Risk management and internal control


ICT Group’s risk management is the responsibility of the Executive Board. Risk management forms an integral part of the company’s strategy. The main objective is to control and mitigate the most significant risks that ICT Group is or may be exposed to, while at the same time facilitating the realisation of operational and financial objectives. ICT Group continuously evaluates its internal controls and takes measures to improve these controls where necessary. The Executive Board discusses the risk management framework regularly with the Audit Committee and the Supervisory Board. In 2017, ICT took significant steps to further strengthen the risk and internal control framework. The position of Chief Information Security Officer was created to reflect the increasing importance of information security within the ICT Group. Risks related to information and cyber security have been added to the risk framework and are reflected in the risk impact/probability chart and risk overview presented in this chapter. Furthermore, it was decided to implement an internal audit function within the Group due to the company’s growth and the consequently increased need for process improvements and alignment.

Risk management and control systems

ICT has implemented internal risk management and risk control systems with a view to minimising its operating and financial risks and to limit the impact of unexpected events on balance sheet ratios and results. ICT considers risk management to be a continuous process, an essential part of which is to embed policy in control systems and procedures at every level of the organisation.

ICT’s internal framework is based on Entity-level controls:

Important elements of ICT’s Control Framework

Planning and control cycle
Risk management is an integral part of the planning and control cycle. This system includes the determination of the strategy and the budget and is the responsibility of the Executive Board. The Executive Board discusses the strategy extensively with the Supervisory Board every year. The Executive Board then translates strategic objectives into business plans and budgets in cooperation with the directors of ICT’s subsidiaries. The business plan contains both a financial budget and a number of concrete business objectives per legal entity and underlying business units. These objectives are translated into Key Performance Indicators (KPIs), which are measured for progress throughout the year. Important KPIs at ICT include the capacity utilisation rate, tariffs, numbers of direct and indirect FTEs and the efficiency of the company’s processes. Management evaluates these key performance indicators and financial and operational reporting to identify any deficiencies in internal controls and to monitor results.

Policies and guidelines
Management creates and maintains a culture of integrity and ethical behaviour by setting the right tone at the top. This is done by:

  • Leading by example;
  • Clear corporate governance practices;
  • A code of conduct, which includes relevant policies such as prohibiting employees from accepting gifts from suppliers;
  • A whistleblower policy;
  • A quality system used to document all of ICT’s significant processes.

ICT’s management is receptive to employees’ ethical concerns and is committed to responding appropriately to misconduct. Management demonstrates adherence through their work practices and decisions. Management enforces its views through a combination of policies and procedures. When changes are made, employees are notified and changes are implemented. Management does not provide incentives or offer temptations that might prompt personnel to engage in dishonest, illegal or unethical acts. A whistleblowing policy is in place and personnel can report suspected incidents anonymously.
ICT implemented an internal procedure, the so-called letters of representation, requiring ICT management to confirm compliance with ICT’s policies and procedures. Given the growth of the company through acquisitions this process is increasingly important. This helps to provide the assurance the Executive Board needs to make its own in control statement. Responsibility and accountability for implementing systems and controls, including fraud prevention and detection, has been designated to ICT’s Finance department and is embedded in the Internal Control Framework.

Performance and quality controls
Quality management is another important pillar of the company’s risk management. ICT constantly works on improving the services that it provides to customers in whatever form. Providing services in accordance with accepted standards is embedded in the organisation as a regular process. ICT has adopted various standards, including ISO standards for information security and quality management and standards related to process maturity and safety, health and the environment. Furthermore, ICT continuously monitors the measurement of and reporting on the effectiveness and efficiency of measures taken. ICT regularly evaluates this via an audit by external parties (according to the above-mentioned standards), as well as through an internal review process related to effectiveness, suitability and correspondence with agreed norms. No critical findings have come to light in the various reviews.

ICT provides for optimal monitoring and timely identification of risks and, if necessary, mitigation of any risks that arise, through a constant process of internal controls and measurements. This risk management system with its control mechanisms and mitigating measures is a periodically recurring item on the agenda of the Audit Committee and, by extension, the Supervisory Board.

Sensitivity analysis

The table below illustrates the impact of changes in ICT’s revenues, operating expenses, net debt and the interest rates.

Improvements in the risk management and control systems in 2017

In 2017, ICT took significant steps to further strengthen its risk management and controls:

Full integration of recent acquisitions
In 2017, we completely integrated both Nozhup, one of ICT’s largest acquisitions, and HTS within ICT Netherlands. Both entities have been integrated within ICT Automatisering Nederland B.V. The people and processes now operate fully in line with the ICT Group policies and guidelines. BMA and Raster – both acquired before 2017 – operate autonomously within the ICT Group but were aligned this year with ICT Group’s back-office systems, including the HR and financial systems.

