Risk management
Like the rest of the world, we were impacted this financial year by the severity and magnitude of the COVID-19 virus outbreak. Thankfully, our Business Continuity Management capabilities enabled us to respond in a quick and effective manner. In these responses we applied strict guiding principles to safeguard the safety of our people and enable our business to operate as normal as possible. Events like the COVID-19 pandemic prove that intelligent risk management creates opportunities, enables us to respond in case of unforeseen events and is key to sustaining performance.
Context
During the creation of the 2023 Strategy, risks have been assessed and mapped to our Ambition. Our Enterprise Risk Framework (ERF) is fully aligned with NSE and supports us in the delivery of our Ambition. We identify, assess, prioritise, manage and monitor Enterprise-Wide Business Risks on an ongoing basis.
Early 2021, interviews with our Executive Board and members of our Executive Committee were conducted in order to collect their perspective and key concerns with respect to the 2023 choices and ambitions. Based in the input received, we were able to update all the risks in our ERF. During the discussions with our leadership, three risks were top of mind (Talent, Advisory delivery & risk management, and Our role and future public interest impact). These three ‘top of mind’ risks were discussed in detail during the ExCo Risk Workshop in March 2021 ensuring a shared understanding and vision, and alignment on current and required mitigation.
Governance
Risk governance is embedded in our overall governance structure. The primary responsibility for identifying and managing risks, both internal and external, resides with line management, the Executive Committee and ultimately the Executive Board, with oversight from our Supervisory Board. In the annual risk workshop, our Executive Committee and Board refresh our risk profile and appoint risk owners for our priority risks. Risk owners are subsequently asked to implement robust risk mitigating plans and periodically report on the progress of risk mitigating activities. The Risk & Reputation Leader (RRL), who reports to the Chief Quality Officer, has day-to-day responsibility for the overall system of quality control for Risk Management and Reporting. As part of this responsibility the RRL oversees the Enterprise Risk Framework and corresponding risk and control system through, among other measures, periodic meetings with the individual risk owners to discuss and review mitigations.
On an annual basis, the Executive Board evaluates the performance of and acknowledges its overall accountability for the effectiveness of the risk and control system through an internal in-control statement. To substantiate the evaluation, the Board obtains input from line management, the RRL and the internal auditor, who assesses the key elements of the risk and control system. The Executive Board also considers the findings and reporting of the external auditor on the functioning of internal controls as part of their annual audit engagement.
In control
Our ERF helps us to maintain control, have the right information available, comply with applicable laws and regulations, and meet our own high-quality standards. Based on the entire system of quality controls, our Executive Board is able to state that:
-
The report provides sufficient insights into material failings in the effectiveness of the internal risk management and control systems;
-
The aforementioned systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies;
-
Based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis; and
-
The report outlines the material risks and uncertainties that are relevant to the expectation of the company’s continuity for the period of twelve months after its preparation.
After implementing the Deloitte global CRM Salesforce system last year, we this year successfully implemented the Deloitte global finance system, SAP S/4HANA®. We were able to mitigate the risks that always come with a financial system migration. Day-to-day risk management activities reflect our risk appetite for specific domains, for example, when making client and engagement acceptance decisions. Currently a set of key risk indicators (KRIs), including tolerance levels, is being mapped to our strategic KPI dashboard and will be discussed with the risk owners. These KRIs will enable us to monitor our risk appetite and maintain the right balance between risk and reward.
Priority risks
The risk universe of DTTL Global Risk and the topics from dialogues with our Leadership represent the main risks of our risk universe. They are also the input for the annual re-assessment of our risk profile, in the context of strategy 2023 and our risk appetite. Resulting from the annual re-assessment, we have agreed on risks and opportunities related to our strategy (see the risk radar below). The current exposure (or residual risk) is the likelihood of a risk crystallising and its impact given current ability to mitigate that risk. It is assessed on a scale of ‘low’ (green) to ‘high’ (red) taking account both residual impact and residual likelihood.
The three ‘top of mind’ risks (Talent, Advisory delivery & risk management, and Our role and future public interest impact - bold in the risk radar) have the highest exposure.
In the following table, the six risks assessed with a very high exposure are displayed. The risks associated with the employment of financial instruments are described in note 5 of the Financial statements. Our position regarding the use of derivatives can be found in the Derivatives and Hedge Accounting section.
Risk | Risk description | Risk area* | Risk appetite** | Mitigating measures |
Audit quality | Failure to prevent systemic or major failure of audit quality. | Strategic, Laws & regulations, Financial | Low: Deloitte is committed to high quality execution | Page 29-30 |
Advisory quality & risk management | Failure to prevent systemic or major failure of advisory quality. | Strategic, Operational | Low: Deloitte is committed to execute high quality. | Pages 78-79 |
Conduct & purpose | Failure to establish, embed and sustain an inclusive and ethical culture. | Impacts all categories | Low: Deloitte is committed to our shared values and strives to limit ethical breaches | Pages 59-60 |
Confidentiality, privacy & security | Failure to manage data security and privacy. | Operational, Laws & regulations | Low: Deloitte is committed to preventing, being prepared for and responding to breaches and data loss in a timely fashion. | Pages 79-82 |
Our role & future public-interest impact | Failure to anticipate, adapt to and respond to external scrutiny, criticism and regulation. | Impacts all categories | Low: Deloitte is committed to making an impact that matters on | Pages 14, 79 |
Talent | Failure to attract, develop and retain high-performing and diverse professionals and world-class leaders; failure to deliver the resource models of the future. | Operational, Financial | Low: Deloitte is committed to employing top class personnel through agile talent models. | Pages 57-59 |
- * The risks in the table above can be categorised in more than one of the four impact areas that we identify (see the above risk radar). For the sake of simplicity, we have placed them in the category that we deem to be most appropriate.
- ** Risk appetite is operationally translated in KRIs to monitor exposure and act if needed.