In our day-to-day business decisions, we seek to strike a balance between maximizing business opportunities within the framework of our strategy, while at the same time minimizing the strategic and operational risks which are inevitably involved.
A clear and well-structured risk management process allows us to do this in a controlled and transparent manner and to manage residual risk. Market conditions and client expectations, including a growing tendency to share risk with contractors and service providers, increase the size and complexity of the projects we work on. However, our geographical, market and client spread mitigate the potential risk substantially.
Risk appetite in relation to strategy
Arcadis’ risk management policies aim to identify, assess and manage risk. We provide high value-added and consulting type solutions, under contract terms that limit our liabilities. Although we are routinely involved in major turnkey projects with higher risk, these are pursued under the premise that we have the technical, and project management skills to adequately control the risk. Our policy is not to take equity stakes in projects and only by exception and for specific reasons would we deviate from this starting point. In total 56 key controls are defined to manage Arcadis’ risk, which are embedded in the Arcadis Business Control Framework (ABC). These are classified into zero, critical and balanced tolerance indicating the level of acceptable risk appetite.
Risk Management and internal control
In addition to direct business reasons, the regulatory and reporting framework applicable to Arcadis requires effective risk management. Arcadis’ risk management is based on a global Enterprise Risk Management (ERM) process, which provides a structured, consistent and transparent approach to identify, assess and manage risk that may impact our business operations. The framework is named ABC. The key characteristics of our risk management are:
- Focus on primary business risk;
- It is principle rather than rule-based; and
- It represents the minimum requirements that operating companies have to meet.
The ABC Framework is made up of global governance standards and global and operating company policies and standards. The ABC Framework has been rolled out globally.
Responsibility for risk management
The Executive Board, under the supervision of the Supervisory Board, has overall responsibility for the Arcadis risk management and control systems. Management teams of regional and operating companies and global business lines are responsible for operational performance and effectiveness and for managing the associated risk. This is done within the framework of the ERM process as issued and governed by the Executive Board.
As part of the ERM process the various risks that Arcadis faces in the pursuit of its updated strategy have been identified. The main risks were selected following comprehensive discussions that included the likelihood of their occurrence and their potential impact. The Executive Board, Audit Committee and the Supervisory Board review the identified strategic and operational risk annually. The growth in size and complexity of Arcadis warranted a next step in the development and professionalization of Risk Management and Internal Audit functions, which for that purpose were split into two separate departments effective January 2014.
The Risk Management function reports to the CFO and supports the strategic and operational performance of Arcadis by supporting the operating companies in identifying and assessing risk, and implementing mitigating measures. The global function consists of more than 20 people, who perform risk management roles in the regions in which Arcadis is present Internal Audit, reports to the CEO with a functional line to the CFO and has a reporting line into the Audit Committee. It focuses on the improvement of quality of governance, risk management and controls by providing independent and objective assurance, evaluation, promoting and advising on effective risk management based on audit outcomes, control and governance processes and the promotion and monitoring of the implementation of recommendations by internal audit, risk management, legal, Health & Safety and external audit teams. Internal Audit is responsible for auditing compliance with the internal controls as included in the Arcadis Business Control Framework and seeks effective alignment with Risk Management and other internal control functions.
Our Risk Management Committee includes representatives from the Executive Board and the Legal, Risk Management and Internal Audit functions as well as representation from Operations and is charged with supporting the review and implementation of the ERM process. In 2014, the Committee met three times to review and discuss the mapping of controls, information security, the risk management charter, the overall status of the Arcadis Business Control (ABC) framework, outcomes of risk workshops, soft control surveys and further improvements in our risk management approach. Soft control surveys were performed in 17 countries across multiple regions, providing valuable input on the organizational culture and staff behavior in the different operating companies of Arcadis and how people deal with integrity issues, fraud and bribery amongst others. Including the soft control surveys of previous two years in total 3,250 respondents provided feedback to steer Risk Management enhancements. This input is also used in the design of the risk management workshops that are organized around Arcadis to further enhance risk awareness. A total of 56 of these risk workshops were held with in total almost 700 staff attending. End of the year all of our employees took the bi-annual global online business principles training organized out of the Human Resource and Legal departments. Additionally, multiple content & awareness trainings were provided on integrity, anti-corruption and other relevant topics.
