4.1 Risk management
In the ordinary course of business, BAM is willing to take risks while benefitting from opportunities. Risk management is an essential activity to ensure risks and opportunities are identified and addressed in a controlled manner. The company’s risk management activities are designed to support long-term value creation.
Risk management framework
In line with the requirements of the Dutch Corporate Governance Code, BAM’s risk management framework is based on the Enterprise Risk Management - Integrated Framework (updated in 2017) of the Committee of Sponsoring Organisations of the Treadway Commission (‘COSO ERM framework’). It provides a standardised framework for identifying risks, mitigating actions and implementing controls. BAM’s risk management framework is reinforced by the integration of internationally recognised standards, which are embedded across its operations to support proactive identification, assessment and mitigation of strategic, operational, financial and compliance risks. Among others, these include several ISO standards (e.g. ISO 45001 Occupational health and safety; ISO 14001 Environmental management systems; and ISO 27001 / NIST Cybersecurity frameworks). The risk management framework facilitates the management of BAM’s activities in a controlled manner and in accordance with the strategy and related risk appetite.
BAM recognises that while Artificial Intelligence (AI) offers opportunities for efficiency and innovation, it also poses risks. These include ethical and compliance challenges, data privacy concerns, operational reliability and regulatory uncertainty. AI risks are integrated into BAM's enterprise risk management framework and BAM policy framework in alignment with regulatory requirements (e.g. EU AI Act).
The Executive Board is responsible for risk management and maintaining an effective control system. The Executive Board is supported by the Risk and Control Committee (RCC) and supervised by the Supervisory Board. The RCC's role is to coordinate and advise on the implementation of the risk management framework, enabling an integration of risk management and the control system. The RCC is chaired by the CFO and includes risk and control specialists as well as representatives from both divisions.
The risk and control function, at Group level and in the divisions, supports the Executive Board and senior management in risk management activities. This includes providing support in performing risk assessments and monitoring the design and operating effectiveness of control procedures.
Risk management activities are subject to a three lines model to facilitate robust governance and efficient implementation throughout the organisation.
Key risk areas and risk appetite
The identification of BAM’s key risk areas is a process that includes establishing the risk appetite by the Executive Board. This is followed by structured risk assessments to determine the risk profile and the monitoring of mitigating actions. The key risk areas are categorised into strategic, operational, financial and compliance risks.
Risk appetite is defined as the level at which BAM is willing to accept risk in the ordinary course of business to achieve its objectives. The risk appetite is established in accordance with the company’s strategy. The Executive Board validates the risk appetite of key risk areas on an annual basis. It also performs a reassessment when required because of a change in facts or circumstances, such as a change in laws and regulations or change of strategy.
The company’s general risk appetite per risk category is as follows:
- Strategic risks – BAM takes a balanced approach to risk and reward to achieve its strategic objectives and continues to invest in innovation through digital and sustainable technologies and solutions;
- Operational risks – BAM seeks to limit risks that may jeopardise the execution of its business activities;
- Financial risks – BAM strives to maintain a solid financial position, ensuring access to financial markets and retaining its clients, supply chain and other partners. BAM wants to provide an insightful, fair and accurate representation of its performance;
- Compliance risks – Compliance with all applicable laws and regulations, including BAM’s code of conduct, is of fundamental importance to the Group.
Risk assessments reflect the risk profile and the risk trend versus the company’s risk appetite. These are executed in the divisions, Belgium and at Group level, and include the defining of mitigating actions and monitoring of their effectiveness. Risks are assessed and prioritised based on their probability of occurrence, their potential impact and the effectiveness of mitigating measures.
BAM’s risk framework addresses the key risk areas. The key risk areas, their risk trend, risk appetite and mitigating measures are summarised in paragraph Key risk areas. Overall, risks indicate a slight downward trend, supported by ongoing mitigation efforts.
