Enterprise Risk Management
Exposure to a variety of risks is unavoidable in pursuit of Arcadis’ strategy. The level of general risk in the world continues to be impacted by economic uncertainty and geopolitical events. Emerging risks present opportunities which, if well-managed, result in value creation; however, uncontrolled risks can threaten the achievement of long-term strategic objectives.
The Arcadis Risk and Control framework
The Arcadis Risk and Control (ARC) framework enables a culture of risk awareness by providing a standardized framework for identifying risks and implementing controls. The ARC framework identifies key risks across three risk categories - Strategic, Operational and Compliance risks. It includes business controls which are supported by policies, procedures, work instructions and guidelines, all of which target risk mitigation in accordance with Arcadis’ risk appetite.
The ARC framework allows the company to evolve its business in line with its risk appetite, execute strategic priorities in a controlled manner, and experience fewer surprises in business performance. The ARC is a cornerstone of Arcadis’ risk management approach and supports Arcadis in embedding a risk conscious way of working in all layers of the organization.
Management of risk
Arcadis’ Executive Board is responsible for maintaining a comprehensive risk management and internal control system, and for regularly reviewing its effectiveness. Each year, the Executive Board performs a review of the risks that Arcadis is subject to and based on its risk assessment, the ARC framework is updated and communicated to leadership. The Executive Board is also responsible for ensuring that the risk management and internal control system is integrated and embedded into the way Arcadis works. The Executive Board is supported in this by the ELT members. In order to strengthen risk oversight, each of the 15 key risks identified in the ARC framework is assigned to an ELT member who has overall responsibility for oversight of that risk.
The Risk Management function, led by the Global Risk Management Director, provides guidance and assistance to the Executive Board and ELT. This includes driving risk awareness across the organization and supporting assessments of the design and operating effectiveness of the ARC framework across the global business (see below ‘Arcadis Risk Assurance Program’).
The Risk Management function provides both risk assurance and proactive risk support to the business. Risk Management plays an active role in Pursuit Committees, which serve to ensure that the selection of the clients and opportunities are in line with the strategy. Additionally, Risk Management engages with leadership teams of the GBAs and enabling functions to identify, evaluate and mitigate enterprise risks that may impact the achievement of strategic objectives.
The quarterly Risk Management Committee, chaired by the CFO, assesses current and emerging risk in the context of Arcadis' risk appetite, considers whether Arcadis has robust risk management in place, and provides advice on these topics to the Executive Board and ELT. The Chair nominates the other members of the Risk Management Committee, which should include (at least) six members: at least one Senior Business Representative, Global General Counsel, Global Internal Audit Director, Global Operations & Services Officer, Global Performance Excellence Director and the Global Risk Management Director. Their appointment is confirmed by the Executive Board.
Risk appetite and Key Risk Indicators
The ARC framework balances risks and opportunities and helps define the Executive Board’s appetite for risk. Arcadis’ risk appetite changes over time, reflecting strategic objectives and developments in society, legislation, geopolitics, the client landscape, and changes within Arcadis.
Key Risk Indicators (KRIs) are in place for each of the key risks. The KRIs are measured and reported to the Executive Board, ELT and Audit and Risk Committee on a quarterly basis to provide an early warning as to where exposure to certain risks may be exceeding the appetite. Where risk exposure is outside of the appetite range, we may place more focus on existing mitigating actions, we may introduce additional controls, or we may choose to tolerate that the current level of risk is outside Arcadis' appetite, in which case leadership will be informed and will monitor the situation closely.
Risk management in action
Arcadis adopts a three lines of defense model to facilitate strong governance and risk management. The GBAs and certain enabling functions are the first line, embedding risk management as a formal part of all major decision-making via tools such as risk registers, project watch lists, and client and opportunity go/no-go assessments. The Risk Management function is part of the second line of defense along with other enabling functions. These functions assist and support the first line with identification and assessment of key risks. Identified risks are mitigated through the introduction of policies, procedures, work instructions and guidelines, and by providing training and promoting awareness. Arcadis’ Internal Audit function provides the third line of defense.
Arcadis’ Risk Assurance Program
The Risk Assurance Program provides for a continuous annual cycle of testing the design and operational effectiveness of controls to provide assurance that the key risks are being effectively identified, mitigated or managed within our risk appetite. Each GBA, country and enabling function reports the results of its Risk Assurance Program annual assessment at the end of the financial year to the Global Risk Management Director and Global Group Controller.
Action plans for controls found not to be designed or operating effectively are developed by the business with deadlines established for remediation to be complete.
