• Governance

Risks and Risk Management

RISK MANAGEMENT, THE ARCADIS WAY

The Arcadis Way is to embed risk management in our working practice, as effective risk management and risk intelligence assessment of opportunities are essential for helping us achieve our business objectives.

In a competitive, ever-changing business environment, it is only by being agile and entrepreneurial, and by having a deep understanding of our clients and the markets in which they operate, that we will continue to be successful. This way of operating is enabled by setting clear risk boundaries for the operating entities in our regions, through our various policies that aim to identify, assess and manage our risk. Through the risk management framework, we seek to strike a balance between business opportunities and strategic and operational risk.

RISK APPETITE

The main areas of assessment of risk appetite are:

  • Strategic: we take strategic risks in pursuit of profitable growth in mature and emerging markets. Given the volatility of the markets and economic climates within which we operate, the adaptability of our people, the solutions we offer and our infrastructure play a key part in enabling us to identify and seize opportunities.
  • Operational: we take a balanced approach to operational risk, meaning that we consider both the risk and the reward in taking business decisions.
  • Compliance: we consider adherence to laws and regulations to be fundamental in enabling us to provide our clients with exceptional outcomes. Compliance is strongly embedded in the culture of the company, with integrity chosen as number one of our four core values, our license to operate. We take a zero-tolerance approach to breaches of integrity.
  • Financing & Reporting: we take controlled risks in this area by maintaining a prudent financing strategy, including when undertaking major acquisitions.

Our global Enterprise Risk Management (ERM) system (which is based on COSO), the Arcadis Business Control Framework (ABC), sets out the key controls, which are classified into zero, critical and balanced tolerance, indicating the level of risk appetite considered acceptable for each control.

Our core business is Design & Consultancy for natural and built assets. The fee arrangements of the contracts that we enter into can be grouped into two broad categories:

  • Time and materials; and
  • Fixed-price – if the scope of a project with a fixed-price contract changes, or unforeseen conditions arise, these contracts are typically subject to price adjustments. 

Major turnkey projects with higher risk are pursued under the premise that we have the technical and project management skills to adequately control the risk. Our policy is not to take equity stakes in projects, and only by exception and for specific reasons would we deviate from this starting point. We maintain insurance covering professional liability and claims involving bodily injury and property damage.

RISK MANAGEMENT AND INTERNAL CONTROL

Arcadis’ risk management policies aim to identify, assess and manage risks that may arise through our day-to-day business operations. In addition, we are regulated in a number of our operational fields, and the regulatory and reporting framework applicable to our operations requires effective risk management. The ABC Framework provides a structured, consistent and transparent approach to identify, assess and manage the risks that may impact our business operations. It comprises global governance standards and global and operating company policies and standards. It applies to all the business regions and the operating companies within those regions and represents the minimum requirements that the Arcadis operating companies have to meet.

RESPONSIBILITY FOR RISK MANAGEMENT

The Arcadis Supervisory Board oversees and advises the Executive Board, which has overall responsibility for risk management. In the regions and operating companies, management teams are responsible for operational performance and effectiveness and for managing the associated risk within the framework of the ERM system.

A critical element of ERM is identifying the various risks that Arcadis faces in the pursuit of its strategy. The main risks were selected following comprehensive discussions that included the likelihood of their occurrence and their potential impact. The Executive Board, Audit and Risk Committees and the Supervisory Board review the identified strategic and operational risks annually.

The Risk Management Committee oversees the effectiveness of the risk management framework. It is chaired by the Chief Financial Officer and the other members are representatives from the Legal, Risk Management and Internal Audit functions and from business operations. In 2015, the Committee met on three occasions. Matters considered by the Committee included:

  • The Business Blueprint Project – this embeds the Arcadis Way of working across the enterprise. Key business elements will be standardized:

o Roles and responsibilities

o Metrics and reporting

o IT solutions;

  • Information security;
  • Risk management training:

o 29 workshops across the regions

o 502 leaders and managers participating;

  • Project management controls, including the introduction of a Global Project Watch List;
  • Soft control survey results – the program of soft control surveys initiated in 2014 and continued in 2015, with the North American region and CallisonRTKL participating in the 2015 surveys. The output of the soft control surveys is used to develop and tailor risk management training;
  • Working capital – a program to ensure systematic improvement of working capital was introduced in 2015;
  • Arcadis General Business Principles (AGBP) induction for colleagues joining Arcadis via acquisition (Hyder & Callison).