Cyber security
Cyber security can pose significant risks to both ICT and its customers. ICT appointed a Chief Information Security Officer (CISO), who is responsible for developing strategy and policies aimed at information security, implementation and monitoring of information security and data privacy. The CISO will direct information security for the whole Group and fulfils a central role in managing all processes involved.

Internal controls
The control framework was expanded to include all ICT subsidiaries. In 2017, the focus was on the implementation of the internal controls in the field of cyber security and data protection.

Internal audit
In 2017, the Supervisory Board, based on the Audit Committee’s advice, decided that a formal internal audit function be created with the appointment of an internal auditor in 2018, reporting to the CEO and the Audit Committee.

Integrated reporting
In 2017, ICT took the first steps towards integrated reporting. The Executive Board, in consultation with the Supervisory Board, defined ICT’s long-term value creation model. Furthermore, the company conducted a stakeholder assessment. Based on the dialogue with stakeholder groups, the company defined the material topics for ICT Group. These material topics are in line with the company’s risk framework, as can be seen in the risk overview.

ICT has added specific cyber and data protection insurance policies to its corporate insurance coverage.

Further certification
In 2017, ICT initiated ISO 27001 implementation for Strypes Bulgaria.

Given ICT’s buy and build strategy and the ongoing expansion of the ICT Group, adequate internal controls are a continuous area of attention. Both the strengthening of the internal control framework at the existing ICT subsidiaries, as well as the implementation of the internal controls at newly (and to be) acquired and integrated entities require constant attention and additional steps. Given the company’s growth path, implementing uniform processes and controls is important to safeguard the quality of ICT’s solutions and services, which in turn is vital for sustainable longer-term growth. ICT has therefore identified the following focus areas for further improvement in 2018:

  • Cyber security will continue to be one of the main focus areas.
  • Further define and implement the internal audit function within the group. The search for the internal auditor has already commenced. The internal auditor will set up and lead ICT Group’s Internal Audit Function and develop and execute a group-wide risk-based Internal Audit Plan in consultation with the Executive Board, the Audit Committee and the external auditor.
  • After strengthening the internal controls in the fields of finance, HR and Cyber security at our subsidiaries, in 2018 these controls will be further expanded to the operations of our subsidiaries. This means more process descriptions, improvement and alignment. Our internal audit function will be instrumental in this.
  • Further steps in integrated reporting will be taken.

Key risk factors

ICT Group assesses all relevant risks according to the likelihood that they will occur and the impact they could have if they materialise, and ICT then assigns a weighting to those risks on that basis. The key risks we have identified are outlined below. For each risk, we indicate how these risks are mitigated, and specify our risk appetite for each risk. The order in which the risks are presented does not reflect their importance, probability or materiality. The actual occurrence of any of the following risks could have a material adverse effect on the company’s business, prospects, operations, financial condition or results. All of these risks are contingencies, which may or may not occur.

Key business risks in 2017

Cyber security risks
Digital security is crucial and nowadays affects every aspect of daily life, in business and society. Information security is becoming more and more important and the complexity will only increase. ICT’s solutions are mostly embedded in the heart of its customers’ operations. Digital risks involve issues such as privacy, phishing, cybercrime, internet fraud and even IT terrorism. ICT runs the risk of being fined if it does not comply with the new privacy legislation that comes into effect in 2018. Furthermore, the reputation risk can be very significant.

Clear policies and procedures are necessary to mitigate these risks. Providing its services in accordance with accepted standards is embedded in the organisation as a regular process. ICT has adopted various standards and obtained a number of certifications, including ISO standards for information security (ISO 27001), medical devices (ISO 13485) and quality management (ISO 9001), and standards related to process maturity and safety, health and the environment. Furthermore, information security requires central coordination, not only within ICT Automatisering Nederland B.V., but also in coordination with our other subsidiaries. The newly appointed Chief Information Security Officer plays a pivotal role in this.

Creating awareness, not only among our own people but also at the customer, is vital in mitigating these risks. Every new employee receives training on information security management.

