How we identify and manage key risks and engage with our stakeholders

Identifying, managing and mitigating risk is an essential part of running any business. At PwC, we work with many organisations to help them deal with the growing risks they face in our increasingly complex and challenging world. We also invest significant time and resources into anticipating and managing risks to our own business.

At PwC, the Africa Governance Board provides oversight, review and approval of our network’s enterprise risk management (ERM) approach and focus. The Africa Leadership Team provides strategic direction (including in the area of ERM). The Chief Risk Officer (CRO) is responsible for network risk management, including ERM. The PwC network and its member firms take a systematic approach to ERM. The risks with the highest potential impact for the PwC network are reviewed on an annual basis. These Key Network Risks (KNRs) and their related significant mitigation plans are reviewed by the PwC Global Board. KNRs are risks which have the potential to either undermine the achievement of the network strategy and business objectives, or fundamentally damage the network and compromise its future. These global KNRs as well as local facts and circumstances are considered when determining the key risks for the firm.

In assessing the significance of risks, consideration is given to the impact on:

  • client and service quality, and the network’s ability to fulfil its obligations to clients and regulators and to meet the expectations of other stakeholders

  • the trust of clients and other key stakeholders (including regulators and governments)

  • legal and regulatory compliance across the network

  • achievement of the network and local firm strategy, including its purpose

  • the ability of individual member firms to recruit and retain key talent

  • revenues across the individual member firms

PwC Africa’s key network risks

People

Inability to offer a competitive People value proposition to future and current talent which restricts our ability to attract and retain talent, develop skills and leaders for the future business and our ability to anticipate and adapt to changing workforce, business and client needs.

Geopolitical and macro-economic*

Risks related to negative major shifts in the politics or the economy of a country or region which may stem from a downturn in economic conditions or uncertainty in future economic conditions.

Regional instability*

Risks related to political and social instability in a region or country brought about by negative macroeconomic conditions, religious tensions and extremism and governance mismanagement resulting in an increasingly fragile operating environment.

Financial performance

Inability to responsibly and sustainably grow our business where business market conditions are challenging, impacting our ability to invest in talent, technology, products or services to further grow the business.

Societal trust and brand

Risk related to exhibiting an inconsistent brand narrative resulting in lack of cohesion and brand distinction. Risk related to a failure to sufficiently anticipate, understand and respond to market and societal expectations resulting in a loss of trust.

Quality and ethics

A significant failure in evaluating the risks associated with accepting or continuing with a client or engagement or a significant service delivery failure could impact our reputation and lead to litigation or regulatory action. Failure to manage and respond to ethical expectations and requirements related to the profession.

Purpose, values and behaviour

Risks relating to adoption by individuals or groups, including joint business relationships (JBRs) or alliance partners and/or member firms, of values or behaviours which are inconsistent with the PwC values or unethical in nature.

Physical security*

Risks relating to the physical security of PwC staff and infrastructure wherever deployed.

Business continuity management

Inability to withstand an economic or physical/structural disaster, terrorist strike, information system collapse, infectious disease outbreak, or environmental and natural threats due to inadequate contingency planning.

Information security and cyber resilience

Risks relating to our inability to proactively harness information and data to capture the upside of trends. Inadequate resilience in information and data security which may result in major cyber events, misuse of data and information/data breaches which may result in regulatory action.

Climate resilience and ESG*

Failure to adequately respond to the growing importance of climate-related events and ESG within the corporate environment which negatively impacts perception of the firm, investment returns, brand strength and recognition.

Footnote: Items marked with * denote an external risk


The most significant risks facing our network are inherent to the nature of our business and the external environment. 

The risks we face around ensuring the quality of our services, meeting our applicable legal obligations, and adhering to the professional regulations and standards under which we operate (including those related to auditor independence) remain as important as ever. The same goes for the security and resilience of our systems and technology infrastructure; the strength of the individual member firms that provide our global reach and capability; and our ability to recruit, retain and develop the staff both to service our existing clients and develop opportunities for growing the business.

We remain acutely aware of our impact on the world around us and the need to work with our stakeholders to manage those impacts more effectively.

Material issues impacting stakeholders

The issues that are of concern to our key external stakeholders are assessed and taken into account as part of the process of identifying KNRs. 

