Compliance and Risk management

Risk management

RAI works continuously on the structural and systematic management of risks. Risk management is embedded in both our strategic and operational processes as an integrated system that covers all levels of operations and all parts of the organisation. Risks and control measures are analysed, recorded in a register and actively monitored. A risk & compliance board reviews progress quarterly, with participation from the Executive Board, senior management and the risk & compliance officer. The Executive Board monitors the effective functioning of this system and, together with the organisation, strives for its continuous improvement and strengthening.

Focus on realising goals

Risk management and internal control are dynamic processes. RAI Amsterdam aims to identify and manage the risks that can occur when realising strategic, tactical and operational goals to a reasonable degree of certainty. Control measures taken in this framework are focused on reducing the chance that the risk will occur and/or lessening any impact the risk might have should that be the case.

To ensure risk management functions well, it is crucial that it is properly embedded in the operational processes and integrally applied. The risk management system developed by RAI Amsterdam is based on the principles of standards such as ISO 31000 and COSO.

Although we try to limit this as much as possible, it cannot be excluded that risks which are currently unidentified or considered insignificant will later have a major negative effect on the capacity of RAI Amsterdam to realise its goals.

Risk attitude and appetite

Entrepreneurship is one of the core values of RAI Amsterdam and involves having the appetite to take risks in a controlled way. The goal of risk management is therefore not to exclude risks but to gain insights that enable us to properly address opportunities and threats. RAI Amsterdam does limit its risk appetite in other ways, however. For instance, we ensure that financial risks cannot threaten our financial resilience. RAI Amsterdam always aims for a healthy safety margin with regard to its main financing ratio (net debt/EBITDA) of 15%. This implies a constant availability of contracted financing capacity of at least €10 million as a liquidity buffer.

RAI Amsterdam aims to be a safe meeting place and is aware of its responsibility to keep locations and events secure, healthy and accessible. In this framework we aim to limit security and health risks as much as possible. Compliance with laws and regulations is the starting point as RAI Amsterdam seeks to minimise the risks of non-compliance and applies a very low tolerance in this field.

Integrity is important and a zero-tolerance policy is applied with regard to fraud and corruption. The risk attitude of RAI Amsterdam can be schematically represented as follows.

RAI Amsterdam’s risk attitude

Organisation based on 'three lines of defence' model

In setting up its risk management system, RAI Amsterdam applied the 'three lines of defence' model. This system of measures consists of three ‘lines of defence’: the operational line, the risk management function and the internal audit function. The first line of defence is primarily responsible for the operational management and takes ownership of controlling operational risks. This control is realised through an adequate set-up of the organisation with regard to structure and processes as well as culture. The second line of defence consists of the independent risk & compliance function that supervises the set-up and functioning of the risk management system. The second line supports the first line, provides a coordinating function and reports to the Executive Board and line management. The third line of defence comprises an independent internal audit function with a scope that is specifically focused on environmental and quality management in line with ISO 9001 and ISO 14001. Based on an annually updated internal audit plan, the function supervises the set-up, existence and functioning of the control measures.

'Three lines of defence' model

Supervision

The Supervisory Board monitors the operations of RAI Amsterdam and approves (changes to) the risk management policy. Risk management is also regularly included on the agendas of meetings of the audit committee and Supervisory Board. The Supervisory Board employs the external accountants and approves their audit plan on an annual basis.

The external accountant also acts as supervisor and monitors the set-up, existence and functioning of the administrative organisation and internal supervision based on an annually updated audit plan. The external accountant reports to the Supervisory Board via an audit report and a statement in the annual report.

Risk inventory and assessment

An integrated update of the risk inventory and assessment was also performed again in 2024. This was in light of the cyclical evaluation of current developments and the adjusted goals of the organisation. Due to the explicit connection to the goals, risk management strengthens performance management. Seventeen risks are considered most relevant. They are often interconnected. For these domains we establish partial risks and we define, implement and monitor control measures.

When assessing the relevance of the risks for RAI Amsterdam, both the probability of an incident occurring and the current consequences (measured in financial terms) this might have for RAI Amsterdam are considered.

Important risks and mitigating measures

Explanation:
  1. Strategy execution and change management
  2. Increased competition
  3. Changing client preferences
  4. Changing environmental factors
  5. Attract and retain personnel
  6. International activities
  7. Reputation risks
  8. Safety & Security
  9. Financial risks (including taxes)
  10. Cybercrime
  11. Contractual obligations
  12. Disrupted operations
  13. Insufficient innovation
  14. Insufficient improvement capacity
  15. Integrity
  16. Non-compliance & licence to operate
  17. Economic and/or political obstacles

Strategy execution and change management
In 2024, the new RAI NEXT strategy was initialised. The core business will be expanded and further optimised. The new strategy is fully committed to making the venue and the RAI area at the Europaplein in Amsterdam future proof and sustainable. We design our organisation and operations in a way it strengthens the implementation of the strategy. The progress is monitored continuously.
External factors, like stakeholders’ interests and geopolitical developments may have a substantial impact on the capability of RAI Amsterdam to realise its strategic objectives.

