We use an enterprise risk management (ERM) framework to identify risks. Once risks are identified, we take measures to prevent or mitigate them. Ultimately, risk management is the responsibility of our Board of Management. Twice a year, we review the effectiveness of our internal controls and risk-mitigation measures on an enterprise level. The Board of Management also regularly discusses risk with the Supervisory Board.
Our risk appetite
Our business is based on trust, and we realize that any loss of trust could adversely affect our social or market position. Through risk management, we aim to ensure the long-term security of our business.
We operate in a complex environment. Moreover, some risks are inherent to our business. We will accept some net risk (i.e., the risk remaining after mitigation measures) on the condition that:
it is in line with our overall strategic objectives and contributes responsibly to achieving them, and
it does not violate our core values or quality standards.
As a matter of principle, we will not take on net risk that promotes revenue growth at the expense of our sustainability standards or principles, as defined in Our Impact Plan.
Given the importance of trust to our business, we have a relatively low appetite for risk when it comes to decisions that may affect public trust in KPMG N.V. For decisions relating to growth, our appetite is moderately higher.
Key risks
In the course of our business, we face:
Financial risks, consisting of financial reporting risks and financial position risks.
Financial reporting risks relate to the financial statements containing a material misstatement, due to either fraud or error. Our risk appetite regarding financial reporting is low. We therefore continuously monitor and manage our business through internal processes including monthly financial reporting. We consider this risk to be low; estimates and complex valuations, for example, are used on a very limited basis. Based on the current state of affairs, our financial reporting is prepared on a going-concern basis.
Financial position risks generally fall into one of three main categories: credit risk, liquidity risk, and market risk. Our risk appetite regarding our financial position is low, as these risks could be substantial. We therefore monitor these risks on a monthly basis.
Strategic (including operational and compliance) risks, ranging from non-compliance with laws and regulations to a loss of public trust, breach of privacy, inability to retain and scale resources with the right skillset, or failure to meet stakeholder expectations; for example, regarding the management of ESG topics. We carry out an annual assessment of our strategic risks, updated every six months, based on detailed discussions with our Board of Management and other business leaders. This includes assessment of risks according to impact and percentage likelihood.
See our consolidated financial statements for further disclosures on our financial risks. See our sustainability statement for information on how we manage risks and opportunities arising from our material sustainability topics.
Overview of our financial, strategic, operational, and compliance risks
We have identified nine different enterprise risks for KPMG N.V., set out in this table alongside their potential impact, our risk appetite, and our mitigation measures. We have a higher risk appetite in areas of growth and areas with large external influence.
| Enterprise risk | Risk description | Risk impact | Risk appetite | Mitigating measures |
|---|---|---|---|---|
| Business model and geopolitical events and economic factors | Failure to adapt business to changes resulting from significant regulatory decisions or geopolitical events and economic volatility | Business model, viability as a multidisciplinary firm, ability to deliver certain services, to meet our stakeholders’ expectations, to achieve our objectives and strategic goals in a volatile environment | Medium | |
| Global network collaboration | Inability to make full use of KPMG network collaboration or meet network requirements | Our ability to service and grow our global and strategic accounts, and to sustain our brand and license to operate | Medium | |
| Strategy execution, client and sector focus, and innovation and investments | Failure to successfully execute the firm's business plans, optimize our sector focus and client mix, and execute sustainable innovation and investments in line with our strategy | Our ability to grow our firm and serve our clients, our results if a sector requires specific attention due to market challenges, and our ability to remain competitive, efficient, and relevant for the future needs of our clients and to address technological disruptions in a timely way | Medium | |
| Relevance and reputation | Failure to address and respond to media and society, including reputation and social issue management | Our brand, position in the market, and reputation with key stakeholders | Low | |
| | Inability to consistently demonstrate compliance with applicable laws and regulations and inability to establish effective governance, systems, and controls for adhering to the firm’s values, policies, standards and requirements, including professional, ethical and independence requirements | Our ability to effectively identify and manage key risks, detect and prevent non-compliance, fraud, regulatory sanctions, practice restrictions, other legal and financial liability exposure, and to strengthen public trust | Low | |
| Culture, values, and well-being | Failure to create a culture and people environment that reflects the firm’s values and purpose | Firm morale, the motivation to innovate and deliver quality, people engagement levels, and talent attraction, retention rates | Low | |
| Retention and skills development and attraction of talent* | Inability to retain and scale resources with the right skillset and inability to invest in ethical, inclusive, and diverse leadership | Our ability to execute and deliver services, meet client expectations, motivate and retain our people, and ensure strong succession management | Low | |
| Information protection and organizational resilience | Inability to protect personal data, intellectual capital, and confidential KPMG N.V. and client information and inability to continue critical business activities during a high-impact event | Loss of clients, competitive disadvantage, reputational and financial damage, or consequences due to non-compliance with legal, regulatory, and KPMG International requirements, as well as impact on our people, reputation, and/or (continued) operations | Low | |
| Financial strength | Inability to adequately monitor and act on the firm’s financial position, based on accurate, complete, and timely financial reporting | Our ability to meet our financial commitments and targets, to stay within our (financial) risk appetite parameters, and to run a sustainable and profitable firm | Low | |
Fraud risk assessment
We recognize that fraud risk is present in our business and has a potentially significant impact on other strategic and financial risks. Preventing and detecting fraud is therefore an important part of our activities. We carry out regular risk assessments to identify and monitor fraud risks. We mitigate the fraud risks identified through measures including policies, procedures, training, monitoring, regular reporting, and clear values in our Code of Conduct and elsewhere. We have found these measures to be effective in reducing net risk to acceptable levels.
Climate change risk
Climate change risk is incorporated into KPMG N.V.’s overall risk management processes, along with other ESG risks. In compliance with ESRS requirements, information on our ESG risks and how we manage them can now be found in our sustainability statement.
Internal policies and controls
We have a series of internal policies, controls, and guidelines that support our formal system of governance and decision-making. They are supported by mandatory training to ensure KPMG N.V.’s people and partners are fully aware of their responsibilities. We also engage with our people on these policies through newsletters, webcasts, and our intranet channels.
A global KPMG Code of Conduct applies to all member firms. All employees are required to undergo training on the code and abide by its provisions. It sets out commitments in areas ranging from compliance and maintaining quality to fair competition and independence. It also details employees’ responsibilities regarding the conduct and behavior we expect of the people working for the KPMG network. The KPMG International Hotline allows employees and outside parties to report suspected violations in confidence.
Alongside the Code of Conduct, KPMG N.V. has separate policies covering areas such as risk management, remuneration, and data privacy. We also have a Global Supplier Code of Conduct, a Business & Human Rights Statement, and a Corporate Tax Policy, which commit KPMG N.V. to maintaining a constructive and open relationship with tax authorities, paying its fair share of taxes, and refraining from using artificial structures that bear no relation to our business. We also publish an annual Modern Slavery Statement.[1] Many of our policies are based on international commitments, including the UN Global Compact and the UN Guiding Principles for Business and Human Rights. KPMG N.V. is also a signatory to the World Economic Forum’s Partnering Against Corruption – Principles for Countering Bribery. See our Statement of effectiveness on the effectiveness of our SoQM during 2023/2024.
More information on our ESG-related policies can be found in the relevant chapters of our sustainability statement.