Risk Management
Risk management deals with future uncertainty about deviating from expected income or outcome. Risks are of different types and originate from different situations. At Royal HaskoningDHV we identify so-called corporate risks and operational risks. Each identified risk is linked to one or more of the company’s strategic objectives.
Our mission to Enhance Society Together is leading in what we do and is also the cornerstone for our risk management approach because we want to achieve a net positive impact through our projects for clients. For example, the construction of a new road will positively impact mobility and economic growth but will also emit greenhouse gases both in construction and use. In 2021, our 4 Questions helped us deliver on our purpose of Enhancing Society Together by guiding our conversations with clients and partners on these considerations and helping to identify where we can add value for society while minimising potential negative impact. This approach is embedded in our way of working in the Group Management System.
Every project is a unique opportunity to contribute. Aligning ourselves with our core promise Enhancing Society Together proves to be effective with these four simple questions that we ask ourselves each time.
Corporate risks
Every year, management identifies the most important corporate risks for the company. This is done with an assessment where risks are scored on probability and impact (impact on EBITA for the coming three years). Both endogenous and exogenous risks are considered. The most important corporate risks are adopted by Corporate Transformation Programmes that should mitigate the risk. The areas where various risks are defined and assessed relate to:
-
Organisation, strategy and culture,
-
Markets, clients and competition,
-
Finance, Control and Technology,
-
Fraud, bribery and corruption,
-
Our employees,
-
Business Development and Innovation,
-
Project Management.
In 2021, we continued monitoring the impact of Covid-19 on our employees, clients and business. Subjects receiving specific attention were scenario planning (the impact on revenues, sales and costs), the continuity of our business with lock downs and limited access to our offices and clients, information security, and the health and safety of our employees. Regular pulse-checks were held with employees to assess their well-being.
For any major crisis we continued to uphold our crisis management policies in place, including a well-trained and experienced Corporate Crisis Management Team and a fully staffed back-up team for alternating shifts. In countries where we are operating, Country Incident Management Teams are also well established. These teams advise the Executive Board and Management Teams at various levels about risks and measures to be taken.
To ensure that we enhance society together and avoid integrity risk, we operate in ways that meet fundamental responsibilities in the areas of human rights, labour, environment, and anti-corruption – supporting the 10 Principles of the UN Global Compact. These are incorporated in our Global Code of Conduct and Integrity Management System.
We continue to review what is happening in the world around us and discuss our response. Countries going through political uncertainty are assessed on a regular basis to evaluate what the related risks are and what the consequences for our policies are.
In the past year we extended our insight into parties within our value chain. Based on a risk assessment, the selected clients and partners now undergo a centralised and extensive Third-Party Assessment executed by our Finance and Compliance departments. These procedures are fully embedded in our processes. We are currently embedding the Third-Party Assessment of sub-consultants and suppliers in these processes as well.
Disruptive technologies and other trends will have a significant impact on our knowledge-intensive business. We are monitoring these developments and are actively engaging with partners on innovation and digitalisation.
The most important corporate risks (with higher probability and/or impact) identified are:
Organisation, Strategy & Culture
Key Corporate Risks
Not being able ‘to enhance society together’ may lead to a situation where Royal HaskoningDHV is not able to meet the beliefs where it stands for. This will impact our reputation and lead to an unhappy society in general and specifically unhappy employees, clients and sub-contractors/sub-consultants with whom we work closely.
Key Controls
For each project, the 4 Questions should be addressed (see infographic above).
Note: Our refined company strategy Stronger25 introduces five themes to define our focus in meeting our purpose Enhancing Society Together. In the future our systems will be amended to enable projects to be ‘scored’ against these themes, and to be able to better quantify the positive impacts we deliver through our projects. Whilst this will replace the ‘4 Questions’ approach, in the interim the current 4 Questions do still apply.
Risk Rating
High (low probability, high impact)
Markets, clients and competition
Key Corporate Risks
Losing revenues as a result of economic downturn in markets or segments. This could happen if our clients (both government and private) decide to cancel or postpone projects and investments which directly impact our order portfolio.
Key controls
Overall, market risk is a fact of doing business. We are aware of the risk, and constantly monitor our position in markets and segments, ensure outstanding relations with clients and other stakeholders, and monitor utilisation of resources.
-
Geographical global spread of business.
-
Active in many different business segments.
-
Ability to align the organisation quickly when revenues decrease.
-
Strong client relationship management in place.
-
Ability to financially absorb temporary drops in revenues.
Risk Rating
High (high probability, high impact)
Finance, control and technology
Key Corporate Risks
Cyber security risk which could potentially lead to loss, damage or destruction of assets or data is a key risk for Royal HaskoningDHV, but also for clients who use our applications and products, and for suppliers and sub-consultants/sub-contractors with whom we share information digitally.
Key controls
We have implemented state-of-the-art control measures to mitigate the risk of cyberattacks, like:
-
Patch management (up-to-date operating systems and patches).
-
Anti-virus/firewall protection.
