Our principal risks
Managing risk is a strategic priority for PwC. Delivering high quality work clearly benefits our clients, but it’s also critical to ensuring we minimise risk to the firm. So risk management and high quality work go hand in hand.
The Executive Board takes overall responsibility for establishing systems of internal control and for reviewing and evaluating their effectiveness and we have a Risk Council which reviews our risks and approach to risk management regularly. We have risk and quality teams working across our business, guiding our people so that a culture of risk awareness and quality focus is firmly embedded throughout PwC.
Below, you can explore the risks faced by our business and the steps we’re taking to mitigate them. We’re very focused on the risks to our reputation, information security, independence and regulatory compliance, many of which we also measure and share with our stakeholders through our sustainability scorecard.
Risk: Significant quality failure in the Group or the PwC network due to either engaging with an inappropriate client or inadequate delivery of services leading to a potential service failing, litigation and/or regulatory action.
Response: Our internal quality management systems, which are designed to maintain and enhance quality, include:
- Recruitment standards and staff development procedures.
- Client engagement and acceptance processes.
- Client engagement standards supported by methodologies and tools.
- Quality reviews of PwC network firms.
- Monitoring and review of key performance indicators by the Executive Board.
Instability caused by the result of the EU referendum
Risk: Uncertainty faced by our clients and our people as the economic, legal and regulatory implications of exit from the European Union become clearer.
Response:
- The Executive Board will regularly review the impacts of uncertainty on the business and take appropriate action.
- Work with our clients closely to help them adapt to, and thrive in, the new environment.
- Provide support and practical advice to European Economic Area (EEA) staff working in the UK and UK staff on overseas assignments in the EEA.
People and talent
Risk: Failure to fully engage with and support our people, impacting our ability to attract, develop and retain the best talent and provide quality services.
Response:
- Regular reviews of the market for students and experienced talent to understand the firm’s relative competitive position, ensuring agile management of resources.
- Use of various communication and discussion channels to engage with our people.
- Monitoring and review of key performance indicators by the Executive Board, including staff surveys, external Brand Health Index and regular client feedback.
- Appointment of external Wellbeing advisors, an internal Mental Health leader and champions as part of an overall wellbeing programme.
Risk: Failure to manage risks created by new business and other innovations in service delivery.
Response:
- Firmwide process for reviewing new business so that relevant risks are identified promptly and addressed.
Risk: Failure to use advanced technology to underpin new business models and cost structures for existing services.
Response:
- Significant investment in new and innovative technology solutions for existing services.
- Commitment to new platforms to allow efficient delivery of quality services.
Public perception and reputation
Risk: Failure to respond in a transparent manner to issues raised by the 'public interest' debates.
Response:
- Embedding a culture of 'doing the right thing' for our people, our clients and our communities, as a matter of strategic intent.
- Open and active engagement in serious debate with relevant stakeholder groups on trust-related and public interest issues to inspire change.
- Sharing of knowledge and insights on trust to sustain, widen and enrich the discussion.
Independence and regulatory requirements
Risk: Failure to comply with relevant independence, legal, ethical, regulatory or professional requirements.
Response: Established compliance and independence management systems including:
- Clear policies, procedures and guidance.
- Mandatory annual training for all partners and staff.
- Client and engagement acceptance procedures.
- Annual independence and compliance submissions for all partners and staff enforced by penalties for non-compliance.
- Regular monitoring and reporting to the Executive Board.
Risk: Failure to safeguard confidential information.
Response:
- Cyber Security Committee, chaired by a member of the Executive Board, which provides overall strategic direction, framework and policies for information security.
- The firm operates an ISO/IEC 27001:2013 certified information security management system which includes:
  - Governance and policies for client data and other information.
  - Physical, technical and human resource controls.
  - Incident response capability.
  - Regular monitoring and independent review systems.
- Continual investment in established cyber security controls.
Risk: Failure to manage effectively the impact of changes in the multiple regulatory regimes, both UK and non-UK, under which the Group operates.
Response:
- Regulatory affairs team which leads the firm’s efforts to track all changes in applicable regulatory regimes, of whatever origin, under which the UK firm operates.
- Regular updating of firm processes and procedures to ensure compliance by all our people, on all our clients, with all applicable regulations.
- Regular direct interaction, where possible, with applicable regulators to understand detailed provisions of changes and the implications for our businesses.
- Regular/continuous monitoring of the cumulative impact of changes in the regulatory environment on the firm’s ability to provide services to audit clients.
Risk: Failure to appropriately manage client assets, including major client administrations.
Response: Well-established procedures for dealing with client assets and related matters including:
- Portfolio diversification policy.
- Daily monitoring of credit and related ratings and maturities.
- Internal controls and procedures.
- Monitoring and independent review.
- A Treasury Committee which receives regular updates on the above.
Risk: Failure to safeguard the physical security of all our people wherever deployed on the Group’s business including within our own premises in the UK.
Response:
- Firmwide travel policy and processes for all our people, incorporating 24/7 tracking and, where appropriate, consultation with a dedicated security team.
- Comprehensive security infrastructure covering all our premises.
- Continuous monitoring of threat levels and issues in overseas travel destinations, and potential threats to our premises.
Strategic change portfolio
Risk: Failure to manage the changes implicit in the UK's strategic change portfolio.
Response: Built into the strategic change portfolio programme:
- The need for careful sequencing, especially where automation may change the end result.
- The potential need for additional dedicated resources to ensure delivery does not impact business as usual.