
Risk management

In an ever-changing world, effective risk management is essential for ensuring the continuity and success of our organisation. At Deloitte, risk management is embedded across all layers of our operations. In this section of our Integrated Annual Report, we present our Risk Mitigation & Assurance Map, a comprehensive framework that systematically brings together all our key risk management frameworks.

This Risk Mitigation & Assurance Map is designed not only to identify, assess, and mitigate various risks but also to ensure continuous improvement of our risk management activities. Through this integrated approach, we can proactively address potential challenges and opportunities in the internal and external environment, contributing to the protection and enhancement of our value to stakeholders.

Our internal financial control framework is one of our key risk management frameworks. Amid the current economic headwinds, driven by, among other factors, geopolitical tensions across the globe, our internal financial control framework played a pivotal role in navigating through challenging times, ensuring the resilience and stability of our organisation. This comprehensive framework is designed to monitor our financial activities and safeguard our assets, enabling us to maintain financial integrity and operational efficiency amidst market volatility.


At the core of our financial control framework are robust risk assessment and management processes that help identify potential financial risks early. By doing so, we have been able to proactively formulate and implement risk mitigation strategies that are crucial in times of economic uncertainty. Our framework includes stringent controls over financial reporting, budgeting, and expense management, which ensure that our financial resources are used effectively and aligned with our strategic objectives.

Another key risk management framework is our overarching enterprise risk framework. As Deloitte embraces transformative strategic initiatives such as modernising our common storefront (see page 6), establishing trade corridors, and enhancing North-South-East (NSE) integration, robust risk management remains pivotal. These strategic manoeuvres introduce varied risks, including employee engagement, service delivery quality, public interest risks and regulatory complexities. To navigate these challenges, Deloitte relies on its comprehensive enterprise risk framework that ensures operational resilience, compliance with international regulations, and the maintenance of high standards in client service and corporate governance. Our (pro-)active approach in identifying and mitigating potential risks not only safeguards but also enhances the firm's value and reputation.

If we are confronted with unforeseen events, we are able to rely on a robust business continuity management system. Our focus on and dedication to business continuity management are proven by the extension of our ISO 22301 certification.

Risk governance remains embedded in our overall governance structure. The primary responsibility for identifying and managing risks, both internal and external, resides with line management, the Executive Committee and ultimately the Executive Board, with oversight from our Supervisory Board. Twice a year the updated NSE ERF is the basis for the refresh of the NL risk profile.

In late May 2024, the NL risk profile was updated by our CQO and Risk & Reputation Leader (RRL) by assessing the impact of trends & themes, both internal and external, on our risk exposure. The updated risk profile coming out of this exercise will be discussed with our Executive Board and Supervisory Board in the first months of Financial Year 2024/2025.

Relevant risk owners are responsible for implementing robust risk mitigating plans and periodically report on the progress of risk mitigating activities. The RRL, who reports to the CQO, has day-to-day responsibility for the overall system of quality control for Risk Management and Reporting. As part of this responsibility the RRL oversees the Enterprise Risk Framework and corresponding risk and control systems through, among other measures, periodic meetings with the individual risk owners to discuss and review mitigations.


On an annual basis, the Executive Board evaluates the performance of, and acknowledges its overall accountability for, the effectiveness of the risk and control system through an internal in-control statement. To substantiate the evaluation, the Board obtains input from line management, the RRL and the internal auditor, who assesses the key elements of the risk and control system. The Executive Board also considers the findings and reporting of the external auditor on the functioning of internal controls as part of their annual audit engagement.

During 2023, we created a more forward-looking approach to risks which could impact the reputation of Deloitte NL by bringing together the expertise of a representative and diverse group of subject matter experts from different enabling areas, leveraging various sensing capabilities and ongoing research related to horizon risks, via a consistent and repeatable process.


Scenarios for potential threats on the risk horizon were reported to a Horizon Scanning Lab with senior partners and relevant subject matter experts. In this Lab our risk appetite and potential for additional risk mitigating strategies were discussed. The output of this Lab was used to enrich the enterprise risk framework and to inform a range of teams across Deloitte NL.

