The Executive Board is ultimately responsible for risk management within the company and sets the risk acceptance level. In addition, every Heijmans employee is aware of their role in the management and/or mitigation of the risks to which the company is exposed. Heijmans’ risk management and internal control process is essential to our business model and is implemented at three levels in the organisation:
- The first line is the operation responsible for implementing and complying with agreed procedures and managing the associated operational risks and specific project risks. In this respect, we recognise the following gradation:
  - the management of project-level risks from project development, design and construction to completion and maintenance: primary responsibility project and/or line management.
  - the management of business risks of the portfolio of projects and sales, general and administrative costs at business area level: primary responsibility business area management.
  - the management of the portfolio of projects across business areas and business risks at group level: primary responsibility Executive Board.
- The second line includes the Risk Office, Legal and Compliance and analyses and tests the substance of the risk profile, develops and improves control measures, codifies lessons learned and ensures that these are implemented in the first line.
- The third line (Internal Audit) monitors the correct compliance with and effectiveness of the control measures through an audit programme and reports periodically to the Executive Board, group board and the Risk and Audit committee.

The Executive Board reports to the Supervisory Board’s Risk and Audit committee on risk management processes. The Risk and Audit committee and the Executive Board receive independent information on risk management activities from both the CRO (substantive reporting on Heijmans’ risk profile) and Internal Audit (reporting on risk-driven process testing). In order to advise on and prepare the Supervisory Board’s decision-making, the Risk and Audit committee assesses the quality of reporting and the effectiveness of Heijmans’ internal risk management and control systems. The Risk and Audit committee reports its observations and findings to the full Supervisory Board.
This structured process enables Heijmans to take risks in a controlled manner. Constant monitoring of the external environment and the operational and financial results is an inherent part of our way of working.
Risk Office
The second line of risk management includes a Risk Office led by the CRO. The objective of the Risk Office is to permanently raise risk management and a risk-aware culture to a higher level at every level and across the entire organisation. In addition, the CRO and the Risk Office act as a (substantive) second pair of eyes on project, portfolio and business risks. The CRO and the Risk Office are independent of the business areas, with the CRO reporting directly to the Executive Board. The Risk Officers are based in the various Heijmans business units, so they are a mix of experienced specialists and young potentials, frequently with project-related knowledge and experience. After a period with the Risk Office, a specialist returns to the business and is succeeded by a new experienced specialist from that business. For Heijmans, an active period as a Risk Officer is an important part of succession planning and leadership development.
Heijmans regularly evaluates the activities of the Risk Office and makes adjustments if this proves necessary. In addition, process meetings deal with and adjust elements Heijmans-wide, which results in the continuous improvement of both risk awareness and risk management. These process meetings discuss and make improvements on issues such as the weighting model for project categorisation, tender board presentation, use of supporting tools, adjustment of formats used, etc.
Risk Officers are involved in categorising projects for pre-qualification and project selection. They provide an independent opinion on the risk profile of all project risk category 3 tenders and the larger and more risky project risk category 2 tenders. They are deployed for both the substantive design of second-line risk management and the substantive performance of independent risk reviews of tenders and projects under construction. This involves testing the effectiveness of our main business processes. In the CRO report, the CRO provides a quarterly update on the development of Heijmans’ business risk profile.
The CRO is also consulted in the selection of partners for larger projects based on a predefined weighting framework and reports their findings to the Executive Board.
Internal Audit
Heijmans has an internal audit team whose primary task is to initiate and realise sufficient risk-driven process audits, including clear feedback to the relevant management and follow-up actions.
In 2023, standards and risk audits were carried out in accordance with the audit plan. In addition, the team carried out regular compliance audits to ensure that the right level of smooth-running processes was maintained. The findings from the audits are compared with the main risks identified by Heijmans and the associated risk acceptance.
The main findings from the audits are shared quarterly with the Supervisory Board’s Audit and Risk committee, the Executive Board and the management of the business areas. In the year under review, the entire audit programme was incorporated in a tool that records audit planning, audits, findings and follow-up actions for the entire company. When audits give rise to remedial or improvement actions, these are assigned to action holders and responsible parties. A dashboard gives us increasing insight into the nature and scope of the findings, and actions can be set out Heijmans-wide and risk-driven. In consultation with the Executive Board and Supervisory Board, a number of focus areas for the audit programme have been designated for the coming audit year, which runs from April to March. The focus of the audit programme will be determined in the first quarter of 2024. In line with expectations, the focus will be on maintaining existing processes (compliance), predictability, compliance with the General Data Protection Regulation, evaluation of investment cases and the embedding and implementation of the identified improvement actions.
External auditor
The external auditor EY performs an audit of the annual figures. The findings from the management letter are placed alongside Internal Audit’s findings and included in the improvement register. The auditor is also given access to the CRO and audit reports and attends the discussion of these reports at Supervisory Board meetings at least once each year.
External certification audits
Heijmans sets great store by quality and safety. To this end, the associated certifications are regularly subjected to structured audits by external bodies. The findings, any deviations and recommendations are included in Internal Audit’s quarterly reports. In 2023, Heijmans was multi-site certified for the ISO 9001, ISO 14001 and VCA** and VCA-P standards. Heijmans thus demonstrates that it has uniform processes and working methods, with room for customisation where necessary. In addition, this reduces the audit burden on the organisation. With the exception of recently acquired companies, the whole of Heijmans is now certified for Safety Culture Ladder level 4.
Executive Board and the Risk and Audit committee
The Risk Office and Internal Audit prepare quarterly reports and discuss these with the Executive Board, the group board and the Risk and Audit committee. The focus in these meetings is on ownership and the follow-up on mitigating measures and improvement actions. In 2023, the chairman of the Audit and Risk committee was briefed in more detail on the tool deployed to monitor audit planning, the recording of findings and the follow-up on actions. A dashboard enables us to better analyse findings and, looking towards the future, to focus the audit programme on risks that are undesirable on the basis of our risk appetite.