Corporate and Operational Risks

Corporate risks

Every year, management identifies the most important corporate risks. This is done with an assessment where risks are scored on probability and impact (on EBITA for the coming three years). Both endogenous and exogenous risks are considered. The areas where various risks are defined and assessed relate to:

  • Integrity risks,

  • Organisation, strategy and culture,

  • Markets, clients and competition,

  • Technology,

  • Employees,

  • Project management.

In 2022, we continued monitoring the impact of Covid-19 on our business (clients and employees). Subjects receiving specific attention were the mental and physical health and safety of our employees, scenario planning (impact on revenues, sales and costs), continuity of our business during lockdowns and limited access to our offices and clients, and information security.

We continue to review what is happening in the world around us and discuss our response. Countries going through political uncertainty are assessed on a regular basis to evaluate related risks and consequences for our policies.

Disruptive technologies and other trends will have a significant impact on our knowledge-intensive business. We are monitoring these developments and are actively engaging with partners on innovation and digitisation.

For any major crisis our crisis management policies remain in place, including well-trained and experienced Corporate Crisis Management Teams. In countries where we are operating, Country Incident Management Teams are also well established. These teams advise the Executive Board and Management Teams at various levels about risks and measures to be taken.

Integrity risks

Risk rating: High (low probability, high impact)

Key controls:

To ensure that we avoid integrity breaches, we operate in ways that meet fundamental responsibilities in the areas of human rights, labour, environment, and anti-corruption – supporting the 10 Principles of the UN Global Compact. These are incorporated in our Global Code of Conduct and Integrity Management System.

In 2022 we extended our insight into parties within our value chain. Based on a risk assessment, selected clients and partners now undergo a Third-Party Assessment executed by our Finance and Compliance departments. These procedures are fully embedded in our processes.

Organisation, Strategy and Culture

Risk rating: High (low probability, high impact)

Key corporate risk: Not being able to enhance society together may lead to a situation where Royal HaskoningDHV fails to meet the beliefs it stands for. This will impact our reputation and lead to unhappy clients, employees and others with whom we work closely. The wider consequence will ultimately be an unhappy society.

Key controls: Assessments using the Purpose Matrix and the results documented in the Project Health Check.

Markets, clients and competition

Risk rating: High (high probability, high impact)

Key corporate risk: There is a risk of lost revenue as a result of economic downturn in markets or segments. This could happen if our clients (government and private) decide to cancel or postpone projects and investments which directly impact our order portfolio.

Key controls: Market risk is a fact of doing business. We are aware of the risk, and constantly monitor our position in markets and segments as well as our utilisation of resources. We also ensure outstanding relations with clients and other stakeholders. Further controls are offered by:
- Global geographical spread of business.
- Differentiation in various business segments.
- Ability to realign the organisation quickly when revenues decrease.
- Strong client relationship management in place.
- Ability to financially absorb temporary drops in revenues.

Technology

Risk rating: High (high probability, high impact)

Key corporate risk: Cyber security risk, which could potentially lead to loss, damage or destruction of assets or data, is a key risk for Royal HaskoningDHV, and also for clients who use our applications and products, and for suppliers and sub-consultants/sub-contractors with whom we share information digitally.

Key controls: We have implemented state-of-the-art control measures to mitigate the risk of cyberattacks, including:
- Patch management (up-to-date operating systems and patches).
- Anti-virus/firewall.
- Access management (including multi-factor authentication).
- Monitoring (e.g., domain controllers, Microsoft, firewall, email filtering).
- Partner selection procedures.
- Cyber insurance protection.
- Awareness among employees.
- Business continuity procedures in place and tested.
- Information security certification to ISO 27001.

Employees

Risk rating: High (low probability, high impact)

Key corporate risk: As a company we might be unable to hire sufficient and qualified people in the market. This is heightened by increased demand worldwide for technically and digitally skilled people.

Key controls:
- Build on a strong reputation as an employer of choice.
- Ensure we maintain close relationships with relevant universities.
- Offer competitive and modern labour conditions.

Project management

Risk rating: High (low probability, high impact)

Key corporate risk: An inability to deliver world-class products to clients is one of the key risks. Controlling and managing project delivery is key.

Key controls:
- Resourcing projects with the right qualified project managers.
- Continuous training of project managers to manage multi-disciplinary teams.
- Providing the right tooling.
- Regular assessment of project delivery (and management) by an independent Project Excellence Team.
- Ability to work in integrated multi-disciplinary teams.

Project Health Check

The cost of failure in our industry is largely related to flaws in project management. To reduce this, two robust project management tools and training have been implemented. One tool supports Proposal Managers in the assessment of risk and processing of tenders. The other is the Project Health Check which supports Project Managers and Directors in monthly project reviews. This further reduced project losses. We continue efforts to strengthen project management and our commercial way of working.