The reputational risk of failing to achieve our net zero targets for climate change has been a relatively new priority business risk with a very high exposure. Other risk dimensions of climate change are described in the Climate and CO2 chapter on pages 136-146.

Priority Business Risks

The risk universe of DTTL Global Risk contains all relevant risks for a company like ours. The DTTL risk universe is periodically complemented with topics that arise from dialogues with our leadership and risk owners and with trends and themes coming out of our refreshed horizon scanning capability. This holistic risk overview is input for the periodic re-assessment of our risk profile, in the context of our Strategy 2027 and our risk appetite. Resulting from the periodic re-assessment, we have agreed on priority business risks and opportunities related to our strategy (see the risk radar below). The current exposure (or residual risk) is the likelihood of a risk materialising, and its impact given our current ability to mitigate that risk. It is assessed on a scale of ‘medium’ (green) to ‘very high’ (red) taking both residual impact and residual likelihood into account.

The current ‘top of mind’ themes (e.g. our learning culture, economic and geopolitical challenges including subsequent growth outlook, increasing societal polarisation, Gen-AI, the volume of change and public interest) are integrated in our priority business risks in the risk radar. Most of the risks in which the themes have been integrated have the highest exposure.

In the following table, the risks assessed with a high risk rating are shown. The risks associated with the employment of financial instruments are described in note 5 of the Financial statements.

| Risk | Risk description | Risk area* | Risk appetite** | Mitigating measures |
| --- | --- | --- | --- | --- |
| Audit quality | Failure to prevent systemic or major failure of audit quality. | Strategic, Laws & regulations, Financial | Low: Deloitte is committed to high quality execution | Pages 178-181 |
| Advisory delivery & risk management | Failure to prevent systemic or major failure of advisory quality. | Strategic, Operational | Low: Deloitte is committed to high quality execution | Pages 178-181 |
| Conduct & Ethics | Failure to establish, embed and sustain an inclusive and ethical culture. | Strategic, Operational | Low: Deloitte is committed to our shared values and strives to limit ethical breaches | Pages 181-184 |
| Confidentiality, privacy & security | Failure to manage data security and privacy. | Operational, Laws & regulations | Low: Deloitte is committed to preventing, being prepared for and responding to breaches and data loss in a timely fashion | Pages 184-186 |
| Economic, geopolitical and competitor shifts | Failure to anticipate, adapt to and respond to changes in the economic-, geopolitical- and competitor- landscape | Strategic, Operational, Financial | Medium: Deloitte is committed to (pro-)actively respond to economic-, geopolitical- and competitor driven changes | Pages 10-14 |
| Our reputation, role & future public-interest impact | Failure to anticipate, adapt to and respond to external scrutiny, criticism and regulation. | Strategic, Operational | Low: Deloitte is committed to making an impact that matters on our clients and society | Pages 18-19, 178-181 |
| Purpose | Failure to establish, embed and sustain a Purpose driven culture. | Strategic, Operational | Low: Deloitte is committed to our Purpose | Pages 10-14 |
| People & culture | Failure to attract, develop and retain high-performing and diverse professionals and world-class leaders; failure to deliver the resource models of the future. | Operational, Financial | Low: Deloitte is committed to employing top class personnel through agile talent models. | Pages 157-171 |

*The risks in the table above can be categorised in more than one of the four impact areas that we identify (see the above risk radar). For the sake of simplicity, we have placed them in the category that we deem to be most appropriate.

**Risk appetite is operationally translated in our Risk Mitigation & Assurance map to monitor exposure and act if needed.

A fraud risk assessment is an integral part of the assessment of the risks and the control environment. Key areas covered by these controls are related to revenue recognition, financial reporting, bank transactions and management override of controls. The tone at the top encourages an ethical culture. Fraud and anti-corruption are an essential part of the learning curriculum of all partners and employees.

In-control statement

Our ERF helps us to maintain control, have the right information available, comply with applicable laws and regulations, and meet our own high-quality standards. Based on the entire system of quality controls, our Executive Board is able to state that:

  1. The report provides sufficient insights into the effectiveness of the internal risk management and control systems;

  2. The aforementioned systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies;

  3. Based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis; and

  4. The report outlines the material risks and uncertainties that are relevant to the expectation of the company’s continuity for the period of twelve months after its preparation.