Governance, Risk and Compliance Charter

Governance, Risk and Compliance Charter

Charter Owner Director GRC

Charter Approver Board of Management

Effective date November 15th, 2013

Date of issue Version Name Title

Group Director Governance Risk &

15 Nov 2013 1.0 Fokko Kool
Compliance

1/17
Governance, Risk and Compliance Charter

Contents
1. Introduction .................................................................................................................... 3
2. Objective ........................................................................................................................ 3
3. Scope of GRC................................................................................................................ 4
4. GRC Organizational structure ........................................................................................ 6
4.1 GRC Function ..................................................................................................... 6
4.2 Relation between GRC Function and other Functions ......................................... 6
5. Foundation of the GRC organization .............................................................................. 8
5.1 GRC is the responsibility of every employee ....................................................... 8
5.2 Role of management ........................................................................................... 8
5.3 Independence and objectivity .............................................................................. 8
5.4 Authorities and GRC Function performance ........................................................ 8
5.5 Qualifications, experience and skills .................................................................... 8
5.6 Collaboration ....................................................................................................... 9
5.7 Access ................................................................................................................ 9
6. Responsibilities on GRC .............................................................................................. 10
6.1 Supervisory Board ............................................................................................. 10
6.1.1 Audit Committee ............................................................................................ 10
6.2 Board of Management ....................................................................................... 10
6.3 GRC Functions at Group, Divisional and GC&BU level ..................................... 11
7. Ethics Committee, Risk Council and Tender Board ...................................................... 12
7.1 Ethics Committee .............................................................................................. 12
7.2 Risk Council ...................................................................................................... 12
7.3 Tender Review Board ........................................................................................ 12
8. Reporting Structure ...................................................................................................... 13
8.1 Dual reporting line ............................................................................................. 13
8.2 Periodic and immediate reporting ...................................................................... 13
8.3 Reporting responsibilities per function at Group level ........................................ 14
8.4 Reporting responsibilities at Divisional or GC&BU level..................................... 15
9. Effective date ............................................................................................................... 15
Annex I: Overview of main responsibilities per Group GRC Function .................................. 16
Annex II: Overview of main responsibilities at Divisional and GC&BU level......................... 17

2/17
Governance, Risk and Compliance Charter

1. Introduction

Imtech has expanded rapidly over the last 10 years. Recently, Imtech's management
concluded that its Governance, Risk and Compliance (hereinafter: GRC) framework was no
longer proportional to the size of its business. Additionally, due to the increased complexity
of projects, the framework needed to be enhanced. Also, it was clear from the irregularities
within Imtech that Imtech's governance and business controls were not sufficiently effective.
Due to these reasons, Imtech has strengthened its GRC framework.

This GRC Charter formalizes the enhanced Imtech GRC organization. The GRC Charter is
intended for (1) employees with a GRC Function at Group level and throughout all Imtech
businesses, such as risk managers and compliance officers, (2) Group and Divisional
Management, and (3) other Group and Divisional staff functions.

2. Objective

The purpose of the GRC Charter is to define the scope, organization, responsibilities and
reporting lines of Imtech’s GRC framework. This GRC Charter describes the framework and
its translation within the Imtech organization. It specifically defines the roles and
responsibilities of the Risk Management and Compliance Functions across Imtech’s
organization.

3/17
Governance, Risk and Compliance Charter

3. Scope of GRC

Imtech has defined the scope of GRC in the Imtech GRC framework in the chart below:

The GRC framework reflects three levels, namely (1) Imtech’s stakeholders’ expectations
and regulatory requirements require an enhanced GRC approach, (2) the executive level
that sets Imtech’s strategy and aligns Imtech’s vision, values, people and culture, and (3) the
GRC organization within Imtech. The latter is described in this GRC Charter and is based on
the following principles:

• Governance Oversight: sets the structure for on-going operation of the governance
framework, provides the hierarchy for reporting and monitoring in line with Imtech’s
decentralized management model;
• Management System: embeds the governance principles into day to day business
activities by setting clear and simple policies, supporting training activities and quality
of business controls and performance requirements;

4/17
Governance, Risk and Compliance Charter

• Risk Management: sets the organization’s risk appetite on strategic, project,

operating and compliance risks and aligns behavior with Imtech’s strategy and
expectations; and
• Incident Management: prevents and deters misconduct within the organization by
supporting that all matters that may cause harm or damage to the organization’s
reputation are reported appropriately and are dealt with in a timely and adequate
manner.

