Risk Management
Our purpose Enhancing Society Together is the foundation of our risk management to ensure we achieve lasting positive impact through our activities. Our company strategy Stronger25 also underpins our risk management approach. It defines where we play and how we win, while staying independent and financially healthy.
We identify corporate risks and operational risks. Each risk is linked to one or more of the company’s strategic objectives.
Corporate risks
We continually review what is happening in the world around us and take appropriate mitigating measures for risks impacting us. For example, because of the ever-present demand for talent, our organisation fine-tunes policies and practices to meet our strategic ambition of being employer of choice. The continuing wars in Ukraine and Gaza, as well as natural disasters such as floods and wildfires elsewhere, required us to assess the need for operational adaptation. This includes considering the mental health and safety of our people and potential impact on our value chain. Any country going through political uncertainty is assessed regularly to evaluate related risks and consequences for our policies. Disruptive technologies and other trends have a significant impact on our knowledge-intensive business. We are monitoring these developments and are actively engaging with partners on innovation and digitisation.
Policies remain in place to manage any major crisis, including well-trained and experienced Corporate Crisis Management Teams. Country Incident Management Teams are well established where we operate. These teams advise the Executive Board and Management Teams at various levels about risks and measures to be taken.
Every year, management identifies the most important corporate risks which are then scored on probability and impact on EBITA (for the coming three years). Both endogenous and exogenous risks are considered. For 2024, the areas where risks were defined and assessed relate to:
Integrity (Fraud)
Key corporate risks | Key Controls |
Risk rating: Low (unlikely probability, moderate impact) | |
The risk of corruption (like bribery and fraud) and/or criminal offence leading to reputational damage. | To ensure we avoid integrity breaches, we operate in ways that meet fundamental responsibilities in the areas of human rights, labour, environment, and anti-corruption – supporting the Ten Principles of the UN Global Compact. These are incorporated in our Code of Conduct (the subject of a mandatory e-learning in 2024), Compliance and Integrity Management System and Human Rights policy. |
Based on a risk assessment, selected clients and partners undergo a Third-Party Assessment executed by our Finance and Compliance departments. | |
Mandatory Integrity e-learning for all staff in 2024 and going forward for all new hires. |
Organisation, Strategy and Culture
Key corporate risks | Key Controls |
Risk rating: Medium (moderate probability, moderate impact) | |
An inability to successfully execute our strategy (Stronger25) may lead to a failure to achieve our purpose to Enhance Society Together. We may not realise (strategic) objectives of investments, or culture ambitions. This will impact our reputation and lead to unhappy clients, employees, and others with whom we work closely. The wider consequence will ultimately be an unhappy society. | Our strategic objectives are overseen via our Stronger25 Office with clearly defined ambitions and plans for our Global Leading Markets. Progress is monitored via KPIs and dashboards, such as the Enhancing Society Together Purpose Matrix. |
Our values define and drive the culture and behaviour within Royal HaskoningDHV. | |
Markets, clients and organisation
Key corporate risks | Key Controls |
Risk rating: High (moderate probability, major impact) | |
There is a risk of lost revenue as a result of economic downturn or decline in demand in markets or segments, and not being able to secure sufficient work. This could happen due to a lack of commercial focus or if our clients (government and private) decide to cancel or postpone projects and investments which directly impact our order portfolio. | Market risk is a fact of doing business. We are aware of the risk, and constantly monitor our position in markets and segments aligned with our global leading markets as well as our abilities and utilisation of resources. We also ensure outstanding relations with clients and other stakeholders. Further controls are offered by: |
Technology and Information Security
Key corporate risks | Key Controls |
Risk rating: High (unlikely probability, catastrophic impact) | |
Cyber security risk which could potentially lead to loss, damage or destruction of assets or data is a key risk for Royal HaskoningDHV, and also for clients who use our applications and products, and for suppliers and sub-consultants/sub-contractors with whom we share information digitally. | We have implemented state-of-the-art control measures to mitigate the risk of cyberattacks, including: |
Employees
Key corporate risks | Key controls |
Risk Rating: High (moderate probability, major impact) | |
As a company we might be unable to hire sufficient and qualified people in the market. This is heightened by increased demand worldwide for technically and digitally skilled people and the increased challenges to retaining knowledge. | We continuously work on our attractiveness as an employer through our Employer Value Proposition. |
Project management
Key corporate risks | Key Controls |
Risk rating: Medium (moderate probability, moderate impact) | |
