Risk management

In today’s increasingly complex external landscape, characterised by geopolitical tensions, economic volatility, the growth of AI and evolving regulatory requirements, alongside internal decision-making, the necessity for a robust and comprehensive risk management framework has never been more critical. The multifaceted nature of these challenges demands that we remain vigilant and adaptive to safeguard our interests and ensure long-term sustainability.

To navigate this complexity effectively, we updated our Enterprise Risk Framework and have further enhanced our Risk Mitigation & Assurance Map, an overarching framework that encapsulates our most prominent risk mitigating strategies and practices. This map serves as a vital tool, guiding our approach to identifying, assessing, and managing the risks that could potentially impact our operations and strategic objectives.

Our risk management capability is designed to be forward-looking, fuelled by a growing ‘expect the unexpected’ mindset in our risk community. This proactive stance ensures that we are prepared to act on emerging risks and seize opportunities that may arise in an ever-changing environment.

In addition, we place significant emphasis on our crisis management and Business Continuity Management System (BCMS) capabilities. This capability is crucial in equipping us to respond effectively to unforeseen events, thereby minimising the potential impact of disruptions and ensuring the continuity of our services. As we continue to refine our risk management practices, we remain committed to fostering resilience and delivering value to our stakeholders, even in the face of uncertainty. Our focus on and dedication to business continuity management is proven by the extension of our ISO 22301 certification in late 2024.

Governance

Risk governance is deeply integrated within our overall governance framework, reflecting the complexities of the current external and internal environment. The primary responsibility for identifying and managing risks lies with line management, the Executive Committee, and ultimately, the Executive Board, under the oversight of our Supervisory Board.

Designated risk owners are tasked with implementing comprehensive risk mitigation plans and are required to report periodically on the progress of these activities. The RRL, who reports directly to the CQRO, holds day-to-day responsibility for the overarching quality control system for Risk Management and Reporting. In this capacity, the RRL oversees the Enterprise Risk Framework and associated risk and control systems, facilitating regular meetings with individual risk owners to review and discuss mitigation strategies.

Annually, the Executive Board appraises the performance of the risk and control system, affirming its overall accountability for its effectiveness through an internal in-control statement. To support this evaluation, the Board gathers insights from line management, the RRL, and the internal auditor, who reviews the critical components of the risk and control system. Furthermore, the Executive Board considers the findings and reports from the external auditor concerning the efficiency of internal controls as part of their annual audit engagement.

Activities in 2024/2025

We initiated a full update of our Enterprise Risk Framework in which we agreed to enhance the level of detail anticipating the introduction of the Statement on Risk Management (Verklaring omtrent Risicobeheersing or VOR) in the Dutch Corporate Governance Code. This increased level of detail consists of an enhanced understanding of key risks, our risk appetite, and a more in-depth view on roles and responsibilities for key controls.

This work enables us to further enrich our overarching Risk Mitigation and Assurance Map, based on which we will periodically challenge the key control owners on the operating effectiveness of these key controls. We intend to roll out the resulting changes early in Financial Year 2025/2026.

Within our Enterprise Risk Framework, we traditionally have a Conduct & Ethics priority business risk focused on conduct and behaviour within our organisation. As an outcome of our learning investigation, we are looking to better integrate cultural and behavioural aspects into all our priority business risks in the coming year.

Another initiative in 2024/2025 is the enhancement of our risk management governance through the establishment of the Reputation & Risk Executive. This executive, which convenes monthly, is designed to further enhance our proactive approach to risk management.

The Reputation & Risk Executive focuses on monitoring risk trends and themes through a combination of signals from within our organisation, a comprehensive data analysis (key risk indicators) and horizon scanning.

In addition, the Executive closely monitors the operating effectiveness of the key risk controls.

Priority Business Risks

We continually update and reassess our Priority Business Risks and use input from both DTTL and NSE to challenge our thinking. The latest reassessment was in the context of our Strategy 2027, changes in market conditions and learnings from recent investigations, including our learning investigation. Resulting from the periodic reassessment, we have agreed on priority business risks and opportunities related to our strategy (see the risk radar below). The current exposure (or residual risk) is the likelihood of a risk materialising and its expected impact, given our current ability to mitigate that risk. It is assessed on a scale of ‘medium’ (green) to ‘very high’ (red), taking both residual impact and residual likelihood into account.

The current ‘top of mind’ themes, e.g. economic and geopolitical unpredictability including subsequent growth outlook, the exponential growth of Gen-AI, the volume and pace of internal change and conduct, are integrated in our priority business risks in the risk radar. Most of the risks in which the themes have been integrated have the highest exposure.

In the following table, the risks assessed with a high-risk rating are shown. The risks associated with the employment of financial instruments are described in note 5 of the Financial statements.

| Risk | Risk description | Risk area* | Risk appetite** | Mitigating measures |
|---|---|---|---|---|
| Ability to adapt and deliver future changes | Failure to adapt and deliver our transformation agenda | Strategic, Operational | Medium: Deloitte is committed to successfully delivering transformation | Pages 6-8, 10-12, 22-26 |
| Advisory delivery & risk management | Failure to prevent systemic or major failure of advisory quality | Strategic, Operational | Low: Deloitte is committed to high-quality execution | Pages 170-173 |
| Conduct & Ethics | Failure to establish, embed and sustain an inclusive and ethical culture | Strategic, Operational | Low: Deloitte is committed to our shared values and strives to limit ethical breaches | Pages 173-180 |
| Confidentiality, privacy & security | Failure to manage data security and privacy | Operational, Laws & regulations | Low: Deloitte is committed to preventing, being prepared for and responding to breaches and data loss in a timely fashion | Pages 178-180 |
| Economic, geopolitical and competitor moves | Failure to anticipate, adapt to and respond to changes in the economic, geopolitical and competitor landscape | Strategic, Operational, Financial | Medium: Deloitte is committed to (pro-)actively responding to economic, geopolitical and competitor-driven changes | Pages 6-8, 10-12 |
| Gen AI and digital transformation | Failure to successfully execute the digital (incl. AI) transformation | Strategic, Operational | Medium: Deloitte is committed to embedding AI and new technologies in internal operations and external service delivery | Pages 6-8, 10-12, 22-26 |
| Our role & future public-interest impact | Failure to anticipate, adapt to and respond to external scrutiny, criticism and regulation | Strategic, Operational | Low: Deloitte is committed to making an impact that matters on our clients and society | Pages 15-16, 170-173 |
| People & Culture | Failure to attract, develop and retain high-performing and diverse professionals and world-class leaders | Operational, Financial | Low: Deloitte is committed to employing top-class personnel through agile talent models | Pages 143-160 |

*The risks in the table above can be categorised into more than one of the four impact areas that we identify (see the above risk radar). For the sake of simplicity, we have placed each in the category that we deem most appropriate.

**Risk appetite is operationally translated into our Risk Mitigation & Assurance Map to monitor exposure and act if needed.

Our Enterprise Risk Framework (ERF) helps us to maintain control, have the right information available, comply with applicable laws and regulations, and meet our own high-quality standards. Based on the entire system of quality controls, our Executive Board is able to state that:

In control statement for financial reporting

    1. The report provides sufficient insights into the effectiveness of the internal risk management and control systems for financial reporting;

    2. The aforementioned systems provide reasonable assurance that the financial reporting does not contain any material inaccuracies;

    3. Based on the current state of affairs, it is justified that the financial reporting is prepared on a going concern basis; and

    4. The report outlines the material risks and uncertainties that are relevant to the expectation of the company’s continuity for the period of twelve months after its preparation.