Risk management
As in previous years, our Business Continuity capabilities enabled us to respond adequately and navigate through the crises we had to face. In our responses we applied strict guiding principles to safeguard the safety of our people and enable our business to operate as normal as possible. In 2021/2022, we had to deal with continuous changing measures regarding COVID-19. With our crisis management structure we were able to navigate the organisation and our people through this crisis and maintain focus on the guiding principles. Also we have embedded the hybrid working model in our current office policies and will maintain the benefits of hybrid working for our people and clients.
The invasion of Ukraine by Russia in February 2022 was another significant event for Deloitte. Following the start of the war, significant sanctions were imposed on Russia by the US, UK and EU. Together with our NSE organisation, we established a crisis management structure to evaluate our compliance with all sanctions and the impact these sanctions had on our client base. Based on the sanctions imposed on Russia, we evaluated our client and engagement portfolio. For this we established a Special Review Committee with the task and authority to take decisions on accepting or continuing engagements that are potentially effected by the sanctions and the situation in Ukraine. In these decisions we not only took into account the strict impact of sanctions, but also we evaluated whether we wanted to continue engagements due to links with Russia. It is not only about ‘can we do it’, but also about ‘do we want to do it’. Deloitte NL has not violated any of the sanctions and we also review ongoing client engagements in light of our risk appetite and values.
Deloitte NL has not violated any of the sanctions and we also review ongoing client engagements in light of our risk appetite and values.
Both the Russia/Ukraine war and the COVID-19 pandemic proved that intelligent risk management supported by mature incident response capabilities enables us to respond in case of unforeseen events and is key to sustaining performance.
Governance
Risk governance is embedded in our overall governance structure. The primary responsibility for identifying and managing risks, both internal and external, resides with line management, the Executive Committee and ultimately the Executive Board, with oversight from our Supervisory Board. In the annual risk workshop, our Executive Committee and Board refresh our risk profile and appoint risk owners for our priority risks. Risk owners are subsequently asked to implement robust risk mitigating plans and periodically report on the progress of risk mitigating activities. The Risk & Reputation Leader (RRL), who reports to the Chief Quality Officer, has day-to-day responsibility for the overall system of quality control for Risk Management and Reporting. As part of this responsibility the RRL oversees the Enterprise Risk Framework and corresponding risk and control system through, among other measures, periodic meetings with the individual risk owners to discuss and review mitigations.
On an annual basis, the Executive Board evaluates the performance of and acknowledges its overall accountability for the effectiveness of the risk and control system through an internal in-control statement. To substantiate the evaluation, the Board obtains input from line management, the RRL and the internal auditor, who assesses the key elements of the risk and control system. The Executive Board also considers the findings and reporting of the external auditor on the functioning of internal controls as part of their annual audit engagement.
Activities in 2021/2022
During the creation of the 2023 Strategy, risks have been assessed and mapped to our Ambition. Our Enterprise Risk Framework (ERF) is fully aligned with NSE, supplemented with specific NL risks, and supports us in the delivery of our Ambition. We identify, assess, prioritise, manage and monitor Enterprise-Wide Business Risks on an ongoing basis.
Late in 2021 the update of the NSE Enterprise Risk Framework was approved by the NSE Executive. Early in 2022, interviews with the NL Executive Board and members of the NL Executive Committee were conducted in order to validate the changes in the NSE ERF and to collect their perspective and key concerns with respect to the Dutch 2023 choices and ambitions.
Based on the input received, we were able to update all the risks in our ERF. During the discussions with our leadership, several themes were mentioned as top of mind. These ‘top of mind’ themes were translated into risk drivers for existing priority business risks and will be discussed in detail during the anticipated ExCo Risk Workshop later in 2022, ensuring a shared understanding and vision, and alignment on current and required mitigation.
The reputational risk of failing to achieve our net zero targets for climate change has been elevated to a priority risk having previously been a component of the Purpose risk. Other dimensions of climate change are included as components of the risks through which they will be managed: sustainability services (Client Portfolio and the MDM); business resilience (Confidentiality, privacy & security); our commitments, the "company we keep" and the impact on our people (Purpose, Public Interest, Client Portfolio, Conduct and People).
DTTL has performed a climate risk assessment for Deloitte in conformity with the standards as defined by the Taskforce for Climate Related Financial Disclosures. Their report is available on the Deloitte global website.
Further details on our environmental and sustainability policies are included in Annex 2 of this report.
Priority Risk
The risk universe of DTTL Global Risk and the topics from dialogues with our Leadership represent the main risks of our risk universe. They are also the input for the annual re-assessment of our risk profile, in the context of Strategy 2023 and our risk appetite. Resulting from the annual re-assessment, we have agreed on risks and opportunities related to our strategy (see the risk radar below). The current exposure (or residual risk) is the likelihood of a risk crystallising and its impact given current ability to mitigate that risk. It is assessed on a scale of ‘low’ (green) to ‘high’ (red) taking both residual impact and residual likelihood into account.
The ‘top of mind’ themes (Talent, Quality in large and complex tech-enabled engagements, Operate, Public Interest and Increased dependency on implementation of DTTL technologies) are integrated in our risks as presented in bold in the risk radar. Most of the risks in which the themes have been integrated have the highest exposure.
In the following table, the six risks assessed with a very high exposure are displayed. The risks associated with the employment of financial instruments are described in note 5 of the Financial statements. Our position regarding the use of derivatives can be found in the Derivatives and Hedge Accounting section.
Risk | Risk description | Risk area* | Risk appetite** | Mitigating measures |
Audit quality | Failure to prevent systemic or major failure of audit quality. | Strategic, Laws & regulations, Financial | Low: Deloitte is committed to high quality execution | Pages 142-143 |
Advisory delivery & risk management | Failure to prevent systemic or major failure of advisory quality. | Strategic, Operational | Low: Deloitte is committed to high quality execution | Pages 142-143 |
Conduct & purpose | Failure to establish, embed and sustain Purpose driven, inclusive and ethical culture. | Strategic, Operational | Low: Deloitte is committed to our Purpose and shared values and strives to limit ethical breaches | Pages 7-9, 21-22 |
Confidentiality, privacy & security | Failure to manage data security and privacy. | Operational, Laws & regulations | Low: Deloitte is committed to preventing, being prepared for and responding to breaches and data loss in a timely fashion | Pages 146-147 |
Our role & future public-interest impact | Failure to anticipate, adapt to and respond to external scrutiny, criticism and regulation. | Strategic, Operational | Low: Deloitte is committed to making an impact that matters on our clients and society | Pages 21-22, 34-38, 142-143, |
Talent | Failure to attract, develop and retain high-performing and diverse professionals and world-class leaders; failure to deliver the resource models of the future. | Operational, Financial | Low: Deloitte is committed to employing top class personnel through agile talent models. | Pages 21-22, 134-141 |
*The risks in the table above can be categorised in more than one of the four impact areas that we identify (see the above risk radar). For the sake of simplicity, we have placed them in the category that we deem to be most appropriate.
**Risk appetite is operationally translated in KRIs to monitor exposure and act if needed.
In control
Our ERF helps us to maintain control, have the right information available, comply with applicable laws and regulations, and meet our own high-quality standards. Based on the entire system of quality controls, our Executive Board is able to state that:
-
The report provides sufficient insights into material failings in the effectiveness of the internal risk management and control systems;
-
The aforementioned systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies;
-
Based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis; and
-
The report outlines the material risks and uncertainties that are relevant to the expectation of the company’s continuity for the period of twelve months after its preparation.