Risk management

At Deloitte we see Business Continuity Management as an important and integrated part of our overall risk management capability. Our focus on and dedication to business continuity management resulted in our receiving the ISO 22301 certification in 2022/2023.

During this fiscal year we experienced an increased exposure in all of the three aspects of our ‘Economic, Geopolitical & Competitor shifts’ risk. This risk has become more prominent in our Enterprise Risk Framework and the developments in 2022/2023 resulted in an elevation of this risk on our Risk Radar.
Economic headwinds and high inflation called for robust mitigating activities, focused not only on our own financials and our client and engagement portfolio, but also on the well-being of our people. Like many others, our people are personally affected by the high inflation from, among other things, rising energy prices. As in 2021/2022, we maintained our focus on the effects of the sanctions imposed on Russia as a result of the invasion of Ukraine. Solid risk mitigating measures in our client and engagement process prevent us from breaching EU/UK and/or US sanctions. The challenges and opportunities in the client and talent landscape resulting from the potential EY Audit/Advisory separation were addressed in close cooperation with our NSE/DTTL organization.

Our ongoing focus on being Purpose-led requires us to demonstrate how our leadership decisions are guided by our purpose and shared values, from the clients we serve to the work we perform for them. In our firm we see an increase in the number and complexity of matters being brought to the attention of our Responsible Business Committee. In this committee we discuss the acceptance of specific engagements from various angles. A number of more complex responsible business matters were elevated to NSE level, where we experienced mature discussions on our role in the NSE/DTTL network and sometimes slightly different points of view, often driven by the cultural diversity of our NSE geographies. We remain committed to our shared values at all times.

Our Talent risk slightly decreased due to the implementation of our employee value proposition and the economic headwind, resulting in a less competitive talent market and decreasing attrition levels. Because of our focus on our Talent, this risk will remain a priority business risk to be monitored on an ongoing basis.


Risk governance remains embedded in our overall governance structure. The primary responsibility for identifying and managing risks, both internal and external, resides with line management, the Executive Committee and ultimately the Executive Board, with oversight from our Supervisory Board. In December 2022, during the annual risk workshop, our Executive Committee and Executive Board refreshed and validated our updated risk profile.
Relevant risk owners are responsible for implementing robust risk mitigating plans and periodically report on the progress of risk mitigating activities. The Risk & Reputation Leader (RRL), who reports to the Chief People & Quality Officer, has day-to-day responsibility for the overall system of quality control for Risk Management and Reporting. As part of this responsibility the RRL oversees the Enterprise Risk Framework and corresponding risk and control systems through, among other measures, periodic meetings with the individual risk owners to discuss and review mitigations.
In 2022/2023, the overall risk and control system was captured in a Risk Mitigation & Assurance Map. This Map captures our Strategic, Operational, Financial and Compliance risks, including the underlying frameworks, the different lines of defence and the level of assurance obtained.

On an annual basis, the Executive Board evaluates the performance of and acknowledges its overall accountability for the effectiveness of the risk and control system through an internal in-control statement. To substantiate the evaluation, the Board obtains input from line management, the RRL and the internal auditor, who assesses the key elements of the risk and control system. The Executive Board also considers the findings and reporting of the external auditor on the functioning of internal controls as part of their annual audit engagement.

Activities in 2022/2023

During the creation of the 2023 Strategy, risks have been assessed and mapped to our Ambition. Our Enterprise Risk Framework (ERF) is fully aligned with NSE, supplemented with specific NL risks, and supports us in the delivery of our Ambition. We identify, assess, prioritise, manage and monitor Enterprise-Wide Business Risks on an ongoing basis.

Late in 2022, the update of the NSE Enterprise Risk Framework was approved by the NSE Executive and adopted by Deloitte NL as the basis for the NL 2022 update. Based on input received from the NL risk owners and their delegates we were able to update all the NL risks in our ERF. During these discussions with our leadership, several themes recurred as top of mind. Two of these ‘top of mind’ themes (Operate and Navigating the Downturn) were discussed in detail during the ExCo Risk Workshop in December 2022, ensuring a shared understanding and vision, and alignment on current and required mitigation.