ICT’s growth strategy is based on both organic growth and growth through acquisitions. This strategy does entail the risk of poor integration of acquisitions. In the event that ICT acquires companies, its ultimate objective is to adequately integrate these companies into the ICT Group. When acquiring a company, there is a risk of an undesired outflow of staff and a drop-off in operational performance. In addition, market circumstances and forecasts may sometimes necessitate the impairment of goodwill on acquisitions. However, ICT is building a track record in the successful integration of newly acquired companies. This was demonstrated particularly well in 2017, with the smooth integration of one of ICT’s largest acquisitions, Nozhup.

Labour market scarcity
The ability to attract and retain the right people is a key driver of growth. And this is becoming more crucial as talent is increasingly scarce. ICT strives to be an attractive employer that invests in its people and encourages entrepreneurship. ICT continuously develops and implements initiatives to reinforce this. “Bring out the best in yourself” is how ICT approaches its HR development strategy. Important elements in this approach are employee empowerment and entrepreneurship. ICT’s approach to being the employer of choice is further elaborated on in the section ICT – an ambitious employer.

Labour market scarcity also results in incremental costs to attract highly talented people. These costs can result in the risk of serious margin pressure. ICT tries to mitigate this risk by continuously moving up the value chain, where additional margin can be realised. We are also shifting toward more scalable projects and selling an increasing number of solutions. ICT has always been known for its high quality and this should also translate into higher fees. And lastly, ICT tries to create awareness among its customers that as talent is becoming increasingly scarce, it is also becoming more expensive.

New business development
Innovation is very important for the future development of the company. The pace of the new technological developments is constantly increasing. ICT’s focus on new business development, in combination with an acceptable risk level, is reflected in the company’s commitment to invest 1.5% of turnover in R&D. However, new business development initiatives carry a higher risk. In particular, the impact can be even higher in initiatives where ICT has different roles, such as technology partner, supplier or customer of start-ups. This relationship with start-ups can lead to financial risk (bad debt or impairment risk).

Inadequate project control
Projects can be complex due to the scale, the desired functionality, the applied technology or the involvement of several parties. This can result in financial risks in projects for which ICT Group bears result responsibility. ICT works continuously on an optimally functioning internal quality and control system to minimise the risks related to the execution of projects and assignments. To ensure continuity in the event of claims, ICT has a general and professional liability insurance. As the projects ICT is involved with are increasing in size, both the impact and the probability of the associated risks are likely to increase and will be addressed with appropriate risk mitigation measures.

These developments and trends can also be seen in the map below:

Principal risk areas

The following overview of the principal risks for ICT is not exhaustive. It is also possible that risks that have not currently been identified, or that are not regarded as material, will have a significantly adverse effect on ICT’s ability to achieve its objectives at a later date. ICT’s internal risk management and risk control systems are, in as far as possible, geared to the timely identification of such risks.

Executive Board’s in control statement

The Executive Board is responsible for the design and operation of the internal risk management and control systems. In discharging this responsibility, the Executive Board has made an assessment of the effectiveness of the design and operation of the internal control and risk management systems.
In accordance with best practice 1.4.3 of the Dutch corporate governance code of December 2016 and taking into account the aforementioned assessment, the Executive Board confirms to the best of its knowledge and belief, that:

  • the report provides sufficient insights into any deficiencies in the effectiveness of the internal risk and control systems;
  • the internal risk management and control systems of the company provide reasonable assurance that financial reporting does not contain any material inaccuracies;
  • there is a reasonable expectation that ICT Group will be able to continue its operations and meet its liabilities for at least twelve months, therefore, it is appropriate to adopt the going concern basis in preparing the financial reporting;
  • there are no material risks or uncertainties that could reasonably be expected to have a material adverse effect on the continuity of ICT Group’s operations in the coming twelve months.

It should be noted that the above does not imply that these systems and procedures provide absolute assurance as to the realisation of operational and strategic business objectives, or that they can prevent all misstatements, inaccuracies, errors, fraud and non-compliance with legislation, rules and regulations. Nor can they provide certainty that we will achieve our objectives.

Executive board responsibility statement

The Executive Board is responsible for preparing the financial statements and the annual report in accordance with Dutch law and International Financial Reporting Standards (IFRS as adopted in the EU). Pursuant to article 5:25c of the Financial Supervision Act, the Executive Board, taking into account the above, confirms that, to the best of its knowledge, (i) the financial statements give a true and fair view of the assets, liabilities, financial position and profit or loss of the company, and (ii) the Report of the Executive Board includes a fair review of the position at the balance sheet date and the development and performance of the business during the financial year, (iii) together with a description of the principal risks and uncertainties that the company faces.

Barendrecht, 1 March 2018
Executive Board

J.H. Blejie
W.J. Wienbelt