Taking risks is an inherent part of doing business. At Heijmans, risk management is not an afterthought, but a strategic component. We want to make sure we manage the most important risks responsibly, and that is why risk management is an essential part of Heijmans' culture. We focus on supporting sustainable value creation for all our stakeholders: shareholders, employees, clients, subcontractors and society as a whole. It is essential for us that risks are managed using a systematic approach, so that we can achieve our strategic ambitions through a sound structure and demonstrable control.
Within this framework, risk management is a key part of our governance, strategy and operational steering. We approach risks not only as potential threats, but also as opportunities that can contribute to our 'Together towards 2030' strategy.
In line with the Dutch Corporate Governance Code, additional attention was required in 2025 to obtain assurances regarding risk management for operational, compliance, reporting and sustainability risks and controls. These form part of the updated risk framework that Heijmans has set up to this end.
In this updated risk framework, Heijmans has structured its risk taxonomy into eighteen identified risk areas. For the ten of these risk areas that are relevant to the Risk Management Statement (RMS), it has been assessed whether the control measures are adequately designed and effective. The findings per risk area have been assessed against the degree of assurance applicable to that risk area.
For operational and compliance risks, Heijmans provides an appropriate degree of assurance that the risks are managed effectively. This can be substantiated by the fact that:
- the internal risk management and control systems adequately cover Heijmans' most material risks (in line with its risk appetite);
- Heijmans has an understanding of the design of the measures and processes that mitigate such risks;
- Heijmans has an understanding of how these measures and processes work in practice.
Heijmans risk framework
Heijmans uses the COSO ERM model as the basis for its risk framework to identify, assess and manage risks, with a focus on internal controls. The framework takes into account current developments such as cybersecurity and emphasises the importance of risk management for strategy and performance.
The Heijmans risk framework — covering risk strategy, risk culture, risk landscape, risk appetite, the risk management cycle, governance and internal control — provides the guideline for our approach. By using a uniform risk framework that includes the risk areas relevant to Heijmans, we ensure there is a transparent link between initial risks and control measures. We use these insights to make targeted strategic and operational decisions, to control risks and, where necessary, to mitigate such risks within the defined risk appetite.
Risk strategy
Our risk strategy is aimed at only accepting risks that are controllable and manageable, balanced with earning capacity and appropriate to the desired risk profile. Our portfolio choices are focused on a more robust project portfolio, with fewer very large projects, more medium-sized projects and a growing share in recurring business (including services and maintenance).
In doing so, we apply the following core principles:
- A conscious balance between risk and return: we only accept risks for which we have assessed the impact, control measures and associated returns in advance.
- Preference for a robust portfolio: over the past five years, we have moved our decisions towards medium-sized projects, construction team and two-phase contracts, and recurring business, particularly within Connecting. This has reduced the overall risk profile compared with more traditional large contracts.
- Manage strategic risks proactively and seize opportunities: instead of taking a reactive approach to management, we focus on strengthening our value proposition through innovation, sustainable development and collaboration throughout the value chain.
Risk philosophy
We do not view risk management as a bureaucratic obligation, but rather as an integral part of our business operations, where every employee takes responsibility.
Governance and operating model
We work according to the traditional three-line model within all risk categories:
- First line: the operational business areas, projects and staff departments are responsible for identifying, managing and monitoring risks in day-to-day operations. This applies both at project level (development, construction, maintenance and services) and at portfolio level within the business streams Living, Working and Connecting.
- Second line: the Risk Office, led by the CRO, as well as Legal Affairs and Compliance, led by the General Counsel, act as an independent monitoring and advisory function. They analyse and assess the risk profile, develop control measures and report to the Executive Board and the Audit and Risk Committee of the Supervisory Board.
- Third line: Internal Audit monitors the effectiveness of the control framework and reports independently to the Executive Board and the Audit and Risk Committee of the Supervisory Board.
The Executive Board is ultimately responsible for risk management and sets the risk appetite level. The Audit and Risk Committee and the Supervisory Board assess the effectiveness of internal control and reporting. Quarterly reports from the Risk Office and Internal Audit ensure continuous monitoring and feedback. Escalation paths are clear. All high-risk projects are discussed with the Executive Board and the Risk Office; deviations outside the margins for the risk profile require explicit approval. Partner selection and types of contract are secured through clear decision-making frameworks, where the Risk Office is consulted for high-risk projects.
Risk culture, training and awareness
An open, transparent and actionable culture of ownership is essential for effective risk management. Exemplary conduct from management and a speak-up culture are encouraged through the Code of Conduct, the Zakelijk Zuiver programme and the GO! Compass. Security, integrity and privacy are embedded in programmes and training courses, including the Risk Management Masterclass, GDPR and security training courses and awareness-raising programmes such as 'Working safely with data'. The effectiveness of culture programmes is measured regularly.
