Managing risk

We use an Enterprise Risk Management (ERM) framework to identify risks. Where possible, we take measures to prevent or mitigate these risks. Ultimately, risk management is the responsibility of our Board of Management. Twice a year, as part of our approach, we assess the effectiveness of internal controls and risk-mitigation measures.

Risk philosophy

Our business is based on trust – we realize that any loss of this trust could adversely affect our social and market position. Some risks are inherent to our business: we operate in an increasingly complex and competitive environment. Through risk management, our objective is to ensure the long-term security of our business. We do not engage in business activities that would compromise our quality or ethical standards.

Risk appetite

We will accept some net risk[1], but only if this risk:

  • Is in line with our strategic objectives and contributes responsibly to achieving them

  • Does not violate our core values or quality standards

As a matter of principle, we will not take on any net risk that promotes revenue growth at the expense of our sustainability principles or standards. Given the importance of trust to our business, we have a relatively low risk appetite for decisions that may affect public trust. For decisions related to growth, our appetite is moderately higher than for those potentially affecting trust.

Financial and strategic risks

In the course of our business, we face both financial and strategic risks. Generally, financial risks fall into four main categories: credit risk, liquidity risk, market risk and risk associated with financial instruments. Strategic risks vary from non-compliance with rules and regulations to a loss of public trust or a failure in innovation or talent management. We carry out an annual assessment of strategic risks, based on detailed discussions with the Board of Management and other business leaders. See our Consolidated financial statements for further disclosures on financial risk and Management of our material topics for how we manage risks and opportunities arising from our material topics.

Financial risks

Financial instruments

We use financial instruments in the normal course of our business. These instruments include share capital, and receivables from and liabilities to (former) equity partners.

Credit risk

This relates to potential losses if a client or counterparty defaults:

We constantly monitor our exposure in this area. Clients’ creditworthiness is routinely checked for transactions above a certain amount. All cash is deposited at banks with a minimum BBB credit rating. Our risk is also diversified, given the limited number of clients that may owe amounts at any given time.

Liquidity risk

This relates to the firm being unable to meet financial commitments because of a lack of available liquidity:

Our aim is to ensure, as far as possible, that there are always liquid funds available. This avoids financial loss and damage to the firm’s reputation. Surplus funds are deposited in business savings accounts or held aside for specific periods.

Market risk

This relates to changes in market prices adversely affecting income or asset values:

We aim to keep market risks within acceptable limits (while maximizing income). Changes in exchange and interest rates, if persistent, will have an impact on the firm’s profits.

Strategic risks

For each strategic risk, the potential impact and the mitigation measures taken are listed below.

Failure to comply with quality or professional standards

Potential impact:

  • Loss of audit clients due to reputation damage

  • Attracting new talent into the firm becomes harder

  • Possible regulatory fine(s) or even temporary or permanent loss of audit license

  • Additional litigation or claims by clients

Mitigation measures taken:

  • Increased ‘steering on quality’ monitoring by members of Board of Management

  • Continuous quality improvement programs, based on root cause analysis

  • Maintaining robust quality management system

  • Rigorous client and engagement acceptance procedures

  • Implementation of clear standards and robust audit methodology

  • Engagement quality control reviews, where appropriate

Unfavorable or hostile media coverage, or incidents damaging firm’s business or reputation

Potential impact:

  • Damage to firm’s reputation, resulting in loss of major clients or inability to attract talent

  • Possible regulatory sanctions

  • Loss of public trust and long-term social license to operate

  • Increased risk of litigation

Mitigation measures taken:

  • Independent Supervisory Board

  • Active dialogue with stakeholders

  • Procedures to ensure effective issue management between Brand & Reputation, Quality & Risk, Management and Legal departments

  • Contingency programs to manage impact of incidents on firm’s reputation

Failure to meet regulators’ expectations or correct non-compliance with laws or regulations

Potential impact:

  • Loss of public trust and weakening in license to operate

  • Reputation damage as a result of negative press publicity

  • Inability to attract talent and possible loss of major audit clients

  • Possible regulatory sanctions

Mitigation measures taken:

  • Specific roles with responsibility for maintaining dialogue with regulators

  • Implementation of clear framework to manage regulatory issues and expectations

  • ‘Qualified individuals’ appointed to leadership positions

  • Regulatory findings shared with senior management

  • Policies, procedures and controls in place to reduce risk of non-compliance

Failure to create effective corporate culture or unwillingness to improve weak performance in critical areas

