ARCADIS’ approach to risk management

Key element of business processes
Risk is intrinsic to entrepreneurship, one of ARCADIS’ core values. We seek a balance between maximizing business opportunities within the framework of our strategy, while identifying, assessing and minimizing the risks involved. A well-defined risk management process facilitates this in a controlled and transparent manner. Changing market conditions and client behavior, including a tendency to shift more risks to contractors and service providers, the increasing size and complexity of projects, as well as more stringent regulations and reporting requirements, have increased the importance of risk management.

Enterprise Risk Management
ARCADIS’ risk management is based on a global Enterprise Risk Management (ERM) process. This involves a structured, consistent and transparent approach to identify, control and mitigate significant risks that may affect achieving our objectives. The scope of ERM is broad, with a focus on all primary business risks, not just risks related to financial reporting. The process includes an annual review as well as a more in depth analysis every three years within the framework of our strategy update. In 2011, a Risk Management Committee has been established with representation from the Executive Board, legal, audit and operations, to support the review and implementation of the risk management process.

Risk assessment
Based on the ERM process, the strategic, operational, compliance and financial risks which ARCADIS faces in pursuit of its strategy, were identified. An overview of risks is presented in the section on risk management on our website at www.arcadis.com/Governance/. In-depth discussions on the likelihood of occurrence of these risks and their potential impact, led to a selection of the main risks. This process was reviewed by the Audit Committee and the Supervisory Board.

Risk appetite in relation to strategy
ARCADIS’ policy aims at limiting the Company’s risk exposure. Risks are usually linked to the contract type under which services are provided. An overview of contract types is available here: Types of contracts. Our strategy focuses on providing high added value professional services, based on a strong client-focused approach. This allows us to perform most of our business under contract terms that limit our liabilities. Whilst ARCADIS is also involved in turnkey (contracting) projects and other similar projects based on alternative delivery approaches that usually entail higher risks, these are pursued under the premise that we have the technical and project management skills to control these risks. Under our GRiP® program we provide fixed price remediation services, but with insurance coverage and specific risk management procedures to minimize risks. Our policy is not to take equity stakes in projects and only by exception and for specific reasons do we deviate from this. Although our policy is to avoid or minimize risks, it cannot be ruled out that in certain cases events occur that may seriously impact the Company and its performance.

Main risks and how these are managed
Below is an overview of the main strategic, operational, compliance and financial risks we face and how these are managed. While these are considered the most relevant to ARCADIS, other risks may have a similar or greater impact on the Company.

Market risks (strategic)
Possible impact: Our markets may decline, temporarily or structurally, and changes in market conditions may lead to increased competition. These risks can be caused by economic downturns, government austerity programs, changes in political priorities or in legislation and regulations, political instability, consolidation of clients and changes in tendering procedures. This all may result in lower revenues and margins.
Mitigation: At ARCADIS, we foster entrepreneurship and close client relationships deep in the organization. Our proximity to clients enables us to anticipate changes in market conditions at an early stage. At a strategic level, Global Business Line Teams monitor market trends to adjust timely to strategic and long term developments. In addition, every three years we update our strategy to ensure the Company remains focused on long term growth markets.

Acquisition risks (strategic)
Possible impact: Growth through acquisitions is part of ARCADIS’ strategy and involves several risks. Balance sheet misrepresentations, insufficient backlog and unforeseen claims may have an adverse effect on revenues and margins. Integration risks and lack of retention of key people may negatively impact performance.
Mitigation: Acquisition processes are managed centrally and include a thorough analysis of strategic fit, an assessment of management and reputation, and extensive due diligence,  including review of backlog and human resources policies. Contracts include representations, warranties and escrows to cover guarantees, while employment and non-compete contracts as well as stock options are used for retention purposes. Occasionally we use after payments to link purchase price to post acquisition performance. Part of the purchase price is sometimes paid for in ARCADIS shares to promote alignment of the former owners with the long term interests of ARCADIS. Together with management of the acquired company a post-acquisition plan is developed which focuses on market and operational synergies and the organizational integration process, including alignment with ARCADIS’ governance, financial reporting and business control framework. Larger acquisitions are evaluated after three years in terms of strategy, synergies, performance, people and organization, and lessons learned. These evaluations are discussed with the Supervisory Board.