The Executive Board is supported in performing its risk management tasks by the Corporate Risk Management function, amongst others. To further strengthen the Corporate Risk Management function, and to support our ambition of capitalizing on rewarded risk while ensuring full focus on unrewarded risk, two appointments were made in the third quarter of 2015: a Chief Risk Officer and a Chief Compliance and Privacy Officer. The core corporate risk team is supported in the regions by Risk Managers who work with the regional management teams to actively manage identified risks in the operating companies. Across the seven Arcadis operating regions there are some 22 people in risk management roles.

INTERNAL AUDIT

Internal Audit reports directly to the Chief Executive Officer with a functional line to the Chief Financial Officer and has a reporting line into the Audit Committee. The Executive Board and Audit Committee approve the annual audit plan and quarterly updates to reflect changes in the risk profile of Arcadis.

The Internal Audit function was strengthened in the course of 2015 reflecting the increase in global footprint and risk profile of Arcadis. Extensive IT capabilities and business experience were added to the team in addressing the need for assurance by the Executive Board. A risk based internal audit plan was executed with the focus on assessing and improving the quality of governance, risk management and controls within Arcadis by performing independent assessments on the effective embedding of the Arcadis Business Control framework in the business operations. The Executive Board and Audit Committee received an overview of the main reported control weaknesses, recommendations for improvement and the quality of management follow-up on previously reported findings on a quarterly basis.

OUR MAIN RISKS

Our main risks are those that threaten our ability to deliver our strategy. An overview of these risks and how we manage them is set out below. This should not be considered an exhaustive list of our risks; other risks and residual risks could have a similar or more severe impact on our operations. As risks vary, regular assessments are made of the risk proportion in certain areas, which relates to the growth of the company, its geographical presence, activities and general risk trends. Risk was assessed to have increased during 2015 from our exposure to more volatile emerging markets, where payment behavior also worsened. We continuously update our risk-control measures to mitigate our evolving risk profile.

Information security continues to grow in importance with the increased visibility and global footprint of Arcadis. In 2015, clients increasingly asked about the information security practices within Arcadis and the controls in place to protect client data. Activity of outside parties seeking to obtain information from Arcadis through false emails (‘phishing’) and telephone calls directly to employees (‘social engineering’) increased significantly during the year. Increased employee awareness and technological controls have reduced the impact of these efforts, including improved advanced threat protection for high-risk email accounts and anti-phishing education and testing systems. Enhanced capabilities for vulnerability and penetration testing were developed and utilized during the year, providing security assurance in a variety of areas. Information security staff were identified and developed in several regions during the year, with additional regional resources to be identified in early 2016. Advanced security features available through Oracle, AT&T and Microsoft initiatives will also enhance the security posture in the coming months and years, including updated firewalls and enhanced network intrusion detection and monitoring.

The table that follows outlines the principal risks, the likely impact should they arise and the mitigating activities that Arcadis takes in respect of each of them.

STRATEGIC RISKS 

MERGER AND ACQUISITION RISK

Growth through acquisitions is part of our strategy. This entails a number of specific risks related to the preparation and execution of an acquisition and subsequent integration.

POSSIBLE IMPACT

Items such as balance sheet misrepresentations, insufficient backlog, client issues, and unforeseen or undisclosed claims may have an adverse effect on revenues and margins. Integration issues and a lack of retention of key people may also negatively impact our performance.

