Risk management
RISK MANAGEMENT AS A CORE TASK OF MANAGEMENTRisk management is a core task of the management. Risk identification and risk assessment are the responsibility of the respective management level. Our risk management process involves our integrated quality management system, supporting central divisions and central staff divisions with technical, legal and administrative service and consulting activities and the internal audit department as a neutral and independent auditing entity.
Responsibility for the implementation of the project risk management systems in the divisions has been assigned to the commercial division managers. The central division Project Risk Management System/Organisational Development/International BRVZ Coordination handles the continuous improvement and development of the risk management system for the procurement and execution of construction projects.
All STRABAG leadership employees, within the scope of their duties and responsibilities, and in accordance with the Rules of Procedure and relevant company regulations, are obliged to
- work with the employees to set risk identification measures,
- monitor the risks,
- introduce countermeasures, and
- pass on relevant information about risks to other units or levels within the company. This requirement especially applies to all employees of the STRABAG Group.
The STRABAG SE Management Board prohibits engaging in business transactions whose realisation could endanger the company’s existence.
RISK MANAGEMENT USING DEFINED RISK GROUPS
The group’s internal risk report defines the following central risk groups:
- External risks
- Operating and technical risks
- Financial risks
- Ethical risks
- Human resource risks
- IT risks
- Investment risks
- Legal risks
- Political risks
Following ISO 31000 and the Committee of Sponsoring Organisations of the Treadway Commission (COSO), our risk management system forms part of our integrated management system. We deal with the risks identified by us as follows:
EXTERNAL RISKS COUNTERED THROUGH DIVERSIFICATION
The entire construction industry is subject to cyclical fluctuations and reacts to varying degrees depending on region and sector. Overall economic growth, development of the construction markets, the competitive situation, the conditions on the capital markets and technological changes in construction can all result in risks. These risks are continually observed and monitored by the central departments and operating units. Changes in external risks lead to adjustments in STRABAG’s organisation, its market presence and its range of services and to the adaptation of its strategic and operational planning. STRABAG further counters market risk through geographic and product-related diversification in order to minimise the influence of an individual market or the demand for certain services on the success of the company.
OPERATING AND TECHNICAL RISKS REDUCED THROUGH BINDING MINIMUM STANDARDS
These risks primarily include the complex risks associated with project selection and execution along with the technical risks that need to be assessed for each project, such as subsoil, geology, construction methods, technology, building materials, equipment, design, work planning, etc. An integral part of the project risk management system are minimum standards with group-wide validity for the procurement and execution of construction projects (common project standards). These comprise clearly defined criteria for the evaluation of new projects, a standardised process for the preparation and submission of bids, and integrated internal control systems serving as a filter to avoid loss-making projects. Business transactions requiring approval are reviewed and approved in accordance with the internal rules of procedure.
Depending on the risk profile, bids must be analysed by internal commissions and reviewed for their technical and economic feasibility. The construction and project teams can contact the experts at the central divisions BMTI, TPA, ZT and SID for assistance in assessing the technical risks and working out innovative solutions to technical problems. Project execution, monitored by monthly target/performance comparisons, is managed by the construction or project team on-site using documented procedures. At the same time, our central controlling department provides constant back-office support for the project, ensuring that risks of individual projects do not jeopardise the continued existence of the company.
FINANCIAL RISKS: ACTIVE LIQUIDITY AND RECEIVABLES MANAGEMENT
Under financial risks, STRABAG understands risks in financial matters and in accounting, including instances of manipulation. Special attention is paid to the liquidity and receivables management, which is secured through continuous financial planning and daily status reports. Compliance with internal commercial guidelines is ensured by the central accounting and controlling departments, which are also responsible for internal reporting and the periodic planning process. Risks from possible instances of manipulation (acceptance of advantages, fraud, deception or other infringements of the law) are monitored by the central divisions in general and the internal audit department in particular.
STRABAG is subject to interest, currency, credit and liquidity risks with regard to its assets, liabilities and planned transactions. The goal of financial risk management is to minimise these risks through ongoing financial activities. The basic principles of the financial policy are determined by the Management Board and monitored by the Supervisory Board. The implementation of the financial policy and responsibility for the ongoing risk management are the domain of the group treasury. Detailed information can be found in the Notes under item 34 Financial Instruments.
ETHICAL RISKS COUNTERED WITH AN ETHICS AND BUSINESS COMPLIANCE SYSTEM
Given the risk of corruption and anti-competitive behaviour in the construction industry, STRABAG has implemented a set of tools that have proven effective in combating these problems. The rules for proper business behaviour are conveyed by the STRABAG ethics and business compliance system. These have group-wide validity. The STRABAG business compliance model is based on the Business Compliance Management System (BCMS) along with supplementary management directives, the Code of Conduct and the personnel structure defined for enforcement, consisting of the Chief Compliance Officer, the Corporate Business Compliance Officers and the Regional Business Compliance Officers as well as the internal ombudspersons and the external ombudsman. Details on the ethical risks are available in the Consolidated Non-Financial Report pursuant to Sec 267a of the Austrian Commercial Code (UGB)..
