Risk management

A business must take risks to create value. Having a risk management assessment in place allows a company to take risks in a managed and controlled manner. Within Q-Park strategic, operational, financial, and reputational risks are made controllable by carefully weighing risks and returns against each other. Effective risk management is integrated into our daily operations.

Q-Park deploys a top-down risk management assessment in which strategic risk management is executed at corporate level. Responsibility for operational risk management lies primarily with local country management. Q-Park's Executive Board bears ultimate responsibility for managing the risks that the company faces.

Risk management and internal control

Ongoing identification and assessment of risks is part of our governance and periodic business review. Our Enterprise Risk Management (ERM) assessment and Compliance Programme are designed to provide management with an understanding of the key business risks the company faces. It also provides methods and processes to manage the risks that might hamper the business in delivering on our strategy.

Q-Park is averse to the risk of non-compliance with relevant laws and regulations, our own codes, contractual agreements and certain covenants. As legislation and other formal guidelines cover various functional areas and can be very extensive (even country-specific), compliance is managed in a structured way. Our Compliance Programme covers most relevant compliance areas for Q-Park, ensuring:

  • That the actions per step of the risk control cycle are executed based on a clearly defined plan with clear roles and responsibilities;
  • That implementation of relevant legislation and internal guidelines within the organisation is assured;
  • The tone at the top regarding the importance of compliance.

Significant developments in 2020 and focus areas for 2021:

  • The COVID-19 pandemic has had a significant impact on our business and financial results. The impact of the pandemic on our company is driven by the various restrictions that governments implemented. Restrictions aimed at minimising social contacts and slowing down the spread of the virus varied from full lockdown situations to closing retail, bars and restaurants. Furthermore, leisure activities and (mass) events have been halted for most of the year. As a result, our short-term parking revenues declined as the direct amenities in the area of our parking facilities were temporarily not available to people. As our business is largely built around the availability of these amenities, a pandemic and related measures of this order are critical to our performance and constitute a significant risk to our business.
  • Related to information security, an extensive programme (2019-2021) has been developed and is being executed. The ICT infrastructure organisation and ICT processes are being transformed to higher information security standards. In 2020 user awareness has improved due to the introduction of e-learning modules for all employees within the Q-Park organisation. Furthermore, the Q-Park data centre was migrated to a new and improved environment and the roll-out of the ‘modern workplace’ with higher security standards for all devices has started. Cyber security will remain a priority in 2021 (and beyond) during which we will build on the progress made in 2020 and further focus on data security and (mobile) device management.
  • Several policies regarding ethics and integrity such as the Integrity Policy and Competition Law Compliance Policy have been issued throughout the Group. Though the COVID-19 crisis has caused some delay, training to increase awareness has started.
  • Internal human resource management processes have been optimised and formalised. In 2020 efficiency and consistency improvements have been realised by implementing a Q-Park Self Service portal. Our response to the COVID-19 crisis has included specific attention to employee safety and healthcare.

The Executive Board and key management periodically review the risks and related mitigation controls and procedures of the ERM assessment and Compliance Programme and reconsider the focus areas identified. Furthermore, they provide complementary insights into existing and emerging risks that are subsequently included in the policy. The ERM assessment and Compliance Programme influence the formation of controls and procedures, and the focus of business planning and performance process.

Risk appetite

Factors which determine the risk appetite include the international footprint of the business, the robustness of the balance sheet, long-term duration of contracts, strength of cash flows and a commitment to conservative financial management. Our risk appetite varies per objective and risk category:

  • Strategic: Taking strategic risks is an inherent part of how we do business. In pursuing growth as a strategic ambition, we are prepared to take risks in a responsible way, taking account of our stakeholders' interests.
  • Operational: Depending on the type of operational risk, we take a cautious to averse approach. We give the highest priority to ensuring the safety of our employees and customers, to delivering the desired level of service, and to protecting the company's reputation.
  • Financial: We pursue a conservative financial strategy, including a balanced combination of self-insurance and commercial insurance coverage.
  • Compliance: We are averse to the risk of non-compliance with relevant laws or regulations, or non-compliance with our own codes, contractual agreements, and financial covenants.
  • Fraudulent and unethical behaviour: We are committed to act with honesty, integrity, and respect. We are fully averse to risks relating to fraudulent behaviour and we apply a zero-tolerance policy.

Main risks

The following risk overview highlights the main risks which might prevent us from achieving our strategic, operational, and financial objectives. The list is not exhaustive and there may be additional risks which do not constitute a direct threat in the short-term or which management deems immaterial or otherwise common to most companies, but which could at some time have a material adverse effect on our financial position, results, operations, or liquidity.