Information Security gets more attention
A communication error that led to the inadvertent early release of our 2013 annual results underpinned the necessity, amongst other factors, to strengthen Information Security. A greater visibility of Arcadis, increased regulation around data collection, storage, distribution and maintenance, new connecting and collaborating trends in IT across networks (social media, cloud computing, mobility and bring-your-own device) as well as increases in cyber security threats – together necessitate more attention for Information Security. For that reason in 2014, Arcadis developed an Information Security strategy and appointed a Global Information Security Officer. Appropriate policies are being revised, and an Arcadis wide implementation program is being prepared including compliance and monitoring mechanisms.
Main risks and how these are managed
Below is an overview of the main risks we face and how these are managed in relation to our core values and strategy. While the risks covered below are considered the most relevant risks to Arcadis, other risks and residual risks could have a similar or more severe impact on the Company. Our most important risks are: contract issues, project failures, integrity issues, health & safety breakdowns, information security breaches and business partner issues. As risks vary, regular assessments are made of the proportion of risk in certain areas, which also relate to the growth of the company, its geographical presence, activities and general risk trends. Increased risk was assessed to be present during 2014 in the area of reputation resulting from Arcadis’ increased exposure to emerging markets, the attraction of more attention from Non-Governmental Organizations and our involvement in larger projects. Acquisition risk increased as deal sizes increased, while the people risk increases as we seek to collaborate better and create a high performance culture. We continuously update our risk measures and approaches to mitigate for the evolving risk profile of Arcadis.
Reputation risk (strategic)
Issues arising from mistakes in projects, non-compliance with laws and regulations or our business principles, Health & Safety issues, client or supplier issues, or controversies around projects may affect our reputation as a reliable, high quality solution provider.
Possible impact: Acadis operates most of its businesses under the Arcadis name or endorses sub-brands with an Arcadis reference. Any reputation damage may have a wide impact and could affect our reputation and ability to attract new business.
Mitigation: Arcadis has a go/no go system in place through which it also assesses possible reputation risks related to clients or projects. Beyond that we have quality control systems in place to help manage such risks. These include a compliance program, a proactive Health & Safety policy, a client focus program and criteria for selection of partners. In addition, communication on major events and crises is centralized to help us manage our reputation effectively.
Market risk (strategic)
Our markets may decline, as a result of economic downturns, government austerity programs, changes in legislation and regulations, or political instability.
Possible impact: Changes in market conditions may lead to increased competition or an inability on the part of Arcadis to procure new projects. This may result in lower revenues and margins.
Mitigation: We foster entrepreneurship, close client relationships and comprehensive sector knowledge. Our proximity to clients and the sectors in which they operate enables us to anticipate changes in market conditions at an early stage. At a corporate level, our Corporate Development department and Global Business Line Teams monitor market trends to adjust to developments in a timely way. In addition, we update our strategy every three years and as needed intermittently to ensure the Company remains focused on long-term growth markets.
Merger & acquisition risk (strategic)
Growth through acquisitions is part of our strategy. This entails a number of specific risks related to the preparation and execution of an acquisition and integration.
Possible impact: Items such as balance sheet misrepresentations, insufficient backlog and unforeseen claims may have an adverse effect on revenues and margins. Integration issues and a lack of retention of key people may also negatively impact our performance.
Mitigation: Acquisition processes are managed centrally and include a thorough analysis of, and due diligence on, the strategic fit, fit with our business principles, management and reputation, culture, financials and policies & procedures. Acquisition contracts include customary representations, warranties and indemnities while employment agreements and non-compete clauses, as well as stock options, are used for retention purposes. In larger privately held company acquisitions, we prefer to pay part of the purchase price in Arcadis shares to promote the alignment of the former owners with our long-term interests. Our post-merger integration processes help us to focus on market and organizational integration, and includes alignment with Arcadis’ ABC Framework. This includes a time schedule with an immediate focus on zero tolerance issues and a phased approach for other risk categories. Larger acquisitions are evaluated after three years and discussed with the Supervisory Board.
