We use an enterprise risk management (ERM) framework to identify risks, after which we take measures to prevent or mitigate them. Twice a year, we review the effectiveness of our internal controls and risk mitigation measures at the enterprise level. Risk management is ultimately the responsibility of our Board of Management, which also regularly discusses risk with the Supervisory Board.
Our risk appetite
Our business is based on trust, and we recognize that any loss of trust could adversely affect our social or market position. We operate in a complex environment; moreover, some risks are inherent to our business. By managing risks, we aim to ensure the long-term security of our organization and activities.
We will accept some net risk (that is, the risk remaining after mitigation measures) on condition that:
the risk is in line with our overall strategic objectives and contributes responsibly to achieving them, and
it does not violate our core values or quality standards.
As a matter of principle, we will not take on net risk that promotes revenue growth at the expense of our sustainability standards or principles, as defined in our Impact Plan.
Given the importance of trust to our business, we have a relatively low appetite for risk when it comes to decisions that may affect public trust in KPMG. For decisions relating to growth, our risk appetite is moderately higher.
As part of our twice-yearly update of our ERM framework, we have agreed to increase the level of detail in anticipation of the application of the Statement on Risk Management (Verklaring omtrent Risicobeheersing, or VOR) as set out in the Dutch Corporate Governance Code. This statement will require us to report on our assessment of financial risks (including sustainability risks), as well as operational and compliance risks.
The enhanced level of detail will include a deeper understanding of our principal risks and our risk appetite, and a more comprehensive view of the roles and responsibilities for managing these risks. We intend to issue the Statement on Risk Management voluntarily next year.
Key risks
In the course of our business, we face the following types of risk:
Financial risk, consisting of financial reporting risks and financial position risks.
Financial reporting risks relate to our financial statements containing a material misstatement, due to either fraud or error. We consider this risk to be low, in part because estimates and complex valuations are used only on a limited basis. Our risk appetite regarding financial reporting is low, and we therefore continuously monitor and manage our business through internal processes, including monthly financial reporting. Based on the current state of affairs, our financial reporting is prepared on a going-concern basis.
Financial position risks generally fall into one of three categories: credit risk, liquidity risk, or market risk. Our risk appetite regarding our financial position is low, since the impact of these risks could be substantial. We therefore monitor these risks on a monthly basis.
Strategic, operational, and compliance risks.
These range from non-compliance with laws and regulations to a loss of public trust, breach of privacy, inability to retain and scale resources with the right skillset, or failure to meet stakeholder expectations – for example, regarding the management of environmental, social, and governance (ESG) topics.
We carry out an annual assessment of these risks, with an interim update every six months. The assessment includes their impact and percentage likelihood, based on detailed discussions with our Board of Management and other business leaders.
See our consolidated financial statements for further disclosures on our financial risks. Our Sustainability Statement provides information on how we manage risks arising from our material sustainability topics.
Overview of our financial, strategic, operational, and compliance risks
We have identified 10 different enterprise risks for KPMG, set out in this table alongside their potential impact, our risk appetite, and our mitigation measures. We have a higher risk appetite in areas of growth or large external influence. Note that while this table considers employee attraction and retention from a risk mitigation perspective, this topic was identified in our Double Materiality Assessment as a sustainability matter where we have a positive impact.
