In 2018 ICT further strengthened its risk management and internal control framework with the appointment of an internal auditor. Due to the company’s growth there is an increased need for process improvement and alignment. These and other elements are part of the internal auditor’s remit. Given ICT’s growth path, implementing uniform processes and controls is important to safeguard the quality of the company’s solutions and services, which in turn is vital for sustainable longer-term growth. Therefore during the year under review ICT again focused on its internal controls, both at newly acquired companies NedMobiel and InTraffic and within the group as a whole, specifically internal controls aimed at cybersecurity and data protection.
Risk management and control systems
ICT has implemented internal risk management and risk control systems with a view to minimising its operating and financial risks and to limit the impact of unexpected events on balance sheet ratios and results. ICT considers risk management to be a continuous process, an essential part of which is to embed policy in control systems and procedures at every level of the organisation.
ICT’s internal framework is based on Entity-level controls:
Important elements of ICT’s Control Framework
Planning and control cycle
Risk management is an integral part of the planning and control cycle. This system includes the determination of the strategy and the budget and is the responsibility of the Executive Board. The Executive Board discusses the strategy extensively with the Supervisory Board every year. The Executive Board then translates strategic objectives into business plans and budgets in cooperation with the directors of ICT’s subsidiaries. The business plan contains both a financial budget and a number of concrete business objectives per legal entity and underlying business units. These objectives are translated into Key Performance Indicators (KPIs), which are measured for progress throughout the year. Important KPIs at ICT include the capacity utilisation rate, tariffs, numbers of direct and indirect FTEs and the efficiency of the company’s processes. Management evaluates these key performance indicators and financial and operational reporting to identify any deficiencies in internal controls and to monitor results.
Policies and guidelines
Management creates and maintains a culture of integrity and ethical behaviour by setting the right tone at the top. This is done by:
- Leading by example;
- Clear corporate governance practices;
- A code of conduct, which includes relevant policies such as prohibiting employees from accepting gifts from suppliers;
- A whistle-blower policy;
- A quality system used to document all of ICT’s significant processes.
ICT’s management is receptive to employees’ ethical concerns and is committed to responding appropriately to misconduct. Management demonstrates adherence through their work practices and decisions. Management enforces its views through a combination of policies and procedures. When changes are made, employees are notified and changes are implemented. Management does not provide incentives or offer temptations that might prompt personnel to engage in dishonest, illegal or unethical acts. A whistleblowing policy is in place and personnel can report suspected incidents anonymously.
ICT has an internal procedure in place, the so-called letters of representation, requiring ICT management to confirm compliance with ICT’s policies and procedures. Given the growth of the company through acquisitions this process is increasingly important. This helps to provide the assurance the Executive Board needs to make its own in control statement. Responsibility and accountability for implementing systems and controls, including fraud prevention and detection, has been designated to ICT’s Finance department and is embedded in the Internal Control Framework.
Performance and quality controls
Quality management is another important pillar of the company’s risk management system. ICT constantly works on improving the services that it provides to customers in whatever form. Providing services in accordance with accepted standards is embedded in the organisation as a regular process. ICT has adopted various standards, including ISO standards for information security and quality management and standards related to process maturity and safety, health and the environment. Furthermore, ICT continuously monitors the measurement of and reporting on the effectiveness and efficiency of measures taken. ICT regularly evaluates this via an audit by external parties (according to the above-mentioned standards), as well as through an internal review process related to effectiveness, suitability and correspondence with agreed norms. No critical findings have come to light in the various reviews.
ICT provides for optimal monitoring and timely identification of risks and, if necessary, mitigation of any risks that arise, through a constant process of internal controls and measurements. This risk management system with its control mechanisms and mitigating measures is a periodically recurring item on the agenda of the Audit Committee and, by extension, the Supervisory Board.
The table below illustrates the impact of changes in ICT’s revenues, operating expenses, net debt and the interest rates.
Improvements in risk management and control systems in 2018
In 2018 ICT again took important steps to further enhance its risk management and control systems.
Integration of recent acquisitions
In 2018 ICT acquired NedMobiel and InTraffic. Both acquisitions were financially integrated into ICT Group in the course of the year. NedMobiel and InTraffic operate autonomously within ICT Group but have adopted the group’s reporting and controlling standards.
Cyber security can pose significant risks to both ICT and its customers. ICT’s Chief Information Security Officer (CISO) is responsible for developing strategy and policies aimed at information security, and for the implementation and monitoring of information security and data privacy. The CISO directs information security for the whole Group and fulfils a central role in managing all processes involved. During 2018 ICT focused on further improving its information security processes. In addition, ICT implemented a new privacy and awareness training for all employees and an information security monitoring tool called Naris.