This includes:

  • the quality of work performed for clients and delivery of sustained outcomes

  • our compliance with applicable laws, regulations, professional standards, rules and internal policies. This includes our member firms’ compliance with audit and assurance independence rules and regulations

  • our ability to meet the evolving requirements of regulatory and public policy

  • our member firms’ compliance with applicable data management standards

  • our member firms’ ability to safeguard and manage data appropriately

  • the quality of our information and cybersecurity processes and procedures

  • the actions of our people and member firms aligning with our values and societal expectations

  • the resilience of member firms to withstand economic, regulatory and political shocks

  • the resilience of critical technology systems across our network and member firms

  • our ability to attract, retain, train and deploy the right people to ensure high-quality delivery and innovation

  • the maintenance of the PwC brand and the confidence it gives in our work and deliverables

Engaging with our stakeholders

PwC engages with stakeholders at both network and individual member firm levels.

Some examples of how PwC engages as a network are described below. These examples are by no means exhaustive. They are an indication of the many ways that we actively engage with our stakeholders on key issues throughout the course of the year. 

  • Our people — we engage with our people across the continent via a variety of platforms including global and local surveys as well as in-person interactions

  • Clients — we work with clients across the continent, ranging from individuals to the world’s largest corporations

  • Standard setters — we actively participate in the process of commenting on both financial and non-financial reporting consultations

  • Regulators — we work closely with our regulators across the continent, particularly on efforts to enhance audit quality and support the effective operation of tax systems around the world

  • Think tanks and NGOs — participating in discussions on key issues such as climate change and social inequality is a top priority for PwC and a key part of our work to fulfil our purpose

  • Investors — as one of the world’s largest networks of audit firms, we play a key role in the functioning of capital markets. Understanding the views and needs of investors is very important to us

  • Alumni — the thousands of PwC alumni across the world remain an important part of the PwC community

PwC’s approach to client acceptance

We have implemented global, cloud-based technology to manage client and engagement acceptance and continuance. This helps us make better decisions about who we choose to work with and the services we agree to provide. It also helps us to manage the risks associated with potential conflicts, and, as a result, to continue to foster trust with our stakeholders.

Our ethics and compliance standards and policies set out how our member firms should mitigate the risk of inadvertently becoming involved in actual or potential money-laundering activities, and these form an important part of our approach to client acceptance. As most legislation on anti-money laundering is based on the Financial Action Task Force’s recommendations, our standard is consistent with these recommendations. In addition to the PwC standards, member firms are required to comply with local laws and professional regulations. 

The PwC standards require each PwC member firm to establish systems, policies and procedures to mitigate the risk of being directly or indirectly involved in money-laundering, terrorist financing or any kind of financial crime.

The standards also set out the core requirements and prohibitions for all PwC partners and staff. They make clear that engaging in money-laundering practices is illegal and unacceptable behaviour, and partners and staff have obligations to assist in the prevention of money laundering. Specifically, as part of client acceptance, PwC partners and staff must: 

  • establish their client’s identity (including the identification of ultimate beneficial owners where required) 
  • not provide any service, or enter into any business relationship, that could constitute being directly or indirectly involved in money-laundering activities. Our policy and guidance provide practical and detailed explanations that outline concepts such as what to look for. 

We have established reporting procedures whereby any partner or staff member can report any knowledge or suspicion of money laundering.

Ethics and independence

Ethics codes and practices

At PwC, we adhere to the fundamental principles of ethics set out in the International Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants (IESBA). These are:

  • to be straightforward and honest in all professional and business relationships

  • to not allow bias, conflict of interest or undue influence of others to override professional or business judgements

  • to maintain professional knowledge and skill at the level required to ensure that a client or employer receives competent professional services based on current developments in practice, legislation and techniques; and to act diligently and in accordance with applicable technical and professional standards

  • to respect the confidentiality of information acquired as a result of professional and business relationships. This includes not disclosing any such information to third parties without proper and specific authority, unless there is a legal or professional right or duty to disclose, and not using the information for the personal advantage of the professional accountant or third parties

  • to comply with relevant laws and regulations and avoid any action that discredits the profession

All member firms must also comply with our network standards, which cover a variety of areas related to ethics and compliance, including ethics and business conduct, independence, anti-money laundering, anti-trust and fair competition, anti-corruption, information protection, firms’ and partners’ taxes, sanctions laws, internal audit and insider trading. We take compliance with these ethical concerns seriously, so we strive to embrace the spirit and not just the letter of these requirements. We require our people to undertake annual mandatory training and submit annual confirmations of their individual compliance as part of our system to support appropriate understanding of the ethical requirements under which we operate. Our partners and staff are expected to uphold and comply with our ethics standards.