| Enterprise risk | Description | Impact | Mitigating measures |
|---|---|---|---|
| Business model, geopolitical events, and economic factors | Failure to adapt the business to changes resulting from significant regulatory decisions, geopolitical events, and economic volatility | Business model; viability as a multidisciplinary firm; ability to deliver certain services, meet stakeholder expectations, and achieve our strategic goals in a volatile environment | • Monitoring of geopolitical developments • Identification of and response to disruptive innovation, competition, and technology • Focus on sustainable impact on clients, environment, and society • AI and ESG embedded in all we do |
| Global network collaboration | Inability to make full use of the KPMG network or meet its requirements | Ability to serve and grow our global and strategic accounts and to sustain our brand and license to operate | • Cooperation with other member firms • Global growth and investment programs • Adherence to global firm requirements • Attendance at KPMG International and EMA board meetings |
| Strategy execution, client and sector focus, and innovation and investments | Failure to successfully execute the firm's business plans, optimize our sector focus and client mix, and execute sustainable innovation and investments in line with our strategy | Ability to grow our firm and serve clients; results if a sector requires specific attention due to market challenges; ability to remain competitive, efficient, and relevant for the future needs of clients and to address technological disruptions in a timely way | • Clear focus areas identified in multi-year strategic ambitions and the annual business plan • Detailed high-impact actions per focus area and business function • Regular reporting to the Board of Management on progress against expected outcomes • Successful strategic technology partnerships (digital Alliances) • Client-centric sales force, focusing on priority sectors • Focus on growth areas: ESG, digital transformation, and the future of audit • Strategic relationship management, lead partner development, and disciplined account and pipeline management • Client-care processes to improve the client journey and satisfaction • Embedded digital, AI, and Alliance solutions • Growing market share of digital and AI through Alliance and global investments • Continued investment in digital and AI skills |
| Relevance and reputation | Failure to address and respond to media and society, including reputation and social issue management | Brand; position in the market; reputation with key stakeholders | • Contingency programs to manage impact on brand and reputation • Independent Supervisory Board responsible for taking stakeholder interests into account • Impact Plan • Leading by example, setting the tone at the top • Inspiring employer brand: do work that matters, make your mark, and come as you are |
| Service quality | Failure to win and conduct engagements in accordance with the firm's quality and professional standards | Ability to retain public trust, strengthen our reputation, and avoid client claims or regulatory fines | • Engagement compliance requirements addressed in quality and professional standards, methodologies, procedures, and tools • Quality of engagement and service delivery subject to monitoring, remediation, and review procedures • Internal risk and control framework • Robust quality management system • Engagement quality control reviews • Clear standards and robust audit methodology • Digital Audit Transformation, including implementation of advanced technology and AI tools • Engagement Management Life Cycle (EMLC) • Training and accreditation |
| Regulatory compliance, governance, policies, and legal liability | Inability to consistently demonstrate compliance with applicable laws and regulations and to establish effective governance, systems, and controls for adhering to the firm's values, policies, standards, and requirements, including professional, ethical, and independence requirements | Ability to effectively identify and manage key risks and to detect and prevent non-compliance, fraud, regulatory sanctions, and practice restrictions; other legal and financial liability exposure; ability to strengthen public trust | • Solid and constructive relationships with regulators • Independent reviews by KPMG International and external auditors • Reporting of potential non-compliance with laws, regulations, and KPMG International or KPMG N.V. policies, including those relating to ethics and independence, through the annual compliance confirmation • Independent Supervisory Board, overseeing the Board of Management • Responsibility model with three lines of defense and independent reviews by KPMG International • Rigorous internal policies, standards, and frameworks • Detailed policies governing client and engagement acceptance procedures • Strict approval processes for products and services • Commitment to the principles and standards of ethical conduct that KPMG requires, as described in the Code of Conduct, confirmed through the annual compliance confirmation • Engagement compliance requirements addressed through quality and professional standards, methodologies, procedures, and tools • Compliance and quality of engagement and service delivery subject to monitoring, remediation, and review procedures |
| Culture, values, and well-being | Failure to create a culture and people environment that reflects the firm's values and purpose | Firm morale; motivation to innovate and deliver quality; people engagement levels; talent attraction and retention rates | • Ethical culture program focusing on ethics, psychological safety, and well-being • Impact Plan, including sustainability commitments • Code of Conduct, including commitment to ethical principles and standards • IDE program • Psychological safety program and culture follow-up • Well-being program, including mental resilience • Global People Survey to understand people's views and experiences in several domains • Independent survey on ethical behavior, culture, integrity, and social safety • Whistleblowing hotline • Safety net, including confidential counsellors and the Complaints & Disputes Committee |