Risk landscape and risk appetite
Heijmans systematically maps out its initial risks in the strategic, operational, financial and compliance areas and assesses them before taking any control measures. These risks are then actively mitigated with targeted measures to limit the probability and/or impact of adverse events. The residual risk is the risk that remains after application of such control measures.
The tables below give a brief description of Heijmans' gross risks, the most important control measures and the associated risk appetite for each risk category. The impact shows how the risk affects Heijmans. The trend describes the development of the risk in the reporting year.
| Strategy | Description of gross risk | Risk and risk appetite | Control measures |
|---|---|---|---|
| Economic conditions | Economic conditions, such as market cycles and regulation (nitrogen or PFAS, for example), cause unpredictable fluctuations in turnover and returns. | | Heijmans has a structured crisis management and multidisciplinary business continuity organisation to ensure continuity through a safe and healthy approach. (Macro)economic conditions are closely monitored, and mitigating measures are defined and prepared so as to anticipate changing economic conditions in the best possible way. |
| Climate change and energy transition | Climate change and the energy transition are essential for the future viability of our planet. The main risks lie in acting too slowly towards an economy that minimises emissions of harmful substances. Significant investments are required to reduce emissions and lower the ecological footprint of Heijmans and its clients. There is also a risk that Heijmans will not respond to climate-related changes in the construction sector in good time. We see an increase in this risk due to the energy transition and the resulting grid congestion. | | Heijmans has been following a roadmap to become CO₂-neutral since 2023, primarily by making production processes and facilities more sustainable. We develop data-driven, climate-adaptive solutions. Since 2024, we have been targeting zero Scope 1 and 2 emissions (with offsetting), striving to halve Scope 3 emissions by 2030 and aiming for close to zero Scope 3 emissions by 2040 (without offsetting). |
| Innovative power | There is a risk that investments in innovation do not deliver timely, sustainable and scalable technologies that contribute to future challenges and strategic objectives. | | Heijmans works together with universities, knowledge institutions and (high-tech) companies, allowing us to benefit from external knowledge and expertise and therefore work more effectively. By taking advantage of technological developments in the areas of digitalisation, industrialisation, electrification, connectivity and advanced analytics, Heijmans offers safer, faster and higher-quality products and services, with a significantly lower carbon footprint. Our 'Hive' building offers plenty of space for innovation, knowledge sharing and learning. Innovative projects are received with enthusiasm, particularly when they are small-scale. |
| Availability of workforce | Availability of workforce refers to the extent to which an organisation is able to attract, train and retain sufficient staff with the right qualifications. | | Heijmans recognises that professionals are essential to the company's success. As such, Heijmans focuses on diversity, inclusion, training, leadership, career development and attracting young talent. Heijmans also invests in employment potential, such as newcomers, and in digitalisation as well as modular and industrial production to reduce dependence on scarce staff in the event of shortages. |
| Mergers and acquisitions | Incorrect acquisition or merger decisions can lead to financial write-offs, loss of value, integration issues, a mismatch with Heijmans' business model, loss of trust among stakeholders, and loss of strategic market positions. | | Heijmans mitigates M&A risks by carefully assessing the strategic fit in advance, structurally monitoring integration risks and anchoring all M&A decisions in the formal ERM and governance process. |
| (Geo)political conditions | The risk that geopolitical or national changes, such as conflict, sustainability regulations or trade barriers, have a negative effect on Heijmans' operations. Geopolitical tensions, such as the war in Ukraine and trade conflicts (such as between the United States and China), increase the risks of economic instability, rising inflation and disrupted supply chains around the world. Businesses are facing strategic dependencies, while cyber threats and physical security risks are on the rise. This requires increased resilience and risk coverage. | | Heijmans assesses the impact that changes to regulations, trade or international stability may have on projects, chain partners and operational continuity. Geopolitical risks form part of the wider Enterprise Risk Management process. This ensures that the Executive Board and the Supervisory Board pay systematic attention to them. |
| Commercial and competition | The risk that Heijmans does not return an optimal performance on the Dutch market due to factors such as competition, market size, quality issues, changing client needs, potential dissatisfaction, pricing and (financial) pressure from suppliers. We have seen the market continue to stabilise over the past year. | | Heijmans mitigates these risks by strictly checking commercial decisions for strategic fit, to ensure that opportunities are in line with the business model and support value creation. In addition, market developments and client needs are monitored systematically to enable timely adjustments. |
| Operational | Description of gross risk | Risk and risk appetite | Control measures |
|---|---|---|---|
| Safe and healthy working environment | An unsafe workplace or building site can lead to physical and mental harm. | | Heijmans prioritises safety and complies with all relevant standards. We encourage a proactive safety culture in the workplace and in social interactions. Our GO! programme and Step 4 of the Safety Culture Ladder are the driving force in this regard. Integrity is key, and we treat everyone with respect. The compliance programme includes the Code of Conduct, the Transaction Register for Real Estate and the 'Zakelijk Zuiver' workshop for employees. "We work safely, or we don't work at all." |
| Project execution | Project execution can lead to loss-making and/or unpredictable projects and result in dissatisfied clients if mitigating actions are not taken on time. There is a risk of missing out on references and follow-up orders when clients are not satisfied. | | Heijmans manages project risks through selective tendering and a focus on portfolio management. Projects and service contracts are approved according to the authorisation matrix; Category 3 projects require approval from the Board and the CRO. Contract rules and mandatory controls give projects structure. The Risk Office independently assesses the risk profile, and Status Update Projects (SUPs) track progress throughout implementation. Performance dashboards increasingly provide instant insight into performance. |
