Risk management: An integral part
of our business
processes

As a result of its role as an important element of Dutch infrastructure and as a financially robust business, Royal Schiphol Group is subject to a range of strategic, operational, financial and compliance risks. Risk management is an integral part of our business processes, supported by a uniform policy which has been developed to manage these risks.

Risk profile

As an airport owner and operator, our risk profile is largely determined by our role as manager and operator of an essential part of national infrastructure. The airport infrastructure must be available 24 hours a day, seven days a week. We must facilitate safe and continuous operations and, in doing so, must rely on a number of third parties who carry out key roles as part of these operational processes.

Our business is capital intensive, with a concentration of assets at a single location. We have high fixed costs, and lead times for the development of assets are long. Our business is highly regulated and subject to economic regulation, as well as regulation and legislation governing such areas as noise and the environment, safety and security, competition, and tendering. Our business is subject to considerable public and political scrutiny.

Risk appetite

The extent to which Royal Schiphol Group is prepared to take risks to achieve its objectives differs according to each objective and risk category. Risk limits are set out in various policy documents, handbooks and company regulations, which define the specific limits and tolerances of the various operational activities.

Risk Category

Risk Appetite

Description

Strategic

moderate

Schiphol Group is prepared to take moderate risks to realise its ambitions. In doing so, we aim to strike a balance between our socio-economic role (low risk acceptance) and our commercial targets (higher risk acceptance).

Operational

very low

Schiphol Group focuses primarily on ensuring the continuity of aviation activities, regardless of circumstances. We aim to reduce the risks that threaten this continuity as much as possible. Our risk acceptance in this regard is therefore very low. In the area of safety and security, we do all we can to avoid risks that could put passengers, internal and external employees, visitors or local residents in danger.

Financial and Reporting

low

Schiphol has a low risk appetite with respect to financial reporting risk. Reliability and transparency are key values. We maintain a solid financial position in order to guarantee access to the financial markets. Schiphol is not prepared to take risks that could jeopardise its credit rating of at least 'A' (Standard & Poor's).

Compliance

very low

Schiphol Group strives to comply with all applicable laws and regulations, with a particular focus on environmental, competition, tendering, privacy/information security laws and the European Aviation Safety Agency (EASA) requirements.

Framework for risk management

Taking risks is an integral part of business. By carefully balancing our objectives against the risks we are prepared to take, we strive to conduct business operations in a socially responsible and sustainable manner. This approach will help us achieve our strategic objectives.

Our policy is based on the following principles:

  • The Management Board and management are responsible for developing and testing internal risk management and monitoring systems. These systems have been designed to identify significant risks, monitor the achievement of targets and ensure compliance with relevant legislation and regulations;
  • Effective risk management and internal monitoring systems will reduce the likelihood of errors, wrong decisions and surprises due to unforeseen circumstances;
  • Risk management has been integrated into line-management activities and into the planning and control cycle;
  • In order to thrive, an enterprise must take risks. The Management Board is responsible for determining the limits of what is acceptable (referred to as 'risk appetite').

Line managers are responsible for the implementation of risk management for the processes for which they are responsible. Financial reporting risks and related mitigating actions are recorded, tested and monitored in our risk management information tool.

The Management Board reports on and accounts for the risk management and internal control system to the Supervisory Board. Schiphol Group's most important risks and control measures were reported to and discussed with the Audit Committee of the Supervisory Board in February 2019.

Assessment of the most important risks

We use a risk matrix to assess and compare our risks, with the risks arranged based on an estimate of the likelihood of the risk arising, and an estimate of the impact of the consequences on the achievement of our business objectives. High risks have a potential impact on Schiphol's EBITDA of 25 million euros or more, or have a large non-financial impact; for example, on reputation. We have plotted the most important risks, which are described below, in the risk matrix, following implementation of control measures.

Classification of Schiphol's risks following the implementation of control measures

Risk description

Risk drivers

Mitigation in place

A.

