Risk management and internal control

Introduction
ICT Group’s risk management is an integral part of the company’s strategy. The risk management policy is the responsibility of the Executive Board and is given constant attention. The aim is to control and mitigate the most significant risks that ICT Group is or may be exposed to in an optimal fashion, while at the same time facilitating the realisation of operational and financial objectives. Our processes are designed to ensure that ICT complies with legislation and regulations. The risk management framework is reviewed once a year and discussed within the Executive Board, the Audit Committee and the Supervisory Board. It is the responsibility of the Executive Board to identify risks and to mitigate those risks by taking appropriate measures. ICT Group assesses all relevant risks according to the likelihood that they will occur and the impact they could have if they materialised, and ICT then assigns a weighting to those risks on that basis. ICT Group continuously evaluates its internal controls and takes measures to improve the controls where necessary. The table titled ‘Sensitivity analysis’ illustrates the impact of changes in ICT’s revenues, operating expenses, net debt and the interest rates.

Sensitivity analysis

Risk management and control systems
ICT has implemented internal risk management and risk control systems with a view to minimising its operating and financial risks and limiting the impact of unexpected events on balance sheet ratios and results. ICT considers risk management to be a continuous process, an essential part of which is to embed policy in control systems and procedures at every level of the organisation. ICT’s internal framework is based on entity-level controls:

Planning and control cycle
Risk management is an integral part of the planning and control cycle. This system includes the determination of the strategy and the budget and is the responsibility of the Executive Board. The Executive Board discusses the strategy extensively with the Supervisory Board every year. The Executive Board then translates strategic objectives into business plans and budgets in cooperation with the directors of ICT’s subsidiaries. The business plan contains both a financial budget and a number of concrete business objectives per legal entity and underlying business units. These objectives are translated into Key Performance Indicators (KPIs), which are measured for progress throughout the year. Important KPIs at ICT include the capacity utilisation rate, tariffs, numbers of direct and indirect FTEs and the efficiency of the company’s processes. Management evaluates these key performance indicators and financial and operational reporting to identify any deficiencies in internal controls and to monitor results.

Policies and guidelines
Management creates and maintains a culture of integrity and ethical behaviour by setting the right tone at the top. This is done by:
– Leading by example;
– Clear corporate governance practices;
– A code of conduct, which includes relevant policies such as prohibiting employees from accepting gifts from suppliers;
– A whistleblower policy;
– A quality system used to document all of ICT’s significant processes.

ICT’s management is receptive to employees’ ethical concerns and is committed to responding appropriately to misconduct. Management demonstrates adherence through their work practices and decisions. Management enforces its views through a combination of policies and procedures. When changes are made, employees are notified and changes are implemented. Management does not provide incentives or temptations that might prompt personnel to engage in dishonest, illegal or unethical acts. A whistleblowing policy is in place and personnel can report suspected incidents anonymously.

ICT implemented an internal procedure, requiring ICT management to confirm compliance with ICT’s policies and procedures, the so-called letters of representation. Given the growth of the company through acquisitions this process is increasingly important. This helps to provide the assurance the Executive Board needs to make its own in control statement. Responsibility and accountability for implementing systems and controls including fraud prevention and detection has been designated to ICT’s Finance department and is embedded in the Internal Control Framework.

Performance and quality controls
Quality management is another important pillar of the company’s risk management. ICT constantly works on improving the services that it provides to customers in whatever form. Providing services in accordance with accepted standards is embedded in the organisation as a regular process. ICT has adopted various standards, including ISO standards for information security and quality management and standards related to process maturity and safety, health and the environment. Furthermore, ICT continuously monitors the measurement of and reporting on the effectiveness and efficiency of measures taken. ICT regularly evaluates this via an audit by external parties (according to the above-mentioned standards), as well as through an internal review process related to effectiveness, suitability and correspondence with agreed norms. No critical findings have come to light in the various reviews.

ICT provides for optimum monitoring and timely identification of risks and, if necessary, mitigation of any risks that arise, through a constant process of internal controls and measurements. This risk management system with its control mechanisms and mitigating measures is a periodically recurring item on the agenda of the Audit Committee and, by extension, the Supervisory Board.

Improvements in the risk management and control systems
Our aim is to optimise the risk management system as a whole and make it as effective and efficient as possible. In 2016, we devoted particular attention to the following topics:
• Integration of recent acquisitions
• Improvements in Internal Control Framework
• Integration of ICT Group internal and external financial reporting in a consolidation tool
• Certificates / quality management; ISO 27001 improvements implemented and certification in place
• Extension of liability insurance for USA and Canada
• Extension of credit insurance (all customers and all legal entities)

For 2017, ICT has formulated a number of measures that will further improve the risk management system:
• Further integration of the internal controls in the internal financial reporting system. In this way, risks and mitigating measures at subsidiary level will also be linked to the financial reporting, making the risk management process more effective and efficient
• ISO 27001 implementation for Strypes Bulgaria

Key risk factors
Business risks are documented, identified and evaluated through ongoing assessment of internal and external events and information. The key risks we have identified are outlined below. For each risk, we indicate how these risks are mitigated, and specify our risk appetite for each risk. The order in which the risks are presented does not reflect their importance, probability or materiality. The actual occurrence of any of the following risks could have a material adverse effect on the company’s business, prospects, operations, financial condition or results. All of these risks are contingencies, which may or may not occur.