HUMAN RESOURCE RISKS: COUNTERMEASURES WITH CENTRAL HUMAN RESOURCE MANAGEMENT AND NEEDS-ORIENTED HUMAN RESOURCE DEVELOPMENT
Material human resource risks, such as recruiting bottlenecks, skilled labour shortages, fluctuation and labour law risks, are countered with a central human resource administration and long-term, needs-oriented human resource development. Human resource risks are to be reduced to a large extent through targeted recruiting of qualified specialists and leaders, extensive training activities, performance-based remuneration under compliance with labour law, and early succession planning. Additionally, systematic potential management is in place to ensure the development and career planning of company employees. Complementary initiatives to promote employee health, improve employment conditions and raise employee satisfaction further contribute to the company’s attractiveness and prestige. Details on the human resource risks are available in the Consolidated Non-Financial Report pursuant to Sec 267a UGB.
IT RISKS: IT USAGE GUIDELINES AND CONTINUOUS REVIEW OF SECURITY CONCEPTS TO COUNTER CYBERCRIME
With the increasing threat of IT risks, different measures are being implemented in the form of multistep security and anti-virus concepts, user access rights, password-controlled access, expedient data backups and independent power supply. The company is also working together with professional specialty service providers to ensure an efficient defence against cybercrime and is constantly reviewing its security concepts. By issuing IT usage guidelines and repeatedly informing on the necessity of risk awareness when working with information and communication technologies, we aim to ensure the security, availability, performance and compliance of the IT systems. Project ideas to improve and develop IT-related processes and control systems are evaluated and prepared through cooperation between the central divisions STRABAG Innovation & Digitalisation and BRVZ Information Technology.
INVESTMENT RISKS: SECTOR-TYPICAL MINORITY HOLDINGS OF MIXING PLANTS
The shares in mixing companies typically involve minority interests, as is usual in this sector. With these companies, economies of scope are at the fore.
LEGAL RISKS AVOIDED THROUGH EXTENSIVE RISK ANALYSIS
The central division CML Construction Services supports the risk management of the operating entities in matters of construction management and construction operation in all project phases (contract management) and provides, organises and coordinates legal advice (legal services) in this regard. Its most important tasks include comprehensive reviews and consultation in project acquisition – e.g. analysis and clarification of tender conditions, performance specifications, pre-contract agreements, tender documents, draft contracts and framework conditions – as well as support in project management.
POLITICAL RISK: INTERRUPTIONS AND DISPOSSESSION POSSIBLE
The group also operates in countries experiencing political instability. Interruptions of construction activity, restrictions on ownership by foreign investors, and even expropriations are among the possible consequences of political changes which could have an impact on the group’s financial structure. These risks are analysed during the tendering phase and assessed by internal commissions.
MANAGEMENT SYSTEM FOR WORK SAFETY AND HEALTH IN PLACE
In order to control the risks related to employee safety and health, STRABAG has implemented a work safety and health management system in accordance with ISO 45001 and/or SCC. Moreover, the company works to maintain this system and ensures a suitable emergency organisation. Specially appointed officers and representatives ensure that the group-wide work safety standards are followed. In 2020, the country-specific safety and hygiene regulations in connection with Covid-19 had to be implemented in particular. The infection figures could be kept at a very low level in most of the Group countries due to the strict implementation. The aspects of work safety and health also form part of the evaluation of subcontractors and suppliers. Details on the risks related to employee safety and health are available in the Consolidated Non-Financial Report pursuant to Sec 267a UGB.
CERTIFIED ENVIRONMENTAL AND ENERGY MANAGEMENT SYSTEM DESIRED
STRABAG is committed to reducing the negative environmental impact of its activities as far as this is technically possible and economically feasible. The company has implemented and is maintaining an environmental and energy management system based on ISO 14001 or EMAS, ISO 50001 or equivalent and – wherever possible – seeks to minimise the use of natural resources, avoid waste and promote recycling. Details on the environmental risks are available in the Consolidated Non-Financial Report pursuant to Sec 267a UGB.
QUALITY MANAGEMENT AS COMPONENT OF THE INTEGRATED MANAGEMENT SYSTEM
In accordance with its vision and values, it is the company’s aim to realise construction projects on schedule, to the highest quality and at the best price. This quality of the company’s processes, services and products must therefore be ensured at all times. To achieve this goal, quality management forms an integral component of an integrated management system. This system is documented in the Management Manual, in group directives and in subordinated provisions.
BUSINESS CONTINUITY: RIGOROUS INCLUSION OF GROUP CENTRAL DIVISIONS
The failure of equipment and production facilities, subcontractors and suppliers, human resources, the IT system or office buildings and accommodation must not be allowed to jeopardise the continued existence of the company. For this reason, precautions are taken under a business continuity management system to ensure that incidents or disasters only temporarily interrupt business activity – if at all. This includes the consistent involvement of the group’s own specialised central divisions, which can, for example, procure equipment, accommodation, IT systems or staff on short notice, build up long-term strategic partnerships with selected subcontractors and suppliers, and arrange for the audit of emergency scenarios in IT.
