Exposure to risk is unavoidable in pursuit of Arcadis’ strategy, with the level of general risk increasing in recent times due to the pandemic and geopolitical events. Emerging risks also present opportunities, which, if well managed, result in value creation. However, uncontrolled risks can threaten the achievement of long-term strategic objectives.
The Arcadis Risk and Control Framework
The Arcadis Risk and Control (‘ARC’) framework enables a culture of risk awareness across the organization by providing a standardized framework for identifying risks and implementing controls. The ARC framework identifies key risks across three risk categories – Strategic, Operational and Compliance risks. It includes business controls which are supported by policies, standards, procedures and guidelines, all of which target risk mitigation in accordance with Arcadis’ risk appetite.
The ARC framework allows the company to evolve its business in line with its risk appetite, execute strategic priorities in a controlled manner and experience fewer surprises in business performance. The ARC framework is a cornerstone of Arcadis’ risk management approach and supports Arcadis in embedding a risk-conscious way of working in all layers of the organization.
Management of Risk
Arcadis’ Executive Board (‘EB’) is responsible for maintaining a comprehensive risk management and internal control system, and for regularly reviewing its effectiveness. Each year, the EB performs a review of the risks that Arcadis is subject to and based on its risk assessment, the ARC Framework is updated and communicated to leadership. The EB is also responsible for ensuring that the risk management and internal control system is integrated and embedded into the way Arcadis works. The EB is supported in this by the ELT members. In order to strengthen risk oversight, each ELT member is given overall responsibility for one or more of the ARC framework key risks.
The Risk Management function, led by the Global Risk Management Director, provides guidance and assistance to the EB and ELT. This includes driving risk awareness across the organization and supporting the assessments of the design and operating effectiveness of the ARC Framework across the global business (see section ‘Arcadis’ Risk Assurance Program’ below).
The Risk Management function provides both risk assurance and proactive risk support to the business. Risk Management plays an active role in Pursuit Committees, which seek to ensure that the selection of the clients and opportunities is in line with the strategy. Additionally, Risk Management engages with leadership teams of the GBAs and enabling functions to identify, evaluate and mitigate enterprise risks that may impact the achievement of strategic objectives.
The quarterly Risk Management Committee, chaired by the CFO, assesses current and emerging risk in the context of Arcadis’ risk appetite and provides advice to the EB/ELT, assessing whether Arcadis has robust risk management in place. The Chair nominates the other members of the Risk Management Committee, to include (at least) five members: at least one Senior Business Representative, Global General Counsel, Global Internal Audit Director, Global Operations Project Services Officer, and Global Risk Management Director. Their appointment is confirmed by the EB.
Risk appetite and Key Risk Indicators
The ARC Framework balances risk and opportunity and helps define the EB’s appetite for risk. Arcadis’ risk appetite changes over time reflecting strategic objectives and developments in society, legislation, geopolitics, the client landscape, and changes within Arcadis.
Key Risk Indicators (‘KRIs’) are in place for each of the key risks. KRIs are measured and reported to the EB, ELT and Audit and Risk Committee on a quarterly basis to provide an early warning as to where exposure to certain risks may be exceeding the appetite. Where risk exposure is outside of the appetite range, existing mitigating actions may have more focus placed on them, additional controls may be introduced or Arcadis may choose to tolerate that the current level of risk is outside its appetite, in which case leadership is informed and monitors the situation closely.
Risk management in action
Arcadis adopts a three lines of defense model to facilitate strong governance and risk management. The GBAs and certain enabling functions are the first line, embedding risk management as a formal part of all major decision-making via tools such as risk registers, project watch lists and client and opportunity Go/No Go assessments.
The Risk Management function is part of the second line of defense along with other enabling functions. These functions assist and support the first line with identification and assessment of key risks. Identified risks are mitigated through the introduction of policies, standards, procedures and guidelines, and by providing training and promoting awareness. Arcadis’ Internal Audit function provides the, reporting directly to the CFO with a dotted line to third line of defense.
Arcadis’ Risk Assurance Program
The Risk Assurance Program provides for a continuous annual cycle for testing the design and operational effectiveness of controls to provide assurance that the key risks are being effectively identified, mitigated or managed within our risk appetite. Each GBA, country and enabling function reports the results of its Risk Assurance Program annual assessment at the end of the financial year to the Global Risk Management Director and Global Group Controller.
Action plans for controls found not to be designed or operating effectively are formed with deadlines established for remediation to be complete.
Risk Management monitors the progress of remedial actions and evaluates whether they are working appropriately before closing out the action. Regular status reports are provided to the business and to the ELT in terms of remedial action progress. The Risk Assurance Program also evaluates the design of the controls on an annual basis and updates them as necessary to reflect the current business policies and processes.
Appropriate GBA, country and enabling function leadership are required to sign an annual Document of Representation (DOR), which is addressed to the Group CEO and CFO. In addition, each ELT member is required to sign enabling function DORs that address the key risks in their areas of responsibility. The DORs include a statement regarding the design and operating effectiveness of controls based on the results of the Risk Assurance Program.
Based on the combined DORs, Arcadis NV issues a Letter of Representation to the external auditor.
Internal Audit
Arcadis’ Internal Audit function operates under the responsibility of the EB. Its mission is to enhance Arcadis’ performance through assurance.
The Global Internal Audit Director has direct access to the EB and the Chair of the Audit and Risk Committee, and is a permanent invitee to the Audit and Risk Committee meetings.
The priorities for Internal Audit are defined with the EB and the Audit and Risk Committee and are approved by the EB and the Supervisory Board. In 2023, Internal Audit updated its annual plan on a quarterly basis to respond to changes in the global risk and internal control environment. Changes have been approved by the EB and Audit and Risk Committee on behalf of the Supervisory Board. The main focus areas in 2023 were pursuit-related processes, IT and enabling functions. Internal Audit continually interacts with the external auditor regarding the preparation and execution of the annual audit plan, changes to the audit plan and the main reported results.
The function consists of a multidisciplinary team of business, general and IT auditors. Experts are involved where needed. Internal Audit governs itself by complying with the Standards of the Institute of Internal Auditors. Observations and recommendations, as reported by Internal Audit, are submitted to management of the GBAs or enabling functions and the responsible ELT member. Management is responsible for executing and monitoring the progress of remedial measures put in place to mitigate and manage the reported risks.
Internal Audit monitors remediation actions required based on the results of its audit reports. Each quarter, the EB and Audit and Risk Committee receive the results of internal audits and an update on the progress of remedial actions. The role of the Audit and Risk Committee includes monitoring the progress of management follow-up on audit findings.