Risk management and controls

We use an enterprise risk management (ERM) framework to identify risks. Once risks are identified, we take measures to prevent or mitigate them. Ultimately, risk management is the responsibility of our Board of Management. Twice a year, we review the effectiveness of our internal controls and risk-mitigation measures on an enterprise level. The Board of Management also regularly discusses risk with the Supervisory Board.

Our risk appetite

Our business is based on trust, and we realize that any loss of trust could adversely affect our social or market position. Through risk management, we aim to ensure the long-term security of our business.

We operate in a complex environment. Moreover, some risks are inherent to our business. We will accept some net risk (i.e., the risk remaining after mitigation measures) on the condition that:

  • it is in line with our overall strategic objectives and contributes responsibly to achieving them, and

  • it does not violate our core values or quality standards.

As a matter of principle, we will not take on net risk that promotes revenue growth at the expense of our sustainability standards or principles, as defined in Our Impact Plan.

Given the importance of trust to our business, we have a relatively low appetite for risk when it comes to decisions that may affect public trust in KPMG N.V. For decisions relating to growth, our appetite is moderately higher.

Key risks

In the course of our business, we face:

  • Financial risks, consisting of financial reporting risks and financial position risks.

    • Financial reporting risks relate to the financial statements containing a material misstatement, due to either fraud or error. Our risk appetite regarding financial reporting is low. We therefore continuously monitor and manage our business through internal processes including monthly financial reporting. We consider the risk as low; estimates and complex valuations, for example, are used on a very limited basis. Based on the current state of affairs, our financial reporting is prepared on a going-concern basis.

    • Financial position risks generally fall into one of three main categories: credit risk, liquidity risk, and market risk. Our risk appetite regarding our financial position is low, as these risks could be substantial. We therefore monitor these risks on a monthly basis.

  • Strategic (including operational and compliance) risks, ranging from non-compliance with laws and regulations to a loss of public trust, breach of privacy, inability to retain and scale resources with the right skillset, or failure to meet stakeholder expectations, for example regarding the management of ESG topics. We carry out an annual assessment of our strategic risks, updated every six months, based on detailed discussions with our Board of Management and other business leaders. This includes assessment of risks according to impact and percentage likelihood.

See our consolidated financial statements for further disclosures on our financial risks. See our sustainability statement for information on how we manage risks and opportunities arising from our material sustainability topics.

Overview of our financial, strategic, operational, and compliance risks

We have identified nine different enterprise risks for KPMG N.V., set out in this table alongside their potential impact, our risk appetite, and our mitigation measures. We have a higher risk appetite in areas of growth and areas with large external influence.

Enterprise risk: Business model and geopolitical events and economic factors

Risk description: Failure to adapt business to changes resulting from significant regulatory decisions or geopolitical events and economic volatility

Risk impact: Business model, viability as a multidisciplinary firm, ability to deliver certain services, to meet our stakeholders’ expectations, to achieve our objectives and strategic goals in a volatile environment

Risk appetite: Medium

Mitigating measures:

  • Monitoring of (geo)political developments

  • Identifying and responding to disruptive innovation, competition, and technology

  • Focus on sustainable impact on clients, environment, and society

  • Embedding AI and ESG in everything we do

Enterprise risk: Global network collaboration

Risk description: Inability to make full use of KPMG network collaboration or meet network requirements

Risk impact: Our ability to service and grow our global and strategic accounts, and to sustain our brand and license to operate

Risk appetite: Medium

Mitigating measures:

  • International member firm cooperation

  • Global growth and investment programs

  • Adherence to international firm requirements

Enterprise risk: Strategy execution, client and sector focus, and innovation and investments

Risk description: Failure to successfully execute the firm's business plans, optimize our sector focus and client mix, and execute sustainable innovation and investments in line with our strategy

Risk impact: Our ability to grow our firm and serve our clients, our results if a sector requires specific attention due to market challenges, and our ability to remain competitive, efficient, and relevant for the future needs of our clients and to address technological disruptions in a timely way

Risk appetite: Medium

Mitigating measures:

  • Focus areas clearly identified in multi-year strategic ambition and annual business plan