Airport Accessibility (Landside)

Accessibility by rail and road is under pressure and is not meeting the desired level of quality

  • Congestion and passenger volumes continuing to grow
  • Various major construction and renovation projects are taking place at the same time in a relatively small area
  • No direct metro connection between Schiphol and Amsterdam
  • Pick-up and drop-off, as it creates four transport movements instead of two
  • More stringent security requirements

  • Crowd control management. Refer to: Safety of travellers and visitors
  • Digital Airport Programme (ongoing) and New road configuration (A9). Refer to: Improving landside accessibility at Schiphol in Accessibility

B.

Airport Capacity
(Airside & Terminal)

Limited capacity to achieve qualitative objectives

  • Congestion and passenger volumes continuing to grow
  • The accelerated growth in market demand for air transport, combined with the limit imposed on air transport movements, has led to a significant increase in the number of wide-body aircraft movements. The increased presence of larger aircraft resulted in shortages in our wide-body connected handling capacity
  • As Schiphol has reached the capacity cap of 500,000 flights a year, there is a greater probability of airlines not being allocated the requested slots
  • Contraction in cargo movements due to lack of slot rights
  • Dependence on third-party service providers (e.g. Royal Marechaussee and baggage handlers)

  • Speeding up security through automation. Refer to: Speeding up security through automation
  • New security lanes in Departure Hall 1. Refer to: New security lanes in Departures 1 - Airport Capacity
  • Temporary extra departure hall. Refer to: The best connections
  • New aircraft apron (M apron) officially in use since December 2017
  • Gap in the wide-body capacity per hour. Refer to Quality: Busy days require investment and Wide-body restrictions in Network of destinations

C.

Business Continuity Management

Disruption of critical business processes or functions due to a long-term or permanent loss of key facilities, utilities, IT infrastructure, personnel or key suppliers

  • Cyber and terrorist attack
  • Technical failure
  • Electrical outage
  • Fire in the Terminal
  • Crowd/congestion
  • Strikes
  • Climate change (drought, excessive rain)
  • Major projects
  • Failure points and contingency risks within the supply chain
  • Infrastructure limits have been reached, making Schiphol vulnerable to business continuity disruptions

  • Corporate Business Continuity Management Programme (ongoing)
  • IT Security Programme (ongoing). Refer to: Building IT resilience
  • Landside Security Programme (ongoing). Refer to: Landside safety
  • Emergency Power Generators
  • Integral Fire Safety Plan (ongoing). Refer to: Fire safety
  • Crowd control management. Refer to: Safety of travellers and visitors

D.

Connectivity Performance

Connectivity performance under pressure

  • The 500,000 air transport movements limit reached well in advance of 2020
  • No new slots available
  • Shrinking support base for growth beyond 2020 in connection with concerns on sustainable performance
  • Increasing competition from other hub airports within Europe/ME that have undergone rapid growth
  • Cargo flights under pressure due to slot scarcity

  • Operational measures aimed at noise and emissions reductions
  • Coordination with sector to reduce environmental impact (e.g. via 'Smart and Sustainable' action plan)
  • Permanent dialogue with political and public authority stakeholders at local, regional, and national level
  • Exploring opportunities with airlines to optimise network
  • Support airlines in route and business development to maintain network
  • Support maintaining cargo volumes

E.

Environmental Regulatory Changes

Impact of new/increased environmental regulation

  • New Climate law (2019) - no inclusion of international aviation yet
  • Lack of national policy for managing PFOS-contaminated land
  • Air Quality Act (ultra)fine particles
  • Multi-year agreement Energy efficiency (ends in 2020)
  • Environmental Standards and Enforcement System - interpretation of WHO advice on noise
  • Buildings Decree. New and existing offices must have energy label C by 2023

  • Stakeholder dialogues on various issues related to new and existing environmental regulation
  • Plan for ultra-fine particles
  • Schiphol sustainability strategy
  • Participate in consultations

F.

Information Security

Failure to implement or update technologies, processes and practices designed to protect networks, computers, programmes and data from attack, damage or unauthorised access (e.g. denial of service attacks, data exfiltration)

  • Unauthorised access (e.g. cyber attack)
  • Use by third parties
  • Data integrity

  • IT Security Programme (ongoing). Refer to Refer to: Building IT resilience:
  • Life-cycle Management
  • Change Management
  • Back-up and restore
  • Logical access

G.