An inability to deliver world-class products and services to clients in an ever-changing world. Not having the right set of project management tools to control and manage project delivery. Resulting in substandard products and service, executing projects inefficiently and/or ineffectively. | • Upholding the principle of people, process, technology by implementing an integrated management system that is ISO 9001, 14001 and 45001 certified. |
International Laws and Regulations
Key corporate risks | Key controls |
Risk Rating: Low (unlikely probability, moderate Impact) | |
The risk is not being compliant with the letter and spirit of international and local laws, increase in claim appetite in the private and public sector. | • Our worldwide professional legal team has in-depth knowledge of local and international legislation. Providing legal advice during proposals to protect us from entering into unbalanced contracts. |
Finance and Control
Key corporate risks | Key controls |
Risk Rating: Low (unlikely probability, moderate Impact) | |
The risk is that insufficient funds are available (cash and credit facilities) and that profitability is too low. | • Clear policies and procedures are in place: Treasury, credit control, debt collection, pricing, target setting and monitoring. |
Digital Transformation, Services and Applications
Key corporate risks | Key controls |
Risk Rating: High (moderate probability, major Impact) | |
The risk is that insufficient funds are available (cash and credit facilities) and that profitability is too low. | • Clear policy on digital transformation and use of generative AI. Controls such as the Stronger 25 portfolio board and Enterprise Architecture Board. |
Operational Risks
Project Health Check
Failure in our industry is typically related to weaknesses in project management. To reduce this, we have two robust project management tools and training in place. One tool supports Proposal Managers in assessing risk during the proposal process. The other is the Project Health Check which supports Project Managers and Directors in monthly project reviews. These tools have effectively reduced project losses. We continue efforts to strengthen project management and our commercial way of working.
Project risk management procedures are integrated in our management system to ensure consistency throughout the organisation. We identify three main areas: get work, do work, and get paid. For each of these areas, risks and key controls have been defined and can be found in the tables below.
Project acquisition
During a Request for Proposal, responsibility for the proposal is assigned to a Proposal Manager. They must ensure the proposal offers the best technical solution to the client and that the 5 Enhancing Society Together themes in our Purpose Matrix are taken into consideration. They undertake a risk assessment for each proposal and document the outcome in a Risk Mitigation Plan. The risk assessment includes monetary determination of the risk/contingency which is priced into the offer. Final approval of the proposal is defined in the Risk & Approval Matrix. Projects with highest risks are discussed in the Risk Assessment Board.
Key risks | Key controls |
The project is not in line with our strategy. | Risk & Approval Matrix. |
Country policy. | |
Purpose Matrix. Deviations discussed and specifically approved. | |
Defined Global Leading Markets and Growth Themes in the Netherlands to align the project with our strategy. | |
Teaming up with an unreliable or unprofessional partner. | Third-Party Assessment. |
Internal assessment of the capabilities of a partner. | |
Entering into an agreement with a client who cannot pay our invoice and/or we do not clearly understand the expectations, local standards, culture, or goals. | Third-Party Assessment. |
Payment history. | |
Training of Proposal Managers. | |
The country where the project is executed may have travel and security risks for our employees and requires specific risk assessment, or specific tax rules might apply and need to be taken into account. | For projects abroad, review by the Risk Manager and Tax Director. |
Country Policy. | |
Travel risk assessment. | |
The scope is not clearly understood, significant health, safety or environment (HSE) risks are identified, or long duration of the project is expected. | Review of scope by minimum 4-eyes in line with the Risk & Approval Matrix. |
Understand HSE risks (evidenced by certifications against ISO 14001 (Environmental Management System) and ISO 45001 (Occupational Health & Safety Management System). | |
A large part of the work is subcontracted, and the subcontractor/supplier is not reliable. | Assess capabilities of sub-contractor. |
Third-Party Assessment. | |
Entering into contracts with high liability in relation to the contract value and entering into poor contract conditions. | Standard terms & conditions. |
Deviations from standard are reviewed by our Legal team. | |
The project may be considered controversial. | Controversial projects guideline. Position Papers |
Financial risk: receipts and/or payments in foreign currency, unfavourable payment conditions and guarantees/bonds to be issued. | Cash flow projections. |
Hedging of exposures in foreign currency. | |
Specialist advice for guarantees and bonds. |
Project execution
After the contract is won, the Project Manager must set up the team, prepare a detailed project plan and deliver according to the scope and conditions of the contract. During execution, the Project Manager must assess whether the contingencies are adequate. The basis for this assessment is the Project Risk Log where any assessment and/or changes in risk and contingency are recorded.