Given ICT’s buy and build strategy and the ongoing expansion of the ICT Group, adequate internal controls continue to be an area of attention. Both the strengthening of the internal control framework at the existing ICT subsidiaries, as well as the implementation of the internal controls at newly (and to be) acquired and integrated entities require constant attention. In 2018, the focus was on the integration of two new subsidiaries (NedMobiel and InTraffic), and on the improvement of internal controls in the field of cyber security and data protection.
In 2018 ICT appointed an internal auditor. During the year the internal auditor got acquainted with the company and set up the internal audit function. For this purpose interviews were held with business unit managers, department heads and other key staff. The internal auditor explored ICT’s products, people, processes, procedures and culture, and met with the external Audit team. Based on a risk assessment, a risk-based audit plan was drawn up for the first year. The internal auditor focused on assessing the status of the GDPR implementation, project controls and the progress made implementing financial and operational controls within subsidiaries that operate autonomously.
Security certifications were achieved for ISAE3402 type 1 for Service processes, ISO27001 for Strypes EOOD and an automotive-specific security standard. ICT also extended the ISO27001 (information security) certification from 5 specific units to ICT Netherlands BV as a whole due to scaling advantages.
Focus in 2019
In 2019 ICT intends to focus on the following:
- Internal controls in the fields of finance, HR and cybersecurity will be rolled out further to our subsidiaries, particularly the companies acquired in 2018. This means more process descriptions, process improvement and alignment.
- The first steps for setting up a shared service centre for the back-office processes of ICT Group subsidiaries will be taken.
- Cybersecurity and GDPR will continue to be the main focus areas.
- The internal auditor will continue to develop and execute a group-wide risk-based Internal Audit Plan in consultation with the Executive Board, the Audit Committee and the external auditor.
Key risk factors
ICT Group assesses all relevant risks according to the likelihood that they will occur and the impact they could have if they materialise, and ICT then assigns a weighting to those risks on that basis. The key risks we have identified are outlined below. For each risk, we indicate how these risks are mitigated, and specify our risk appetite for each risk. The order in which the risks are presented does not reflect their importance, probability or materiality. The actual occurrence of any of the following risks could have a material adverse effect on the company’s business, prospects, operations, financial condition or results. All of these risks are contingencies, which may or may not occur.
Key business risks in 2018
Cyber security risks
Digital security is crucial and nowadays affects every aspect of daily life, in business and society. Information security is becoming more and more important and the complexity will only increase. ICT’s solutions are mostly embedded in the heart of its customers’ operations. Digital risks involve issues such as privacy, phishing, cybercrime, internet fraud and even IT terrorism. ICT runs the risk of being fined if it does not comply with the new privacy legislation that came into effect in 2018. Furthermore, the reputation risk can be very significant.
Clear policies and procedures are necessary to mitigate these risks. Providing its services in accordance with accepted standards is embedded in the organisation as a regular process. ICT has adopted various standards and obtained a number of certifications, including ISO standards for information security (ISO 27001), medical devices (ISO 13485) and quality management (ISO 9001), and standards related to process maturity and safety, health and the environment. Furthermore, information security requires central coordination, not only within ICT Automatisering Nederland B.V., but also in coordination with our other subsidiaries. The Chief Information Security Officer plays a pivotal role in this. Our internal auditor is also focused on monitoring progress.
Creating awareness, not only among our own people, but also at the customer, is also vital in mitigating these risks. Every new employee receives training on information security management.
ICT’s growth strategy is based on both organic growth and growth through acquisitions. This strategy does entail the risk of poor integration of acquisitions. In the event that ICT acquires companies, its ultimate objective is to adequately integrate these companies into the ICT Group. When acquiring a company, there is a risk of an undesired outflow of staff and drop off of operational performance. In addition, market circumstances and forecasts may sometimes necessitate the impairment of goodwill on acquisitions. However, ICT is building a track record in the successful integration of newly-acquired companies. During 2018 ICT acquired NedMobiel and InTraffic. Progress of integration processes and business performance of these new subsidiaries were in line with expectations.
Labour market scarcity
The ability to attract and retain the right people is a key driver of growth. And this is becoming more crucial as talent is increasingly scarce. ICT strives to be an attractive employer that invests in its people and encourages entrepreneurship. ICT continuously develops and implements initiatives to reinforce this. “Bring out the best in yourself” is how ICT approaches its HR development strategy. Important elements in this approach are employee empowerment and entrepreneurship. ICT’s approach to being the employer of choice is further elaborated on in the section ICT – an ambitious employer.