Reputational risks (strategic)
Possible impact: ARCADIS is operating most of its business under the ARCADIS name, which allows building a strong global brand. However, as a consequence, any reputational damage may have an impact beyond local markets and can potentially seriously affect our reputation and business. Reputational issues are typically linked to other risks the Company faces, such as mistakes in projects, non-compliance with regulations or business principles, health & safety issues, client or supplier issues.
Mitigation: ARCADIS has quality systems in place, a compliance program, a proactive health & safety policy, a client focus program and criteria for selection of partners, all aimed at minimizing the risks of business failures and reputational issues. In addition, external communication on major events or issues is centralized to manage our reputation effectively. See also mitigation of other major risks.

Project risks (operational)
Possible impact: ARCADIS works on thousands of projects annually. Although in most cases project risks are limited, projects may incur serious cost overruns, errors or omissions may lead to substantial claims and contractual conditions may result in considerable liabilities.
Mitigation: Risk management involves project approval procedures, including a go/no go process and review of contract conditions; regular project reviews; selection, training and performance reviews of people; procedures for project management; quality management systems; procedures for claims reporting and management; and a global insurance policy. Project risks and claims are assessed quarterly, and if required, provisions are taken to cover risks. All claims with a potential impact above a certain size are monitored at corporate level and discussed quarterly with the Audit Committee.

Capacity risks (operational)
Possible impact: A decrease in workload may reduce staff utilization. Experience indicates that strong market downturns can cause a 15% decrease in annual revenue for the business in that market. This may seriously impact margin and profitability.
Mitigation: All operating companies monitor and report order intake and billability bi-weekly. In Europe, 10% to 15% of staff is employed on flexible contracts. On a strategic level, our portfolio management aims for a good balance in geography, business lines and client categories in order to spread market, strategic and operational risks.

Knowledge management and innovation risks (operational)
Possible impact: Inability to leverage know-how, capabilities and client relationships or lack of innovation to develop new business may hamper growing our business in line with our strategic objectives.
Mitigation: ARCADIS has made substantial investments in knowledge management. Within the global business lines, global experts are responsible for the development and distribution of knowledge through Communities of Practice. Relationships with global clients are managed through our Multinational Clients Program. Most of our innovation takes place in close relationship with clients within projects. Each business line has specific innovation programs, such as e.g. for remediation technologies in Environment. In addition, innovation is stimulated through our global “Imagine” competition and similar initiatives of operating companies.

Compliance risks
Possible impact: Failure to meet regulatory compliance may expose the Company to fines, other penalties and reputational risks. As a global company, ARCADIS is expanding into geographies with different business practices and cultures.
Mitigation: ARCADIS has General Business Principles in place and a compliance program which includes stimulating awareness of employees regarding business dilemmas and monitoring and reporting on issues. Compliance officers have been appointed in all operating companies, while an integrity phone line allows employees to report issues anonymously. For additional information see the chapter on Corporate Social Responsibility, on page 44 of the Annual Report 2011.

Liquidity risks (financial)
Possible impact: Financial risks include credit, liquidity, currency and interest rate risks. The risk assessment showed liquidity risks to be the most important. This also includes the availability of sufficient financial resources to finance our growth strategy.
Mitigation: Risks are managed by giving high priority to working capital and cash flow, which are reported by all operating companies on a monthly basis. The corporate treasury department is responsible for liquidity (risk) management based on our treasury policy. To have entry to capital markets we focus on solid financial performance both in the short and long term, debt levels that stay well within the loan covenants, transparent reporting and proactive investor relations. We also aim for diversity in our sources of funding and the duration of our loans to reduce vulnerability. More extensive information on financial risks (including sensitivity analysis), and the way these are  managed can be found in note 32 to the Financial Statements of the Annual Report 2011.

