Annual report 2018: Governance and transparency

Governance and transparency

Why governance and transparency are central to solving problems

Solving important problems sits at the heart of our business, whether that’s working on insolvencies, combating cyber threats or providing assurance on financial statements. Governance and transparency are both essential to helping us find and deliver solutions: our governance procedures guide our work, while transparency is critical to building trust.

On this page of our Annual Report you can find out about the work of our Management Board, our Supervisory Board and the Public Interest Body. You can read feedback from our stakeholders, look into our executive pay, find out how we work with political parties, the role of our client committee, and what our principal risks and tax strategy are.

Meet our Management Board

Our Management Board leads our firm and is made up of our Executive Board and our Clients and Markets Executive. PwC’s Executive Board is chaired by our Chairman and Senior Partner, Kevin Ellis, and is structured to bring focus to our strategy, operations, talent and technology. Our Clients and Markets Executive (CME) works with the Executive Board focusing on delivering the very best assurance, consulting, deals and tax services to our clients with an appropriate industry and market emphasis.
Find out more here.

What role does our Supervisory Board play?

The Supervisory Board, chaired by Anne Simpson, provides the Executive Board with guidance on matters of actual or potential concern to partners and represents the interests of all partners. As such, it is a core part of our governance structure. Supervisory Board members hold regular meetings with partners to get their views on the firm’s overall strategy and any other issues that may be of concern. You can find out more about our supervisory board in our transparency report.

Hear from our Public Interest Body

Our Public Interest Body (PIB) for FY18 comprised five Independent Non-Executives and, as of the 30th June 2018, three representatives from our firm. Their role is to enhance confidence in the public interest aspects of our firm’s strategy and decision making. The PIB plays a key part in ensuring public interest is at the heart of our stakeholder management and reputational risk management. The PIB also has a role in ensuring we are considering the way our purpose links to our strategy. You can hear more from them here.

Executive remuneration

£712,000

distributable profit per partner

▲ 9%

13.1

multiple of average employee pay and bonus to average partner profits

FY17 12

Management Board

£3.4m

Chairman's distributable profit share

FY17 £3.1m

£21.6m

estimated Management Board distributable profit share

FY17 £19.8m

We believe being transparent about pay is an important way to build trust within our business, which is why we publish details of our executive pay. Individual profit per partner is based on a number of factors including responsibility, individual performance and overall profitability of the firm. We’ve tracked or average profit per partner in relation to our average UK salary for a number of years, this enables us to ensure we are balancing being fair to our people with rewarding strong performance.

How we work with political parties

Part of building trust in society and solving important problems is to make a constructive contribution to public policy debates. We maintain a strict policy of political neutrality, however, we believe that our insights can support and inform good policy making, strong opposition and better government. Politicians and policy-makers are important stakeholders to business and we believe it is natural that we build relationships with them in areas of joint interest. We also engage with politicians, officials and regulators outside of the UK to reflect the international dimension of our firm’s work.

During FY18 we did not provide any secondment support to any political party.

A statement of our political activities and the principles which guide our work can be found here.

Building trust and being transparent

At PwC we recognise that our reputation is based on quality and trust. Our values are to act with integrity, make a difference, care, work together and reimagine the possible. Our board leads by example, and our people are responsible for bringing these values to life.

We have many stakeholders, including: our people, our clients, our regulators, the communities in which we live and work, and many others. We understand that we need to be trusted to be the market leading firm. Transparency, openness and honesty are at the heart of our work with our stakeholders. Some areas across our firm where transparency is paramount, include audit and cyber governance.

Audits are a valuable part of promoting trust in capital markets - a strong and respected audit profession helps to maintain the UK’s global reputation as a trusted place to do business. We are continually looking to improve audit quality, which is helped by maintaining a constructive relationship with our regulators, primarily the Financial Reporting Council (FRC), and adhere to professional standards and codes of ethics. The profession has been under scrutiny in recent times, and we must be open and ready for change. We want to help create and deliver an audit system fit for the future which brings our purpose to life. You can find out more about how we’re working towards this in our transparency report.

Transparency over our own cyber governance is also critical to our values in establishing trust with society. Warwick Hunt is our Executive Board member responsible for cyber and we have a monthly governance committee with representatives from all lines of the business. Our UK Chief Information Security Officer oversees our cyber operations and resiliency, while our market facing cyber security competencies are used to provide independent review. You can find out more about our cyber practice here.