Labour market scarcity also results in incremental costs to attract highly talented people. These costs can result in the risk of serious margin pressure. ICT tries to mitigate this risk by continuously moving up the value chain, where additional margin can be realised. We are also shifting toward more scalable projects and selling an increasing number of solutions. ICT has always been known for its high quality and this should also translate into higher fees. And lastly, ICT tries to create awareness at its customers that as talent is becoming increasingly scarce, it is also becoming more expensive.
New business development
Innovation is very important for the future development of the company. The pace of new technological developments is constantly increasing. ICT’s focus on new business development, in combination with an acceptable risk level, is reflected in the company’s commitment to invest 1.5% of the company’s added value in research & development. In addition to the creation of solutions tailored to the customer’s requirements, ICT increasingly develops proprietary solutions. Furthermore ICT is also responding to the relatively new low-coding trend in software development using its Motar solutions for the high-tech and automotive industries.
These new business development initiatives bring broader opportunities but also carry a higher risk. The impact can be even greater in initiatives where ICT takes on different roles, such as that of technology partner, supplier or customer of start-ups. This relationship with start-ups can also entail financial risk (risk of bad debt or impairment).
New business models
The establishment of OrangeNXT provides increased focus on Software as a Service offerings. This business model is robust and increases ICT’s recurring revenue stream while also having a different dynamic and risk profile. Business models such as this require relatively more investment in software development than traditional business models. Also, more cash is required in the start-up phase and revenue is generated later in time. Given the relatively small scale of these initiatives and the company’s restricted investment of around 1.5% of added value for Research & Development, ICT takes a prudent approach toward such investments.
Inadequate project control
Projects can be complex due to the scale, the desired functionality, the applied technology or the involvement of several parties. This can result in financial risks in projects for which ICT Group bears result responsibility. ICT works continuously on an optimally functioning internal quality and control system to minimise the risks related to the execution of projects and assignments. To ensure continuity in the event of claims, ICT has a general and professional liability insurance. As the projects ICT is involved with are increasing in size, both the impact and the probability of the associated risks are likely to increase and will be addressed with appropriate risk mitigation measures.
These developments and trends can also be seen in the map below:
Impact and trends risks in 2018
Principal risk areas
The following overview of the principal risks for ICT is not exhaustive. It is also possible that risks that have not currently been identified, or that are not regarded as material, will have a significantly adverse effect on ICT’s ability to achieve its objectives at a later date. ICT’s internal risk management and risk control systems are, in as far as possible, geared to the timely identification of such risks.
Executive Board’s in control statement
The Executive Board is responsible for the design and operation of the internal risk management and control systems. In discharging this responsibility, the Executive Board has made an assessment of the effectiveness of the design and operation of the internal control and risk management systems.
In accordance with best practice 1.4.3 of the Dutch corporate governance code of December 2016 and taking into account the aforementioned assessment, the Executive Board confirms to the best of its knowledge and belief, that:
- the report provides sufficient insights into any deficiencies in the effectiveness of the internal risk and control systems;
- the internal risk management and control systems of the company provide reasonable assurance that financial reporting does not contain any material inaccuracies;
- there is a reasonable expectation that ICT Group will be able to continue its operations and meet its liabilities for at least twelve months, therefore, it is appropriate to adopt the going concern basis in preparing the financial reporting;
- there are no material risks or uncertainties that could reasonably be expected to have a material adverse effect on the continuity of ICT Group’s operations in the coming twelve months.
It should be noted that the above does not imply that these systems and procedures provide absolute assurance as to the realization of operational and strategic business objectives, or that they can prevent all misstatements, inaccuracies, errors, fraud and non-compliances with legislation, rules and regulations. Nor can they provide certainty that we will achieve our objectives.
Executive board responsibility statement
The Executive Board is responsible for preparing the financial statements and the annual report in accordance with Dutch law and International Financial Reporting Standards (IFRS as adopted in the EU). Pursuant to article 5:25c of the Financial Supervision Act, the Executive Board, taking into account the above, confirms that, to the best of its knowledge, (i) the financial statements give a true and fair view of the assets, liabilities, financial position and profit or loss of the company, and (ii) the Report of the Executive Board includes a fair review of the position at the balance sheet date and the development and performance of the business during the financial year, (iii) together with a description of the principal risks and uncertainties that the company faces.
Barendrecht, 28 February 2019