This Charter defines the responsibilities for eight GRC areas to create a structured GRC
organization. Those areas are:

1. Risk Management: contains the development and implementation of the Risk

Management Policy, process and related tooling;
1. Strategic Risk
2. Project Risk
3. Operating Risk
4. Compliance Risk
2. Governance Oversight: describes the activities required to determine the governance
structure and the applicable roles and responsibilities;
1. Governing Bodies
2. Policy Governance
3. Operation Model
3. Policies and Procedures: contains a plan regarding the development and
implementation of Imtech group policies and necessary procedures;
4. Training and Awareness: includes the activities that support the development of the
right attitudes and behaviors with respect to GRC;
5. Internal Control Framework: implements the Internal Control Framework that
substantiates the Internal Control Statements (ICS) and provides management with
more assurance on reliable (financial) reporting;
6. Incident Management: focuses on reducing potential damage, such as financial
losses and reputational harm, due to incidents (such as fraudulent reporting,
misappropriation of assets, bribery, corruption);
7. Internal Audit: enables independent assurance on defined objectives and risks; and
8. Communication and Conformance Reporting: focuses on monitoring the progress of
GRC at the organization, including taking corrective actions if necessary.

5/17
Governance, Risk and Compliance Charter

4. GRC Organizational structure

4.1 GRC Function
The Imtech organization consists of three functional levels: (1) Group, (2) Division and (3)
Group Companies and Business Units (hereinafter GC&BU’s). The Board of Management’s
GRC operational responsibility is delegated to the Director GRC. The Director GRC leads
Risk Management, Internal Audit and Compliance at Group level. Internal Audit solely
operates at Group level. Group Risk Management and Group Compliance functionally lead
the Divisional level Risk and Compliance Functions respectively. The Divisional Risk and
Compliance Functions functionally lead the GC&BU Risk and Compliance Functions
respectively. Together, the Director GRC, Group Risk Management, Group Compliance, and
the Risk and Compliance Functions form the GRC Function.

Supervisory Board and its Audit Committee

Board of Management
Group

Director GRC

Group Risk Management Internal Audit Group Compliance Mgr

Risk Council and Tender board Ethics Committee

Division

Divisional Management

Risk Management Function Compliance Function

GC&BU

GC&BU Management

Risk Management Function Compliance Function

GRC Responsibility for every employee

4.2 Relation between GRC Function and other Functions

The GRC Function, besides having its own specific topics in scope, also fulfills an umbrella
function within Imtech as several staff functions have their own GRC related responsibilities.
This umbrella function consists of coordination of and cooperation with other functions
concerning the GRC related areas. The Director GRC is responsible for reporting combined
GRC information to the Board of Management and the Audit Committee.

6/17
Governance, Risk and Compliance Charter

Responsibilities of other staff functions can include: support, investigate, report, inform,
follow up and/or monitor on GRC related areas. The responsibilities of other staff functions
on GRC include:

Communications &
HR Control Legal
CSR

- implement relevant - implement the - take into account - support GRC

policies in new hire Internal Control relevant GRC topics communication within
packages Framework in contracts the organization, e.g.
- implement monitoring - substantiate the - provide advice on via the organization’s
of completion of GRC Internal Control GRC related topics, Group Intranet
related training Statements aligned e.g. competition, on website
with the GRC function request of the - align CSR related
business indicators with GRC
related indicators

7/17
Governance, Risk and Compliance Charter

5. Foundation of the GRC organization

To support the efficacy of the GRC organization, several general foundations have to be set.

5.1 GRC is the responsibility of every employee

Every Imtech employee has the responsibility to comply with applicable laws, regulations,
standards and internal rules. Management is responsible for identifying and communicating
to each employee the minimum GRC requirements in daily business operations.
Management will also to reward or sanction employees’ performance against these
requirements. Employees must be aware, understand, and ensure they meet the GRC
obligations that impact their daily business operations.

5.2 Role of management

At all levels, management must create an environment of individual and collective
accountability, meaning the importance of meeting GRC obligations is well understood.
Management must provide sufficient resources to its GRC Functions (budget, staffing, etc.)
to ensure effective risk management and compliance in the business. Furthermore,
management should promote compliance and ethics by example. To support this, GRC will
be included in the key performance indicators (KPIs) of Management.

