Risk: Failure to manage effectively the impact of changes in the multiple regulatory regimes, both UK and non-UK, under which the UK firm operates. Risks posed to the existing multidisciplinary business model may impact the sustainability of the audit practice within the UK.

Response:

• Regular engagement and direct interaction, where possible, with governmental bodies and regulators to understand objectives and provisions of changes and the implications for our businesses.

• Regular/continuous monitoring of the cumulative impact of changes in the regulatory environment on the firm’s ability to provide services to audit clients.

• Regulatory affairs specialists who lead the firm’s efforts to track all changes in applicable regulatory regimes, of whatever origin, under which the UK firm operates.

• Regular updating of firm processes and procedures to ensure compliance by all our people, on all our clients, with all applicable regulations.

• Contingency planning.

Risk: Significant quality failure in the UK firm or the PwC network due to either engaging with an inappropriate client or inadequate delivery of services leading to a potential service failing, litigation and/or regulatory action.

Response: Our internal quality management systems, which are designed to maintain and enhance quality, include:

• Recruitment standards and staff development procedures.

• Client engagement and acceptance processes.

• Client engagement standards supported by methodologies and tools.

• Quality reviews of PwC network firms, including the UK firm.

• Monitoring and review of key performance indicators by the Executive Board.

Risk: Failure to attract, develop and retain key talent.

Response: 

• Regular reviews of the market for student and experienced talent to understand the firm’s relative competitive position ensuring agile management of resources.

• Use of various communication and discussion channels to engage with our people.

• Continued practical focus on building people engagement and supporting retention.

• Monitoring and review of key performance indicators by the Executive Board, including staff surveys, external Brand Health Index and regular client feedback.

• Appointment of external Wellbeing advisors and internal Mental Health champions as part of an overall wellbeing programme.

Risk: Failure to respond in an impactful and transparent manner to issues raised by the current environment, including adverse media coverage which impacts the firm’s reputation.

Response: 

• Embedding a culture of 'doing the right thing' for our people, our clients and our communities, as a matter of strategic intent.

• Engage more fully in open and serious debate with relevant stakeholder groups on trust-related and public interest issues to inspire change.

• Sharing of knowledge and insights on trust to sustain, widen and enrich the discussion.

• More actively promote the firm’s positive contributions including those to our clients, to broader society and as a significant employer.

Risk: Failure to comply with relevant independence, legal, regulatory or professional requirements leading to regulatory action and/or a client conflict of interest.

Response: Established compliance and independence management systems including:

• Clear policies, procedures and guidance.

• Mandatory annual training for all partners and staff.

• Client and engagement acceptance procedures.

• Annual independence and compliance submissions for all partners and staff enforced by penalties for non-compliance.

• Regular monitoring and reporting to the Executive Board.

Risk: Uncertainty faced by our clients and our people as the economic, legal and regulatory implications of exit from the European Union become clearer.

Response: 

• The Executive Board, supported by the Brexit Steering Committee, will manage the impacts based on contingency planning undertaken pre-referendum.

• We work closely with our clients to help them adapt to, and thrive in, the new environment.

• We provide support and practical advice to European Economic Area (EEA) staff working in the UK and UK staff on overseas assignments in the EEA

Risk: Non-protection, loss, theft or misuse of client (or the firm’s) confidential data. This risk encompasses electronic and hard copy documents, including off-shored or outsourced repositories, disclosure within social media and direct cyber-security threats.

Response: 

• Information Protection Governance Group, chaired by a member of the Executive Board, which provides overall strategic direction, framework and policies for information security.

• The firm operates an ISO/IEC 27001:2013 certified information security management system which includes:

  • Governance - including policies, processes, leadership (Cyber Committee) and assessment for client data and other information.

  • Physical, technical and human resource controls.

  • Threat intelligence.

  • Incident response capability.

  • Regular monitoring and independent review systems.

  • Continual investment in established cybersecurity controls.

Risk: Risk of being unable to perform or deliver assignments due to outages or failures in applications and/or the general IT environment.

Response:

• Recovery of critical systems is assured by use of two geographically distant data centres.  Failed systems are reinstated at the second data centre, in line with Business Impact Analysis priorities.
• Continuing programme of testing provides indicators of assurance of our ability to rebuild systems from backups.
• IT Incident management procedures identify key systems to determine the real time criticality of impacted systems to ensure appropriate prioritisation of actions.
• Review of business critical systems.

Risk: Failure to appropriately manage client assets, including major client administrations.

Response: Well-established procedures for dealing with client assets and related matters including:

• Portfolio diversification policy.

• Daily monitoring of credit and related ratings and maturities.

• Internal controls and procedures.

• Monitoring and independent review.

• A Treasury Committee which receives regular updates on the above.

Risk: Failure to manage adequately risks created by new businesses most of which are technology dependent, these include failure of new technology, creation of unexpected issues, threats to established business approaches and services or generation of significant independence issues.

Response: 

• Firmwide process for reviewing new business so that relevant risks are identified promptly and addressed.

• Internal focus on relevant on-boarding and operating processes and procedures.

Risk: Risk of reduced relevance of current product offerings and solutions due to new or advanced technology underpinning new business models and cost structures, under-investment in new and advanced technology or inadequate response to non-traditional disruption.

Response: 

• Significant investment in new and innovative digitising technology solutions for existing services.

• Commitment to new platforms to allow efficient delivery of quality services.

Risk: Failure to secure the physical security of all our people wherever deployed on the firm’s business including within our own premises in the UK.

Response: 

• Firmwide travel policy and processes for all our people, incorporating 24/7 tracking and, where appropriate, consultation with a dedicated security team.

• Comprehensive security infrastructure covering all our premises.

• Continuous monitoring of threat levels and issues in overseas travel destinations, and potential threats to our premises.

Risk: Risks related to significant commercial litigation or regulatory sanction, regulatory investigation or other sensitive situation, including financial, commercial and reputational impact

Response: 

• In-house legal team with specialized resources in litigation, contract law, regulation, data privacy, compliance, sanctions and technology.

• Development of efficient discovery processes using e-Discovery tools

• Incident management protocols across all areas to allow rapid deployment of specialist resources.