
Risk

Global Annual Review 2021


“In a rapidly-changing world, it is vital that we work together as a network to understand the risks faced by PwC and implement effective responses to mitigate them. A key part of that mitigation is how PwC communicates and engages with our key stakeholders across the world.”

Paddy Carney

FY21 Chair of the Board of PwCIL Risk Committee

How we identify and manage key risks and engage with our stakeholders

Identifying, managing and planning for the mitigation of risk is an essential part of running any business. At PwC, we work with many organisations across the globe to help them deal with the growing risks they face in our increasingly complex world. We also invest significant time and resources in anticipating and managing the risks faced by PwC.

At PwC, the Board of PwCIL (global board) provides oversight, review and approval of our network enterprise risk management (ERM) approach and focus. The Risk Committee of the Board is responsible for monitoring key risks and responses, quality assurance, the network’s overall risk management framework, and overseeing compliance with both network standards and policies (and the compliance monitoring process), as well as legal and regulatory requirements.

The Network Leadership Team provides strategic direction (including in the area of ERM). The Chief Risk Officer (CRO) is responsible for network risk management, including ERM.

Members of the Global Leadership Team have ownership of some of the most significant risks and set the guidelines for the compliance and monitoring associated with them. Line of service leaders are responsible for the quality management systems within their own line of service.

The Network Risk Council provides strategic direction and advice for the network risk management strategy, including consideration of strategic risks and input to the network ERM programme. The Network Risk Council is composed of the Global Markets leader; CRO; Chief Administrative Officer; Global Chief Information Technology Officer; Global General Counsel; Chief Ethics & Compliance Officer; Global Clients and Industries leader; Purpose, Policy & Corporate Responsibility Leader; and the Global Security Leader. 

The PwC network and member firms take a rigorous approach to ERM. The risks with the highest potential impact for the PwC network are identified on an annual basis. These key network risks (KNRs) and their related significant mitigation plans are reviewed by the Global Board and specifically its Risk Committee.

KNRs are identified as risks which have the potential to either: 

  • undermine the achievement of the network strategy and business objectives, or

  • fundamentally damage the network and compromise its future.

In assessing the significance of risks, consideration is given to the impact on:

  • revenues across the network of firms 

  • client and service quality, and the network’s ability to fulfil its obligations to regulators, clients and stakeholders

  • the confidence of clients and other key stakeholders (including regulators and governments)

  • legal and regulatory compliance across the network

  • achievement of the network strategy, including its purpose

  • the ability of member firms to recruit and retain key talent in significant parts of the business.

The current KNRs are as follows.

Quality and compliance:

  • Client and service quality: Failure in client acceptance or continuance, or failure to manage service delivery quality in existing and new services with cross-border and network implications. 

  • Compliance: Failure to manage and comply with legal or professional requirements, including local policies and standards, leading to regulatory action and/or significant conflicts of interest.

  • Independence: Failure to comply with external independence requirements and/or manage the ongoing complexity and changes in independence regulations, while attempting to grow the business in new areas and meet changing expectations. 

  • Significant matters: Failure to respond promptly and appropriately to a significant issue in a member firm that could have security-, technology- or client-related implications for the broader network.

  • Regulations and/or public policy: Risk of a regulatory change that would hamper our ability to operate in a sustainable way.

  • Data strategy and management: Failure to manage and maintain firm or third-party data in line with compliance and regulatory standards.

  • Information and cyber security: Failure to manage the security of firm or third-party information, causing legal, reputational and brand damage to the network.

Network resilience:

  • Black swan events: Failure to prepare for market events with network-wide implications which require an immediate response, such as a regulatory change or a macroeconomic disruption like a pandemic. 

  • Green swan events: Failure to prepare for environmental events with network-wide implications in terms of immediate/disaster response, reputational damage and potential macroeconomic impact.

  • Resilience of member firms: Failure of a significant member firm to withstand an economic, regulatory or political shock, or complete adequate contingency planning. 

  • Technology resilience and availability: Failure to manage critical system availability, impacting the ability to service clients and manage the business.