Internal controls
BAM has a requirements framework to manage risks, to prevent material misstatements in (non)financial reporting and to facilitate compliance with laws and regulations. This framework addresses BAM’s key risk areas by defining control requirements to be executed in the business. Business managers and functional leads in both divisions, Belgium and at Group level are responsible for managing risks and controls and performing self-assessments for their design, implementation and operating effectiveness.
The risk and control function reviews the operating effectiveness of the control requirements framework. Reviews of controls are performed throughout the year, based on a pre-defined schedule covering the full year. The results are reported to the Executive Committee and the Audit Committee.
The internal audit function validates the control assessments and reports its observations to the Executive Committee and the Audit Committee. Internal audit also provides business managers and the risk and control function with recommendations to further improve the design, implementation and/or effectiveness of control requirements.
The results of effectiveness testing of the control requirements, together with the reporting of control incidents (if any) and internal and external audit findings, are taken into consideration by business management and division management in their internal reporting of in-control statements.
These internal in-control statements form the basis for managerial accountability for the effectiveness of the control requirements framework. Any deviations from the internal control requirements framework are reported, including remediations and follow-up actions to resolve them.
BAM strives to continuously improve its risk management activities. In 2025, this resulted in a next step in the maturity of adhering to control requirements. This was evidenced by higher effectiveness scores versus 2024 and the years before. The management of the divisions and Belgium have confirmed and signed the internal in-control statement 2025, which supports the Executive Board in its assessment of the effectiveness of the design and operation of the internal control and risk management systems.
Executive Board statement
In accordance with the 2025 Dutch corporate governance code and the Financial Supervision Act (‘Wet op het financieel toezicht’), the Executive Board confirms that, to the best of its knowledge:
- The Executive Board report provides sufficient insights into any failings in the effectiveness of the internal risk management and control systems of Royal BAM Group;
- The aforementioned systems provide reasonable assurance that the financial statements do not contain any material inaccuracies;
- The aforementioned systems provide limited assurance that the sustainability statements do not contain any material inaccuracies;
- The aforementioned systems provide, considering the risk appetite and inherent limitations, sufficient comfort that the identified operational and compliance risks are effectively managed at the balance sheet date;
- Based on the current state of affairs, it is justified that the financial statements are prepared on a going-concern basis;
- There are no material risks or uncertainties that could reasonably be expected to have a material adverse impact on the Group’s continuity for the period of 12 months after the preparation of the financial statements.
Sufficient comfort on operational and compliance risks means that the Executive Board has obtained adequate evidence, through controls, audits and oversight mechanisms, to reasonably conclude that the risk management framework of BAM is functioning as intended.
It should be noted that the above does not imply that these systems and procedures provide absolute assurance as to the realisation of operational and strategic business objectives, or that they can prevent all misstatements, inaccuracies, errors, fraud and non-compliances with legislation, rules and regulations. Nor can they provide certainty that BAM will achieve its objectives.
Furthermore, the Executive Board confirms that, to the best of its knowledge:
- The financial statements give a true and fair view of the assets, liabilities, financial position and profit or loss of BAM and the subsidiaries included in the consolidation;
- The sustainability statement is prepared in accordance with the European Sustainability Reporting Standards (ESRS) as adopted by the European Commission, Taxonomy Regulation, and in accordance with the company’s double materiality assessment;
- The Executive Board report provides a fair view of the position at the balance sheet date and the development and performance of the business during the financial year;
- The Executive Board report describes the principal risks and uncertainties that the Group faces.
Key risk areas
The following table summarises BAM’s key risk areas, the respective risk appetite and management’s measures to bring the risk in line with the risk appetite.
For further details about policies and performance on health and safety, refer to chapter 6.4.
For further details on human resources, refer to chapter 6.4. For further details on information technology and security, refer to chapter 6.5.
For further details on climate change and environmental impact, refer to chapter 2.5 and chapter 6.
For further details on communication to employees and employee training related to the code of conduct, refer to chapter 6.5.