EVALUATION OF PARTNER COMPANIES TO REDUCE RISKS IN THE SUPPLY CHAIN
In the interest of quality and efficiency, STRABAG not only taps its own skills and resources to work off its orders, but also relies on the support of proven subcontractors and suppliers. The company focuses on long-term partnerships, a clear, transparent and complete description of the services and products to be procured, and an agreement on acceptance criteria for the products and services. STRABAG also systematically evaluates subcontractors, service providers and suppliers as part of its decision-making foundation for future orders.
A review of the current risk situation reveals that there were no risks which jeopardised the company’s existence, nor were there any visible future risks.
REPORT ON KEY FEATURES OF THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM IN RELATION TO THE FINANCIAL REPORTING PROCESS
Introduction
The control structure as defined by COSO (Committee of Sponsoring Organisations of the Treadway Commission) provides the basis for describing the key features of the internal control and risk management systems with regard to the financial reporting process in the management report. The COSO framework consists of five interrelated components: control environment, risk assessment, information and communication, control activities and monitoring activities. On this basis, the STRABAG Group has set up a company-wide risk management system in accordance with generally accepted principles. The aim of the internal control system is to support the management in such a way that it is able to ensure internal controls with regard to financial reporting which are effective and which are improved on an ongoing basis. The system is geared to the compliance with rules and regulations and to creating conditions which are conducive to performing specific controls in key accounting processes.
Control environment
The corporate culture determines the control environment in which management and employees operate. STRABAG is constantly working to improve its communication and to convey its corporate values as defined in its Code of Conduct and its Business Compliance Management System (BCMS) in order to ensure moral standards, ethics and integrity within the company and in its dealings with others. The implementation of the internal control system with regard to the financial reporting process is based on internal rules and regulations. Responsibilities for internal control have been adapted to fit the corporate organisation. The internal audit department carries out periodic reviews – announced as well as unannounced – of all relevant business units as part of its responsibility for monitoring compliance with the law and corporate guidelines in the technical and commercial areas. The internal audit department also monitors the effectiveness of business compliance. During these reviews, the internal audit department analyses the legality and correctness of individual actions. The department also conducts regular, independent reviews of compliance with internal guidelines in the area of accounting. The head of the internal audit department reports directly to the CEO. The effectiveness of the work of the internal audit department is reviewed periodically by the financial auditor. The last review was carried out in the 2019 financial year.
Risk assessment
The management identifies and monitors risks relating to the financial reporting process, with a focus on those risks that are typically considered to be material.
The preparation of the financial statements requires regular forecasts, with the inherent risk that the actual future development will deviate from the expectation. This especially affects the following matters/items of the Consolidated Financial Statements: assessment of unfinished construction projects, recognition and measurement of provisions (including social capital), the outcome of legal disputes, the collectability of receivables as well as the recoverability of investments and goodwill. In individual cases, external experts are called in or publicly available sources are considered in order to minimise the risk of a false assessment.
Control activities
All control activities are applied in the ongoing business process to ensure that errors or deviations in financial reporting are avoided or detected and subsequently corrected. The control activities range from a review of the period results to the specific monitoring of accounts and cost centres to the analysis of ongoing accounting processes. It is the responsibility of the Management Board to design the levels of hierarchy in such a way that an activity and the control of that activity are not performed by the same person (four-eyes principle). This separation of functions encompasses a separation between decision-making, implementation, review and reporting. The organisational units of the BRZV central division support the Management Board in this task.
Processes which are relevant to financial reporting are increasingly automated. IT security control activities therefore represent a cornerstone of the internal control system. The separation of sensitive activities, for example, is supported by a restrictive allocation of IT authorisations. For its accounting and financial reporting, the company mainly uses self-developed software which reflects the unique features of the construction sector. The effectiveness of the financial reporting system is further assured through automated IT controls included in the system.
Information and communication
The management regularly updates the rules and regulations for financial reporting and communicates them to all employees concerned. In addition, regular discussions regarding the financial reporting and the rules and regulations in this context take place in various committees. These committees are composed of the corporate management as well as the department head and senior staff from the accounting department. The committees’ work aims, among other things, to ensure compliance with accounting rules and regulations and to identify and communicate weak points and potential areas for improvement in the financial reporting process. Accounting employees receive regular training with regard to innovations in national and international financial reporting in order to identify risks of unintended misreporting at an early stage.
Monitoring
The Management and Supervisory Boards bear responsibility for the ongoing company-wide monitoring. Additionally, the remaining management levels are responsible for the monitoring of their respective areas of responsibility. Controls and plausibility checks are carried out at regular intervals. The internal audit department is also involved in the monitoring process.
The top management receives monthly summarised financial reports on the development of the output volume and earnings of the respective segments and countries and of the liquidity. Financial statements to be published are reviewed internally by several instances within management, receiving a final appraisal by the senior accounting staff and the Chief Financial Officer before being passed on to the Audit Committee of the Supervisory Board.