  • People: Failure to attract, retain and train appropriate talent to ensure resources can be deployed rapidly in order to realise opportunities and make adequate plans for workforce-related changes such as automation; and failure to have the right skills in place to meet clients' changing needs. In the context of the COVID-19 pandemic, resilience with regard to people includes the need to respond to the health emergency, adopt different virtual and socially distanced business practices, and address the challenges of ensuring a successful ‘return to office’ strategy.

Market risks: 

  • Technology-enabled disruption: Failure to prepare for and respond to disruption, including bringing new services and solutions to the market with speed and agility.

  • Strategy execution: Failure to ensure relevance and meet client expectations due to incomplete implementation of core elements of the network strategy. 

  • Investment: Failure to ensure sufficient investment in future growth areas and reinvestment in existing services.

Societal risks and trust:

  • Societal risks and trust: Failure to anticipate and respond to market and societal expectations or engage in the broader societal agenda.

  • Purpose, values and behaviours: Failure to adopt and live our values. 

  • Climate: Failure to review and consider the impact of climate change on the network and prepare for its implications.

Network mutuality and speed of response:

  • Network mutuality/alignment: Failure of member firms to act collaboratively, due to conflicting regional and national priorities in the external environment.

  • Strategy execution: Failure of member firms to execute multiple priorities simultaneously. 

As with most other businesses, the most significant risks facing the network are relatively constant over time. They reflect risks that are inherent to the nature of the business, and include the response to changes in strategy and the external environment. Accordingly, the risks we face around ensuring the quality of our services, meeting our legal obligations, and adhering to the professional regulations and standards under which we operate (including those related to auditor independence) remain as important as ever. Similarly, the security and resilience of our systems and technology infrastructure, and the resilience of the individual member firms that provide our global reach and capability, are key to their ability to recruit and retain the right staff both to service our existing businesses and clients, and also to explore future opportunities for expansion and development.

The COVID-19 pandemic has underlined the importance of managing certain risks. In particular, it highlighted risks related to the resilience of our technology infrastructure, which underpinned all of our professional services as our 295,000 people switched to working remotely. In addition, it underscored the importance of mitigating risks that could affect our people, both in terms of keeping them safe through the health emergency and ensuring their mental wellbeing as we moved to continued remote working.

The challenges inherent in the ADAPT framework (increasing wealth disparity, technology disruption, demographic pressures, polarisation and a decrease in trust) not only underpin the reasoning behind The New Equation strategy, but are also radically changing the business context in which we operate.

We are acutely aware of the impact that we have on the world around us and the need to work with our stakeholders to manage those impacts more effectively. As an example, the network now clearly recognises that the world is facing a series of potentially existential threats around climate change. As a major international organisation and employer, we need to play our part in addressing these threats. Accordingly, this year marks the first time we have formally recognised this risk within the network’s ERM structures and processes. 

PwC’s network ERM standard requires each member firm to develop an ERM programme with roles and responsibilities for identification, prioritisation and mitigation of enterprise-level risks. This programme identifies the most significant risks that could impact the member firm, using the KNRs as a major input. For every risk identified, each member firm is required to assess the probability of the risk occurring, its potential impact, and whether the risk is operational, forward-looking or emerging, and then develop an appropriate response.


Material issues impacting stakeholders

The issues that are of concern to our key external stakeholders are assessed and taken into account as part of the process to identify KNRs.

These can be summarised as follows:

  • The quality of work performed for clients and delivery of sustained outcomes

  • Our compliance with international and local laws, regulations and professional standards and rules. This includes the compliance by member firms of the network with audit independence rules and regulations

  • Our ability to meet the evolving requirements of regulatory and public policy

  • The compliance by member firms with applicable data management standards

  • The ability of member firms to safeguard and manage data appropriately

  • The quality of our information and cyber security processes and procedures

  • The alignment of the behaviours of member firms and our partners or staff with our values and societal expectations

  • The resilience of member firms to withstand economic, regulatory and political shocks

  • The resilience of critical network and member firm technology systems 

  • Our ability to attract, retain, train and deploy the right people to ensure quality delivery and innovation 

  • The maintenance of the PwC brand and the confidence it gives to investors and clients in our work and deliverables 

PwC’s key internal and external stakeholders

A diagram illustrating the types of stakeholders that surround material issues.