| Availability and price of materials and labour bought in | Inadequate control of inflation and price increases in the supply chain (such as subcontractors, materials and services), and limited access to qualified and cost-effective suppliers, affect the availability and price of materials and products, which can have both financial and technical implications for projects. | | Heijmans limits price risks by selecting as many regular partners as possible, making purchases in good time, and including an indexation clause in long-term contracts. Suppliers are selected and assessed based on safety, quality, cost, logistics and engineering process. Following the assessment, consultations take place to improve performance and collaboration, or to seek alternatives if necessary. |
| IT and cybersecurity | Risks include the loss of assets through theft, misuse or the inaccessibility of systems, and the leaking of confidential information or breaches of privacy rules. | | Heijmans applies GDPR and security management measures covering the availability and continuity of information, including in the event of cybersecurity breaches. This policy ensures control measures are embedded, such as drawing up guidelines and regularly conducting awareness tests with our employees. |
| Organisation and ability to learn | There is a risk that Heijmans cannot implement efficiency and effectiveness initiatives properly in practice due to insufficient capacity (quantitative and/or qualitative) and ability to learn. | | Heijmans mitigates risks relating to organisation and ability to learn by explicitly linking HR risks to the Strategy 2030, by systematic risk identification and analysis with HR, the Business and the Risk Office, and by targeted measures relating to leadership, onboarding, culture, compliance and staff availability. We map out the skills needed in the future and develop an active programme on this basis. |
| Financial position and reporting | Description of gross risk | Risk and risk appetite | Control measures |
|---|---|---|---|
| Financing and financial resilience | Up-to-date and accurate reporting of performance and financial results is important for trust in, and the success of, Heijmans. Being able to identify developments quickly allows timely adjustments to be made. Limited solvency and liquidity reduce business space, while a limited grip on finances and poor preparation for setbacks undermine financial resilience. | | Heijmans maintains long-term relationships with renowned financial institutions and uses a spread repayment schedule. Treasury reviews and distributes warranty claims to different providers and monitors their progress. Intensive stakeholder management takes place with bilateral financiers. The strict planning and control cycle ensures continuous assessment of finances, projects and short- and long-term risks. |
| Financial reporting | There is a risk that Heijmans' financial reporting may contain material misstatements, such as with regard to turnover, work in progress or cash flows, or does not comply with the applicable legal requirements for financial reporting. In addition to reputational damage, this may result in a loss of trust among key stakeholders such as banks and shareholders. | | Heijmans mitigates reporting risks through a low risk appetite, robust internal controls, periodic reporting and external auditing. This is supported by a strict financial reporting process and Heijmans' risk framework. |
| Sustainability reporting | There is a risk that sustainability reporting does not comply with the ESRS or Article 8 of Regulation (EU) 2020/852, and that material misstatements related to quantitative non-financial reporting may occur. | | Heijmans manages sustainability reporting risks through a low risk appetite, a governance structure based on the three-line model, established CSRD processes, internal controls and external auditing. This control is supported by Heijmans' risk framework, process documentation and dashboards for monitoring (under development). |
| Laws and regulations | Description of gross risk | Risk and risk appetite | Control measures |
|---|---|---|---|
| Statutory tax | Laws and regulations are changing rapidly in the areas of sustainability, the environment, intellectual property, ICT law, cybersecurity, GDPR and the energy transition. It is therefore essential to remain vigilant and comply with all legal, tax and regulatory requirements. | | Heijmans considers compliance with laws and regulations to be a natural part of professional conduct. We identify and manage these risks in a structured manner as part of our risk framework, supported by the three-line model and a robust compliance framework. The tightening of the Corporate Governance Code (2025) saw us further deepen our internal control, demonstrating that measures are well-structured and effective. We systematically address any shortcomings to ensure we can continue to rely on integrity and reliability in our business operations. |
| Contract management, insurance and legal affairs | From a legal perspective, there is a risk related to the incorrect management of project-related contracts and to ensuring that insurance is adequately maintained. In addition, there may be legal and criminal proceedings that have a negative impact on Heijmans' reputation and public image. | | Heijmans limits risks related to contract management, insurance and legal affairs through the strict control of contracts. This includes change and overtime management and an independent review of contracts by the General Counsel. A careful and balanced insurance policy prevents deviations from contracts, claims or legal procedures from causing financial harm or reputational risks that exceed the risk appetite. |
| Integrity and conduct | There is a risk that Heijmans employees deliberately fail to comply with internal rules or legislation, which may lead to unfair competition, conflicts of interest, corruption, bribery, fraud, use of inside information or inappropriate conduct. | | Heijmans manages integrity and behavioural risks through, among other things, a Code of Conduct, cultural and awareness programmes (Zakelijk Zuiver), clear reporting procedures, and a robust governance and compliance structure based on the three-line model and the compliance framework. |
Risk management cycle
The risk management process is cyclical in nature and structured as follows:
- Identification: risks and opportunities are systematically mapped out at group, business stream and project level. In doing so, we use tools such as risk matrices and heat maps.
