6.5 Governance information

Business conduct (ESRS G1)

Business conduct and business conduct matters relate to BAM’s business ethics and the relationships the company has with its stakeholders, especially own workforce (including subcontractors) and vendors (subcontractors and suppliers). Disclosures are related to the following material impacts, risks and opportunities, as identified through BAM’s double materiality assessment process. Refer to chapter 6.1 for the full details.

The disclosures in these this sections should be read in conjunction with the disclosures in chapter 6.2 on Governance, Strategy, and Impact, risk and opportunity management.

Description of the processes to identify and assess material impacts, risks and opportunities (IRO-1)

BAM identifies material impacts, risks and opportunities related to business conduct matters by evaluating criteria such as location, activity, sector and the structure of transactions, with particular attention to local laws and regulations in the Netherlands and the United Kingdom and Ireland. By considering these criteria, including compliance with local laws, BAM effectively manages risks and capitalises on opportunities aligned with its strategic objectives.

The role of the administrative, supervisory and management bodies (GOV-1)

The Ethics and Compliance Committee supports the Executive Committee and the divisions with the compliance programme, actual compliance matters and remedial actions. It ensures consistency across the Group. Reported suspicions of misconduct are discussed on a quarterly basis with the Executive Committee and every six months with the  Supervisory Board. 

On an annual basis, the effectiveness of the management approach is assessed and improvement activities are captured in the operating plan. The procedures described in this paragraph apply to all of the themes that are relevant to the business conduct matters discussed in this chapter.

The administrative, management and supervisory bodies have been engaged with BAM for several years; they possess expertise in business conduct matters, drawing from diverse backgrounds in human resources, operations, finance and engineering.

Business conduct policies and corporate culture (G1-1)

The BAM Code of Conduct and underlying procedures describe the expected behaviours and it deals with varying subjects such as the BAM values, safety, human rights, preventing bribery & corruption, protection of data and respecting privacy. It applies to all BAM employees, including contract and temporary workers. Living the Code of Conduct contributes to a safe, ethical and sustainable culture and protects the future of BAM.

The Code emphasises acting with integrity and honesty, complying with legislation, regulations, and generally accepted social standards. The topics in the BAM code of conduct form part of the risk management process (including a compliance risk assessment), training and awareness, and monitoring and reporting. New employees must sign a statement in which they confirm they will comply with the code as part of their employment contract. Further information on how BAM interacts with its employees is disclosed in the chapter 6.4 section Policies related to own workforce (S1-1) and Action taking on material impacts on own workforce, approaches to managing material risks and effectiveness of those actions (S1-4) and chapter 6.5 section Business conduct policies and corporate culture (G1-1). chapter 6.4 section Policies related to own workforce (S1-1) and Action taking on material impacts on own workforce, approaches to managing material risks and effectiveness of those actions (S1-4) and chapter 6.5 section Business conduct policies and corporate culture (G1-1).chapter 6.4 section Policies related to own workforce (S1-1) and Action taking on material impacts on own workforce, approaches to managing material risks and effectiveness of those actions (S1-4) and chapter 6.5 section Business conduct policies and corporate culture (G1-1). Chapter 6.4 section Policies related to own workforce (S1-1) and Action taking on material impacts on own workforce, approaches to managing material risks and effectiveness of those actions (S1-4) and chapter 6.5 section Business conduct policies and corporate culture (G1-1).

BAM’s anti-bribery and corruption policy states that, in line with law, regulation and the BAM Code of Conduct, the company does not tolerate bribery and corruption. It includes the key anti-bribery and corruption principles that all employees and any other representatives of BAM need to adhere to, and that business must be conducted honestly. Engaging in bribery or corruption, even indirectly or through third parties, may lead to dismissal, end of a business relationship, and, in addition to substantial fines, even imprisonment. In 2025, we extended our code of conduct, policies and training based on the UK Economic Crime and Corporate Transparency Act (ECCTA),aimed at strengthening the controls to prevent fraud.

BAM’s key principles in the privacy policy, the information security governance policy and the data retention policy relate to the processing of personal data and the duty of employees, and any other representatives, to report any (suspected) personal data breaches and ensure the proper protection and management of information to ensure confidentiality, integrity and availability of information.

BAM believes that communication and training are fundamental to bringing the code of conduct to life and to encouraging open conversations. BAM adopted a targeted approach to the different working groups to achieve optimum understanding and adaptation. An e-learning tool is used to train selected employees on all the topics in the code. The training, available in country-specific languages (e.g. Dutch and English), is mandatory for BAM employees, except BAM site employees who do not have access to online learning platforms. The mandatory group covers roughly 70% of the total number of employees.

Progress is closely monitored and reported to management. BAM targets a 95% completion score for the training, to allow for fluctuations due to new people joining the company. Site employees without access to online learning platforms are trained through so-called toolbox meetings. Additionally, compliance officers provide target-group-specific training sessions to educate specific people about particular compliance themes.