Each member firm is required to uphold the PwC purpose and values. In addition, each member firm must adhere to the PwC network standards, including the PwC Global Code of Conduct. 

All PwC people are expected to live by the values expressed in the Code over the course of their careers at PwC. They have a responsibility to report and express concerns, and to do so fairly, honestly and professionally when dealing with a difficult situation or when they see any instances of behaviour inconsistent with the Code.

PwC’s approach to anti-corruption

PwC is opposed to corruption in any form and recognises the importance of making smart choices when it comes to its business relationships. Our ethics and compliance standards and policies specifically set out how member firms are expected to identify and mitigate the risk of bribery and corruption in their activities. The standards require each member firm to establish systems, policies and procedures to prevent bribery and corruption. They set out specific requirements for each member firm, including: 

  • appointing an experienced individual who, with appropriate leadership oversight, is responsible for implementing the standards’ requirements 

  • annually preparing a risk assessment to evaluate (a) the level and type of risks the firm faces, and (b) the policies and procedures the firm uses to comply with this standard and/or to respond to local risks 

  • training all personnel (including new joiners) annually on policies and guidance that apply locally and across our network 

  • taking steps to identify and resolve any departures from, or violations of, policies in place locally 

  • annually undertaking monitoring to assess compliance with these standards as well as policies and guidance that apply locally or across our network, and resolving any deficiencies, where identified 

Each year, all partners and staff at PwC member firms are required to sign a personal confirmation of their anti-corruption compliance.

Objectivity and independence

As auditors of financial statements and providers of other types of professional services, PwC member firms and their partners and staff are expected to comply with the fundamental principles of objectivity, integrity and professional behaviour. Independence underpins these requirements in our work with assurance clients. Compliance with these principles is essential to serving our clients and thereby instilling confidence in the capital markets. 

The PwC Global Independence Policy is based on the IESBA International Independence Standards, supplemented by the independence requirements of the US Securities and Exchange Commission (SEC), the US Public Company Accounting Oversight Board and the EU Audit Regulation of 16 April 2014. It contains minimum standards with which PwC member firms have agreed to comply, including processes that are to be followed to maintain independence from assurance clients. 

We have a designated partner (known as the Partner Responsible for Independence or PRI) with appropriate seniority and standing. This partner is responsible for implementing the PwC Global Independence Policy, including managing the related independence processes and providing support to the business. The partner is supported by a team of independence specialists.

Independence-related systems and tools

As members of the PwC network, PwC Africa firms have access to a number of systems and tools which support them and their personnel in executing and complying with their independence policies and procedures. 

  • Central Entity Service (CES) contains information about corporate entities including all PwC audit clients and their related entities (including all public interest audit clients and SEC-restricted entities) as well as their related securities. CES assists in determining the independence restriction status of clients of the PwC firm and those of other PwC firms before entering into a new non-audit service or business relationship. This system also feeds the Independence Checkpoint and the Authorisation for Services systems.

  • Independence Checkpoint facilitates the pre-clearance of publicly traded securities by all partners and practice managers before acquisition and is used to record their subsequent purchases and disposals. Where a PwC firm wins a new audit client or there is a change in the restriction status of a security, this system automatically informs those holding relevant securities of the requirement to sell the security where required.

  • Authorisation for Services is a global system that facilitates communication between a non-audit services engagement leader and the audit engagement leader, regarding a proposed non-audit service, documenting the analysis of any potential independence threats created by the service and proposed safeguards, where deemed necessary, and acts as a record of the audit partner’s conclusion on the permissibility of the service. 

  • Joint Business Relationships (JBR) is a global system used to clear joint (close) business relationships from an independence perspective. JBR is used to facilitate PwC firms’ compliance with JBR requirements for new and existing joint business relationships. It assists independence specialists in gathering information to assess, from an independence perspective, the permissibility of proposed joint business relationships and in monitoring the continued permissibility of previously approved existing joint business relationships.

  • Global Breaches Reporting is used to report any breaches of external auditor independence regulations (e.g. those set by regulation or professional requirements) where the breach has cross-border implications (e.g. where a breach occurs in one territory which affects an audit relationship in another territory). All breaches reported are evaluated and addressed in line with the Code.