Risk management and internal control
The ARCADIS Business Control (ABC) Framework
Based on the outcome of the Enterprise Risk Assessment, the ARCADIS Business Control Framework (ABC) has been developed. Key characteristics of this framework are:
• It focuses on primary business risks;
• It is based on aggregated standards and policies;
• It is principle rather than rule based and therefore leaves room for operating companies to determine the most efficient way to meet standards and policies;
• It represents the minimum requirements that operating companies have to meet.
The ABC Framework is made up of global governance standards (e.g. ARCADIS General Business Principles, complaints procedure, approval procedures), global policies (e.g. health and safety policy, treasury policy, human resources policy) and operating company policies and standards (e.g. go/ no go procedures, quality systems). In addition, it includes all key controls which need to be in place in order to comply with the policies and standards. On our global intranet, a central repository with documentation of the complete framework is available. The ABC Framework was already fully operational at corporate, ARCADIS Netherlands and ARCADIS U.S. by the end of 2010. The other operating companies completed implementation in 2011. The external auditor KPMG reviewed the control framework. Based on KPMG’s observations and the experiences so far, the ABC Framework was updated by the Risk Management Committee, also to align it with the strategy 2011 – 2013. This update as well as implementation of the ABC Framework has been discussed with the Audit  Committee. Internal audit regularly audits compliance with this risk based approach. In addition to the systematic approach outlined above, regular communication between the various levels of management is in place to enhance that (potential) risks are identified early and addressed properly.

Management statements
Assessment of internal control
The Executive Board has reviewed the effectiveness of internal risk management and control systems, based upon the following information:
• Report of internal audit, including an evaluation and conclusions regarding internal control in the operating companies. This was based on reports of operating company management on its testing of entity level controls, general ICT controls and (automated and manual) process level controls. Internal audit evaluated these reports, identified areas for further improvements and discussed findings with management. Subsequently, operating company management signed a Letter of Representation for its reporting and an in control statement for the primary and supporting processes.
• Reports of internal audit on audits performed throughout the year. Findings and measures to  address issues were discussed with local management, the Executive Board and the Audit Committee.
• Management letter from the external auditor with findings and remarks regarding internal control. This letter has been discussed with the Audit Committee and the Supervisory Board. The Executive Board concluded that good progress was made with further improvements of risk management and internal control in the Company and that the issues identified did not materially impact the consolidated accounts of ARCADIS NV. This conclusion as well as the review of internal risk management and control systems has been discussed with the external auditor, the Audit Committee and the Supervisory Board.

In control statement
The Executive Board is responsible for the design and functioning of the internal risk management and control systems. Although such systems are intended to optimally control risks, they can never, however well designed or functioning, provide absolute certainty that human errors, unforeseen circumstances, material losses, fraud or infringements of laws or regulations will not occur. In addition, the efforts related to risk management and internal control systems should be balanced with the costs of their implementation and maintenance. Based on the approach as outlined above, the Executive Board believes that to the best of its knowledge, the internal risk management and control systems provide a reasonable assurance that the financial reporting does not contain any errors of material importance and that the risk management and control systems worked properly in 2011.

Responsibility statement
In accordance with article 5:25c of the Financial Markets Supervision Act (Wet op het financieel toezicht), the Executive Board confirms that to the best of its knowledge:
• the Annual Financial Statements give a true and fair view of the assets, liabilities, financial position and profit and loss of ARCADIS and its consolidated companies,
• the Annual Report gives a true and fair view of the position as per December 31, 2011 and the developments during the financial year of ARCADIS and its group companies included in the annual Financial Statements, and
• the Annual Report describes the principal risks ARCADIS is facing.

The names and functions of the Executive Board members can be found here.