| Retention, skills development, talent attraction, and leadership development | Inability to retain and scale resources with the right skillset, and inability to invest in ethical, inclusive, and diverse leadership | Ability to execute and deliver services, to meet client expectations, to motivate and retain our people, and to ensure strong succession management | • Ethical culture program focusing on ethics, psychological safety, and well-being • Learning and development backbones, including leadership development (e.g., the IDE program), reskilling and upskilling on ESG, digital, and AI, and life-long learning • Long-term investment in rewards and recognition as an attractive employer • Continuous investment in enhancing the quality of performance development (e.g., development management curriculum, intervision sessions, toolkits for conversations) • Career Development Center for fostering internal mobility and, thus, retention • Professional guidance in case of (long-term) illness • Modernized talent attraction and selection process • Inspiring employer brand: do work that matters, make your mark, and come as you are • Robust succession management process for the Top 200 |
| Information protection and organizational resilience | Inability to protect personal data, intellectual capital, and confidential KPMG and client information, and to continue critical business activities during a high-impact event | Loss of clients; competitive disadvantage; reputational or financial damage; consequences of non-compliance with legal, regulatory, and KPMG International requirements; impact on people and/or (continued) operations | • Robust information security and data privacy policies, standards, and frameworks • ISO 27001:2022 certification • Respect for confidentiality of personal, client, and KPMG data, supported by the annual compliance confirmation, annual training, and continuous awareness campaigns • Responsibility model with three lines of defense and independent reviews by KPMG International • Strict approval processes for products and services • Business continuity management life cycle, including incident and crisis management • Continuous risk monitoring and treatment, including threat analysis and business impact assessments |
| Financial strength | Inability to adequately monitor and act on the firm's financial position, based on accurate, complete, and timely financial reporting | Ability to meet financial commitments and targets, to stay within our (financial) risk appetite parameters, and to run a sustainable and profitable firm | • Long-term investment plans, including in our people, to deliver quality and innovation at sustainable market prices • Transformation plans for a more efficient, learning-oriented organization • Strict procedures and controls for trustworthy financial reporting • Constant monitoring of credit, liquidity, and market risk exposure, including: routine checks of clients' creditworthiness for larger transactions; holding all cash deposits at banks with a minimum BBB credit rating; managing liquidity so that financial commitments can be met, aiming for constant availability of liquid funds; depositing surplus funds in business savings accounts or holding them aside for specific periods; keeping exposure to changes in market prices within acceptable limits while maximizing income |
Fraud risk
We recognize that fraud risk is present in our business and has the potential to significantly impact other strategic and financial risks. Preventing and detecting fraud is therefore an important part of our activities, and we conduct regular risk assessments to identify and monitor fraud risks. To mitigate any identified fraud risks, we use measures including policies, procedures, training, monitoring, regular reporting, and clear values set out in our Code of Conduct and elsewhere. Additionally, every professional who encounters a potential sign of fraud or a breach of laws and regulations while providing services is expected to consult with our Department of Professional Practice. We have found these measures effective in reducing net risk to an acceptable level.
Climate change risk
Climate change risk is incorporated into KPMG’s overall risk management processes, along with other ESG risks. For information on our ESG risks and how we manage them, see our Sustainability Statement.
Internal policies and controls
We have a series of internal policies, controls, and guidelines that support our formal system of governance and decision-making. These are, in turn, supported by mandatory training to ensure that KPMG’s people and partners are fully aware of their responsibilities. We also engage with our people on these policies through newsletters, webcasts, and our intranet channels.
A global KPMG Code of Conduct applies to all member firms. All employees are required to undergo training on the code and abide by its provisions. It sets out commitments in areas ranging from compliance and quality to fair competition and independence. It also outlines employees’ responsibilities regarding the conduct and behavior we expect from those working for the KPMG network. The KPMG International Hotline allows employees and outside parties to report suspected violations in confidence.
Alongside the Code of Conduct, KPMG has separate policies relating to governance and decision-making, covering areas such as risk management, remuneration, and data privacy.
We also have a Global Supplier Code of Conduct and a Business & Human Rights Statement, and we publish an annual Modern Slavery Statement in line with the United Kingdom’s Modern Slavery Act. Our Corporate Tax Policy commits KPMG to maintaining a constructive and open relationship with the tax authorities, paying its fair share of taxes, and refraining from using artificial structures that bear no relation to our business.
Many of our policies are based on international commitments, including the United Nations (UN) Global Compact and the UN Guiding Principles for Business and Human Rights. KPMG is also a signatory to the World Economic Forum’s Partnering Against Corruption Initiative Principles for Countering Bribery.
This report provides a statement of effectiveness on our System of Quality Management (SoQM) for 2024/2025. More information on our ESG-related policies can be found in the relevant chapters of our Sustainability Statement.