We have a continuous improvement approach to our policies and procedures, reviewing them regularly in light of internal priorities or changes in the market. Please see our transparency report for further details.

Managing risk

Our principal risks
Regulatory change including regulatory threats to business model
Quality (audit and non-audit)
People and talent
Public perception and reputation
Regulatory compliance
Instability and uncertainty caused by Brexit negotiations
Information and Cyber Security
Criticality of IT to service delivery
Client assets
New business models and technology
Technological change and relevance
Physical security
Litigation and regulatory sanction

Our principal risks

Managing risk is a clear strategic priority for the Management Board and senior management of the firm.

We have a clear business strategy. In implementing this strategy it is vital that we also manage the risks associated with it. As a result we have a defined process for assessing, monitoring and controlling risk.

The Management Board takes overall responsibility for establishing systems of internal control and for reviewing and evaluating their effectiveness. The day-to-day responsibility for implementation of these systems and for ongoing monitoring of risk and the effectiveness of controls rests with senior management.

The systems, which have been in place throughout the financial year and up to the date of approval of these financial statements, include the following:

The Risk Council, which comprises senior management reporting to the Executive Board, is responsible for making sure that the controls are in place to identify, evaluate and manage risk.
Our lines of service and our internal firm services, which document risks and the responses to them, carry out risk assessments annually and report to the Risk Council on how effectively they have managed risk during the year.
Periodic reviews of performance and quality are carried out independently by the PwC network.
Our internal audit team reviews the effectiveness of the financial and operational systems and controls throughout the Group and reports to the Executive Board and the Audit and Risk Committee.
Our risk and quality functions oversee our professional services risk management systems and report to the Executive Board.

We take client acceptance procedures extremely seriously and we do not automatically take on new client engagements or new work for existing clients. Understanding properly both who we are working with and the nature of the work requested is central to protecting our reputation for quality.

We have procedures to assess the risks associated with new clients. We seek to serve only those clients we are competent to serve, who value our service and who meet appropriate standards of legitimacy and integrity. We also establish up front whether we are able to comply with independence requirements and to address any potential conflicts of interest. In addition, we conduct annual risk reviews of all audit clients.

Internal control assessment

Our internal control systems are designed to manage, rather than eliminate, the risk of failure to achieve business objectives or, in the case of financial controls, the risk of material misstatement in our financial statements. Accordingly, they provide reasonable, but not absolute assurance against such failure or material misstatement.

The Executive Board has reviewed the systems of internal control in operation during the year and is satisfied with their effectiveness.

On the tabs on the left, you can explore the risks faced by our business and the steps we’re taking to mitigate them.

Regulatory change including regulatory threats to business model

Risk: Failure to manage effectively the impact of changes in the multiple regulatory regimes, both UK and non-UK, under which the UK firm operates. Risks posed to the existing multidisciplinary business model may impact the sustainability of the audit practice within the UK.

Response:

Regular engagement and direct interaction, where possible, with governmental bodies and regulators to understand objectives and provisions of changes and the implications for our businesses.
Regular/continuous monitoring of the cumulative impact of changes in the regulatory environment on the firm’s ability to provide services to audit clients.
Regulatory affairs specialists who lead the firm’s efforts to track all changes in applicable regulatory regimes, of whatever origin, under which the UK firm operates.
Regular updating of firm processes and procedures to ensure compliance by all our people, on all our clients, with all applicable regulations.
Contingency planning.

Quality (audit and non-audit)

Risk: Significant quality failure in the UK firm or the PwC network due to either engaging with an inappropriate client or inadequate delivery of services leading to a potential service failing, litigation and/or regulatory action.

Response: Our internal quality management systems, which are designed to maintain and enhance quality, include:

Recruitment standards and staff development procedures.
Client engagement and acceptance processes.
Client engagement standards supported by methodologies and tools.
Quality reviews of PwC network firms, including the UK firm.
Monitoring and review of key performance indicators by the Executive Board.

People and talent

Risk: Failure to attract, develop and retain key talent.

Response:

Regular reviews of the market for student and experienced talent to understand the firm’s relative competitive position ensuring agile management of resources.
Use of various communication and discussion channels to engage with our people.
Continued practical focus on building people engagement and supporting retention.
Monitoring and review of key performance indicators by the Executive Board, including staff surveys, external Brand Health Index and regular client feedback.
Appointment of external Wellbeing advisors and internal Mental Health champions as part of an overall wellbeing programme.

Public perception and reputation

Risk: Failure to respond in an impactful and transparent manner to issues raised by the current environment, including adverse media coverage which impacts the firm’s reputation.

