Corporate and Operational Risks

Corporate risks

We continually review what is happening in the world around us and take appropriate mitigating measures for risks impacting us. For example, as demand for talent intensified in 2023, our organisation fine-tuned policies and practices to meet our strategic ambition of being employer of choice. Also in 2023, the wars in Ukraine and Gaza, as well as natural disasters such as floods and wildfires elsewhere, required us to assess the need for operational adaptation. This included consideration of the mental health and safety of our people and of potential impact on our value chain. Any country going through political uncertainty is assessed regularly to evaluate related risks and consequences for our policies. Disruptive technologies and other trends will have a significant impact on our knowledge-intensive business. We are monitoring these developments and are actively engaging with partners on innovation and digitisation.

Policies remain in place to manage any major crisis, including well-trained and experienced Corporate Crisis Management Teams. Country Incident Management Teams are well established where we operate. These teams advise the Executive Board and Management Teams at various levels about risks and measures to be taken.

The Corporate Risk Register was discussed in the Supervisory Board meeting of November 2023.

Every year, management identifies the most important corporate risks which are then scored on probability and impact on EBITA (for the coming three years). Both endogenous and exogenous risks are considered. For 2023, the areas where risks were defined and assessed relate to:

Integrity (Fraud)

Key corporate risks	Key Controls
Integrity (Fraud)	Risk rating: Low (unlikely probability, moderate impact)
The risk of corruption (like bribery and fraud) and/or criminal offence leading to reputational damage.	To ensure we avoid integrity breaches, we operate in ways that meet fundamental responsibilities in the areas of human rights, labour, environment, and anti-corruption – supporting the Ten Principles of the UN Global Compact. These are incorporated in our Code of Conduct and Compliance and Integrity Management System.
	Based on a risk assessment, selected clients and partners undergo a Third-Party Assessment executed by our Finance and Compliance departments.

Organisation, Strategy and Culture

Key corporate risks	Key Controls
Organisation, Strategy and Culture	Risk rating: Medium (moderate probability, moderate impact)
An inability to successfully execute our strategy (Stronger25) may lead to a failure to achieve our purpose to Enhance Society Together. We may not realise (strategic) objectives of investments, or culture ambitions. This will impact our reputation and lead to unhappy clients, employees and others with whom we work closely. The wider consequence will ultimately be an unhappy society.	Our strategic objectives are overseen via our Stronger25 Office with clearly defined ambitions and plans for our Global Leading Markets. Progress is monitored via KPIs and dashboards, such as the Enhancing Society Together Purpose Matrix.
	Our values define and drive the culture and behaviour within Royal HaskoningDHV.

Markets, clients and competition

Key corporate risks	Key Controls
Markets, clients and organisation	Risk rating: High (moderate probability, major impact)
There is a risk of lost revenue as a result of economic downturn or decline in demand in markets or segments, and not being able to secure sufficient work. This could happen due to a lack of commercial focus or if our clients (government and private) decide to cancel or postpone projects and investments which directly impact our order portfolio.	Market risk is a fact of doing business. We are aware of the risk, and constantly monitor our position in markets and segments aligned with our global leading markets as well as our abilities and utilisation of resources. We also ensure outstanding relations with clients and other stakeholders. Further controls are offered by: Global geographical spread of business Differentiation in various business segments Ability to realign the organisation quickly when revenues decrease Strong client relationship management in place Ability to financially absorb temporary drops in revenues.

Technology and Information Security

Key corporate risks	Key Controls
Technology and Information Security	Risk rating: High (unlikely probability, catastrophic impact)
Cyber security risk which could potentially lead to loss, damage or destruction of assets or data is a key risk for Royal HaskoningDHV, and also for clients who use our applications and products, and for suppliers and sub-consultants/sub-contractors with whom we share information digitally.	We have implemented state-of-the-art control measures to mitigate the risk of cyberattacks, including: Patch management (up-to-date operating systems and patches) Anti-virus/firewall Access management (including multi-factor authentication). Monitoring (e.g., domain controllers, Microsoft, firewall, e-mail filtering) Partner selection procedures Cyber insurance protection Awareness among employees Business continuity procedures in place and tested Information security management system certification to ISO 27001.

Employees

Key corporate risks	Key controls
Employees	Risk Rating: High (moderate probability, major impact)
As a company we might be unable to hire sufficient and qualified people in the market. This is heightened by increased demand worldwide for technically and digitally skilled people and the increased challenges to retaining knowledge.	We continuously work on our attractiveness as an employer through our Employer Value Proposition. We build on a strong reputation as an employer of choice. We ensure we maintain close relationships with relevant universities. We offer competitive and modern labour conditions. We provide opportunities for our people to grow through various learning academies and building our knowledge network.

Project management

Key corporate risks	Key Controls
Project management	Risk rating: Medium (moderate probability, moderate impact)
An inability to deliver world-class products and services to clients in an ever-changing world. Not having the right set of project management tools to control and manage project delivery. Resulting in substandard products and service, executing projects inefficiently and/or ineffectively.	Upholding the principle of people, process, technology by implementing an integrated management system that is ISO 9001, 14001 and 45001 certified. Resourcing projects with appropriately qualified project managers via our tier structure. Continuous training of project managers to manage multi-disciplinary teams. Providing the right tooling for the job. Regular assessment of project delivery and management.

International Laws and Regulations

Key corporate risks	Key controls
International Laws and Regulations	Risk Rating: Low (unlikely probability, moderate Impact)
The risk is not being compliant with the letter and spirit of international and local laws, increase in claim appetite in the private and public sector.	Our worldwide professional legal team has in-depth knowledge of local and international legislation. Providing legal advice during proposals to protect us from entering into unbalanced contracts. Code of Conduct, together with our Compliance Integrity Management System (CIMS) and Compliance Programme. Our values are key to our existence as a company and are communicated through our Code of Conduct.