  • Detailed high-impact actions per focus area and business function

  • Regular reporting on progress against expected outcomes to Board of Management

  • Successful strategic technology partnerships through digital Alliance

  • Client-centric sales force, focusing on priority sectors

  • Focus on growth areas of ESG, digital transformation, and future of audit

  • Strategic relationship management, lead partner development, and disciplined account and pipeline management

  • Client-care processes to improve client journey and satisfaction

  • Embedding digital, AI, and Alliance solutions

  • Growing market share of digital and AI through our Alliance and global investments

  • Continued investment in digital and AI skills

Enterprise risk: Relevance and reputation

Risk description: Failure to address and respond to media and society, including reputation and social issue management

Risk impact: Our brand, position in the market, and reputation with key stakeholders

Risk appetite: Low

Mitigating measures:

  • Contingency programs to manage impact on brand and reputation

  • Independent Supervisory Board responsible for taking stakeholder interests into account

  • Our Impact Plan for ESG

  • Leading by example

  • Inspiring employer brand: do work that matters, make your mark, and come as you are

Enterprise risk: Regulatory compliance, governance, and policies

Risk description: Inability to consistently demonstrate compliance with applicable laws and regulations and inability to establish effective governance, systems, and controls for adhering to the firm’s values, policies, standards and requirements, including professional, ethical and independence requirements

Risk impact: Our ability to effectively identify and manage key risks, detect and prevent non-compliance, fraud, regulatory sanctions, practice restrictions, other legal and financial liability exposure, and to strengthen public trust

Risk appetite: Low

Mitigating measures:

  • Solid and constructive relationships with regulators

  • Independent reviews by KPMG International and external auditors

  • Reporting potential non-compliance with laws, regulations, and KPMG policies – including those relating to ethics and independence – through the annual compliance confirmation

  • Independent Supervisory Board, overseeing the Board of Management

  • Responsibility model with three lines of defense and independent reviews by KPMG International

  • Rigorous internal policies, standards, and frameworks

  • Detailed policies governing client and engagement acceptance procedures

  • Strict approval processes for products and services

  • Commitment to the principles and standards of ethical conduct that KPMG N.V. requires, as described in the Code of Conduct, through the annual compliance confirmation

  • Addressing engagement compliance requirements through quality and professional standards, methodologies, procedures, and tools

  • Compliance and quality of engagement and service delivery subject to monitoring, remediation, and review procedures

Enterprise risk: Culture, values, and well-being

Risk description: Failure to create a culture and people environment that reflects the firm’s values and purpose

Risk impact: Firm morale, the motivation to innovate and deliver quality, people engagement levels, and talent attraction and retention rates

Risk appetite: Low

Mitigating measures:

  • Ethical culture program focusing on ethics, psychological safety, and well-being

  • Our Impact Plan, including sustainability commitments

  • Code of Conduct, including commitment to ethical principles and standards

  • IDE program

  • Psychological safety program / culture follow-up

  • Wellbeing program, including mental resilience

  • Global People Survey to understand views and perceived people experiences in several domains

  • Independent survey on ethical behavior, culture, integrity, and social safety

  • Whistle-blowing hotline

  • Safety net of confidential counsellors and disputes committee

Enterprise risk: Retention and skills development and attraction of talent*

Risk description: Inability to retain and scale resources with the right skillset and inability to invest in ethical, inclusive, and diverse leadership

Risk impact: Our ability to execute and deliver services, meet client expectations, motivate and retain our people, and ensure strong succession management

Risk appetite: Low

Mitigating measures:

  • Ethical culture program focusing on ethics, psychological safety, and well-being

  • Learning and development backbones, including leadership development (e.g., IDE Program), reskilling and upskilling on ESG, digital, and AI, and life-long learning

  • Long-term investment in rewards and recognition as an attractive employer

  • Continuous investment in enhancing the quality of performance development (e.g., development management curriculum, intervision sessions, toolkits for various types of conversations)

  • Career Development Centre for fostering internal mobility and (thus) retention

  • Professional guidance in case of (long-term) illness

  • Modernized talent attraction and selection process

  • Inspiring employer brand: do work that matters, make your mark, and come as you are

  • Robust succession management process (Top 200)

Enterprise risk: Information protection and organizational resilience

Risk description: Inability to protect personal data, intellectual capital, and confidential KPMG N.V. and client information and inability to continue critical business activities during a high-impact event