Market and competition
The commercial playing field and competitive position can be affected by activities of, or developments at competitors and potential partners in the market. Therefore, we have developed a strategic portfolio policy and we keep a close eye on our portfolio. We proactively assess the opportunities in this area. We translate them into a growth strategy for the domains and markets in which we wish to operate. The strength of this approach has a positive impact on the resilience of RAI Amsterdam in relation to threats from the market and our competitors.

Changing environmental factors
Developments in the environment of a company may have a material impact on the extent to which strategic goals can be realised. In many cases, we have a limited impact on occurrences in our environment and we mainly focus on controlling the consequences in a best possible way. In 2025, the worldwide geopolitical developments were very turbulent and this will probably continue also in 2026. RAI Amsterdam follows these developments closely and constantly assesses where this may have consequences for its activities. In 2025, the direct impact was still small.

Labour market developments
RAI Amsterdam is an attractive employer. In general, we manage to fill our vacancies well, but in a few specific segments of the labour market it still remains difficult to attract and retain suitable talent. This could make us vulnerable to staff turnover. Customised recruitment and strategic personnel planning mitigate this risk to a significant extent. The agency staff market is also tight. This makes the timely availability of sufficient competent agency staff uncertain, which may put pressure on the business activities. The regulations regarding prevention of false self-employment of ZZPers (self-employed freelancers) and equal working conditions make this even more complex. RAI continuously adapts its hiring policy when market conditions and relevant regulations require it.

Cybercrime
Cybercrime is one of the greatest threats to businesses worldwide and RAI Amsterdam is by no means immune. The risks are significant so we have defined a cyber security policy and are taking organisational and physical measures to mitigate this risk as much as possible. We are setting up to control IT security along the lines of ISO 27002. The intention is also to reduce consequential risks such as operational disruptions and the loss of privacy-sensitive information.

Economic climate
The past year, the economic climate was not unfavourable. Inflation fell, but the uncertainty regarding the direction in which the global economy is developing remains considerable. Especially the geopolitical developments increase the potential threat of a recession, although it did not manifest in 2025. To RAI Amsterdam, this remains important, because less customer demand and cost inflation can put pressure on the return of the operations. If required, flexibility, directed cost savings and margin control are deployed to cope with it.

Safety & Security
RAI Amsterdam is a multifunctional venue where large numbers of people come together. This can have health & safety risks and involve a risk of property theft for visitors and employees. We have therefore developed an integrated safety management system that involves a risk-based focus on strategic and operational safety management issues. It also mitigates as much as possible the risk of business interruption caused by calamities. The effective functioning of these measures is monitored. RAI continuously invests in organisational, technical and IT-related solutions to ensure the safety of its employees, visitors and the venue.

Financial risks
Financial risks usually originate from underlying strategic, operational or compliance risks, and the related control measures take place within the spectrum of financial management and treasury. The focus is on strengthening the financial resilience and profitability of the company in the short and long term.

Reputation
As any damage to the reputation of RAI Amsterdam can have major long-term consequences for the company, a range of mitigation instruments have been deployed. A compliance management system has been set up to ensure laws and regulations are closely observed. An integrity policy helps prevent undesirable or dishonest behaviour. Intensive stakeholder management is partly focused on consolidating the good reputation of RAI Amsterdam, while a corporate communication policy ensures effective communication to all stakeholders.

Compliance management

RAI Amsterdam aims to comply with all legal and licence-related requirements and guidelines that apply to the company. This also goes for the standards and guidelines with which the RAI organisation has chosen to comply. RAI Amsterdam aims to minimise the risks of noncompliance as much as possible. It has a low tolerance in this respect and has established a compliance management system.

In setting this up we closely followed the starting points and principles of the ISO 19600 standard for compliance management wherever possible. Key starting points are:

  • A dedicated, structured approach to a continuous process;
  • A clearly defined scope and a risk analysis-based prioritisation in the context of the specific characteristics of the RAI Amsterdam organisation;
  • A clear division and appointment of tasks and responsibilities, with a leading and dedicated role for senior management;
  • A cyclical process that enables RAI Amsterdam to be a learning organisation;
  • A focus on culture and behaviour in line with the core values;
  • Transparency regarding the compliance approach and the way non-compliance is handled.

The compliance management system has comprehensively mapped out the obligations of RAI Amsterdam and secured compliance using various programmes. The progress is constantly monitored and discussed in the risk & compliance board, which includes the Executive Board, senior management and the risk & compliance officer.