RISK MITIGATING ACTIONS

Major acquisition processes are managed centrally and include a thorough analysis of and due diligence on the strategic fit, fit with our business principles, management and reputation, culture, financials and policies and procedures. Whenever possible, purchase agreements include customary representations, warranties and indemnities while employment agreements and non-compete clauses, as well as restricted share units or stock options, are used for retention purposes. In larger privately-held company acquisitions, we may pay part of the purchase price in Arcadis shares to promote the alignment of the former owners with our long-term interests. Our post-merger integration processes help us to focus on market and organizational integration, and include implementing Arcadis’ ABC Framework which includes a schedule with immediate focus on zero-tolerance issues and a phased approach for other risk categories. Larger acquisitions are evaluated after three years and reviewed with the Supervisory Board.

FINANCING RISK

To properly fund its business, invest in innovation and organic growth and complete acquisitions, Arcadis needs access to capital.

POSSIBLE IMPACT

Restrictions in access to or lack of capital may limit Arcadis’ ability to fulfil its obligations in delivering solutions to its clients. Lack of capital for acquisitions may weaken our relative position in our rapidly consolidating industry.

RISK MITIGATING ACTIONS

Arcadis has access to credible sources of funding and has long-term financing arrangements with relationship banks to fund its daily capital needs. A well-spread debt maturity schedule is maintained and in recent years, Arcadis has diversified its sources of funding by attracting capital through both US Private Placements and German Schuldschein debt for longer periods from institutional investors and other banking institutions. Arcadis has a well-developed working capital management system and centralized cash management approach, limiting capital costs. We focus on maintaining a solid financial performance in the short- and long-term, with debt levels that stay well within our loan covenants, transparent reporting and a proactive investor relations program.

PEOPLE RISK

Arcadis has a strategic ambition to be seen as the best in everything it undertakes, which includes attracting and retaining the best people and creating an environment that enables them to reach their full potential. In addition, we strategically rely on collaboration to leverage our capabilities and global footprint to bring the best of Arcadis to better serve our local, national and global clients.

POSSIBLE IMPACT

Failure to develop a balanced culture focused on performance and collaboration that embodies our core values of Integrity, Client Focus, Collaboration and Sustainability may negatively impact our ability to successfully pursue work and provide leading-edge solutions for our clients. This, in turn, can lead to loss of opportunities, client relationships and ultimately loss of revenues.

RISK MITIGATING ACTIONS

Arcadis manages the recruitment and selection of people based on job qualifications, but also on the ability to work in global teams and perform under pressure. In addition, Arcadis has a multitude of programs directed at improving collaboration and knowledge exchange around the world, including our Quest exchange program, Global Shapers engagement program, centers of excellence, and targeted education programs such as our Program Management, Project Management and Client Development Academies. In 2015, we launched the Arcadis Leadership Competency model to provide leaders with a transparent competency overview that provides clarity in how a leader in Arcadis can contribute to the success of Arcadis. It will be used in performance management reviews and to develop managers into leaders.

OPERATIONAL RISKS

CLIENT AND PROJECT RISK

Arcadis works on tens of thousands of projects annually for many different clients, and encounters a variety of risks. Client selection determines our ability to perform work effectively, while also impacting remuneration for the performance we deliver. Project selection is critical to our success as project demands need to match our ability to provide the right solutions and not introduce undue limitations or liabilities to our performance. The careful selection of our partners, whether for joint ventures, alliances or sub-contracting, is essential to successful project completions.

POSSIBLE IMPACT

Inappropriate client selection may expose Arcadis to risk with regard to its ability to be paid or unfavorable outcomes with regard to scope changes and other issues, resulting in lower margins. Improper project selection and management may lead to cost overruns, while contractual conditions may result in considerable liabilities, claims and loss of clients. Selecting inappropriate partners may result in design failures, project delays, conflicts of interest, again resulting in possible liabilities and negative effects on revenues and/ or margins.

RISK MITIGATING ACTIONS

An extensive and globally prescribed Go/ No go process prescribes client and project selection – the choice of which clients to work with and which projects to work on is carefully weighed against a broad set of risk assessments and within a prescribed authority matrix within the regions and operating companies. Our thorough review of contract conditions, regular project reviews, selection, training and performance reviews of people, quality management systems, and a global insurance policy also limit our project risk. Main project risks and claims are assessed quarterly and, if required, provisions are taken to cover risk. Projects which have a higher risk profile due to fee scales and/ or the nature of the work are tracked on a Global Project Watch List, which is reviewed quarterly at corporate level, with active interventions as required. In addition, all claims with a potential impact above a certain size are monitored at corporate level by the Executive Board.

