Our principal risks
Managing risk is a clear strategic priority for the Management Board and senior management of the firm.
We have a clear business strategy. In implementing this strategy it is vital that we also manage the risks associated with it. As a result we have a defined process for assessing, monitoring and controlling risk.
The Management Board takes overall responsibility for establishing systems of internal control and for reviewing and evaluating their effectiveness. The day-to-day responsibility for implementation of these systems and for ongoing monitoring of risk and the effectiveness of controls rests with senior management.
The systems, which have been in place throughout the financial year and up to the date of approval of these financial statements, include the following:
- The Risk Council, which comprises senior management reporting to the Executive Board, is responsible for making sure that the controls are in place to identify, evaluate and manage risk.
- Our lines of service and our internal firm services, which document risks and the responses to them, carry out risk assessments annually and report to the Risk Council on how effectively they have managed risk during the year.
- Periodic reviews of performance and quality are carried out independently by the PwC network.
- Our internal audit team reviews the effectiveness of the financial and operational systems and controls throughout the Group and reports to the Executive Board and the Audit and Risk Committee.
- Our risk and quality functions oversee our professional services risk management systems and report to the Executive Board.
We take client acceptance procedures extremely seriously and we do not automatically take on new client engagements or new work for existing clients. Understanding properly both who we are working with and the nature of the work requested is central to protecting our reputation for quality.
We have procedures to assess the risks associated with new clients. We seek to serve only those clients we are competent to serve, who value our service and who meet appropriate standards of legitimacy and integrity. We also establish up front whether we are able to comply with independence requirements and to address any potential conflicts of interest. In addition, we conduct annual risk reviews of all audit clients.
Internal control assessment
Our internal control systems are designed to manage, rather than eliminate, the risk of failure to achieve business objectives or, in the case of financial controls, the risk of material misstatement in our financial statements. Accordingly, they provide reasonable, but not absolute assurance against such failure or material misstatement.
The Executive Board has reviewed the systems of internal control in operation during the year and is satisfied with their effectiveness.
Regulatory change including regulatory threats to business model
Risk: Failure to manage effectively the impact of changes in the multiple regulatory regimes, both UK and non-UK, under which the UK firm operates. Risks posed to the existing multidisciplinary business model may impact the sustainability of the audit practice within the UK.
- Regular engagement and direct interaction, where possible, with governmental bodies and regulators to understand objectives and provisions of changes and the implications for our businesses.
- Regular/continuous monitoring of the cumulative impact of changes in the regulatory environment on the firm’s ability to provide services to audit clients.
- Regulatory affairs specialists who lead the firm’s efforts to track all changes in applicable regulatory regimes, of whatever origin, under which the UK firm operates.
- Regular updating of firm processes and procedures to ensure compliance by all our people, on all our clients, with all applicable regulations.
Quality (audit and non-audit)
Risk: Significant quality failure in the UK firm or the PwC network due to either engaging with an inappropriate client or inadequate delivery of services leading to a potential service failing, litigation and/or regulatory action.
Response: Our internal quality management systems, which are designed to maintain and enhance quality, include:
- Recruitment standards and staff development procedures.
- Client engagement and acceptance processes.
- Client engagement standards supported by methodologies and tools.
- Quality reviews of PwC network firms, including the UK firm.
- Monitoring and review of key performance indicators by the Executive Board.
People and talent
Risk: Failure to attract, develop and retain key talent.
- Regular reviews of the market for student and experienced talent to understand the firm’s relative competitive position, ensuring agile management of resources.
- Use of various communication and discussion channels to engage with our people.
- Continued practical focus on building people engagement and supporting retention.
- Monitoring and review of key performance indicators by the Executive Board, including staff surveys, the external Brand Health Index and regular client feedback.
- Appointment of external Wellbeing advisors and internal Mental Health champions as part of an overall wellbeing programme.
Public perception and reputation
Risk: Failure to respond in an impactful and transparent manner to issues raised by the current environment, including adverse media coverage which impacts the firm’s reputation.
- Embedding a culture of 'doing the right thing' for our people, our clients and our communities, as a matter of strategic intent.
- Engaging more fully in open and serious debate with relevant stakeholder groups on trust-related and public interest issues to inspire change.