PwC engages with stakeholders at both network and individual member firm levels. Details of how PwC communicates with certain stakeholders at the member firm level can be found in individual firms’ transparency reports.

Engaging with our stakeholders

Some examples of how PwC engages at a network level are described below. These examples are by no means exhaustive; they are only an indication of the many ways in which PwC actively engages with its stakeholders on key issues throughout the course of the year.

Our People: PwC engages with its people across the world on a continuous basis, both locally and network-wide.

Clients: We work with over 200,000 organisations across the world ranging from individuals to the world’s largest corporations.

Standard setters: PwC actively participates in the process of commenting on both financial and non-financial reporting consultations.

Regulators: We work closely with our regulators across the world, particularly on efforts to enhance audit quality.

Think tanks: Being involved in key discussions on issues such as climate change and social inequality is a top priority for PwC and a key part of our work to fulfil our purpose.

Investors: As the world’s largest network of audit firms we play a key role in the functioning of the capital markets. Understanding the views and needs of investors is very important to us.

Alumni: There are many thousands of PwC alumni across the world and they remain an important part of the PwC community.

PwC’s approach to knowing our clients

We demonstrate our integrity by knowing the identity of our clients and others with whom we do business, and adhering to applicable standards on anti-money laundering. Where we suspect criminal behaviour, we take appropriate action.

The PwC standard on ethics and compliance sets out how PwC member firms should mitigate the risk that they inadvertently become involved in actual or potential money-laundering activities. As most legislation on anti-money laundering is based on the Financial Action Task Force (FATF) recommendations as a baseline, the PwC standard is consistent with these recommendations and the risk-based approach guidance for accountants.

The standard requires each PwC member firm to establish systems, policies and procedures to mitigate the risk of being, directly or indirectly, involved in money laundering or terrorist financing. The specific standard requirements for each PwC member firm are described in the following section.

The standard also sets out the core requirements and prohibitions for every partner and member of staff. It is made very clear that engaging in money-laundering practices is illegal and unacceptable behaviour, and partners and staff have obligations to assist in the prevention of money laundering. Specifically, partners and staff in member firms must:

  • establish their client’s identity (including the identification of ultimate beneficial owners where required)

  • not provide any service, or enter into any business relationship, that could constitute them or a firm being involved in direct or indirect money-laundering activities

Our policy and guidance provide practical and detailed explanations of concepts such as when to perform the checks and what to look for. Each member firm is required to have a reporting procedure in place for any partner or staff member to report any knowledge or suspicion of money laundering.

Our clients work with us because they trust PwC and expect quality service. For this reason, we continually seek to enhance our standards to combat financial crime. As a network, we are in the process of implementing new network Know Your Client (KYC) policies, procedures and technology to help assess the risks related to our new and existing clients and the services we provide to them, while also driving a consistent approach to KYC across the PwC network. This new approach to KYC will help us monitor risk profile changes to the client during engagements. It will also provide transparency and comprehensive information about our clients on a global basis to support us in making informed decisions that protect our brand and reputation.

PwC’s approach to anti-corruption 

Corruption is at the centre of some of the world’s most pressing problems. PwC is opposed to corruption in any form and recognises the importance of making smart choices when it comes to its business relationships. We think carefully about our actions to avoid engaging in or facilitating bribery, corruption, money laundering, and/or terrorist financing activities.

The PwC standard on ethics and compliance specifically sets out how member firms are expected to identify and mitigate the risk of bribery and corruption in their activities. It is consistent with the principles of the UK Bribery Act 2010 and the U.S. Foreign Corrupt Practices Act of 1977. The standard requires each member firm to establish systems, policies and procedures for the prevention of bribery and corruption. It sets out specific requirements for each member firm, including:

  • appointing an experienced individual who, with appropriate leadership oversight, is responsible for implementation of the requirements of this standard

  • annually preparing a risk assessment to evaluate (a) the level and type of risks the firm faces and (b) the policies and procedures the firm uses to comply with this standard and/or to respond to local risks

  • training all personnel (including new joiners) annually on the PwC network and local policies and guidance

  • taking steps to identify and resolve any departures from or violations of PwC network and local policies

  • annually undertaking monitoring to assess compliance with this standard as well as PwC network and local policies and guidance, and resolving any deficiencies, where identified.