Financing risk (strategic)
To properly fund its business, invest in innovation and organic growth and to do acquisitions, Arcadis needs access to capital.
Possible impact: Restrictions in access to or lack of capital may limit Arcadis’ ability to fulfil its obligations in delivering solutions to its clients. Lack of capital for acquisitions may weaken our relative position in our rapidly consolidating industry.
Mitigation: Arcadis has access to credible sources of funding and has long-term financing arrangements with banks to fund its daily capital needs under a well-spread out debt maturity schedule. In past years, Arcadis has diversified its sources of funding and has also attracted capital through US Private Placements for longer time periods from institutional investors. In 2014, Arcadis did an equity placement to partly finance the acquisition of Hyder Consulting through an accelerated book building approach. The issuance grossed €174 million. Arcadis has a well-developed working capital management system and centralized cash management approach, limiting capital costs. We focus on maintaining a solid financial performance in the short and long-term, with debt levels that stay well within our loan covenants, transparent reporting, and a proactive investor relations program.
People risk (strategic)
Arcadis has a strategic ambition to be the best in everything it undertakes, which includes attracting and retaining the best people and allow them to reach their full potential. In addition, we strategically rely on collaboration to leverage our capabilities and global footprint to bring the best of Arcadis to better serve our local, national and global clients.
Possible impact: Failure to develop a balanced culture focused on performance and collaboration may negatively impact our ability to successfully pursue work and provide leading edge solutions for our clients. This in turn can lead to loss of opportunities, client relationships and ultimately loss of revenues.
Mitigation: Arcadis manages the recruitment and selection of people based on job qualifications, but also on the ability to work in global teams and perform under high pressure conditions. In addition, Arcadis has a multitude of programs directed at improving collaboration and knowledge exchange around the world, including our Quest exchange program, generation Y engagement program, centers of excellence, and targeted education programs, such as our Program Management and Client Development Academies.
Client & Project risk (operational)
Arcadis works on tens of thousands of projects annually for many different clients and encounters a variety of risks. Client selection determines our ability to perform work effectively, while also impacting remuneration for the performance we deliver. Project selection is critical to our success as project demands need to match our ability to provide the right solutions and not introduce undue limitations or liabilities to our performance. Partner selection is essential to successful project completions.
Possible impact: Inappropriate client selection may expose Arcadis to risk with regard to its receivables, unfavorable discussions with regard to scope changes and other issues, resulting in lower margins. Improper project selection and management may lead to cost overruns, while contractual conditions may result in considerable liabilities, claims and loss of clients. Selecting inappropriate partners may result in design failures, project delays, conflicts of interest, again resulting in possible liabilities and negative effects on revenues and/or margins.
Mitigation: An extensive and globally prescribed go/no go process prescribes client and project selection that are carefully weighed against a broad set of criteria. Our thorough review of contract conditions, regular project reviews, selection, training and performance reviews of people, quality management systems, and a global insurance policy also limit our project risk. Main project risks and claims are assessed quarterly, and if required, provisions are taken to cover risk. All claims with a potential impact above a certain size are monitored at corporate level and discussed with the Audit Committee each quarter.
Reporting risk (operational)
The size and the complexity of Arcadis’ fast growing organization may introduce challenges with regard to the way in which we report our (financial) performance.
Possible impact: A material misrepresentation of our (financial) performance, misjudgement of our backlog, or other management judgments with regard to our financial performance, may trigger the need for restatements. Recent events in the market place have shown that such restatements (if sizable) can have a severe impact on a company’s reputation and stock market value.
Mitigation: Arcadis performs monthly project reviews and for large projects performs a deep dive every quarter to review project progress and assess both revenue and profitability. Project revenues are reviewed by finance staff, while finance directors of the operating companies report to the CFO of Arcadis, not to the local managing directors.
Capacity/capability risk (operational)
Employee utilization is a key driver for Arcadis’ financial success. More effective use of the time available from our experts can be a strong driver for our margin performance.
Possible impact: A decrease in workload may reduce employee utilization. Experience indicates that a strong market downturn can cause a substantial decrease in annual revenues for the business in that market. Such conditions could seriously impact margins and profitability.