5.3 Independence and objectivity

Independence and objectivity are essential elements to ensuring the effectiveness of the
GRC organization. Members of the Imtech GRC Function display independence and
objectivity from the business activities of their Group, Division and GC&BU creating
countervailing powers which helps to avoid conflicts of interest.

5.4 Authorities and GRC Function performance

Imtech employees with a Risk and Compliance Function are appointed by the business in
accordance with the designed profile by the GRC Function. Decisions regarding hiring,
appraisals, terms of employment and dismissal will be taken by the relevant manager
together with the Group Director GRC. The GRC Function will monitor the performance of
the Risk and Compliance Function on divisional level based on the responsibilities described
in this GRC Charter.

5.5 Qualifications, experience and skills

Individuals who serve in an Imtech GRC Function must have the necessary qualifications,
experience and professional and personal skills to enable them to carry out their
responsibilities effectively. They must have an overall understanding of Imtech and the

8/17
Governance, Risk and Compliance Charter

commercial operation of its business. They must also understand the obligations, legislation
and standards that impact Imtech’s business.

5.6 Collaboration
The GRC Function collaborates with other functions to ensure optimal leverage with existing
approaches and methodologies. Responsibilities of other staff functions can include:
supporting, investigating, reporting, informing, following up and/or monitoring GRC related
areas.

5.7 Access
The GRC Function must, at all times, have unrestricted and direct access (in accordance
with local laws and regulations) to all activities in their area of responsibility. This includes
access to all documentation and systems, e.g. complaints register, whistleblower reports and
files.

9/17
Governance, Risk and Compliance Charter

6. Responsibilities on GRC
6.1 Supervisory Board
Imtech’s Supervisory Board is responsible for supervising the policies of the Board of
Management and the general affairs of the company, as well as providing advice to the
Board of Management. The Supervisory Board is responsible for supervising the Board of
Management with regard to the design and efficacy of the internal risk management and
control systems, risks inherent to the business activities and compliance with laws,
regulations and internal rules from a GRC Function perspective.

6.1.1 Audit Committee

The Supervisory Board established an Audit Committee from amongst its members. The
Audit Committee has specific responsibilities and tasks for which it advises the Supervisory
Board. The Audit Committee specifically focuses on internal risk management and control
systems, internal audit process and supervision of the compliance with relevant legislation
and regulations.

With regards to Risk Management, Compliance and Internal Audit, the Audit Committee’s
supervision responsibilities are described in more detail in Imtech’s Audit Committee
Charter.

6.2 Board of Management

The Board of Management manages Imtech, which means that it is responsible for achieving
Imtech’s aims, the strategy and associated risk profile, the development of results and
stakeholder’s issues that are relevant to the company.

To meet the Board of Management GRC responsibilities, the Board of Management

appointed a Director GRC to manage the GRC Function.

The Board of Management should :

• promote compliance and ethics by leading by example

• provide sufficient resources to its GRC Function (budget, staffing, etc.) for effective
GRC management in the business.
• ensures the operation of an Ethics Committee.
• ensures the operation of a Tender Review Board

10/17
Governance, Risk and Compliance Charter

6.3 GRC Functions at Group, Divisional and GC&BU level

The GRC Functions at Group level consist of the Director GRC, the Internal Audit
Department, Group Risk Management and the Group Compliance Manager. An overview of
the main responsibilities per Group GRC Function – Director GRC, Group Risk
Management, Group Compliance Manager and Internal Audit – is provided for in Annex I. An
overview of the main responsibilities per Divisional and GC&BU GRC Function – Risk
Management Function and Compliance Function – is provided for in Annex II.

11/17
Governance, Risk and Compliance Charter

7. Ethics Committee, Risk Council and Tender Board

The composition, structure and role of the Ethics Committee, Risk Council and Tender
Review Board are described in this Chapter.

7.1 Ethics Committee

The Ethics Committee facilitates the enforcement of the Code of Conduct and other
compliance activities as well as focuses on critical compliance and ethics misconduct. When
suspected misconduct is reported to the Ethics Committee, the investigation is conducted
under its guidance. The Ethics Committee may also request the Internal Audit Department to
conduct a special purpose engagement.