Potential impact:

  • Reduced morale among partners and other staff

  • Loss of talent leading to service delivery problems and a reduction in quality

  • Loss of revenue opportunities from engagements

  • Loss of reputation in wider industry as an ‘employer of choice’

  • Increased risk of quality loss and non-compliance

  • Failure to adhere to Code of Conduct and corporate values

Mitigation measures taken:

  • ‘Tone at the top’, emphasizing importance of quality, ethics and integrity

  • Internal controls governing recruitment, personal development and assignments

  • ‘Closed-loop’ approach to address feedback from people surveys

  • ‘People’ managers embedded in the firm’s senior leadership

  • Regular roadshows to share experience and success stories

  • KPMG Story, encompassing the group’s purpose, values, vision, strategy and promise

Breaches of privacy, loss of data or other technology risk

Potential impact:

  • Possible loss of service delivery

  • Reputation damage and possible loss of clients

  • Potential litigation or regulatory sanctions (including fines)

Mitigation measures taken:

  • Robust IT security policies and processes

  • ISO 27001 accreditation for cyber security management

  • Ongoing training and awareness campaigns

  • Business continuity management

Failure to adapt business model to client demand, strategy, ESG or brand positioning

Potential impact:

  • Inability to develop, maintain or monetize high quality assets and services

  • Loss of reputation and/or major clients

  • Increased risk of litigation

Mitigation measures taken:

  • Clear client and engagement acceptance procedures (including proprietary systems for checking for conflicts of interest)

  • Detailed policies and procedures governing auditor independence

  • Strict approval process for products and services

  • Continuous review of firm’s business model (as it relates to strategy)

  • Code of Conduct, corporate values, compliance programs and whistle-blower hotline

  • Procedures for reporting money laundering

Failure to respond to economic changes or increased competition from new business models

Potential impact:

  • Failure to capitalize on growth opportunities, resulting in loss of revenue

  • Failure to allocate resources to areas of higher demand (leading to rising costs elsewhere in the business)

  • Inability to allocate human resources effectively, resulting in possible loss of quality

  • Audit-only firms challenging KPMG’s multi-disciplinary business model

  • Further prohibition or restrictions on professional services

Mitigation measures taken:

  • Constant monitoring of resource availability

  • Clear career paths and development plans for partners

  • Partner succession planning

  • Global mobility program (for those employees wishing to work in other countries)

  • Clear client and engagement acceptance procedures

  • Centralized innovation program

  • Structured dialogue with regulators

  • Robust contingency planning

Failure to attract and retain talent because of high work volumes, uncompetitive pay or lack of career opportunities

Potential impact:

  • Disengaged staff, leading to possible problems with service delivery and quality

  • Loss of reputation with clients and/or position as employer of choice

  • Loss of talented employees, leading to possible problems with service delivery and quality

  • Lower productivity

  • Failure to adhere to Code of Conduct and corporate values

  • Succession planning ‘fails’

  • Loss of revenue opportunities from engagements

Mitigation measures taken:

  • KPMG Story, encompassing the group’s purpose, values, vision, strategy and promise

  • ‘People’ managers embedded in the firm’s senior leadership

  • Extensive performance, pay, promotions and benchmarking processes

  • Continuous review of global performance management and development programs

  • ‘Closed-loop’ approach to address feedback from people surveys

  • Defined career paths, development framework and health and well-being programs

  • Succession planning for partners and leadership development

  • Inclusion, Diversity and Equity program, supported by dedicated task force

Failure to implement Trust & Growth strategy in line with business planning

Potential impact:

  • Loss of reputation as an ‘employer of choice’

  • Failure to achieve stated objectives, goals or ambitions

  • Reduced morale among partners and other professionals

Mitigation measures taken:

  • Central project management office

  • Clear governance procedures and independent Supervisory Board

  • Cascading strategic key performance indicators to individual professionals

  • Constant monitoring of progress/business planning against strategic priorities

Fraud risk assessment

We estimate our fraud risk as relatively low, because preventing and detecting fraud is an inherent part of our business. We also know, from our risk assessment, that fraud risk may be detected because of its potentially significant impact on other strategic and financial risks. Even so, we recognize that fraud risk is structurally present in our business, and we implement a range of measures to mitigate it. Essentially, these measures consist of clear core values, policies, procedures, training, monitoring and reporting. In recent years, we have found these measures to be effective in reducing net risk to an acceptable level.

[1] i.e., the risk remaining after mitigation measures have been taken