Response:

Embedding a culture of 'doing the right thing' for our people, our clients and our communities, as a matter of strategic intent.
Engage more fully in open and serious debate with relevant stakeholder groups on trust-related and public interest issues to inspire change.
Sharing of knowledge and insights on trust to sustain, widen and enrich the discussion.
More actively promote the firm’s positive contributions including those to our clients, to broader society and as a significant employer.

Regulatory compliance

Risk: Failure to comply with relevant independence, legal, regulatory or professional requirements leading to regulatory action and/or a client conflict of interest.

Response: Established compliance and independence management systems including:

Clear policies, procedures and guidance.
Mandatory annual training for all partners and staff.
Client and engagement acceptance procedures.
Annual independence and compliance submissions for all partners and staff enforced by penalties for non-compliance.
Regular monitoring and reporting to the Executive Board.

Instability and uncertainty caused by Brexit negotiations

Risk: Uncertainty faced by our clients and our people as the economic, legal and regulatory implications of exit from the European Union become clearer.

Response:

The Executive Board, supported by the Brexit Steering Committee, will manage the impacts based on contingency planning undertaken pre-referendum.
We work closely with our clients to help them adapt to, and thrive in, the new environment.
We provide support and practical advice to European Economic Area (EEA) staff working in the UK and UK staff on overseas assignments in the EEA

Information and Cyber Security

Risk: Non-protection, loss, theft or misuse of client (or the firm’s) confidential data. This risk encompasses electronic and hard copy documents, including off-shored or outsourced repositories, disclosure within social media and direct cyber-security threats.

Response:

Information Protection Governance Group, chaired by a member of the Executive Board, which provides overall strategic direction, framework and policies for information security.
The firm operates an ISO/IEC 27001:2013 certified information security management system which includes:
- Governance - including policies, processes, leadership (Cyber Committee) and assessment for client data and other information.
- Physical, technical and human resource controls.
- Threat intelligence.
- Incident response capability.
- Regular monitoring and independent review systems.
- Continual investment in established cybersecurity controls.

Criticality of IT to service delivery

Risk: Risk of being unable to perform or deliver assignments due to outages or failures in applications and/or the general IT environment.

Response:

Recovery of critical systems is assured by use of two geographically distant data centres. Failed systems are reinstated at the second data centre, in line with Business Impact Analysis priorities.
Continuing programme of testing provides indicators of assurance of our ability to rebuild systems from backups.
IT Incident management procedures identify key systems to determine the real time criticality of impacted systems to ensure appropriate prioritisation of actions.
Review of business critical systems.

Client assets

Risk: Failure to appropriately manage client assets, including major client administrations.

Response: Well-established procedures for dealing with client assets and related matters including:

Portfolio diversification policy.
Daily monitoring of credit and related ratings and maturities.
Internal controls and procedures.
Monitoring and independent review.
A Treasury Committee which receives regular updates on the above.

New business models and technology

Risk: Failure to manage adequately risks created by new businesses most of which are technology dependent, these include failure of new technology, creation of unexpected issues, threats to established business approaches and services or generation of significant independence issues.

Response:

Firmwide process for reviewing new business so that relevant risks are identified promptly and addressed.
Internal focus on relevant on-boarding and operating processes and procedures.

Technological change and relevance

Risk: Risk of reduced relevance of current product offerings and solutions due to new or advanced technology underpinning new business models and cost structures, under-investment in new and advanced technology or inadequate response to non-traditional disruption.

Response:

Significant investment in new and innovative digitising technology solutions for existing services.
Commitment to new platforms to allow efficient delivery of quality services.

Physical security

Risk: Failure to secure the physical security of all our people wherever deployed on the firm’s business including within our own premises in the UK.

Response:

Firmwide travel policy and processes for all our people, incorporating 24/7 tracking and, where appropriate, consultation with a dedicated security team.
Comprehensive security infrastructure covering all our premises.
Continuous monitoring of threat levels and issues in overseas travel destinations, and potential threats to our premises.

Litigation and regulatory sanction

Risk: Risks related to significant commercial litigation or regulatory sanction, regulatory investigation or other sensitive situation, including financial, commercial and reputational impact

Response:

In-house legal team with specialized resources in litigation, contract law, regulation, data privacy, compliance, sanctions and technology.
Development of efficient discovery processes using e-Discovery tools
Incident management protocols across all areas to allow rapid deployment of specialist resources.