Risk impact: Loss of clients, competitive disadvantage, reputational and financial damage, or consequences due to non-compliance with legal, regulatory, and KPMG International requirements, as well as impact on our people, reputation, and/or (continued) operations

Risk appetite: Low

Mitigating measures:

  • Robust information security and data privacy policies, standards, and frameworks

  • ISO 27001:2022 certification

  • Respect for confidentiality of personal, client, and KPMG N.V. data, including annual compliance confirmation, annual training, and continuous awareness campaigns

  • Responsibility model with three lines of defense and independent reviews by KPMG International

  • Strict approval processes for products and services

  • Business continuity management lifecycle, including incident and crisis management

  • Continuous risk monitoring and treatment, including threat analysis and business impact assessments

Enterprise risk: Financial strength

Risk description: Inability to adequately monitor and act on the firm’s financial position, based on accurate, complete, and timely financial reporting

Risk impact: Our ability to meet our financial commitments and targets, to stay within our (financial) risk appetite parameters, and to run a sustainable and profitable firm

Risk appetite: Low

Mitigating measures:

  • Long-term investment plans, including in our people, to deliver quality and innovation against sustainable market prices

  • Transformation plans for an efficient and learning organization

  • Strict procedures and controls for trustworthy financial reporting

  • Constant monitoring of credit, liquidity, and market risk exposure, including:

    • Routine checks of clients’ creditworthiness for larger transactions

    • All cash deposits at banks with minimum BBB credit rating

    • Liquidity risk to meet financial commitments

    • Aim for constant availability of liquid funds to meet financial commitments

    • Surplus funds deposited in business savings accounts or held aside for specific periods

    • Keeping changes in market prices within acceptable limits, while maximizing income

* Please note that in our materiality assessment we identified employee attraction and retention as a material topic from a positive impact perspective. As the above table looks at specific topics solely from a risk perspective, this topic is identified here as a risk to be mitigated.

Fraud risk assessment

We recognize that fraud risk is present in our business and has a potentially significant impact on other strategic and financial risks. Preventing and detecting fraud is therefore an important part of our activities. We carry out regular risk assessments to identify and monitor fraud risks. We mitigate the fraud risks identified through measures including policies, procedures, training, monitoring, regular reporting, and clear values in our Code of Conduct and elsewhere. We have found these measures to be effective in reducing net risk to acceptable levels.

Climate change risk

Climate change risk is incorporated into KPMG N.V.’s overall risk management processes, along with other ESG risks. In compliance with ESRS requirements, information on our ESG risks and how we manage them can now be found in our sustainability statement.

Internal policies and controls

We have a series of internal policies, controls, and guidelines that support our formal system of governance and decision-making. They are supported by mandatory training to ensure KPMG N.V.’s people and partners are fully aware of their responsibilities. We also engage with our people on these policies through newsletters, webcasts, and our intranet channels.

A global KPMG Code of Conduct applies to all member firms. All employees are required to undergo training on the code and abide by its provisions. It sets out commitments in areas ranging from compliance and maintaining quality to fair competition and independence. It also details employees’ responsibilities regarding the conduct and behavior we expect of the people working for the KPMG network. The KPMG International Hotline allows employees and outside parties to report suspected violations in confidence.

Alongside the Code of Conduct, KPMG N.V. has separate policies covering areas such as risk management, remuneration, and data privacy. We also have a Global Supplier Code of Conduct, a Business & Human Rights Statement, and a Corporate Tax Policy, which commit KPMG N.V. to maintaining a constructive and open relationship with tax authorities, paying its fair share of taxes, and refraining from using artificial structures that bear no relation to our business. We also publish an annual Modern Slavery Statement.[1] Many of our policies are based on international commitments, including the UN Global Compact and the UN Guiding Principles for Business and Human Rights. KPMG N.V. is also a signatory to the World Economic Forum’s Partnering Against Corruption – Principles for Countering Bribery. See our Statement of effectiveness on the effectiveness of our SoQM during 2023/2024.

More information on our ESG-related policies can be found in the relevant chapters of our sustainability statement.

[1] In line with the UK’s Modern Slavery Act.