The standard also sets out requirements for every partner and staff member. It is clear that engaging in corrupt practices is not acceptable behaviour. Specifically, partners and staff in member firms must not:

  • engage in bribery or any other corrupt practices, including the giving/receiving of preferential treatment that may be perceived as a bribe

  • solicit, accept, offer, promise or pay a bribe or improper payment, either directly or through a third party. This includes so-called ‘facilitating payments’ or ‘facilitation payments’.

Our policy and guidance provide practical and detailed explanations to clarify difficult concepts, such as what may constitute a bribe or corrupt behaviour and what is considered a ‘gift’ or other preferential treatment. Each member firm is required to establish a reporting procedure for any partner or staff member to disclose if they have unwittingly been involved in any activity that may have contravened this standard. 

Each year, all partners and staff at PwC member firms are required to sign a personal anti-corruption compliance confirmation. 

In FY21, among our 21 largest firms, one employee was dismissed from a firm for violating that firm's internal anti-corruption policy. The incident involved a PwC employee demanding cash payments from an individual who worked as a contractor. 


Managing independence 

Ethics, independence and objectivity

Ethics

At PwC, we adhere to the fundamental principles of ethics set out in the International Ethics Standards Board for Accountants (IESBA) Code of Ethics for Professional Accountants (“the IESBA Code”), which are:

  1. Integrity – to be straightforward and honest in all professional and business relationships.

  2. Objectivity – to not allow bias, conflict of interest or undue influence of others to override professional or business judgements.

  3. Professional competence and due care – to maintain professional knowledge and skill at the level required to ensure that a client or employer receives competent professional services based on current developments in practice, legislation and techniques; and to act diligently and in accordance with applicable technical and professional standards.

  4. Confidentiality – to respect the confidentiality of information acquired as a result of professional and business relationships. This includes not disclosing any such information to third parties without proper and specific authority, unless there is a legal or professional right or duty to disclose, and not using the information for the personal advantage of the professional accountant or third parties.

  5. Professional behaviour – to comply with relevant laws and regulations and avoid any action that discredits the profession.

All member firms must also comply with our network standards, which cover a variety of areas related to ethics and compliance, including ethics and business conduct, independence, anti-money laundering, anti-trust and fair competition, anti-corruption, information protection, firms’ and partners’ taxes, sanctions laws, internal audit, and insider trading. We take compliance with these ethical requirements seriously and strive to embrace the spirit and not just the letter of those requirements. Ethical conduct is the expected behaviour of all of our partners and staff, and they undertake annual mandatory training and submit annual individual compliance confirmations as part of our system to support appropriate understanding of the ethical requirements under which we operate. Partners and staff uphold and comply with the standards developed by the PwC network, and the leadership of each firm monitors compliance with these obligations.

Each member firm is required to uphold the PwC purpose and values. In addition, each PwC member firm has adopted the PwC network standards, including the PwC Global Code of Conduct (“the Code”) and related policies that clearly describe the behaviours expected of our partners and staff members. These behaviours will enable us to build public trust. Because of the wide variety of situations that our professionals may face, our standards provide guidance under a broad range of circumstances, but all with a common goal: to do the right thing.

Upon hiring or admittance, all staff and partners are provided with the Code. They are expected to live by the values expressed in the Code in the course of their careers at PwC. They have a responsibility to report and express concerns, and to do so fairly, honestly, and professionally when dealing with a difficult situation or when they see any instances of behaviour inconsistent with the Code. 

We have just completed the network-wide implementation and rollout of the new PwC Ethics Helpline and case management system. Each member firm has a confidential and secure tier of the helpline where concerns may be reported and will be investigated. The Ethics Helpline is available to all PwC partners and staff as well as third parties. 

In order to deal with any concerns regarding the movement of people between PwC and government, PwC has in place a set of principles that our network expects to be followed by all firms when hiring a former government official or when someone from PwC takes a senior post in government.

