Trend = Increasing

Further activities planned for 2018

To further improve IT security, multi-factor authentication for Office 365 will be introduced. Additional training and awareness campaigns are planned, including email security training. Arcadis’ IT experts will work with the Global Privacy Team to build privacy controls into IT systems (‘Privacy by Design’). Monitoring of network and connectivity resilience will be increased to ensure that warning signals are acted upon promptly.

HEALTH & SAFETY RISK

During 2017, the regions in which Arcadis does business and the type of services it undertakes have not significantly changed and therefore the risk of health and safety incidents occurring which adversely affect Arcadis or its employees, has remained stable. There has been an increased focus on the wellbeing aspect of health and safety in 2017.

Specific Risk Mitigating Actions in 2017

  1. The global Health & Safety strategy was updated to include a reference to the development (or enhancement) of an employee wellbeing program on a regional basis (in conjunction with HR).

  2. A new travel health, safety and security provider was retained to improve the implementation and adoption of Arcadis’ travel health, safety and security protocol. Arcadis transitioned to this provider and has seen increased adoption of the tools available to its employees which help them mitigate the risks associated with business travel.

Risk Appetite = Averse

Risk Trend = Stable

Further activities planned for 2018

Currently reactive data is collected to identify the root cause of incidents; however, this represents a relatively small data set, so trends are not readily identifiable. Arcadis has therefore been working towards implementing a data management system in some regions that will capture a much wider range of health and safety data. This will facilitate the identification of trends and preventative controls that can be implemented.

COMPLIANCE RISK

Arcadis does business in accordance with laws and regulations including labor laws, privacy regulations, accounting standards, tax laws, health and safety regulations, governance and periodic filing, applicable in the jurisdictions in which it operates. Functional heads (including HR, Privacy, Compliance, Finance, Tax, Legal, Sustainability and Health & Safety), together with business partners, are responsible for raising awareness of applicable laws and regulations. Local and global policies are developed and implemented to aide such compliance. All new and existing Arcadis employees undertake training on the Arcadis’ code of conduct (the Arcadis General Business Principles). This provides guidance on recognizing compliance issues and on raising actual or suspected misconduct or irregularities under the reporting procedure, through the use of dilemmas.

Specific Risk Mitigation Actions in 2017

  1. The focus of the global integrity and anti-corruption program in 2017 was on continuing to encourage management ownership of integrity (top level commitment).

  2. A third party due diligence initiative, focussed on a more consistent global approach, was started and will be further developed in 2018.

  3. Various new policies and updates of existing policies – Arcadis General Business Principles, Issue handling and reporting, Conflict of Interest, Competition were introduced.

  4. A Chief Privacy Officer was appointed at global level and a Global Privacy Program was developed. The European Data Protection Authorities approved the Privacy Codes as submitted by Arcadis in 2017.

Risk Appetite = Averse

Risk Trend = Stable

Further activities planned for 2018

The Global Privacy Program (referred to above) will continue to be implemented in the regions, with a specific focus on compliance with the EU General Data Protection Regulation for the processing of personal data of European citizens. Online refresher training on the Arcadis General Business Principles, which is mandatory for all employees, is scheduled for 2018.

THE CHANGING RISK UNIVERSE

In 2017, a comprehensive review of Arcadis’ risk universe was undertaken, recognizing the rapidly evolving world in which we operate, the transformation of our operations in recent years, and the update to Arcadis’ strategy which was announced on 21 November 2017. The review identified sixteen key risks which could impact on the achievement of Arcadis’ new strategic objectives. A revised risk and control framework will come into effect in 2018. This includes new control activities and revisions to existing controls, as appropriate.

MANAGEMENT STATEMENTS

As a result of the management testing carried out in 2017, the regions and operating companies issued signed Letters of Representation and In-Control statements to the Executive Board. The Executive Board has reviewed the Letters of Representation and In-Control statements, along with reports from Internal Audit and the Board Report from the external auditor. It has assessed the effectiveness of the design and operation of the ABC Framework in 2017 and has discussed this with the Audit and Risk Committee and the Supervisory Board.

During 2017, no major failings (i.e. no failings which resulted in material losses or impact) in the design or implementation of the controls under the ABC Framework were observed. Where a control has not worked as expected, areas for improvement were identified.

Based on the information referred to above and its assessment, the Executive Board believes that:

  1. The report provides sufficient insights into any failings in the effectiveness of the internal managements and control systems;

  2. The aforementioned systems provide a reasonable assurance that the financial reporting does not contain any material inaccuracies;

  3. Based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis; and

  4. The report states those material risks and uncertainties that are relevant to the expectation of the company’s continuity for the period of twelve months after the preparation of the report.

In accordance with Article 5:25c of the Financial Markets Supervision Act (Wet op het Financieel Toezicht), the Executive Board confirms, to the best of its knowledge, that:

  1. the Consolidated financial statements give a true and fair view of the assets, liabilities, financial position and profit and loss of Arcadis and its consolidated companies;

  2. the Annual Report gives a true and fair view of the position as at 31 December 2017 and the developments during the financial year of Arcadis and its group companies included in the Consolidated financial statements; and

  3. the Annual Report describes the main risks Arcadis is facing.

The above statements are given on the basis that the ABC Framework is primary designed to bring Arcadis’ risk exposure within its appetite and cannot therefore provide full and complete assurance that all human error, unforeseen circumstances, material misstatements, fraud or non-compliance with laws and regulations will be prevented.