- Analysis: this forms the basis for determining which risks are prioritised and which control measures are necessary.
- Assessment: risks are assessed for probability and impact, with impact covering financial, reputational and social aspects.
- Control: this is ensured using risk and control matrices, contract rules, tender boards and portfolio management.
- Monitoring and reporting: risk profiles are evaluated on a regular basis. The CRO's dashboard report gives the Executive Board and the Supervisory Board insight into the development of the risks. Additional insights arise from Status Update Projects, periodic reviews of projects in progress and the planning and control cycle. Improvement actions are logged and monitored centrally.
This cycle is embedded in the governance and management structure and ensures that risk management is not a one-off action, but an integral part of our business operations. Heijmans continuously monitors the effectiveness of the measures taken and adjusts them where necessary to ensure that the risk profile remains in line with the strategic objectives, risk appetite and the stakeholders' interests.
Development of the risk profile
Heijmans' risk profile is shifting due to both internal professionalisation and dynamics in our environment. Internally, our operational base remains stable, but requires an increasing focus on innovation and change projects as well as more integrated considerations. In the updated risk framework – where strategy, culture, risk appetite and internal control come together – we see that operational risks such as safety, project execution and learning ability are stable, but that strategic and regulatory risks are increasing slightly due to the changing environment. The implementation of the 'Together towards 2030' strategy is becoming increasingly relevant to the risk profile, which means that adherence to a uniform, demonstrable risk management process remains essential.
Externally, we are in a complex and volatile environment. Government initiatives around residential construction create opportunities while at the same time increasing our dependency on political and administrative decision-making and nitrogen regulation. Structural bottlenecks such as grid congestion, electrification, the granting of permits and shortages on the labour market can lead to delays and higher failure costs, while margin pressures from inflation and sector bankruptcies can affect the financial risk profile. In addition, compliance and sustainability risks are increasing due to stricter (environmental) legislation and the introduction of the CSRD. All of this increasingly requires integrated, transparent and verifiable control. Continuous monitoring, strengthening governance and ensuring risk discipline are crucial in order to continue to achieve our (strategic) objectives within the defined risk appetite.
Internal control and assurance
In order to ensure the reliability and effectiveness of our risk management, we have established a comprehensive control and assurance framework that includes governance, policy structure, authorisations, business process systems and certifications. Internal Audit carries out risk-driven audits and monitors the follow-up of actions.
The external auditor audits the financial statements, the Management Report and the sustainability statement, and external certifications safeguard quality, safety and the environment (including ISO 9001/14001, VCA, the CO₂ Performance Ladder and SCL). Acquisitions focus on the harmonisation of management systems and certifications, while maintaining entrepreneurship within the framework.
- Heijmans risk framework: standards, procedures and measures are set out that apply at Group, business stream and project level.
- Self-assessments: line management periodically carries out self-assessments on compliance and the operation of control measures.
- Control of reporting risks: when determining (non-)financial reporting risks, specific control measures are defined in risk control matrices for quantitative data points. These matrices describe the control activities carried out by the line to ensure the completeness, accuracy and transparency of the data.
- Internal control statements: in accordance with the laws and regulations, the Executive Board is responsible for the operation of internal risk management and control systems.
- Role of Internal Audit: carries out audits of selected process elements, reports findings to the Executive Board and the Audit and Risk Committee, and advises on follow-up actions.
- External assurance and certifications: in addition to the work performed by the external auditor, attention is paid to external standards such as ISO, the CO₂ Performance Ladder and SCL (safety certification) to support systematic control.
- Follow-up of findings: audit findings are made visible in a dashboard and assigned to responsible action owners, and progress is actively monitored via reports.
This set-up ensures that we not only define control measures, but also actively check whether they are effective and continue to focus on ongoing improvement.