Objectivity and independence

As auditors of financial statements and providers of other types of professional services, PwC member firms and their partners and staff are expected to comply with the fundamental principles of objectivity, integrity and professional behaviour. In relation to assurance clients, independence underpins these requirements. Compliance with these principles is fundamental to serving the capital markets and our clients.

The PwC Global Independence Policy is based on the international independence standards included in the Code, supplemented by the independence requirements of the United States Securities and Exchange Commission (SEC), the Public Company Accounting Oversight Board (PCAOB) of the United States, and the EU Audit Regulation of 16 April 2014. It contains minimum standards with which PwC member firms have agreed to comply, including processes that are to be followed to maintain independence from clients, when necessary.

Each member firm has a designated partner (known as the ‘Partner Responsible for Independence’ or ‘PRI’) with appropriate seniority and standing. This partner is responsible for implementation of the PwC Global Independence Policy, including managing the related independence processes and providing support to the business. The partner is supported by a team of independence specialists. 

Independence policies and practices

The PwC Global Independence Policy covers the following areas among others:

  • personal and firm independence, including policies and guidance on the holding of financial interests and other financial arrangements such as bank accounts and loans by partners, staff, the firm and its pension schemes

  • non-audit services and fee arrangements. The policy is supported by Statements of Permitted Services (SOPS), which provide practical guidance on the application of the policy in respect of non-audit services to audit clients and related entities 

  • business relationships, including policies and guidance on joint business relationships (such as joint ventures and joint marketing) and on the purchasing of goods and services acquired in the normal course of business 

  • acceptance of new audit and assurance clients, and the subsequent acceptance of non-assurance services for those clients.

In addition, there is a Network Risk Management Policy governing the independence requirements related to the rotation of key audit partners.

These policies and processes are designed to help PwC comply with relevant professional and regulatory standards of independence that apply to the provision of assurance services. Policies and supporting guidance are reviewed and revised when changes arise, such as updates to laws and regulations, changes to the Code, or changes in response to operational matters.

Each firm supplements the PwC Global Independence Policy as required by local regulations in cases where these requirements are more restrictive than the global policy.

Independence-related systems and tools

As a member of the PwC network, each PwC member firm has access to a number of systems and tools which support member firms and their personnel in executing and complying with our independence policies and procedures. These include:

  • The Central Entity Service (‘CES’), which contains information about corporate entities including all PwC audit clients and their related entities (including all public interest audit clients and SEC-restricted entities) as well as their related securities. CES assists in determining the independence restriction status of clients of the member firm and those of other PwC member firms before entering into a new non-audit service or business relationship. This system also feeds Independence Checkpoint and Authorisation for Services.

  • ‘Independence Checkpoint’, which facilitates the pre-clearance of publicly traded securities by all partners and managerial practice staff before acquisition and is used to record their subsequent purchases and disposals. Where a PwC member firm wins a new audit client, this system automatically informs those holding securities in that client of the requirement to sell the security where required.

  • Automated Investment Recording ('AIR'), which is a global PwC solution that simplifies portfolio maintenance for PwC partners and staff in Independence Checkpoint by automating the recording of security transactions using direct daily feeds from participating brokers.

  • Authorisation for Services (‘AFS’), which is a global system that facilitates communication between a non-audit services engagement leader and the audit engagement leader regarding a proposed non-audit service, documents the analysis of any potential independence threats created by the service and proposed safeguards (where deemed necessary), and acts as a record of the audit partner’s conclusion on the permissibility of the service. 

  • The Global Breaches Reporting System, which is designed to be used to report any breaches of external auditor independence regulations (e.g. those set by regulation or professional requirements) where the breach has cross-border implications (e.g. where a breach occurs in one territory which affects an audit relationship in another territory). All breaches reported are evaluated and addressed in line with the Code. 

  • The Global Joint Business Relationship system, which provides a standardised process and system for the assessment, approval and ongoing monitoring of joint business relationships.

Each member firm also has a number of specific systems, which could include, for example, a rotation tracking system that monitors compliance with audit rotation policies for engagement leaders and other key audit partners involved in an audit.