Training

In 2025, there were 211 (2024: 148) suspicions of misconduct reported. The reported suspicions of misconduct have been assessed and, where needed, sanctions have been taken, up to and including dismissal. Reported cases dealt with issues such as inappropriate use of company assets, safe working environment and privacy breaches, of which a limited number needed to be reported to the local external privacy authorities. There have not been any fines, penalties or compensation for damages regarding the suspicions of misconduct reported in 2025 (2024: 0).

Fostering a speak-up culture, in which employees feel empowered to talk about any issue without fear of negative consequences, is essential for BAM. The Speak Up procedure, which is also summarised in the code of conduct, encourages the reporting of possible breaches. This can be done through independent and protected systems for employees, offering protection for those who do so. These systems ensure confidentiality and the impartial handling of complaints.

The procedure also includes the requirements of the (EU) Whistleblower Directive. The periodic 'employee pulse survey' showed that the majority of employees feels free to express concerns without fear of negative consequences.

Work to promote awareness of the Speak Up option is a key theme in the compliance programme. Those who wish to report a concern or incident can report directly to a line manager, confidential advisor or compliance officer. People wishing to remain anonymous can use the Speak Up Line, which is operated by a third party and open to employees and external stakeholders alike 24/7. Cases that are identified as higher risk are reported to the Ethics and Compliance Committee.

BAM is involved in many stages of the construction value chain, from development, engineering and construction to maintenance and operation. Vendors are essential in all this, as their knowledge, people and other resources provide more than 70% of BAM’s revenue.

Vendors are subject to BAM’s general purchasing terms and conditions and BAM’s Vendor Code of Conduct, which cover commitments to safety, human rights, sanctions and trade restrictions and the environment.

Procurement secures continuous alignment on selected categories, systems, reporting and knowledge exchange. In 2025, sustainable sourcing and safety in the supply chain remained key topics contributing to the BAM strategy.

BAM focuses on key and preferred vendors to strengthen and monitor quality and compliance in the chain of subcontractors and suppliers. The company also deploys onboarding for vendors and they are assessed on their compliance with BAM requirements. Depending on the specific nature of the services provided by potential higher risk vendors, additional risk mitigating measures are taken, such as specific certifications, which are audited by external parties.

Prevention and detection of corruption and bribery (G1-3)

Undetected corruption and bribery can cause serious damage to society, including damaging public trust and causing injustice by benefitting some at the expense of others. Compliance risk assessments are conducted as part of BAM’s risk management process. BAM obtains its main revenue in countries with a low or very low risk of corruption according to the Corruption Perception Index (CPI) from Transparency International. This index focuses on the strict application of the United Nations Convention Against Corruption (UNCAC). Furthermore, there are quarterly risk assessments. These examine compliance risk developments and assess measures to ensure a match with the very low risk appetite for corruption and bribery risks. The results are reported to the Executive Committee and other stakeholders on a quarterly basis. In the case of an investigation, the investigators or investigating committee is separate from the chain of management involved in the matter.

Certain functions are more vulnerable to corruption, bribery and fraud risks. These include (commercial) management, project management, finance- and procurement-related functions and the members of the Executive Committee. This specific group, targeted for the corruption and bribery e-learning, covers around 40% of the total number of employees and there is a specific, in-depth e-learning on the prevention of corruption, bribery and fraud for all these functions. This training includes components like legal frameworks, risk management, ethical decision-making, third-party management, reporting, and whistleblowing. BAM has a formal learning platform through which these mandatory trainings are spread, linked to BAM’s HR data platform.

BAM’s percentage of targeted employees that have completed training regarding corruption and bribery is in line with the target (refer to the Training table). The topic of corruption and bribery also forms part of the code of conduct and its underlying policies and is monitored by BAM’s compliance officers.

Incidents of corruption or bribery (G1-4)

There were no fines, penalties or compensation for damages related to corruption and bribery in 2025. This includes incidents involving actors in BAM’s value chain in which BAM or its employees were directly involved.

Protection of data and respecting privacy (entity-specific)

Implementing robust data protection measures safeguards the personal data of employees and clients. Protection of data and respecting privacy is a core element of the BAM code of conduct, and is part of underlying, specific policies on data privacy, information and cyber security. BAM has dedicated Privacy and Security functions who collaboratively work together with management to implement ‘privacy and security by design’ within the organisation, at selected projects, and in contracts with new third parties.

BAM has relevant certifications in place, such as ISO 27001 Information Security and Cyber Essentials. Furthermore, there is a coordinated training and awareness programme to keep management and employees up-to-date regarding new developments and required behaviour. The training is mandatory for BAM employees, including the members of the Executive Committee, but excluding BAM site employees without access to online learning platforms. The mandatory group covers roughly 70% of the total number of employees. The objective is to reach around 95% completeness on an ongoing basis. Performance for 2025 has been in line with the target (refer to the Training table). In addition, there are specified privacy, information security and cyber security controls included in the BAM Requirements Framework. These are being assessed on the effectiveness of their risk mitigation. A limited number of privacy breaches had to be reported to the local external privacy authorities. There were no fines, penalties or compensation for damages during the reporting period.

Incidents related to data protection and privacy