Risk management is embedded in our daily activities. Action, guidelines and procedures are defined throughout the entire Group in order to manage one or more specific risk categories. Examples include our internal planning and control procedures, our reporting guidelines and our organisational structure, accompanied by an appropriate delegation of powers.
In order to maintain an appropriate internal-control regime and a balanced approach to risk management in accordance with our risk appetite and profile, risk management is an integral part of our organisation. This involves our staff taking responsibility for identified risks as part of doing business. Our approach to risk management is based on our aim to obtain a reasonable degree of certainty in achieving our business objectives, while complying with applicable legislation and internal and external regulations.
Although our internal control mechanisms, our people, our available processes and guidelines, and our approach to risk management all help to limit uncertainty or unexpected losses, which could constitute obstacles to the achievement of our business objectives, a risk management process cannot offer an absolute guarantee that we will achieve these objectives. Nor can risk-management processes preclude the occurrence of material reporting errors, losses, fraud, human error, insufficiently substantiated decision-making or contraventions of the relevant legislation and regulations. There may even be other
considerable risks that we have not yet identified or risks that we assume do not have a potentially significant impact on our results, although this may subsequently prove to be the case.
In 2009, we will further improve our pragmatic approach to risk management and will further incorporate it into our business operations. In the coming two to three years, our focus will be on the implementation and monitoring of a risk control
framework based on the COSO framework. Further to the decision taken in 2008 to embed an internal audit function, an internal auditor has been hired and started as of 1 January 2009.
We have identified the following categories of risks: strategic and operational risks, those associated with legislation and regulations, and those concerning financial reporting. The overview is not exhaustive. In view of the great diversity of our markets, clients and regions, and our broad spectrum of operations, it is virtually impossible to quantify all of the risks that may occur and which are relevant to the entire Group. We have listed the most relevant risks in the paragraph below.
S T R A T E G I C A N D O P E R A T I O N A L R I S K S
Main strategic risks
The most important risks that could pose a threat to a consultancy and engineering firm are:
o wage demands that cannot be passed on in the form of higher fees; o shortage of available professionals;
o a significant change in public investment behaviours at all or any government level.
Grontmij’s day-to-day operations are less sensitive to fluctuations in prices of fuel, raw and building materials, interest rates and fluctuations in financial markets.
While it is true that the various aspects of our core business are interrelated, they are also linked to various markets, clients and sectors.
The influence of positive and negative cyclical effects is tempered by:
o the cohesion of the Group’s operations; o our broad geographical distribution;
o the diversity of our client base and market sectors; o our strong market position and size.
Markets: Grontmij’s former dependence on the Dutch market has been transformed into a geographical spread over six economies. Grontmij remains alert to signals of changes in market conditions in each of the countries where it operates. However, it is always possible for market conditions to change unexpectedly. Postponements and a halt in the flow of orders may result in losses due to a temporary under-utilisation of capacity.
Sectors: Our operations are spread over six sectors: environment, water, energy, building, industry and transportation. As our portfolio is diversified over six sectors, we are dependent to a limited extent on the performance of the weakening building sector. Within this sector, we focus on asset management, energy and climate control, and the safety aspects of construction within management and maintenance services. Consultancy services for the construction of new commercial buildings only account for a limited proportion of our revenue.
Clients: A large proportion of the services we provide (approximately 70%) is directly and indirectly related to the (semi)public- sector and utility companies.
Grontmij’s revenues are largely based on investments expected from the governments of European countries and a large number of industries. To a certain degree, Grontmij is sensitive to changes in price and sudden amendments in government policy, but we are able to adapt to these promptly by flexible (re-)allocation of specialists in our decentralised multidisciplinary teams. Sharp fluctuations in price, energy or labour costs (up or down) do not result in changes being made to the investments made by governments, unless a simultaneous structural economic downturn occurs in all countries and sectors.
The GDP growth rate projections of each country in Europe is therefore one of our guiding indicators. Contract risks
Thanks to our decentralised network of offices, we generate a considerable portion of our revenue from a large number of contracts of a relatively limited size with correspondingly limited risks. The largest project in our portfolio accounts for less that 2% of our revenue. Where risks are suspected, they are covered, where possible, by appropriate insurance (for projects and otherwise). Some contracts are awarded to Grontmij on the basis of long-term agreements stipulating that it is the preferred supplier.
The majority of our projects is carried out by Grontmij companies acting as the chief contractor for clients, and usually involve a fixed contract fee.
Project risks
Given the nature and complexity of the consulting and engineering business, Grontmij has developed a robust risk-manage- ment policy for its business operations: an alternating contract portfolio provides the protection required against contract losses, thorough disciplinary controls have been embedded and funds are actively managed on a daily basis.
Grontmij systematically (ISO-9001 and ISO-14001) adopts a bottom-up approach to its business operations. Risks are identified at project level, which means it is possible to oversee the risk profiles of all projects by market sector and/or client categories in each region. This enables us to assess the conditions and risks involved in individual projects and spread the risk adequately. The diagram on the next page shows the type of risks involved in the execution of projects.
Projects are evaluated against their financial projections at least once per month based on the PCM-method so that necessary amendments can be made promptly if and when necessary.
Grontmij also carries out area development projects in conjunction with external partners that require a limited capital contribution. In order to limit the operational and financial risks of such projects, Grontmij regularly opts to place these activities in separate legal entities in which the Group has an interest of 50% or less. For a limited period of three to four years, Grontmij is usually able to convert the time spent by our engineers into a (minority) interest in the joint venture company and to invest the additional cash flow from dividends generated in this way in its core business. Because the organisation has placed limits on its capital, it applies a very strict investment selection policy when investing in such development projects. The return on equity from these selected projects amounts to at least 20%.
Such joint ventures are a structural part of our business; they have contributed to Grontmij´s results for many years. The involvement of Grontmij in joint ventures varies from year to year. Results from joint ventures also vary from year to year and have to be seen in conjunction with the Group’s other business results. The composition of our project portfolio for the coming years provides sufficient confidence in the combined results of our engineering and consultancy activities and related joint ventures.
Risks related to systems
IT systems are a core enabler of business operations at Grontmij. Therefore, it is crucial to have appropriate Information Security in place. During 2008, a formal Corporate Information Security Policy in line with the ISO-27001 Code of Practice was developed and approved by the Executive Board. This policy is underpinned by a risk-analysis framework that stress tests the availability, integrity and confidentiality of information and other operating assets against specific threats to Grontmij’s business processes and supporting information systems and IT infrastructure. We will roll out and implement this policy Group-wide, starting in 2009.
Labour market risks
Our ability to grow our revenue base is driven to a large extent by the number of qualified staff we are able to recruit and retain. Our position in the labour market is vitally important for our business operations.
Grontmij strives to have a balanced workforce. About 85% of our people is employed under an employment contract for indefinite term and the remaining 15% is hired for a particular project or on a flexible basis. Sharing manpower between the Types of risks involved in the execution of projects
Exploitation risks Sales risks Project realisation risks
Design, preparation and planning risks