. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Risk management

Next Article

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Foreword

RISK ANALYSIS AND MANAGEMENT

RAI Amsterdam further enhanced its risk management activities during 2020, with policy steps taken in relation to the structural and systematic control of risks. Risk management is embedded in the strategic and operational processes. The integrated risk management system covers all levels of the operational management and all parts of the company. Risk and control measures are periodically analysed, recorded in a register and monitored. A risk & compliance board oversees progress every quarter, with the Executive Board, senior management and risk & compliance officer taking part.

The Board monitors the effective functioning of the system and, together with the company, aims for continuous improvement and strengthening. COVID-19 obviously led to a great deal of attention being paid to acute crisis management alongside the structural developments in integrated risk management. While the pandemic was an unforeseen crisis for the RAI in 2020, the company could leverage on previously developed risk control measures which certainly made the situation and impact more manageable.

Focus on realising goals

Risk management and internal control are dynamic processes. RAI Amsterdam aims to analyse and manage the risks that may arise in realising strategic, tactical and operational goals with a reasonable level of certainty. Management measures taken in this framework are focused on reducing the chance that the risk will occur and/or reducing the impact that the risk might have when it occurs.

reducing chances and/or impact

operational processes properly embedded and integrated

uncertainties

taking risks is part of business Risk management needs to be solidly embedded in the operational processes and fully applied in order to properly function. The risk management system set up by the RAI is based on the principles and starting point of standards such as ISO 31000 and COSO.

Although we try to limit them as much as possible, it cannot be excluded that certain risks not currently identified or considered significant may later have a negative effect on the capacity of the RAI to realise its goals. The COVID-19 pandemic has once again reinforced this point.

Risk attitude and tolerance

Entrepreneurship is one of the core values of the RAI. This involves the tolerance to take risks in a controlled way. The goal of risk management is therefore not to exclude risks, but to gain insights that enable us to properly address opportunities and threats.

RAI Amsterdam risk attitude RAI Amsterdam does limit its risk tolerance. Financial risks, for instance, may not threaten the financial resilience of the RAI. The RAI always aims for a healthy safety margin with regard to its main financing ratio (net debt/EBITDA) of 15%. This implies a continuous availability of contracted financing capacity of at least 10 million euros as a liquidity buffer. This buffer has certainly proven its value in 2020.

RAI Amsterdam aims to be a safe place to meet and is aware of its responsibilities in keeping our locations and events secure, healthy and accessible. In addition, we limit all safety and health risks as much as possible. Compliance with laws and regulations is the starting point. The RAI seeks to minimise the risks of non-compliance and applies a very low tolerance in this field. Integrity is important and the RAI applies a zero-tolerance policy with regard to bribery and corruption. The risk attitude of RAI Amsterdam can be schematically represented as follows:

Risicohouding RAI Amsterdam

first line:

operational management

second line: risk &

compliance function

Organisation in accordance with 'three lines of defence' model

In setting up its risk management system, RAI Amsterdam applied the 'three lines of defence' model, a structure of measures comprised of an operational line, risk management function and internal audit function.

The first line of defence is primarily responsible for the operational management and takes ownership of controlling related risks. This is realised via a proper set-up of the organisation, which involves both structure and processes as well as culture.

The second line of defence consists of the risk & compliance function that supervises the set-up and functioning of the risk management system. The second line reports to the Board and line management.

third line: internal audit The third line of defence comprises an independent internal audit function. Based on an internal audit plan that is updated annually, the function supervises the set-up, existence and functioning of the administrative organisation, internal audit and control measures.

At this time, RAI Amsterdam has an internal audit approach that is limited to ISO certifications. The form and definition of the approach will be further broadened in 2021.

'Three lines of defence'-model

internal: Supervisory Board

external accountant

strategic risks

Supervision

The Supervisory Board monitors the operational management of RAI Amsterdam, among others. It approves (changes to) the risk management policy, and risk management is regularly included on the agendas of meetings of the audit committee and Supervisory Board. The Supervisory Board employs the external accountant and approves its audit plan on an annual basis.

The external accountant also acts as supervisor and monitors the set-up, existence and functioning of the administrative organisation and internal supervision based on an annually updated audit plan. The external accountant reports to the Supervisory Board via a management letter and an accountant statement in the annual report.

Risks

An update of the risk assessment was implemented during 2020 in light of the current developments & crisis situation and adjusted goals of the organisation. Due to the explicit link to the actualised goals of RAI Amsterdam, risk management strengthens the crisis management and performance management. In total there are 18 risks which are considered most relevant.

The uncertainty caused by the COVID situation is described in this chapter under ‘changing environmental factors’.