Strategic

Download XLS

Risk description

Q-Park risk management measures

Regulatory changes

National or local governments could implement measures which are potentially unfavourable to the parking sector (e.g. introduction of low emission zones, electric vehicle charging requirements and banning of traffic within inner-city boundaries).

  • Have an active role in industry representing associations such as Vexpan and EPA.
  • Create sufficient presence in cities and regions to have a seat at the table and cooperate with governments, NGOs, and businesses on mobility needs.
  • Ensure geographic diversification of Q-Park's portfolio in the different countries but also within cities to avoid large dependencies on specific regions or locations.
  • Invest extensively in online platforms and value-added services to become a proactive business partner for local authorities and help them to develop (mobility) solutions.

Economic environment

Factors that potentially influence parking revenues (prices and/or mobility) include pressure from the general public and retailers, political changes, or a long-term fall in GDP. Lower parking revenues could significantly impact Q-Park’s profitability and cash flows, particularly in situations where lower parking prices will not result in more transactions.

  • Cooperate with governments, NGOs, and other businesses.
  • Highlight the relevance of regulated and paid parking to society through clear communication via a variety of channels.
  • Maintain a centralised pricing function within the Group that analyses different tariff schemes, simulates the effects of changes and aligns prices with the local circumstances and market situation.
  • Strengthen the commercial, customer, and market intelligence organisation by establishing Group-wide teams and actively sharing knowledge and experiences.

Competitive environment and economic

conditions

The parking market (new business) is characterised by competition between a limited number of existing players. In addition, technology is used increasingly in the parking market and results in new competitors with a possible negative impact on Q-Park's financial results.

  • Ensure geographic diversification with sufficient presence in different regions and cities to ensure efficiency in operations and to be competitive in tenders.
  • Invest in the digital transformation of the Company (online platforms and parking management systems) to provide customers efficient access and payment solutions.
  • Closely monitor developments in digital solutions created by existing and new competitors.­

Dependency on other businesses and

local developments

A car parking service is an indirect service which depends on external factors (e.g. offices, shopping centres, leisure amenities). New customer behaviour (e.g. online shopping, working from home) or changes in the popularity of certain stores, locations or areas pose a risk of a significant decrease in parking demand and, hence, a decrease in Q-Park’s business and revenue.

  • Ensure geographic diversification of Q-Park's portfolio and a further spread across multiple indirect markets.
  • Manage a portfolio with focus on large multifunctional locations instead of monofunctional locations.

Operational

Download XLS

Risk description

Risk management measures

Pandemic outbreaks

A pandemic outbreak in combination with government measures that restrict people from going out to cities and events can significantly impact our business and financial results as we are dependent on the availability and accessibility of the amenities in the vicinity of our parking facilities.

Safety and liability

  • Ensure geographic diversification of Q-Park's portfolio and a further spread across multiple indirect markets.
  • Manage a portfolio with focus on large multifunctional locations instead of monofunctional locations.
  • Maintain a healthy and solid liquidity position to be able to absorb a temporary loss of income and related cash flow.
  • Apply a high standard of health and safety measures in our parking facilities to provide customers a safe parking experience under all circumstances.

The safety of our customers and employees is our top priority. If an employee or a customer sustains injury while at work or while visiting one of the Q-Park parking facilities, this could also impact our reputation.

  • Adhere to health and safety procedures relating to employees and customers.
  • Invest in maintenance and security tools (i.e. CCTV monitoring) to ensure clean and safe parking facilities with proper instructions for visitors.
  • Encourage non-cash payments and outsourcing of cash handling to specialised third parties to reduce risks of theft.
  • Provide training and development focusing on personal safety and safety measures in and around our parking facilities.

Dependency risks, interruptions, and

business continuity

Continuity of the company and its business is crucial. Continuity depends on a number of factors, including suppliers. We are particularly vulnerable regarding Parking Management Systems (PMS), ICT, and infrastructure which are to a large extent provided by third party suppliers.

  • Business Continuity and Data Recovery is a crucial component of our Information Security Programme.
  • We use different systems from independent suppliers where operational efficiency is one of the key objectives.
  • Conduct preventive maintenance and conclude service level agreements (SLAs) with suppliers to ensure corrective interventions within agreed time frames.
  • Connect the Q-Park Control Room (QCR) to parking facilities to assist in the event of business interruptions and operate a 24-hour service desk.­

Staffing and retention

Good, experienced, and knowledgeable people are the foundation of our company and its success. The company must ensure that it is able to employ and retain the right people.