The Ethics Committee is chaired by the Director GRC and consists of senior executives (at
least: Corporate Secretary and Head of Internal Audit). The Ethics Committee will discuss
ethical misconduct and investigations on a regular basis and as circumstances require.

7.2 Risk Council

The Risk Council coordinates and aligns Imtech’s risk management with its common
practices. The Risk Council evaluates the Risk Management Process and discusses the
interpretation of the Risk Management Policy, Divisions Risk Manuals and related Risk
Management procedures, when needed.

The Risk Council is chaired by the Director GRC and consists of the Group Risk Managers
and Divisional Risk Managers. The Risk Council will meet on a regular basis.

7.3 Tender Review Board

The Tender Review Board oversee the tender procedures for new projects and approve
projects above certain contract value as defined in the Autorisation Matrix.

The Tender Review Board at Group level is consisting of, among others, a member of the
Board of Management and the Director GRC.

12/17
Governance, Risk and Compliance Charter

8. Reporting Structure
8.1 Dual reporting line
Within Imtech, a dual reporting line is in place to management and the GRC Function. This
dual reporting consists of operational reporting to the relevant manager and functional
reporting to the relevant GRC Function. This dual reporting structure with a separate
functional reporting line supports independence of the GRC Functions from business
activities and assists in avoiding potential conflicts of interest.

Audit Committee

Board of Director GRC

Management
GROUP LEVEL (CFO)
Group Group
Internal
Risk Compliance
Audit
Managers Manager

Risk
Divisional Compliance
DIVISIONAL LEVEL Management
Management Function
Function

Risk
GC&BU Compliance
GC&BU LEVEL Management
Management Function
Function

Functional Reporting Operational Reporting

8.2 Periodic and immediate reporting

Imtech distinguishes between periodic reporting and immediate reporting. Periodic reporting
consists of general updates, summaries or overviews that allow the operational or functional
higher level to take its GRC related responsibilities. In exceptional cases, such as in case of
serious misconduct (as described in the Incident Management Policy), a report will be send
immediately to the Director GRC.

13/17
Governance, Risk and Compliance Charter

8.3 Reporting responsibilities per function at Group level

Director GRC:

The Director GRC reports on a regular basis to the Board of Management. The report can
include information on, but not limited to, the following:

• the roll out of the GRC year plan, upcoming GRC activities and follow up activities; and
• summary of the reports of, developments in and correlation between Risk Management,
Compliance and Internal Audit, including, e.g., a summary of (suspected) misconduct
cases, proceedings on investigations and follow up.

In case of serious misconduct, the Director GRC reports immediately to the Board of
Management and the Audit Committee.

Group Risk Management:

The Group Risk Managers report on a regular basis to the Director GRC. The report can
include information on, but not limited to, the following:

• developments on the Group Risk Management Policy and Division Risk Manuals, tools
and methodologies (including training on Risk Management);
• the progress on risk assessments at divisional and GC&BU levels; and
• the projects that require Authorization To Proceed (ATP).

Group Compliance Manager:

The Group Compliance Manager reports on a regular basis to the Director GRC. The report
can include information on, but not limited to, the following:

• reports on (suspected) misconduct cases and proposed remedial and corrective actions;
• compliance progress, monitoring and follow up activities;
• significant regulatory changes in the field of compliance; and
• proposed changes in compliance related policies and other documents.

Internal Audit Department:

The Head of Internal Audit reports to the Director GRC, the Board of Management and the
Audit Committee on a regular basis. The report can include information on, but not limited to,
the following:

• the progress regarding audit planning and audit execution;

• the Internal Audit coverage in accordance with the agreed Audit Plan;

14/17
Governance, Risk and Compliance Charter

• delivery of audit services against the agreed audit plan; and

• a summary of results of the audit function’s work.

8.4 Reporting responsibilities at Divisional or GC&BU level

The Risk Management Function and the Compliance Function at Divisional or GC&BU level
will provide the Group Risk Management and Compliance Management updates on a
regular basis as well as specific information requested by the Group Risk Management,
Compliance Management and Director GRC. In case of serious misconduct, the Divisional or
GC&BU Compliance Function reports immediately to the Group Risk Management and
Compliance Management and Director GRC.

9. Effective date

This GRC Charter takes effect on November 15th, 2013.