Finance and Control

Key corporate risks	Key controls
Finance and Control	Risk Rating: Low (unlikely probability, moderate Impact)
The risk is that insufficient funds are available (cash and credit facilities) and that profitability is too low.	Clear policies and procedures are in place: Treasury, credit control, debt collection, pricing, target setting and monitoring. Insight into profitability on project level and organisation unit level, with information about budgets, forecast and realisation. Adequate bank facilities in place. Centralised expertise over all financing activities, approving all such facilities. Maintaining relationship with banks in case additional funding is required.

Operational Risks

Project Health Check

Failure in our industry is typically related to weaknesses in project management. To reduce this, two robust project management tools and training are in place. One tool supports Proposal Managers in assessing risk and processing tenders. The other is the Project Health Check which supports Project Managers and Directors in monthly project reviews. These tools have effectively reduced project losses. We continue efforts to strengthen project management and our commercial way of working.

Project risk management procedures are integrated in our management system to ensure consistency throughout the organisation. We identify three main areas: get work, do work, and get paid. For each of these areas, risks and key controls have been defined and can be found in the tables below.

Project acquisition

After a Request for Proposal, responsibility for the proposal is assigned to a Proposal Manager. They must ensure the proposal offers the best technical solution to the client and that the 5 Enhancing Society Together themes in our Purpose Matrix are taken into consideration. They undertake a risk assessment for each proposal and document the outcome in a Risk Mitigation Plan. The risk assessment includes monetary determination of the risk/contingency which is priced into the offer. Final approval of the proposal is defined in the Risk & Approval Matrix. Projects with highest risks are discussed in the Risk Assessment Board.

Key risks	Key controls
The project is not in line with our strategy.	Risk & Approval Matrix.
	Country policy.
	Purpose Matrix. Deviations discussed and specifically approved.
	Defined Global Leading Markets and Growth Themes in the Netherlands to align the project with our strategy.
Teaming up with an unreliable or unprofessional partner.	Third-Party Assessment.
Teaming up with an unreliable or unprofessional partner.	Internal assessment of the capabilities of a partner.
Entering into an agreement with a client who cannot pay our invoice and/or we do not clearly understand the expectations, local standards, culture, or goals.	Third-Party Assessment.
	Payment history.
	Training of Proposal Managers.
The country where the project is executed may have travel and security risks for our employees and requires specific risk assessment, or specific tax rules might apply and need to be taken into account.	For projects abroad, review by the Risk Manager and Tax Director.
	Country Policy.
The scope is not clearly understood, significant health, safety or environment (HSE) risks are identified, or long duration of the project is expected.	Review of scope by minimum 4-eyes in line with the Risk & Approval Matrix.
	Understand HSE risks (evidenced by certifications against ISO 14001 (Environmental Management System) and ISO 45001 (Occupational Health & Safety Management System).
A large part of the work is subcontracted, and the subcontractor/supplier is not reliable.	Assess capabilities of sub-contractor.
	Third-Party Assessment.
Entering into contracts with high liability in relation to the contract value and entering into poor contract conditions.	Standard terms & conditions.
	Deviations from standard are reviewed by our Legal team.
The project may be considered controversial.	Controversial projects guideline.
Financial risk: receipts and/or payments in foreign currency, unfavourable payment conditions and guarantees/bonds to be issued.	Cash flow projections.
	Hedging of exposures in foreign currency.
	Specialist advice for guarantees and bonds.

Project execution

After the contract is won, the Project Manager must set up the team, prepare a detailed project plan and deliver according to the scope and conditions of the contract. During execution, the Project Manager must assess whether the contingencies are adequate. The basis for this assessment is the Project Risk Log where any assessment and/or changes in risk and contingency are recorded.

Information about all projects is tracked in the Project Health Tool.

Key risks	Key controls
Appoint an inadequately equipped Project Manager.	Expertise and experience of the project manager is known (CV system)
Appoint an inadequately equipped Project Manager.	Project tier classification where project tier and project management tier are matched.
Inadequate quality of deliverables.	4-eyes principle and peer review on every deliverable.
	Qualified employees to do the job.
	Management system with all steps to be taken are subject to ISO 9001 (Quality Management System) certification.
The Project Manager does not flag issues and/or does not seek help if problems arise.	The Project Health Tool contains information about all projects of Royal HaskoningDHV. Based on pre-defined criteria, projects are classified as basic, lite or full which determines the depth and level of review. Lite and full projects are manually risk-assessed monthly by the Project Manager on stakeholders, costs, time, scope, resources, QHSE, communication, procurement and other risks. Depending on the level of risk determined, these projects are reviewed and discussed with and by Finance, Project Excellence, and line managers up to Board level. The key is that actions are agreed if risks and issues are flagged. Basic projects automatically receive a colour rating based on pre-defined KPIs and the Project Manager discusses actions to be taken with the Director of the Advisory Group.

Project payment

An invoice is raised to the client in line with the contractually agreed payment conditions. After receipt of the final payment and end of contractual agreements, the project can be closed.

Key risks	Key controls
Invoices are not submitted timely.	Hours and expenses are recorded at the project level where the Project Manager is responsible for review and monitoring.
Invoices are not submitted timely.	The Project Manager is responsible for issuing an invoice which is routed through an automatic workflow. Finance monitors timely billing.
Invoices are overdue.	Standard reports with invoice status are generated for the Project Manager.
	Days Sales Outstanding is part of the incentive scheme of Project Managers and management.
	Finance provides support on the most effective collection strategy.
	Any provisions for bad debts are recorded on the project and have a negative impact on the project result.