Key business risks in 2016
The business risks that have changed compared to 2015 are explained below. In 2016, we devoted extra attention to these risks to ensure that we are well prepared if they should occur.

Risks related to newly acquired companies: From 2014 onwards, ICT Group combined its strong organic development with growth through acquisitions. In the coming years as well, the full focus remains on the further execution of the strategy, aimed at organic growth combined with acquisitions. This strategy does bring with it the risk of poor integration of acquisitions. In the event that ICT acquires companies, its ultimate objective is to adequately integrate these companies into the ICT organisation. When acquiring a company, there is a risk of an undesired outflow of staff. In addition, market circumstances and forecasts may sometimes necessitate the impairment of goodwill on acquisitions.

Market risk / sensitivity to economic cycles: ICT is still too dependent on a small number of large clients / markets. The strategy of focusing our core activities on the specified business areas, diversity in customers and suppliers mitigates the influence of cyclical and incidental positive and negative trends. ICT Group manages the risks it is exposed to as effectively as possible by making carefully considered choices and spreading its activities across different markets. New business development initiatives are very important to the future development of the company. In some of these initiatives, ICT acts as a technology partner, supplier and customer of start-ups. If anything goes wrong in the chain, the impact on ICT may be twofold or threefold as a result of this multi-dimensional relationship. This relationship with start-ups can lead to financial risk (bad debt or impairment risk). ICT’s focus on new business development, in combination with an acceptable risk level, is reflected by the company’s commitment to invest 1.5% of turnover in R&D.

Revenue mix between secondment, projects, services or software development activities: to support the transition from a leading software integrator to a total technology and service provider, ICT strives to increase its higher value added revenue from projects, as well as from services and licences. Moreover, the latter provides ICT with a recurring revenue stream. ICT aims at around 30% of total revenue for both project and services & licences oriented revenue and 40% of its revenue from secondment. In this transition, unexpected or unanticipated risks in projects and the potential consequences on the financial performance are higher. Projects can be complex due to the scale, the desired functionality, the applied technology or the involvement of several parties. This can result in financial risks in projects for which ICT Group bears result responsibility. ICT works continuously on an optimally functioning internal quality and control system to minimise the risks related to the execution of projects and assignments. When the direct and full impact of a risk on the result to be achieved can be assigned to ICT, ICT will of course assume this responsibility. ICT can bear this responsibility, as it has management with the right breadth and depth of competencies and business and IT knowledge. To ensure continuity in the event of claims, ICT has a general and professional liability insurance.

Labour market scarcity: a number of competencies are scarce. The ability to attract and retain the right people is a key driver of growth. ICT strives to be an attractive employer that invests in its people and encourages entrepreneurship. ICT continuously develops and implements initiatives to reinforce this. “Bring out the best in yourself” is how ICT approaches its HR development strategy. Important elements in this approach are employee empowerment and entrepreneurship.

Inadequate funding: ICT Group combines its strong organic development with growth through acquisitions. In 2016, ICT Group extended its acquisition credit facility with Rabobank to € 11 million from € 6 million. Additionally, ICT increased its working capital credit facility to € 10 million from € 6 million. The conditions of the facilities remained unchanged. As at 31 December 2016, ICT Group had unused credit facilities totalling € 12 million (2015: € 12 million). At year-end 2016, ICT Group was operating well within the ratios stipulated by its banks. The company assesses on a quarterly basis whether it is still in compliance with the terms of its bank covenants. These developments and trends can also be seen in the map below:

Impact and trends risks in 2016

Principal risk areas
The following overview of the principal risks for ICT is not exhaustive. It is also possible that risks that have not currently been identified, or that are not regarded as material, will have a significantly adverse effect on ICT’s ability to achieve its objectives at a later date. ICT’s internal risk management and risk control systems are, in so far as possible, geared to the timely identification of such risks.

Executive Board’s in control statement
Based on the evaluations carried out, the Executive Board concludes that the risk management system, as well as the control of the business processes and the internal controls within ICT, are sufficiently professional and appropriate. The Executive Board is of the opinion that the risk management system with its controls and measurements offers a sufficient degree of certainty regarding the reliability of the financial information and the management information generated by this system and is in accordance with the relevant laws and regulations.