15/17
 Governance, Risk and Compliance Charter
Annex I: Overview of main responsibilities per Group GRC Function
Director GRC
- Develop, implement and maintain
the GRC charter, plan and activities
- Ensure an independent Risk
Management, Compliance and
Internal Audit Function at Group
level and be involved in decisions
regarding hiring, appraisals, terms of
employment and dismissal of
Divisional Risk Function and
Compliance Function.
- Review and approve GRC related
Responsibilities
policies and monitor the
implementation and maintenance of
these policies.
- Coordinate the Tender Review
Board process.
- Coordinate the incident management
process and the investigations
conducted under the guidance of the
Ethics Committee.
- Monitor management effectiveness
in incorporating GRC into the
organization and regular
management activities.
- Report the status of GRC activities to
the Board of Management and Audit
Committee.
Group Risk Management
- Develop, implement and maintain the
Group Risk Management Policy.
- Review the Division Risk Manuals
and ensure they are in line with the
Group Risk Management Policy and
related procedures.
- Advise on Authorization To Proceed
(ATP) Projects.
- Provide the Board of Management
and Director GRC with a weekly
report on ATP projects.
- Oversee the tender procedures for
new projects.
- Coordinate training in risk
management for target groups at
Group and Division level in
coordination with Divisional Risk
Managers.
- Evaluate the RM implementation
within each division as well as how
this implementation complies with
the RM Policy
- Report to the Director GRC.
16/17
Group Compliance Manager
- Develop, implement and maintain
compliance related policies.
- Review the Division compliance
procedures and ensure they are in
line with the Group compliance
related policies.
- Perform compliance risk analyses as
input for Group compliance activities.
- Monitor reports on (suspected)
misconduct cases, follow up on
reported incidents and proposed
remedial and corrective actions.
- Coordinate training in compliance for
target groups at Group and Division
level in coordination with Divisional
Compliance Functions.
- Evaluate the implementation of
compliance within each division as
well as how this implementation
complies with the compliance related
policies.
- Determine follow up activities and
report to the Director GRC.
Group Internal Audit
- Develop, implement and maintain the
Group Internal Audit Charter.
- Examine and evaluate the adequacy
and efficacy of internal controls in
case of assurance services.
- Support or execute the investigation
of an incident.
- Evaluate and improve the
effectiveness of project risk
management, internal control and
governance processes.
- Execute and monitor the delivery of
audit services against the agreed
audit plan (including ad hoc special
purpose engagements).
- Summarize and present results of the
Internal Audit function’s work and
discuss these with the Board of
Management and Audit Committee.
Governance, Risk and Compliance Charter
Annex II: Overview of main responsibilities at Divisional and
GC&BU level
Risk Management Function
- Develop, implement and maintain risk
management plan at Divisional and
GC&BU level in accordance with this
GRC Charter and the Group Risk
Management Policy.
- Develop, implement and maintain
Divisional Risk Manual and Divisional or
GC&BU risk management procedures to
support this and ensure they are in line
with the Group Risk Management Policy
and related procedures.
Responsibilities
- Facilitate and participate in the project
risk management process and coordinate
that risk mitigation actions are taken at
Division, GC and/or BU level.
- Advice on Authorization To Proceed
(ATP) Projects.
- Provide the Divisional Management with
report on ATP projects on a regular basis.
- Organize training in risk management for
target groups at Division and GC&BU
level in coordination with Group Risk
Management.
- Report updates to the Group Risk
Managers and provide specific
information on request of the Group Risk
Managers and/or Director GRC.
17/17
Compliance Function
- Develop, implement and maintain
compliance plan at Divisional and
GC&BU level in accordance with this
GRC Charter and compliance related
policies.
- Develop, implement and maintain
Divisional and GC&BU compliance
procedures to support this and ensure
they are in line with the Group
compliance related policies.
- Perform compliance risk analyses as
input for Group compliance activities.
- Monitor reports on (suspected)
misconduct cases, follow up on reported
incidents and proposed remedial and
corrective actions.
- Organize training in compliance for target
groups at Division and GC&BU level in
coordination with Group Compliance
Manager.
- Report updates to the Group Compliance
Manager and provide specific information
on request of the Group Compliance
Manager and/or Director GRC.
- In case of serious misconduct, immediate
report to the Director GRC.