-
Access management (including multi-factor authentication).
-
Monitoring (e.g., domain controllers, Symantec, firewall, email filtering).
-
Partner selection procedures.
-
Cyber insurance protection.
-
Awareness among employees.
-
Business continuity procedures in place and tested.
Certification against ISO 27001 on information security.
Risk Rating
High (high probability, high impact)
Fraud, bribery and corruption
Key Corporate Risks
Being involved in corruption, bribery, or other dishonest behaviour is against our company values. If one of our employees would be involved this will have a negative impact on the brand, our clients, suppliers and sub-consultants/sub-contractors with whom we work together. In addition, this could lead to sanctions by governments and (international) financing institutions.
Key controls
-
Integrity Management System in place that is certified annually against ISO 37001 (anti-corruption) and ISO 37301 (Integrity Management Systems). The ISO audit 2021 was concluded and no non-conformities were revealed.
-
Clear policy and monitoring of agents.
-
Support the 10 principles of the UN Global Compact.
Third-Party Assessment in value chain.
Risk Rating
High (medium probability, high impact)
Our employees
Key Corporate Risks
As a company we might be unable to hire sufficient qualified people in the market. This is especially driven by an increased demand worldwide for technically and digitally skilled people.
Key controls
-
Build on strong reputation as an employer of choice.
-
Ensure we are close to universities.
Offer competitive and modern labour conditions.
Risk Rating
High (medium probability, high impact)
Business development and innovation
Key Corporate Risks
Not being successful in innovation and being outmaneuvered by competitors are the keys risks which we considered here. Not being successful in innovation will not be helpful for our clients getting more efficient and effective solutions. At the end they may decide to reconsider their relationship with our company.
Key controls
-
Strategy Stronger25 in place with clear focus on growth of the segments and software and technology. Implementation plans are being monitored.
-
Professionalisation of the Business Line Digital in process, people, systems, and risk management.
-
Focus on most viable software offerings (make choices on what to scale).
-
Continue acquisitions in promising technologies.
-
Implement the Transformation Programme about Digital Ways of Working in the company.
Innovation Hub online platform to share ideas, contribute to ideas, explore innovations currently in development, share best practices and connect with like-minded colleagues.
Risk Rating
High (low probability, high impact)
Project management
Key Corporate Risks
Not being able to deliver world class products to clients is one of the key risks. This could be caused by lack of knowledge, lack of skills and lack of innovation in new products.
Key controls
-
Continuous training of project managers and experts.
-
Invest in (new) technologies and software.
-
Transformation Programme Project Excellence being implemented.
-
Launched the Unlocking our Full Potential Programme for all our employees.
-
Appointment of global leading professionals.
Ability to work in multi-disciplinary teams.
Risk Rating
High (low probability, high impact)
Operational risks
To reduce the cost of failure, which in our industry is largely related to flaws in project management, we spent much time and effort implementing two robust project management tools and training. One of these tools supports the proposal manager in the risk assessment and processing of tenders. The other is the Project Health Check which supports the project managers and directors in their monthly project reviews. This has already reduced project losses. We see further opportunities in strengthening project management and our commercial way of working.
Projects
Project risk management procedures are integrated in our management system to ensure consistency throughout the organisation. We identify three main areas: get work, do work, and get paid. For each of these areas, risks and key controls were defined and can be found in the tables below.
Project Risk Management - Get Work
After a Request for Proposal, the responsibility for the proposal is assigned to a proposal manager. They are responsible for ensuring the proposal offers the best technical solution to the client, that the 4 Questions are taken into consideration and that the risks and mitigating measures are considered and priced in the offer. The final approval of the proposal is defined in the Risk & Approval Matrix.
Key risks | Key controls |
The project will not be in line with our strategy and/or the project will not add value to Enhancing Society Together. | Risk & Approval Matrix. |
Country policy. | |
The 4 Questions to be answered. Deviations being discussed and specifically approved. | |
Teaming up with an unreliable or unprofessional partner. | Third-Party Assessment. |
Internal assessment of the capabilities of a partner. | |
Entering into an agreement with a client who cannot pay our invoice and/or we do not clearly understand the expectations, local standards, culture, or goals. | Third-Party Assessment. |
Payment history. | |
Training of proposal managers. | |
The country where the project is executed may have travel and security risks for our employees and requires specific risk assessment, or specific tax rules might be applicable that have to be accounted for. | For projects abroad, review by the Risk Manager and Tax Director. |
A Country policy is applicable with country specific requirements that may apply. | |
The scope is not clearly understood, significant health, safety or environment (HSE) risks are identified, or long duration of the project is expected. | Review of scope by minimum 4-eyes in line with the Risk & Approval Matrix. |
Understand HSE risks (which is evidenced by certifications against ISO 14001 (Environmental Management System) and ISO 45001 (Occupational Health & Safety Management System). | |
A large part of the work is subcontracted, and the subcontractor/supplier is not reliable. | Assess capabilities sub-contractor. |
Third-Party Assessment. | |
Entering into contracts with high liability in relation to the contract value and entering into poor contract conditions. | Standard terms & conditions. |
Deviations from standard are reviewed by our Legal team. | |
The project may be considered controversial. | Assessment based on controversial projects guideline. |
Financial risk: receipts and/or payments in foreign currency, unfavourable payment conditions and guarantees/bonds to be issued. | Cash flow projections. |
Hedging of exposures in foreign currency. | |
Specialist advice for guarantees and bonds. | |
For each proposal the proposal manager performs a risk assessment, and the outcome is documented in a Risk Mitigation Plan. The risk assessment includes monetary determination of the risk/contingency which should be included in the pricing of the offer.