Information about all projects is tracked in the Project Health Check Tool.
Key risks | Key controls |
Appoint an inadequately equipped Project Manager. | Expertise and experience of the project manager is known (CV system) Project tier classification where project tier and project |
Inadequate quality of deliverables. | 4-eyes principle and peer review on every deliverable. |
The Project Manager does not flag issues and/or does not seek help if problems arise. | The Project Health Tool contains information about all projects of Royal HaskoningDHV. Based on pre-defined criteria, projects are classified as basic, lite or full which determines the depth and level of review. Lite and full projects are manually risk-assessed monthly by the Project Manager on stakeholders, costs, time, scope, resources, QHSE, communication, procurement and other risks. Depending on the level of risk determined, these projects are reviewed and discussed with and by Finance, Project Excellence, and line managers up to Board level. The key is that actions are agreed if risks and issues are flagged. |
Project payment
An invoice is raised to the client in line with the contractually agreed payment conditions. After receipt of the final payment and end of contractual agreements, the project can be closed.
Key risks | Key controls |
Invoices are not submitted timely. | Hours and expenses are recorded at the project level where the Project Manager is responsible for review and monitoring. |
The Project Manager is responsible for issuing an invoice which is routed through an automatic workflow. Finance monitors timely billing. | |
Invoices are overdue. | Standard reports with invoice status are generated for the Project Manager. |
Days Sales Outstanding is part of the incentive scheme of Project Managers and management. | |
Finance provides support on the most effective collection strategy. | |
Any provisions for bad debts are recorded on the project and have a negative impact on the project result. |
Other financial risks
Liabilities
Our liabilities are defined within each contract. Most of these will fall within our standard conditions for what we consider acceptable risk. If conditions are not met, additional approvals are required. Legal counsel reviews and provides recommendations to limit liability when possible. In addition, we are covered to a significant level by professional indemnity insurances.
Liquidity
Two main controls help ensure sufficient funding is available for our operations: control over our working capital (mainly work in progress positions and debtors) and securing our bank facilities. Before submitting a proposal, we assess the client’s ability to settle our invoices over the duration of the project and monitor our credit risk continuously during project execution. In addition, for each proposal, a cash flow forecast must be prepared, and we aim to negotiate a positive cumulative cash position during the project. We have agreed guarantee facilities with our banks where loan covenants are applicable. Our Corporate Treasury monitors that these are met.
Currency
Fluctuations in commonly traded currencies like USD and GBP and in less-traded currencies represent a risk on part of our turnover. Our treasury policy aims to cover the currency risk as much as possible during execution of projects. Corporate Treasury monitors and advises on foreign currency exposures and the use of hedge instruments.
Guarantees
A few clients require us to issue corporate guarantees for the execution of a project. It is our policy to limit the issue of these guarantees. For this reason, we manage our balance sheets to ensure solvency of our companies is enough to operate independently in the market. Royal HaskoningDHV has stringent procedures to review and approve bank guarantees and bonds (like advance payment guarantees and performance bonds) before they are issued.
Pensions
In principle, Royal HaskoningDHV operates pension plans under defined contribution pension schemes. However, at HaskoningDHV UK Limited there is a closed defined benefit scheme. This scheme was closed for new entries and future accruals in 2005. The closed defined benefit members became deferred members. The Group does not and will not provide any guarantees to the United Kingdom defined benefit pension scheme. The responsibility lies with the Royal HaskoningDHV entity in the United Kingdom. The defined benefit scheme deficit under Dutch GAAP (Generally Accepted Accounting Principles) on December 31, 2024 is €6.4 million (2023: €8.7 million) with an associated deferred tax asset of €1.6 million (2023: €2.2 million).
For more information about internal risk management and control systems, please see the section.