Project Execution

Failure to deliver project benefits on time, within budget and with the required quality

  • Unrealistic tactical (project) planning (lack of a masterplan, overly ambitious forecasting, poor initial risk assessment, high pressure from stakeholders)
  • Inability to define all relevant project requirements at the start of the project due to complex multi-stakeholder specification process
  • Significant changes in requirements during design and/or construction stage of a project
  • Failure to deliver the requirements
  • Failure to identify, assess, manage relevant project risks
  • Buoyant market results in fewer bids being received during the tender processes
  • Lower supplier risk appetite. RSG contract risk perceived as too high
  • Contractors/consultants not performing as required
  • Lack of required resources during project delivery

  • Project Portfolio Management
  • Risk-based tactical and project planning
  • Project Change and Risk Management processes
  • Quality management processes
  • Performance management (new) Main Contractors
  • Professional project management and development capabilities
  • Safety Management System
  • Market consultation processes

H.

Regulation & Compliance

Violation of laws, internal policies, or Code of Conduct

  • Aviation Sector is highly regulated
  • The high number of operating parties
  • Lack of awareness of laws & regulations
  • Compliance and integrity incidents

Refer to: material aspect Integrity

I.

Safety & Security

Risk of a serious safety & security incident

  • Bird Strikes
  • Construction failures
  • Crowd
  • Fire in the Terminal
  • Major projects
  • Runway incursions
  • Terrorist and cyber attacks

Refer to: material aspect Safety & Security

J.

Workforce

Inability to attract and retain personnel

  • Tight labour market conditions (IT, Digital capabilities)
  • Inability to attract the right capabilities
  • High number of external personnel
  • Mismatch between available jobs and personnel
  • Digital transformation
  • High turnover of young professionals

Refer to: material aspect Employment practices

Financial risk factors

Due to the nature of its activities, Schiphol Group faces a variety of risks, including market risk, counterparty risk and liquidity risk. The financial risk management programme (which is part of Schiphol Group’s overall risk management programme) focuses on the unpredictability of the financial markets and on minimising any adverse effects this may have on Schiphol Group’s financial results.

Schiphol Group uses derivative financial instruments to hedge certain risks. Financial risk management is carried out by the central treasury department (Corporate Treasury) and is part of the approved Management Board policy. In addition to drawing up written guidelines for financial risk management, the Management Board determines the policy for specific key areas, such as currency risk, interest-rate risk, credit risk, the use of derivative and non-derivative financial instruments, and the investment of temporary liquidity surpluses.

For a more detailed description of financial risk management, reference is made to note 29 of the financial statements.

Statement of the Management Board

We aim to reduce the likelihood of errors, wrong decisions and the impact of surprises due to unforeseen circumstances as much as possible. However, there are no absolute guarantees, and we cannot exclude the possibility of being exposed to risks of which we are currently unaware, or which may not yet be considered important at this time. No risk management or internal control system can provide an absolute safeguard against failure to achieve corporate objectives, nor fully prevent any possible loss, fraud or breach of rules and regulations.

In addition, as an airport, Schiphol is susceptible to adverse weather conditions and other natural phenomena; we simply cannot prevent or influence these. We can, however, ensure that the consequences remain as limited as possible.

In light of the above, we believe that the risk management and internal control systems provide a reasonable degree of assurance concerning financial reporting risks, and that the financial reporting does not contain any material misstatements.

The Management Board declares that, to the best of its knowledge:

  • the financial statements give a true and fair view of the financial assets, liabilities, financial position and profits of Schiphol Group, as well as the combined consolidated enterprises;
  • the financial statements have legitimately been prepared on a going concern basis for Schiphol Group, given its strong financial position;
  • the annual report describes the material risks and uncertainties that are relevant to the assessment of the continuity of Schiphol Group for a period of 12 months following the date of the report;
  • the annual report gives a true and fair view of the situation on the balance sheet date and of developments over the course of the financial year; and
  • the principal risks facing Schiphol Group are described in this annual report.
Next:

Relevant
non-financial
indicators