Project Risk Management - Do Work
After the contract is won, the project manager has to set up the team, prepare a detailed project plan and deliver according to the scope and conditions of the contract.
Key risks | Key controls |
Appoint an inadequately equipped project manager for the project. | Expertise and experience of the project manager is known (application for sharing CVs). |
Project tier classification where project tier and project management tier should match. | |
Inadequate quality of deliverables. | 4-eyes principle and peer review on every deliverable. |
Qualified employees to do the job. | |
Management system with all steps to be taken are subject to ISO 9001 (Quality Management System) certification. | |
The project manager does not flag any issues and/or does not seek for help if problems arise. | The Project Health Tool contains information about all projects of Royal HaskoningDHV. Based on pre-defined criteria, projects are classified as basic, lite or full. Based on this classification the depth and level of review are determined. Monthly, lite and full projects are manually risk assessed by the project manager on stakeholders, costs, time, scope, resources, QHSE, communication, procurement and other risks. Depending on the level of risk being determined, these projects are reviewed and discussed with and by Finance, Project Excellence, and line managers up to Board level. The key is that actions are agreed if risks and issues are flagged. |
Basic projects automatically receive a colour rating based on pre-defined KPIs and the project manager discusses the actions to be taken with the director of the advisory group. | |
As per 30 November 2021, 160 projects were included in the full health check cycle and 479 were in the lite health check cycle. | |
During the execution of the project, the project manager must assess whether the contingencies are adequate. The basis for this assessment is the Project Risk Log where any assessment and/or changes in risk and contingency are recorded.
Project Risk Management - Get Paid
Depending on contract conditions, an invoice can be raised to the client. Raising of invoices will be done in line with the contractually agreed payment conditions.
Key risks | Key controls |
The project manager is not aware that invoices are submitted. | Hours and expenses are recorded on project level where the project manager is responsible for review and monitoring. |
The project manager is responsible for issuing an invoice which is routed through an automatic workflow. Finance is monitoring timely billing. | |
The project manager is not aware that an invoice is overdue. | Standard reports with invoice status are generated for the project manager. |
Days Sales Outstanding is part of the incentive scheme of project managers and management. | |
Support from Credit Control on the most effective collection strategy. | |
Any provisions for bad debts are recorded on the project and have negative impact on the project result. | |
After receipt of the final payment and end of contractual agreements, the project can be closed.
Other risks
Liabilities
Our liabilities are defined within each contract. Most of these will fall within our standard conditions for what we consider acceptable risk. If conditions are not met, additional approvals are required. Legal counsel reviews and provides recommendations to limit liability when possible. In addition, we are covered to a significant level by Professional Indemnity insurances.
Liquidity
Two main controls help ensure sufficient funding is available for our operations: control over our working capital (mainly work in progress positions and debtors) and securing our bank facilities. Before submitting a proposal, we assess the client’s ability to settle our invoices over the duration of the project and monitor our credit risk continuously during project execution. In addition, for each proposal a cash flow forecast must be prepared and we aim to negotiate a positive cumulative cash position during the project. We have agreed facilities with our banks where loan covenants are applicable. Our Corporate Treasury monitors that these are met.
Currency
Fluctuations in commonly traded currencies like USD and GBP and in less-traded currencies represent a risk on part of our turnover. Our treasury policy aims to cover the currency risk as much as possible during execution of projects. Corporate Treasury monitors and advises on foreign currency exposures and the use of hedge instruments.
Guarantees
A few clients require us to issue corporate guarantees for the execution of a project. It is our policy to limit the issue of these guarantees. For this reason, we manage our balance sheets to ensure solvency of our companies is enough to operate independently in the market. Royal HaskoningDHV has stringent procedures to review and approve bank guarantees and bonds (like advance payment guarantees and performance bonds) before they are issued.
Pensions
In principle, Royal HaskoningDHV operates pension plans under defined contribution pension schemes. However, at HaskoningDHV UK Limited there is a closed defined benefit scheme. This scheme was closed for new entries and future accruals in 2005. The closed defined benefit members became deferred members. The Group does not and will not provide any guarantees to the United Kingdom defined benefit pension scheme. The defined benefit scheme deficit under Dutch GAAP (Generally Accepted Accounting Principles) on December 31, 2021, is €17.4 million (2020: €21.7 million) with an associated deferred tax asset of €4.3 million (2020: €4.1 million).