The Risk Management function monitors the progress of remedial actions and evaluates whether they are working appropriately before closing out the action. Regular status reports are provided to the business and to the ELT in terms of remedial action progress. The Risk Assurance Program also evaluates the design of the controls on an annual basis and updates them as necessary to reflect the current business policies and processes.
Appropriate GBA, country, and enabling function leadership are required to sign an annual Document of Representation (DOR), which is addressed to the Group CEO and CFO. In addition, each ELT member is required to sign enabling function DORs that address the key risks in their areas of responsibility. The DORs include a statement regarding the design and operating effectiveness of controls based on the results of the Risk Assurance Program. Based on the combined DORs, Arcadis N.V. issues a Letter of Representation (including an In-Control Statement) to the external auditor.
Internal Audit
Arcadis’ Internal Audit function operates under the responsibility of the Executive Board. Its mission is to enhance Arcadis’ performance through assurance. The Global Internal Audit Director has direct access to the Executive Board and the Chair of the Audit and Risk Committee and is a permanent invitee to the Audit and Risk Committee meetings. The priorities for the Internal Audit function are defined with the Executive Board and the Audit and Risk Committee and are approved by the Executive Board and the Supervisory Board.
In 2024, the Internal Audit function updated its annual plan on a quarterly basis to respond to changes in the global risk and internal control environment. Changes were approved by the Executive Board and Audit and Risk Committee on behalf of the Supervisory Board. The Internal Audit function continually interacts with the external auditor regarding the preparation and execution of the annual audit plan, changes to the audit plan and the main reported results.
The function consists of a multidisciplinary team of business, general and IT auditors. Experts are involved where needed. Internal Audit governs itself by complying with the Standards of the Institute of Internal Auditors. Observations and recommendations, as reported by the Internal Audit function, are submitted to management of the GBAs or enabling functions and responsible ELT member. Management is responsible for executing and monitoring the progress of remedial measures put in place to mitigate and manage the reported risks.
The Internal Audit function monitors remediation actions required based on the results of its audit reports. Each quarter, the Executive Board and Audit and Risk Committee receive the results of internal audits and an update on the progress of remedial actions. The role of the Audit and Risk Committee includes monitoring the progress of management follow-up on audit findings.
Integrated assurance
In 2024, Arcadis commenced a program to provide integrated assurance across the three lines of defense. The program will continue through 2025 and will facilitate clearer insights into the risk environment and the effectiveness of the management of risk across the business.
Management statements
The GBAs and enabling functions issued signed DORs and In-Control statements to the Executive Board which include the results of the Risk Assurance Program testing carried out in 2024. This process is in line with the Risk Assurance Program as described on page 192.
The Executive Board, supported by the ELT, has reviewed the DORs and In-Control statements, along with reports from the Internal Audit function and the external auditor. There were no significant changes in the internal risk management and control systems during 2024. The Executive Board has assessed the effectiveness of the design and operation of the ARC framework in 2024 and discussed with the Audit and Risk Committee and the Supervisory Board.
During 2024, no significant weaknesses in the design or implementation of the controls under the ARC framework were observed (i.e., no deficiencies that resulted in material losses or impact). Where a control did not operate as expected, areas for improvement were identified, remedial action plans formalized, and progress against the plans was monitored throughout 2024.
As substantiated in this Enterprise Risk Management chapter of the Annual Report, based on the information referred to above and its assessment, the Executive Board believes that:
- The Annual Integrated Report provides sufficient insights into any significant deficiencies in the effectiveness of the internal risk management and control systems;
- The aforementioned systems provide reasonable assurance that financial reporting does not contain any material inaccuracies;
- Based on the current state of affairs, it is justified that financial reporting is prepared on a going concern basis; and
- The Annual Integrated Report states those material risks and uncertainties that are relevant to the expectation of the company’s continuity for the period of twelve months after the preparation of the report. See in particular the Key Risks table on the previous pages.
In accordance with Article 5:25c of the Financial Markets Supervision Act (Wet op het Financieel Toezicht), the Executive Board confirms, to the best of its knowledge, that:
- The Consolidated financial statements give a true and fair view of the assets, liabilities, financial position and profit and loss of Arcadis and its consolidated companies;
- The Annual Integrated Report gives a true and fair view of the position as of 31 December 2024 and the developments during the financial year of Arcadis and its group companies included in the consolidated financial statements; and
- The Annual Integrated Report describes the main risks Arcadis is facing in the Key Risks table on the previous pages.
The above statements are given on the basis that the ARC framework is primarily designed to bring Arcadis’ risk exposure within its appetite and cannot therefore provide full and complete assurance that all human error, unforeseen circumstances, material misstatements, fraud, or non-compliance with laws and regulations will be prevented.