4.3 Risks and Risk Management
Our operations involve uncertainties. By defining our risk appetite in advance and actively managing risks, we continually seek the right balance between seizing opportunities and controlling risks. An important guide in this is our corporate values matrix, which helps us assess the impact of our decisions on Vitens' objectives.
Developments in the risk management system
In 2025, we held discussions with the Executive Board, directors and subject-matter experts to reassess the risks and control measures identified in previous years. In the reassessment, we took into account both external and internal developments (such as the restructuring of our organisation), applicable laws and regulations, and the interests of our stakeholders. By linking risks to our strategy and objectives, we ensure that risk management remains an integral part of our decision-making. The risks have been discussed in the executive meeting and with the BoD.
We also worked on further integrating internal risk management and control systems into our work processes. Within most departments, a risk management and compliance specialist has been appointed who acts as the first point of contact within the departments. These (first line) contacts will work closely with the (second line) Risk Manager and Compliance Officer to improve the management of risks in the processes. We held sessions with external risk specialists to identify improvement opportunities in the process-level-risk-control matrices and to develop an action plan to further strengthen internal control in the coming years.
In addition, a fraud risk profile has been drawn up for each department, enabling us to monitor and manage our fraud-sensitive activities and processes in an integrated, risk-based manner.
Risk management process
Risk management is a cyclical process for identifying risks, selecting, and implementing measures to control them, with the aim of preventing surprises and supporting decision-making.
The Board is responsible for identifying and managing the risks associated with Vitens’ strategy and activities. It determines our organisational risk appetite and sets the policy accordingly. In doing so, it ensures that the right conditions are in place to manage risks effectively. The Supervisory Board oversees this process through the audit committee and regularly discusses strategy, strategy implementation, and related key risks.
Department directors identify risks within their own areas of work and take measures to control them. Together, they form the first line of defence (first line): they ensure that Vitens stays within the agreed risk limits and, together with the process managers, identify risks at process level and implement measures in the processes.
The Internal Control & Improvement Department supports this process; they are the second line of defence (second line). They ensure we comply with laws and regulations, maintain the risk management policy, guide departments in performing risk analyses, monitor this and report important issues to the board and audit committee.
The Internal Audit Department forms the third line of defence (third line) and conducts internal audits and advises on improvements in our internal processes.
Overview of key risks
Within Vitens, risk management plays an important role in achieving our strategic objectives. Every year, we evaluate the risks that could have the greatest impact on achieving our strategic goals, the top business risks. Steering these control measures and monitoring risks are an essential part of our planning and control cycle. We elaborate on each risk by providing it with a management approach and associated measures, which we implement and monitor during the year. Our risk appetite is very low, given the nature of our business.
The business risks identified for 2024 remain unchanged in 2025 and are as follows:
1. Climate impact
2. Administrative social engineering (of infrastructure)
3. Technical feasibility (of infrastructure)
4. Financial engineering (of infrastructure)
5. Cybersecurity
6. Attractive employer
7. Pressure in the subsurface
Climate
| Risk description | Risk management | Risk development |
|---|---|---|
| Vitens wants to reduce its climate impact and anticipate climate change, but due to the limited manufacturing feasibility of infrastructure and the acceleration of climate change, there is a risk that climate and impact targets (2030 and 2050) will not be met in time. Extreme weather conditions increase the risk of pipe breaks and reduced freshwater availability. | • CO2 reduction: incorporating reduction targets into infrastructure plans and the list of measures; developing a performance indicator for the CO2 impact of the investment portfolio. • Adaptation: stricter requirements regarding resilience and flexibility in design standards; preventive maintenance and replacement of high-risk pipes; setting aside funds for rapid repairs. • Water availability: development of a target framework featuring fewer, sustainably integrated extraction sites; collaboration within a Living Lab on water source diversification; implementation of a drought damage policy. |
The risk profile is increasing due to faster climate change (IPCC report) and increases in weather extremes, such as additional pipe bursts due to saturated soils in stormy weather. Adaptation measures may increase the CO2 footprint in the short term, but are necessary for long-term goals. |
Feasibility
| Risk description | Risk management | Risk development |
|---|---|---|
| Vitens identifies three manufacturing feasibility risks that threaten the timely realisation of future-proof infrastructure: • Administrative: complex and lengthy licensing processes with uncertain outcomes. • Technical: limited capacity and resources to implement investments. • Financial: insufficient investment room to maintain infrastructure and liquidity. If these bottlenecks are not resolved, Vitens cannot meet security of supply (24/7) and licence requirements. |