- Sharing of knowledge and insights on trust to sustain, widen and enrich the discussion.
- More actively promoting the firm’s positive contributions, including those to our clients, to broader society and as a significant employer.
Risk: Failure to comply with relevant independence, legal, regulatory or professional requirements leading to regulatory action and/or a client conflict of interest.
Response: Established compliance and independence management systems including:
- Clear policies, procedures and guidance.
- Mandatory annual training for all partners and staff.
- Client and engagement acceptance procedures.
- Annual independence and compliance submissions for all partners and staff, enforced by penalties for non-compliance.
- Regular monitoring and reporting to the Executive Board.
Instability and uncertainty caused by Brexit negotiations
Risk: Uncertainty faced by our clients and our people as the economic, legal and regulatory implications of exit from the European Union become clearer.
- The Executive Board, supported by the Brexit Steering Committee, will manage the impacts based on contingency planning undertaken pre-referendum.
- We work closely with our clients to help them adapt to, and thrive in, the new environment.
- We provide support and practical advice to European Economic Area (EEA) staff working in the UK and UK staff on overseas assignments in the EEA.
Information and Cyber Security
Risk: Non-protection, loss, theft or misuse of client (or the firm’s) confidential data. This risk encompasses electronic and hard copy documents, including off-shored or outsourced repositories, disclosure within social media and direct cyber-security threats.
- Information Protection Governance Group, chaired by a member of the Executive Board, which provides overall strategic direction, framework and policies for information security.
- The firm operates an ISO/IEC 27001:2013 certified information security management system which includes:
  - Governance, including policies, processes, leadership (Cyber Committee) and assessment for client data and other information.
  - Physical, technical and human resource controls.
  - Incident response capability.
  - Regular monitoring and independent review systems.
  - Continual investment in established cybersecurity controls.
Criticality of IT to service delivery
Risk: Being unable to perform or deliver assignments due to outages or failures in applications and/or the general IT environment.
- Recovery of critical systems is assured by use of two geographically distant data centres. Failed systems are reinstated at the second data centre, in line with Business Impact Analysis priorities.
- Continuing programme of testing provides indicators of assurance of our ability to rebuild systems from backups.
- IT Incident management procedures identify key systems to determine the real time criticality of impacted systems to ensure appropriate prioritisation of actions.
- Review of business critical systems.
Risk: Failure to appropriately manage client assets, including major client administrations.
Response: Well-established procedures for dealing with client assets and related matters including:
- Portfolio diversification policy.
- Daily monitoring of credit and related ratings and maturities.
- Internal controls and procedures.
- Monitoring and independent review.
- A Treasury Committee which receives regular updates on the above.
New business models and technology
Risk: Failure to manage adequately the risks created by new businesses, most of which are technology dependent. These include failure of new technology, creation of unexpected issues, threats to established business approaches and services, or generation of significant independence issues.
- Firmwide process for reviewing new business so that relevant risks are identified promptly and addressed.
- Internal focus on relevant on-boarding and operating processes and procedures.
Technological change and relevance
Risk: Reduced relevance of current product offerings and solutions due to new or advanced technology underpinning new business models and cost structures, under-investment in new and advanced technology, or inadequate response to non-traditional disruption.
- Significant investment in new and innovative digitising technology solutions for existing services.
- Commitment to new platforms to allow efficient delivery of quality services.
Risk: Failure to secure the physical security of all our people wherever deployed on the firm’s business including within our own premises in the UK.
- Firmwide travel policy and processes for all our people, incorporating 24/7 tracking and, where appropriate, consultation with a dedicated security team.
- Comprehensive security infrastructure covering all our premises.
- Continuous monitoring of threat levels and issues in overseas travel destinations, and potential threats to our premises.
Litigation and regulatory sanction
Risk: Risks related to significant commercial litigation or regulatory sanction, regulatory investigation or other sensitive situation, including financial, commercial and reputational impact.
- In-house legal team with specialised resources in litigation, contract law, regulation, data privacy, compliance, sanctions and technology.
- Development of efficient discovery processes using e-Discovery tools.
- Incident management protocols across all areas to allow rapid deployment of specialist resources.