The reputational risk of failing to achieve our net zero targets for climate change has been elevated to a new priority business risk with a very high exposure. Other risk dimensions of climate change are included as components of the risks through which they will be managed: sustainability services (Client Portfolio and the MDM); business resilience (Confidentiality, privacy & security); our commitments, the "company we keep" and the impact on our people (Purpose, Public Interest, Client Portfolio, Conduct and People).
DTTL has performed a climate risk assessment for Deloitte in conformity with the standards as defined by the Taskforce for Climate Related Financial Disclosures. Their report is available on the Deloitte global website. Further details on our environmental and sustainability policies are included in Annex 2 of this report.

Priority Risk

The risk universe of DTTL Global Risk and the topics from dialogues with our Leadership represent the main risks of our risk universe. They are also the input for the annual re-assessment of our risk profile, in the context of Strategy 2023 and our risk appetite. Resulting from the annual re-assessment, we have agreed on risks and opportunities related to our strategy (see the risk radar below). The current exposure (or residual risk) is the likelihood of a risk materialising, and its impact given our current ability to mitigate that risk. It is assessed on a scale of ‘low’ (green) to ‘very high’ (red) taking both residual impact and residual likelihood into account.

The ‘top of mind’ themes (e.g. Operate and AI, Talent, managing our large and complex, often tech-enabled, engagements, Public Interest and navigating the downturn) are integrated in our priority business risks in the risk radar. Most of the risks in which the themes have been integrated have the highest exposure.

In the following table, the risks assessed with a high risk rating are shown. The risks associated with the employment of financial instruments are described in note 5 of the Financial statements.


| Risk description | Risk area* | Risk appetite** | Mitigating measures |
|---|---|---|---|
| Audit quality: Failure to prevent systemic or major failure of audit quality. | Strategic, Laws & regulations, Financial | Low: Deloitte is committed to high quality execution | Pages 27, 155-156 |
| Advisory delivery & risk management: Failure to prevent systemic or major failure of advisory quality. | Strategic, Operational | Low: Deloitte is committed to high quality execution | Pages 156-156 |
| Conduct & Ethics: Failure to establish, embed and sustain an inclusive and ethical culture. | Strategic, Operational | Low: Deloitte is committed to our shared values and strives to limit ethical breaches | Pages 156-159 |
| Confidentiality, privacy & security: Failure to manage data security and privacy. | Operational, Laws & regulations | Low: Deloitte is committed to preventing, being prepared for and responding to breaches and data loss in a timely fashion | Pages 159-160 |
| Economic, geopolitical and competitor moves: Failure to anticipate, adapt to and respond to changes in the economic, geopolitical and competitor landscape. | Strategic, Operational, Financial | Medium: Deloitte is committed to (pro-)actively respond to economic, geopolitical and competitor-driven changes | Pages 10-14 |
| Our role & future public-interest impact: Failure to anticipate, adapt to and respond to external scrutiny, criticism and regulation. | Strategic, Operational | Low: Deloitte is committed to making an impact that matters on our clients and society | Pages 18-19, 155-156 |
| Failure to establish, embed and sustain a Purpose driven culture. | Strategic, Operational | Low: Deloitte is committed to our Purpose | Pages 10-14 |
| Failure to attract, develop and retain high-performing and diverse professionals and world-class leaders; failure to deliver the resource models of the future. | Operational, Financial | Low: Deloitte is committed to employing top class personnel through agile talent models. | Pages 138-144 |

*The risks in the table above can be categorised in more than one of the four impact areas that we identify (see the above risk radar). For the sake of simplicity, we have placed them in the category that we deem to be most appropriate.

**Risk appetite is operationally translated in our Risk Mitigation & Assurance map to monitor exposure and act if needed.

A fraud risk assessment is an integral part of the assessment of the risks and the control environment. Key areas covered by these controls are related to revenue recognition, financial reporting, bank transactions and management override of controls. The tone at the top encourages an ethical culture. Fraud and anti-corruption are an essential part of the learning curriculum of all partners and employees.

In control

Our ERF helps us to maintain control, have the right information available, comply with applicable laws and regulations, and meet our own high-quality standards. Based on the entire system of quality controls, our Executive Board is able to state that:

  1. The report provides sufficient insights into the effectiveness of the internal risk management and control systems;

  2. The aforementioned systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies;

  3. Based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis; and

  4. The report outlines the material risks and uncertainties that are relevant to the expectation of the company’s continuity for the period of twelve months after its preparation.