• Administrative: intensive cooperation with stakeholders (farmers, wildlife organisations, local residents) and integrated area development to increase licensing opportunities. • Technical: formating partnerships with market stakeholders, new forms of tendering, focus on water saving, leak detection and reduction of production losses. • Financial: consultations with the Dutch Ministry of Infrastructure and Water Management and the Dutch Authority for Consumers and Markets regarding Weight Average Cost of Capital adjustments; decisions in the investment plan to achieve strategic objectives in phases. |
The risk profile has increased in all three areas due to: • Labour market tightness complicating cooperation with market players. • Environmental risks affecting effectiveness of measures. • Limited funding scope, leading to later achievement of strategic goals and increased short-term operational risks. Positive trend: deployment of programme director, improved resource planning and development of multi-year implementation plan increase predictability and manageability. |
Cybersecurity
| Risk description | Risk management | Risk development |
|---|---|---|
| Vitens is at risk of cyber attacks from internal and external influences, with possible sabotage of its vital task as a drinking water supplier. Digital threats such as phishing, ransomware, data breaches and attacks by state actors are permanent and high. | • Framework & policy: integral security policy with periodic risk analysis, implementation of measures and independent review. • Programmatic approach: optimisation of organisation, processes and systems; secure-by-design for all digital projects. • Task force & testing: permanent multidisciplinary task force resolves findings from penetration testing immediately. • Governance: Vitens Security Board (VSB) steers cybersecurity programme and projects. |
Digital threats remain high and are constantly evolving, including techniques that circumvent existing measures (such as two-factor authentication). Vitens must be prepared for scenarios in which damage limitation is insufficient and business continuity must be ensured using minimal digital resources |
Being an attractive employer
| Risk description | Risk management | Risk development |
|---|---|---|
| Due to high outflow and tightness in the labour market, there is a risk that Vitens will not be able to meet the recruitment task and the quantitative and qualitative labour needs. This may lead to (partial) non-performance of work, with impact on continuity and projects. | • Strategic staff planning: annual analysis of formation and talent needs by department. • Entry measures: campus recruitment, traineeships, work-learning pathways, lateral entry, part-time after retirement, threshold reduction for non-Dutch speakers. • Employer branding & data: revamped branding strategy, website, data-driven recruitment and targeted campaigns. • Retention & development: learning and development paths, cooperation with sector for collective agreement and terms of employment. • Productivity: standardisation of processes, cooperation for new working methods, automation and digitalisation. |
The risk profile has increased due to persistent labour market shortages and an ageing population. Despite more filled vacancies, recruitment takes more time and effort. Structural shortages in engineering and ICT persist. Even with maximum inflow options, productivity improvements are necessary to mitigate shortages. Positive: MTO shows slight improvement in employee satisfaction, offering perspective for further steps in leadership and direction. |
Subsurface congestion
| Risk description | Risk management | Risk development |
|---|---|---|
| With increasing use of the subsurface (energy, heat, storage), there is a risk that groundwater quality will deteriorate and wells will no longer be available for water extraction. This threatens the continuity and quality of drinking water supply now and in the future. | • Monitoring & adaptive strategy: daily monitoring of water quality from source to tap; development of smart water systems and flexible water extraction methods. • Legislation and regulations: lobbying via Vewin for stricter source protection; safeguarding drinking water interests in the Dutch Drinking Water Policy Document and the Dutch Drinking Water Decree. • Cooperation & governance: implementation and execution agenda with provinces, water boards, municipalities and central government; active participation in working groups (Vulnerable Areas, Deep Subsurface). • Prevention & supervision: ensuring that provincial authorities prioritise the separation of duties, record-keeping, licensing and enforcement; internal agreements and regular monitoring of new initiatives. |
The risk profile remains high and has increased due to frequent interactions between drinking water extraction and groundwater/geothermal energy. Positive developments in cooperation and policy offer perspective, but do not yet reduce the immediate risk. Vitens remains proactively involved in planning processes and sector initiatives to strengthen future enforcement and protection. |
Risk management statement
As of the 2025 reporting year, the revised Dutch Corporate Governance Code enters into force, in which the Risk Management Statement (VOR) plays a central role. For Vitens, this means that the new requirements apply to the 2025 financial year. The VOR requires the Board to state explicitly in the management report to what extent the internal risk-management and control systems are functioning effectively.
Vitens is taking a phased approach to developing a complete substantiation of the effectiveness of the internal risk-management and control system. In 2025 the system has been further developed; however Vitens does not at this stage consider it possible to issue a full VOR.