REPORTING RISK

Arcadis is a global business, operating across many financial jurisdictions and has grown rapidly via significant acquisitions in recent years. Ensuring that all operating companies are reporting to the same financial policies and delivering the same quality of reporting with trained, experienced finance staff is essential.

POSSSIBLE IMPACT

A material misrepresentation of our financial performance, misjudgement of our backlog, or other management judgments with regard to our financial performance, may trigger the need for restatements, which can have a severe impact on a company’s reputation and stock market value.

RISK MITIGATING ACTIONS

Clear accounting policies, applicable to all operating companies, with central oversight, and standard reporting formats are key components of the risk management and financial control system for financial reporting. Rapidly integrating acquisitions into the Arcadis accounting framework is a key control. Regular project reviews are another control element with financial staff adding robustness to the review process by independently reviewing projects to assess matters such as revenue (including revenue recognition), profitability (including costs to complete), time recorded, work in progress and invoicing. The Regional CFOs report hierarchically to Arcadis’ Global CFO. The implementation of Business Blueprint will further embed the application of the accounting policies.

CAPACITY / CAPABILITY RISK

Employee utilization is a key driver for Arcadis’ financial success. More effective use of the time available from our experts can be a strong driver for our margin performance.

POSSIBLE IMPACT

A decrease in workload may reduce employee utilization. Experience indicates that a strong market downturn can cause a substantial decrease in annual revenues for the business in that market. Such conditions could seriously impact margins and profitability.

RISK MITIGATING ACTIONS

All operating companies monitor and report order intake and billability on a bi-weekly basis. In Europe, our policy is to have a certain percentage of our people on flexible contracts. Information on bookings and billability is used to decide on staff capacity adjustments. Additional mitigation is achieved through the use of Global Design Excellence Centers.

LIQUIDITY RISK

A free flow of capital is crucial to operate our business and for future success to fund our growth strategy. 

POSSIBLE IMPACT

Financial risks include credit, liquidity, currency and interest rate risks. Of these, our risk assessments have shown liquidity risks to be the most important. This includes the availability of sufficient financial resources to finance our strategy.

RISK MITIGATING ACTIONS

Liquidity risks are centrally managed by giving a high priority to working capital and cash flow, which are reported by all operating companies on a monthly basis to the Corporate Treasury department. More extensive information on financial risks (including sensitivity analysis), and the way these are managed can be found in note 28 to the Consolidated financial statements in this Annual Report.

INFORMATION TECHNOLOGY RISK

In Arcadis’ increasingly global operations, we rely on collaboration to win work and bring the best of Arcadis to clients, wherever they operate. Seamless communications and connectivity are paramount to that approach. An increased global presence also comes with greater cybersecurity challenges that requires Arcadis to constantly adapt to the accelerating pace of worldwide changes.

POSSIBLE IMPACT

Information Technology (IT) is fundamental to our daily operations and is critical to our supporting processes and portfolio of capabilities and we increasingly rely on providing services to clients with integrated applications or services (webhosting). Communication and collaboration requires operating information and communication technology systems that meet the needs of an increasingly mobile and socially connected workforce. Arcadis must guard against the risks of loss or corruption of critical, confidential, financial data and the disruption of productivity.

RISK MITIGATING ACTIONS

Mitigation efforts run across three areas: People, process/ structure, and technology. Risk awareness surrounding safe IT usage among our people, including the employees of partner companies with whom we collaborate on projects, is essential. This includes use of (social) networks, access such as password safety and information integrity. Processes/ structures and technology are set up to provide preventive and repressive controls, such as physical and logical security, backup of data, restoration testing and business continuity plans and disaster recovery testing.