Independence training and confirmations

Consultation by engagement teams on independence issues is embedded in the PwC culture. Teams are encouraged to consult with independence specialists whenever a matter is complex, or in the case of any doubt about what to do.

PwC’s processes are supported by comprehensive training of partners and staff. Each member firm provides all partners and staff with annual or ongoing training in independence matters. This training is typically based around milestones related to a change in position or role, changes in policy or external regulation, and, as relevant, provision of services. Partners and staff receive computer-based training on independence policy and related topics. Additionally, training is delivered to members of the practice on an as-needed basis by independence specialists and risk and quality teams.

All partners and practice staff are required to complete an annual compliance confirmation. This involves confirming their compliance with relevant aspects of the member firm’s independence policy, including their own personal independence. In addition, all partners confirm that all non-audit services and business relationships for which they are responsible comply with policy and that the required processes have been followed in accepting these engagements and relationships. These annual confirmations are supplemented by periodic and ad-hoc engagement-level confirmations for certain clients.

Independence monitoring and disciplinary policy

Each member firm is responsible for monitoring the effectiveness of its quality control system in managing compliance with independence requirements. In addition to the confirmations described above, as part of this monitoring member firms perform:

  • compliance testing of independence controls and processes

  • personal independence compliance testing of a random selection of, at a minimum, partners, as a means of monitoring compliance with independence policies

  • an annual assessment of the member firm’s adherence to the PwC network’s standard on independence.

The results of monitoring and testing are reported to the firm’s management on a regular basis.

Each member firm has disciplinary policies and mechanisms in place that promote compliance with independence policies and processes, and require any breaches of independence requirements to be reported and addressed. This includes a discussion with the client’s audit committee regarding the nature of a breach, an evaluation of the impact of the breach on the independence of the member firm and the engagement team, and the need for actions or safeguards to maintain objectivity. Although most breaches are minor and attributable to an oversight, all breaches are taken seriously and investigated as appropriate. The member firm also follows any supplemental local requirements relating to the reporting of breaches. The investigations of any identified breaches of independence policies also serve to identify the need for disciplinary measures, improvements in systems and processes, and for additional guidance and training.

Review

PwC reviews each firm’s compliance with professional standards and policies, including those relating to independence, through inspection activities directed at a risk-based sample of member firms. Any departure from independence requirements in the PwC independence policies and/or external regulations is evaluated. 

Controls over non-audit services 

Before providing non-audit services to entities that are subject to independence restrictions, all member firms are required to obtain authorisation from the group audit engagement partner responsible for services to that entity (or a related entity). A new Authorisation for Service (AFS) system launched in FY20 has increased the effectiveness and efficiency of the scope of services review and approval process. 

In FY21, as part of our ongoing improvement efforts, the AFS system was replatformed to further enhance our independence control processes and integrate them more closely with our other risk processes. To support these improvements and promote understanding of the independence requirements that apply, PwC has developed a comprehensive set of policy and supplementary guidance documents that address the provision of non-audit services to audit clients and their related entities. These documents are based on the international independence standards established by the IESBA, as well as the rules and standards issued by other regulatory authorities. Member firms supplement this with local standards.

When our member firms are providing non-audit services to audit clients, they are required to provide only those non-audit services that are permissible under the applicable rules. In some instances, these non-audit services are required by law or regulations to be performed by the auditor. However, while we have the right controls in place regarding the provision of non-audit services to audit clients, we are also conscious of the threats to independence in appearance that can be created by the provision of non-audit services to our audit clients. So we assess this threat as part of our acceptance processes.

Our Network Risk Management Policy also requires that engagement teams who perform certain non-audit services engagements for SEC-restricted entities obtain approval from an independence specialist. These reviews are performed by independence specialists who make up a global Centre of Excellence (CoE). 

In FY21, 72% of revenues from our audit clients in major global indices were for audit services. Twenty-eight per cent were for non-audit services (FY20: 29%).

Revenues from audit clients in major indices


WEF IBC metrics report

As part of our commitment to transparency we are including an overview of our disclosures based on the WEF IBC Stakeholder Capitalism Metrics.