Evaluating the actual risks for RAI Amsterdam involves assessing both the current risk of an incident occurring and the current consequences (measured in financial terms) this might have on RAI Amsterdam.

current risk and consequences

evaluation of risk impact The combination of the current risk and current consequences determines whether the current risk level is seen as low, medium or high. The evaluation explicitly takes into account the monitoring procedures and measures taken to mitigate the relevant risk. The determination of risk and consequence is indicated in the matrix table. The letters in the matrix indicate the type of risk, with S representing strategic risks, O operational risks, and F financial/administrative risks. The associated numbers refer to the specific risks as described above. The colours represent the following risk levels: low (blue), medium (grey) and high (red).

Main risks and mitigating measures

strategic portfolio policy and developing new business Increasing competition The commercial playing field and competitive position of RAI Amsterdam can be affected by activities or developments by competitive parties and potential partners. These market developments have been further strengthened by the pandemic. With this in mind, the RAI has developed a strategic portfolio policy and keep a close eye on the market position of its portfolio. The merits of and conditions related to potential partners are identified. This is translated into a market strategy for each domain. The new business process is aimed at developing new propositions with or without partnerships.

Changing environmental factors

four tracks to survive the

COVID pandemic

strategic and operational agility

maximum focus on cashflows

cyber security policy defined, measures being realised The pandemic hit the RAI very hard and is therefore the most relevant external environmental factor, one which is having enormous consequences. How the crisis will develop in the future remains uncertain, but the impact on the RAI is clearly long term. While it remains uncertain how and when restrictions related to travel and event visits will be lifted, the RAI continues to believe in the strength of personal meetings. To get through the COVID crisis, the RAI established a crisis management approach focused on four tracks: the fast reopening of the RAI, securing financial continuity, the accelerated development of new revenue models, and the further modernisation of the venue into an attractive multifunctional location. In concrete terms, these points were translated into the further development of COVID protocols, a focus on cash management, cutbacks and a reorganisation, early refinancing, making use of COVID-related government support schemes such as NOW and GO-C, a maximum focus on digital and hybrid events, and the further development of our local area and the logistical concept for the RAI.

Strategy realisation and change management Strategic and operational manoeuvrability are crucial in turbulent times. The RAI addressed this by establishing a crisis organisation at an early stage and applying the existing crisis management protocol. A newly enhanced strategy was translated into a four-track policy, and the related risks and insecurities were systematically mapped. Alignment with the various stakeholders (shareholders, Supervisory Board, municipality and works council) was intensified, and a reorganisation was prepared and realised. Transition plans per department helped make the effects and risks manageable, and the number of flex workers was reduced. This resulted in a major corporate financial contribution to the survival of the company. A commercial task force focused on client relations and managing the postponement and cancellation of events. Relevant conditions in the standard contracts supported their efforts and mitigated the negative effects. An operational taskforce developed COVID protocols and managed the impact on employees and the venue. The innovation platform accelerated the development of new revenue models, such as digital and hybrid events, while the IT infrastructure was adapted to facilitate working from home. Finally, the financial taskforce supervised the various programmes, analysed scenarios, enhanced the focus on cash flows and succeeded in continuing and expanding the RAI’s financing.

Financial risks Financial risks usually originate from underlying strategic, operational or compliance risks, and the related control measures take place within the spectrum of financial management and treasury. In 2020, the RAI responded to the COVID crisis via a savings programme with a maximum focus on cashflows. The current loan portfolio was refinanced, resulting in a more flexible commitment and an extension of the term. The RAI also benefited from the NOW government subsidy scheme and obtained GO-C corporate financing in late 2020.

Cash management was intensified and scenario-based planning is helping the organisation through this challenging period.

Cybercrime Cybercrime is one of the greatest threats to businesses worldwide, and RAI Amsterdam is not immune. We have therefore defined a cyber security policy and are taking organisational and physical measures to mitigate this risk as much as possible. A periodical external audit of the

integrated safety management system developed

compliance management, integrity policy, stakeholder management & communication policy soundness of these measures is part of this approach.

Safety en security RAI Amsterdam is a multifunctional venue where in normal times lots of people come together. This implies health & safety risks for visitors and employees and the risk of damage to or theft of their property. The RAI has therefore developed an integrated safety management system that involves a risk-based focus on strategic and operational safety management issues. The effective functioning of these measures is monitored. COVID protocols for safely visiting the RAI venue were logically a major focal point throughout the year.

Reputation Any damage to the reputation of the RAI can have major long-term consequences so a range of instruments have been deployed to mitigate these. A compliance management system has been set up to ensure that laws and regulations are closely observed. An integrity policy helps prevent undesirable or dishonest behaviour. Client reputations are constantly monitored and translated into actions. Intensive stakeholder management is partly focused on consolidating the good reputation of the RAI, while a corporate communication policy ensures effective communication to all stakeholders.