Mitigation: All operating companies monitor and report order intake and billability on a bi-weekly basis. In Europe, our policy is to have a certain percentage of our people on flexible contracts.
Liquidity risk (operational)
A free flow of capital is crucial for future success to fund our growth strategy.
Possible impact: Financial risks include credit, liquidity, currency and interest rate risks. Of these, our risk assessments have shown liquidity risks to be the most important. This includes the availability of sufficient financial resources to finance our growth strategy.
Mitigation: Liquidity risks are centrally managed by giving a high priority to working capital and cash flow, which are reported by all operating companies on a monthly basis to the Corporate Treasury department. More extensive information on financial risks (including sensitivity analysis), and the way these are managed can be found in Note 30 to the Financial Statements in the Annual Report 2014.
Information technology risk (operational)
In Arcadis’ increasingly global operations, we rely on collaboration to win work and bring the best of Arcadis to clients, wherever they operate. Seamless communications and connectivity are paramount to that approach.
Possible impact: Information Technology (IT) is fundamental to our daily operations and is critical to our supporting processes and portfolio of capabilities and increasingly relying on providing services to clients with integrated applications or services (webhosting). Communication and collaboration requires operating information and communication technology systems that meet the needs of an increasingly mobile and socially connected workforce. Arcadis must guard against the risks of loss or corruption of critical, confidential, financial data and the disruption of productivity.
Mitigation efforts run across three areas; People, process/structure, and technology. Risk awareness surrounding safe IT usage amongst our people, including the employees of partner companies with whom we collaborate on projects is essential. This includes use of (social) networks, access such as password safety and information integrity. Processes/structures and technology are set up to provide preventive and repressive controls, such as physical and logical security, backup of data, restore testing and business continuity plans and disaster recovery testing.
Health & Safety risk (operational)
Through our project engagements, our people may work in hazardous conditions or dangerous environments that may lead to accidents. Nevertheless, also the office environment may be risk prone if people are not properly aware of health & safety aspects.
Possible impact: Health & Safety (H&S) incidents may translate into project stoppages, loss of working hours, medical costs, or worst case in loss of life. All of these incidents are associated with extra costs or liabilities and as a result may impact company performance.
Mitigation: Arcadis has a proactive Health & Safety policy and culture. Arcadis strives to provide a healthy and safe work environment for all of its employees, clients and subcontractors. In addition, our Global Health & Safety Vision and Policy commits us to proactively identify and control the H&S risks of our work to prevent injuries and strive every day for zero incidents. Our Global H&S Management System prevents risks and our behavior-based approach encourages continuous improvement of H&S performance.
With Integrity as one of our core values, Arcadis has a zero tolerance approach with regard to compliance issues.
Possible impact: As a global company, Arcadis operates in a world that is generally becoming increasingly regulated, and in geographies with different business practices and cultures. Failure to meet regulatory compliance may expose the Company to fines, other penalties and reputational risks.
Mitigation: We have an integrity focused compliance program, which aims to further improve awareness among employees on our policies & procedures and business dilemmas they may face. Applicable policies & procedures include our General Business Principles, policies confirming procedures for issue reporting and content policies with clear guidance on anticorruption, trading prohibitions etc. Specific trainings and awareness sessions are provided during the year. Compliance officers have been appointed in all operating companies. An integrity phone line allows employees to report issues anonymously if uncomfortable going to management or compliance officers. For additional information refer to the Sustainability chapter.
Assessment of internal control
The Executive Board has reviewed the effectiveness of internal risk management and control systems, based upon the following information:
- Report of internal audit, including an evaluation and conclusions regarding internal control in the operating companies, based on operating company management reports on its testing of entity level controls, general ICT controls and (automated and manual) process level controls. Internal audit evaluated these reports, and identified improvement areas and discussed findings with management. Subsequently, operating company management signed a Letter of Representation for its reporting and an in-control statement for the primary and supporting processes.
- Reports of internal audit on audits performed throughout the year. Findings and measures to address issues were discussed with local management, the Executive Board and the Audit Committee.
- Management letter from the external auditor with findings and remarks regarding internal controls. This letter has been discussed with the Audit Committee and the Supervisory Board.