  • Maintain a system for performance measurement and annual reviews.
  • Continuously work on employer branding in the job market and have competitive employment conditions.
  • Develop training and development opportunities for employees.

Ethics and integrity

Ethics and integrity are important conditions for confidence in the company. Behaviour deemed to be unethical could lead to loss of revenue and reputation.

  • Maintain a code of ethics and integrity including a whistle-blower policy with periodic training to ensure awareness and having proper systems in place to detect irregularities.
  • Ensure Executive Board and management demonstrate ‘tone at the top’.
  • Apply a zero-tolerance strategy.

Financial

Risk description

Risk management measures

Valuation of fixed assets and goodwill

The company owns a considerable amount of property and goodwill. If the economic climate deteriorates this could result in a permanent reduction in the value of assets. If potential impairment indicators are not identified, determined, or communicated in a timely fashion, the company could incur reputational and financial damage.

  • Evaluate the existence of impairment indicators on an annual basis.
  • Monitor performance against prior periods and budgets to identify risk areas and act timely.
  • Employ an independent valuation expert to conduct periodic valuations when necessary.

Financing

Given that the nature of the business is capital-intensive, access to external financing is crucial for continuity. A liquidity risk could arise if external financing is not available to the company when refinancing is required.

  • Strict monitoring of certain financial covenants.
  • Consult regularly with external debt providers to discuss the ongoing business, strategy, results, and financing needs.
  • Periodic evaluation of the appropriateness of the financing structure and adjust if needed.

Interest rate risks

The external debts can be subject to variable interest rates, thereby exposing the company to fluctuations in interest rates. A significant increase in variable interest rates would have a negative impact on results.

  • Include a mix of fixed and variable interest rates for financing operations, combined with the use of interest rate instruments if needed.
  • Adopt an interest rate policy in which part of the variable rated debt is covered by interest rate derivatives (interest rate swaps and interest caps).

Currency risk

The company's functional currency is the euro. Given that the company also operates in the United Kingdom and Denmark, we are exposed to fluctuations in the GBP and DKK exchange rates.

  • Monitor and report periodically on currency risk exposure.
  • Optimise currency risk through natural hedges (i.e. revenue and costs in local same currencies, external debt in foreign currency).

Compliance and reporting

Download XLS

Risk description

Risk management measures

Financial statement does not give a true

and fair view

If misstatements are made such that the financial statements do not give a true and fair view of the company's financial position, financial performance, and cash flows, users of the financial statements would be incorrectly informed.

  • Maintain common and consistent accounting policies, reporting processes, and standard chart of accounts.
  • Monitor critical access and segregation of duties and perform compensating controls if necessary.
  • Periodic audits on both consolidated and local statutory financial statements.
  • Actively involve relevant stakeholders.

ICT and information security

Given the increasing use of online communication and the professionalism of cyber criminals, the company must focus constantly on continuity of ICT systems and on ensuring the security of crucial information and sensitive customer data (e.g. payment card details, passwords). A successful attack or hack by cyber criminals could cause reputational and financial damage and impact business continuity.

  • Implementation of the Q-Park Information Security Programme based on a Cyber Maturity Assessment and executed in accordance with a formal governance structure. Important components of this programme include:
    • Embed and monitor our information security policies to secure confidentiality and integrity of data, including continuity measures in conjunction with outsourcing partners.
    • Improve user awareness and behaviour to reduce cyber security risks by offering training programmes to our employees.
    • Manage IT Asset risks in a proactive and reactive way (monitoring).
    • Improve incident response, disaster recovery and business continuity.
    • Further comply to common standards such as PCI DSS, GDPR and ISO 27001.
    • Implement cyber security solutions to detect cyberattacks and have remediation procedures in place.
    • Centralisation of ICT systems allowing central enforcement of security measures.
    • Initiate a Secure Software Development life cycle programme for our applications in collaboration with our supplier.
  • Our Information Security officer coordinates the execution of the Information Security programme and manages operational cyber security risks.

Non-compliance with European and

national laws

Changes in the legal and regulatory environment tend to increase the risk of non-compliance with local, national, and international laws and regulations, as well as tax legislation. Failure to comply with applicable regulations could lead to fines, claims, and reputational damage.

  • Having corporate functions in place to monitor local risks and challenges from a Group perspective (e.g. compliance, tax, finance, and legal).
  • Involve external specialists where necessary to analyse impact, risks and actions needed on regulatory changes.