  • My Compliance Dashboard is a standardised compliance platform available to partners and staff in all PwC member firms. It is used by firms to issue, manage and report on confirmations obtained including the annual compliance confirmation. 

  • Automated Investment Recording simplifies portfolio maintenance for PwC partners and staff in the Independence Checkpoint by automatically recording security transactions using regular direct feeds from participating brokers

Independence training and confirmations

Our firms provide all partners and practice staff with annual or on-going training in independence matters. Training typically focuses on milestone training relevant to a change in position or role, changes in policy or external regulation and, as relevant, provision of services. 

Partners and staff receive computer-based training on their firm’s independence policy and related topics. Additionally, face-to-face training is delivered to members of the practice on an as-needed basis by their firm’s independence specialists and risk and quality team.

All partners and practice staff are required to complete an annual compliance confirmation, whereby they confirm their compliance with relevant aspects of the firm’s independence policy, including their own personal independence. In addition, all partners confirm that all non-audit services and business relationships for which they are responsible comply with policy and that the required processes have been followed in accepting these engagements and relationships. These annual confirmations are supplemented by periodic and ad-hoc engagement level confirmations for certain clients.

Independence monitoring and disciplinary policy

PwC Africa is responsible for monitoring the effectiveness of its system of quality management in managing compliance with independence requirements. In addition to the confirmations described above, as part of this monitoring, we perform:

  • compliance testing of independence controls and processes;

  • personal independence compliance testing of a random selection of, at a minimum, partners and practice managers as a means of monitoring compliance with independence policies; and

  • an annual assessment of our firm’s adherence to the PwC network’s standard relating to independence.

The results of PwC Africa monitoring and testing are reported to the firm’s management on a regular basis with a summary reported to them on an annual basis.

PwC Africa has an Accountability Framework and supporting disciplinary policies and mechanisms in place that promote compliance with independence policies and processes, and that require any breaches of independence requirements to be reported and addressed.

This would include discussion with the client’s audit committee regarding the nature of a breach, an evaluation of the impact of the breach on the independence of the PwC firm and the engagement team and the need for actions or safeguards to maintain objectivity. Although most breaches are minor and attributable to an oversight, all breaches are taken seriously and investigated as appropriate. The investigations of any identified breaches of independence policies also serve to identify the need for improvements in PwC Africa’s systems and processes and for additional guidance and training.

Controls over non-audit services

Before providing non-audit services to entities that are subject to independence restrictions, all member firms are required to obtain authorisation from the group audit engagement partner responsible for services to that entity (or a related entity).

To promote understanding of the independence requirements that apply, PwC has developed a comprehensive set of policy and supplementary guidance documents that address the provision of non-audit services to audit clients and their related entities. These documents are based on the requirements of the IESBA International Independence Standards, as well as the rules and standards issued by other regulatory authorities. We supplement this for any relevant local standards.

When our member firms are providing non-audit services to audit clients, they are allowed to provide only those non-audit services that are permissible under the applicable rules. In some instances, these non-audit services are required by law or regulations to be performed by the auditor. However, while we have controls in place regarding the provision of non-audit services to audit clients, we are also conscious of the threats to independence in appearance that can be created by providing non-audit services to our audit clients. So we assess this threat as part of our acceptance processes.

Our Network Risk Management Policy also requires that engagement teams who provide certain non-audit services to SEC-restricted entities obtain input from an independence specialist in our global SEC Centre of Excellence. The conduct of certain services to SEC issuer audit clients is closely supported and monitored through extended processes, including (as applicable):

  • review of audit committee pre-approval communications;

  • independence review of initial engagement communications with the client such as proposal materials;

  • pre-engagement independence coaching discussions for the service team; and

  • independence in-flight review of the engagement through the course of the service.

Contact us

Dion Shango

Territory Senior Partner for PwC’s East, West and South Market regions in Africa, PwC South Africa

Tel: +27 (0) 11 797 4166

Shirley Machaba

Regional Senior Partner, PwC South Market Area, PwC South Africa

Tel: +27 (0) 11 797 5851

Peter Ngahu

Regional Senior Partner, PwC East Market Area, PwC Kenya

Tel: +254 (0) 20 285 5090

Sam Abu

Regional Senior Partner, PwC West Market Area, PwC Nigeria

Tel: +2342012711700

Verena Koobair

Head of Communications and Societal Purpose Firm Pillar Lead, PwC South Africa

Tel: +27 (0) 11 797 4873
