The Executive Board is ultimately responsible for risk management within the company and sets the risk acceptance level. In addition, every Heijmans employee is aware of their role in the management and/or mitigation of the risks to which the company is exposed. Heijmans’ risk management and internal control process is essential to our business model and is implemented at three levels in the organisation:
The first line is the operation responsible for implementing and complying with agreed procedures and managing the associated operational risks and specific project risks. In this respect, we recognise the following gradation:
the management of project-level risks from project development, design and construction to completion and maintenance: primary responsibility project and/or line management.
the management of business risks of the portfolio of projects and sales, general and administrative costs at business area level: primary responsibility business area management.
the management of the portfolio of projects across business areas and business risks at group level: primary responsibility Executive Board.
The second line includes the Risk Office, Legal and Compliance and analyses and tests the substance of the risk profile, develops and improves control measures, codifies lessons learned and ensures that these are implemented in the first line.
The third line (Internal Audit) monitors the correct compliance with and effectiveness of the control measures through an audit programme and reports periodically to the Executive Board, group board and the risk and audit committee.
The Executive Board reports to the risk and audit committee on risk management processes. The risk and audit committee and the Executive Board receive independent information on risk management activities from both the CRO (substantive reporting on Heijmans’ risk profile) and Internal Audit (reporting on risk-driven process testing). In order to advise on and prepare the Supervisory Board's decision-making, the risk and audit committee assesses the quality of reporting and the effectiveness of Heijmans’ internal risk management and control systems. The risk and audit committee reports its observations and findings to the full Supervisory Board.
This structured process enables Heijmans to take risks in a controlled manner. Constant monitoring of the external environment and the operational and financial results is an inherent part of our way of working.
The second-line of risk management includes a Chief Risk Officer and a Risk Office. The objective of the Risk Office is to permanently raise risk management and a risk-aware culture to a higher level at every level and across the entire organisation. In addition, the CRO and the Risk Office act as a (substantive) second pair of eyes on project, portfolio and business risks. The CRO and the Risk Office are independent, with the CRO reporting directly to the Executive Board. The Risk Officers are based in the various Heijmans business units, so they are a mix of experienced specialists and young potentials with mostly project-related knowledge and experience. After a period within the Risk Office, a specialist returns to the business and is succeeded by a new experienced specialist from that business. For Heijmans, an active period as a Risk Officer is an important part of succession planning and leadership development.
Heijmans regularly evaluates the activities of the Risk Office and makes adjustments if this proves necessary. In addition, Heijmans-wide process meetings deal with and adjust elements that improve both risk awareness and risk management. These process meetings discuss and make improvements on issues such as the weighting model, tender board presentation, use of supporting tools, adjustment of formats used, etc.
Risk Officers are involved in categorising projects for pre-qualification and project selection. They provide an independent opinion on the risk profile of all project risk category 3 tenders and the larger and more risky project risk category 2 tenders. They are deployed for both the substantive design of second-line risk management and the substantive performance of independent risk reviews of tenders and projects under construction. This involves testing the effectiveness of our main business processes. In the CRO report, the CRO provides a quarterly update on the development of Heijmans’ business risk profile.
Heijmans has an internal audit team whose primary task is to initiate and realise sufficient risk-driven process audits, including clear feedback to the relevant management and follow-up actions.
In 2022, standards and risk audits were carried out in accordance with the audit plan. In addition, the team carried out compliance audits to ensure that the right level of smooth-running processes was maintained. The main findings from the audits are shared quarterly with the Executive Board, the group board and the Supervisory Board's risk and audit committee. When the audits find reasons for improvement, these are recorded in improvement registers. These improvement registers are used to monitor the follow-up on improvement actions. In 2022, Heijmans added thematic audits with impact on (financially) successful projects, such as the introduction of ProjectID on construction sites (repeat), the predictability of project results, valuation of Opportunities & Risks (repeat), Procurement process, process maintenance contracts and the General Data Protection Regulation (GDPR). At the end of 2022, Heijmans completed the set-up of a tool that provides better support for the entire process, from audits and deviations to follow-up actions.
In consultations with the Executive Board and Supervisory Board, Heijmans has identified a number of focus areas for the audit programme for the coming year. The focus of the audit programme in 2023 will be on maintaining already existing processes (compliance), predictability, compliance with the General Data Protection Regulation and the embedding and implementation of the stated improvement actions.
The external auditor EY performs an audit of the annual figures. The findings from the management letter are placed alongside Internal Audit's findings and included in the improvement register. The auditor is also given access to the Chief Risk Officer reports and audit reports and attends the discussion of same in the Supervisory Board meetings.
External certification audits
Heijmans sets great store in quality and safety. To this end, the associated certifications are regularly subjected to structured audits by external bodies. The findings, any deviations and recommendations are included in Internal Audit’s quarterly reports. In 2022, Infra was once again certified by Kiwa for Safety Ladder step 4, strengthening its position to a score of 87% from 84%. Heijmans successfully completed preparatory audits at the other business units for them to also achieve the Step 4 level in 2023.
Executive Board and the risk and audit committee
The Risk Office and Internal Audit prepare quarterly reports and discusses these with the Executive Board, the group board and the risk and audit committee. The focus in these meetings is on ownership and the follow-up on mitigating measures and improvement actions.