Project risk management procedures are integrated in our management system to ensure consistency throughout the organisation. We identify three main areas: get work, do work, and get paid. For each of these areas, risks and key controls have been defined and can be found in the tables below.

Project acquisition

After a Request for Proposal, responsibility for the proposal is assigned to a Proposal Manager. They must ensure the proposal offers the best technical solution to the client and that the 5 Enhancing Society Together themes in our Purpose Matrix are taken into consideration. They undertake a risk assessment for each proposal and document the outcome in a Risk Mitigation Plan. The risk assessment includes monetary determination of the risk/contingency which is priced into the offer. Final approval of the proposal is defined in the Risk & Approval Matrix.

Key risk: The project will not be in line with our strategy.
Key controls:
- Risk & Approval Matrix.
- Country policy.
- Purpose Matrix. Deviations discussed and specifically approved.

Key risk: Teaming up with an unreliable or unprofessional partner.
Key controls:
- Third-Party Assessment.
- Internal assessment of the capabilities of a partner.

Key risk: Entering into an agreement with a client who cannot pay our invoice and/or we do not clearly understand the expectations, local standards, culture, or goals.
Key controls:
- Third-Party Assessment.
- Payment history.
- Training of Proposal Managers.

Key risk: The country where the project is executed may have travel and security risks for our employees and requires specific risk assessment, or specific tax rules might apply and need to be taken into account.
Key controls:
- For projects abroad, review by the Risk Manager and Tax Director.
- Country Policy.

Key risk: The scope is not clearly understood, significant health, safety or environment (HSE) risks are identified, or long duration of the project is expected.
Key controls:
- Review of scope by minimum 4-eyes in line with the Risk & Approval Matrix.
- Understand HSE risks (evidenced by certifications against ISO 14001 (Environmental Management System) and ISO 45001 (Occupational Health & Safety Management System)).

Key risk: A large part of the work is subcontracted, and the subcontractor/supplier is not reliable.
Key controls:
- Assess capabilities of sub-contractor.
- Third-Party Assessment.

Key risk: Entering into contracts with high liability in relation to the contract value and entering into poor contract conditions.
Key controls:
- Standard terms & conditions.
- Deviations from standard are reviewed by our Legal team.

Key risk: The project may be considered controversial.
Key controls:
- Controversial projects guideline.

Key risk: Financial risk: receipts and/or payments in foreign currency, unfavourable payment conditions and guarantees/bonds to be issued.
Key controls:
- Cash flow projections.
- Hedging of exposures in foreign currency.
- Specialist advice for guarantees and bonds.

Project execution

After the contract is won, the Project Manager must set up the team, prepare a detailed project plan and deliver according to the scope and conditions of the contract. During execution, the Project Manager must assess whether the contingencies are adequate. The basis for this assessment is the Project Risk Log where any assessment and/or changes in risk and contingency are recorded.

Information about all projects is tracked in the Project Health Tool.

Key risk: Appoint an inadequately equipped Project Manager.
Key controls:
- Expertise and experience of the project manager is known (CV system).
- Project tier classification where project tier and project management tier should match.

Key risk: Inadequate quality of deliverables.
Key controls:
- 4-eyes principle and peer review on every deliverable.
- Qualified employees to do the job.
- Management system with all steps to be taken is subject to ISO 9001 (Quality Management System) certification.

Key risk: The Project Manager does not flag issues and/or does not seek help if problems arise.
Key controls:
- The Project Health Tool contains information about all projects of Royal HaskoningDHV. Based on pre-defined criteria, projects are classified as basic, lite or full which then determines the depth and level of review. Lite and full projects are manually risk-assessed monthly by the Project Manager on stakeholders, costs, time, scope, resources, QHSE, communication, procurement and other risks. Depending on the level of risk determined, these projects are reviewed and discussed with and by Finance, Project Excellence, and line managers up to Board level. The key is that actions are agreed if risks and issues are flagged.
- Basic projects automatically receive a colour rating based on pre-defined KPIs and the Project Manager discusses actions to be taken with the Director of the Advisory Group.

Project payment

An invoice is raised to the client in line with the contractually agreed payment conditions. After receipt of the final payment and end of contractual agreements, the project can be closed.

Key risk: The Project Manager is not aware that invoices are submitted.
Key controls:
- Hours and expenses are recorded at the project level where the Project Manager is responsible for review and monitoring.
- The Project Manager is responsible for issuing an invoice which is routed through an automatic workflow. Finance monitors timely billing.

Key risk: The Project Manager is not aware that an invoice is overdue.
Key controls:
- Standard reports with invoice status are generated for the Project Manager.
- Days Sales Outstanding is part of the incentive scheme of Project Managers and management.
- Credit Control provides support on the most effective collection strategy.
- Any provisions for bad debts are recorded on the project and have a negative impact on the project result.