HEALTH & SAFETY RISK

Through our project engagements, our people may work in hazardous conditions or dangerous environments that may lead to accidents. Nevertheless, the office environment may also be risk prone if people are not properly aware of Health & Safety aspects.

POSSIBLE IMPACT

Health & Safety (H&S) incidents may translate into project stoppages, loss of working hours, medical costs or, in worst case, loss of life. All of these incidents are associated with extra costs or liabilities and as a result may impact company performance.

RISK MITIGATING ACTIONS

Arcadis has a H&S First policy and culture and strives to provide a healthy and safe work environment for all of its employees, clients and subcontractors. In addition, our Global H&S Vision and Policy commits us to proactively identify and control the H&S risks of our work to prevent injuries and strive every day for zero incidents. Our Global H&S Management System prevents risks, and our behavior-based approach encourages continuous improvement of H&S performance.

COMPLIANCE RISK

As a global company, Arcadis operates in a world that is generally becoming increasingly regulated, and in geographies with different business practices and cultures. Areas of increasing focus include compliance with tax regulations, data protection & privacy laws and anti-bribery & corruption laws.

POSSIBLE IMPACT

Failure to comply with applicable regulations could lead to fines, claims and reputational damage.

RISK MITIGATING ACTIONS

With Integrity as one of our core values, and our license to operate, Arcadis has a zero tolerance approach with regard to compliance issues. We have an integrity-focused compliance program, which aims to further improve awareness among our people on our policies and procedures and business dilemmas they may face.

Applicable policies and procedures include our General Business Principles, policies confirming procedures for issue reporting and content, policies with clear guidance on anticorruption and trading prohibitions. Specific training and awareness sessions are provided during the year. The compliance framework includes Compliance Officers and Compliance Committees in each region, a group Compliance Committee and, since October 2015, a global Chief Compliance Officer. An integrity phone line allows our people to report issues anonymously if they feel uncomfortable going to management or Compliance Officers. For additional information, refer to the Sustainability section.

MANAGEMENT STATEMENTS

ASSESSMENT OF INTERNAL CONTROL

The Executive Board has reviewed the effectiveness of internal risk management and control systems, based upon the following information:

  • Reports of internal audits, including an evaluation and conclusions regarding internal control in the operating companies, based on operating company management reports on their testing of entity-level controls, general IT controls and (automated and manual) process-level controls. Internal Audit evaluated these reports, identified improvement areas and discussed findings with management. Subsequently, the operating company management signed a letter of representation for their reporting and an in-control statement for the primary and supporting processes;
  • Reports from Internal Audit on audits performed throughout the year. Findings and measures to address issues were discussed with local management, the Executive Board and the Audit and Risk Committee;
  • Board Report from the external auditor with findings and remarks regarding internal controls. This letter has been discussed with the Audit and Risk Committee and the Supervisory Board. 

IN-CONTROL STATEMENT

The Executive Board is responsible for the design and performance of the internal risk management and control systems. Although such systems are intended to optimally control risks, they can never, however well-designed or performing, provide absolute certainty that human errors, unforeseen circumstances, material losses, fraud or infringements of laws or regulations will not occur. In addition, efforts related to risk management and internal control systems should be balanced with the costs of their implementation and maintenance.

Based on the approach outlined above, the Executive Board believes that, to the best of its knowledge, the risk management and control systems with regard to financial reporting risks worked properly in 2015 and provided a reasonable assurance that the financial reporting does not contain any errors of material importance.

RESPONSIBILITY STATEMENT

In accordance with article 5:25c of the Financial Markets Supervision Act (Wet op het financieel toezicht), the Executive Board confirms that to the best of its knowledge:

  • the Consolidated financial statements give a true and fair view of the assets, liabilities, financial position and profit and loss of Arcadis and its consolidated companies;
  • the Annual Report gives a true and fair view of the position as per 31 December 2015 and the developments during the financial year of Arcadis and its group companies included in the Consolidated financial statements; and
  • the Annual Report describes the principal risks Arcadis is facing.

The names and functions of the Executive Board members can be found here.