Risk management

Risk management is a high priority and guides the way in which PwC South Africa is managed. Under the guidance of our Africa Risk Council, we’re constantly identifying potential risks and implementing plans to mitigate these. The current identified risks to the firm, and our responses to them, are shown here (a comprehensive breakdown is available upon request).

Quality and service delivery

Risks relating to the quality of client service, e.g. audit/non-audit quality of service delivery.

All of our people undergo mandatory quality training, and our client and engagement acceptance and planning processes are robust. Contracts entered into include a limit to our liability, where appropriate, and approval for ‘high-risk’ engagements must be provided by Risk Management, with assignment of a second partner. Quality and service delivery form part of our people's annual appraisal process, and our Risk Management team conducts annual compliance, quality and business reviews.

 

Culture and values

Risks relating to adoption by individuals or groups, including joint business relationships/alliance partners and/or member firms, of values or behaviours that are inconsistent with PwC’s core values. 

Our values, culture, purpose, ethics and code of conduct programmes are communicated regularly to our people. Elected champions and helpdesk facilities are available. Third parties and contractors are required to subscribe to our Code of Conduct, unless their own has been reviewed and accepted by us. Incident trends are monitored and appropriate social media use policies are in place. Ethics, anti-bribery and information security training is mandatory and breaches of these policies investigated. Any misappropriation of client data/information, malicious ‘loss’ or disclosure of sensitive client or internal data by members of staff resulting in reputational damage or adverse media attention is considered a serious offence. 

 

Information and cybersecurity

Risks relating to cyberattacks resulting in a significant data breach and loss/disclosure of sensitive client (and PwC) data, or disruption of normal services, ransomware, and advanced persistent threat (APT) campaigns. Failure to safeguard confidential information resulting in data compromise, misappropriation of client data / information including incidents of bribery and corruption; and major hard data loss — including off-shored or outsourced repositories.

The necessary information security and access measures are in place to ensure the safeguarding of our information against cyberthreats, including ongoing staff awareness programmes. All staff are required to comply with the firm's policies and procedures.

 

Disruption/Innovation

Risks relating to fundamental changes to one or more businesses by an existing competitor or a new entrant, e.g. digital disruption backed by a technology shift which allows the disruptor to offer a radically more relevant or more price-competitive proposition, which may also relate to inadequate investment by the firm itself in similar advanced technology solutions to allow itself to compete; new business and evolving use of technology -- failure to adequately manage risks created by new businesses (innovations in service delivery), most of which include technology; risks include that new technology fails, creates unexpected issues, threatens the established business approach and services or generates significant independence issues; and failing to adopt new ways of working in order to realise investments in digital transformation or develop the appropriate mindset.

Innovation is key to how we do business, including priority account identification and management, creation of new and innovative products and services, and improved service delivery (e.g. use of data and analytics). We have a strategic secondment programme to other firms in the network to upskill our people in the use of these tools. We encourage our people to come up with simple solutions to deal with issues regarding these tools, and continually keep abreast of market trends and client expectations of us in a changing world, developing tools and processes aimed at delivering a more efficient and effective audit. We invest in leveraging and contributing to the existing technology capabilities in the global network, including automation of services. There is an ongoing joint effort across Africa and at global level to invest in technology.

 

Sustainable Business

Risks relating to not achieving the commercial success required to sustain and grow the business, including investing in our future, or ability to attract and retain key talent. Not building a sustainable business for all our stakeholders by, for example, excessive focus on maximising profits in the short term.

We are focussed on growing our firm in a responsible manner. Being commercial means that we think about ways to adapt our delivery models, but also invest for the future, with a particular focus on the development of our people.

Regulatory threats to business model

Risks related to the impact of regulatory change or reform and its potential constraint on growth, profitability and sustainability of the business. 

Regulatory developments and their impact on the firm’s strategic priorities are considered on an ongoing basis. There is ongoing risk and quality oversight of regulatory registration and reporting, as well as rotation analysis to comply with rotation requirements. Portfolio diversification, priority account focus, regulatory relationship management and channel choice decisions are all dealt with at senior levels.

 

Purpose and trust

Risks relating to issues, especially where public debate contains a moral dimension, which may create significant and continued adverse media coverage and undermine the firm’s positioning on its purpose and trust. 

Active management of the firm’s external communications, including media relations and social media platforms, is a full-time function. We regularly communicate our gift policy and maintain a gift register. Leadership communicates relevant firm and market developments and there are robust client, engagement and joint business relationship acceptance processes in place. Ethics training is mandatory. 

 

Talent (People)

Risks related to the inability to attract, retain and develop key talent as a result of uncompetitive remuneration or lack of investment and development of our people, which undermines our service capability. Lack of preparation and capacity to deal with major human capital shifts, e.g. increased automation. Aggressive competitor/client solicitation of key staff and partners, resulting in the loss of key talent, institutional memory, key clients and revenue.

Reward specialists ensure that our remuneration remains competitive. A transformation strategy aimed at retention is in place. Change strategies are in place around our new finance and people management systems, and an Africa People Partner takes responsibility for the human capital change process. Employee wellness programmes are in place, along with proactive mobility planning to enhance skills development. Talent mapping, succession planning and critical role identification are focus areas. The Learning & Development partner takes responsibility for training compliance. The annual Global People Survey results guide our policies. 

 

Independence

Risks relating to breach/non-compliance with relevant independence requirements leading to regulatory action and/or client conflict of interest, adverse media coverage and reputational damage.

We have appointed an Ethics and Business Conduct Leader (E&BCL) and a Partner Responsible for Independence (PRI), who are both senior partners within the firm, supported by a team of specialists to help the firm apply comprehensive and consistent ethics and independence policies, procedures and tools. Annual independence declarations are mandatory for all of our partners and staff, to ensure that we are objective in all of our dealings with clients. ‘Know your client’/adverse data searches are conducted regularly. There is centralised relationship checking and review of partner rotation data, and the risk and quality team is involved in the business operations solutions project. The independence team monitors and communicates policy changes. 

 

Legal and regulatory compliance (litigation risk)/breach of sanctions

Risks relating to breach/non-compliance with laws and regulations other than independence, e.g. failure to comply with professional institute obligations; non-compliance by either the firm or its partners with local tax laws; failure to comply with anti-money laundering rules; failure to comply with applicable anti-corruption legislation, whether local or international; litigation following significant troublesome practice matters; and breach of sanctions (US/EU/UN) resulting in reputational damage, fines and revocation of credit lines.

Our risk & quality function provides mandatory annual training and monitors compliance with policies and standards during internal reviews. Quality improvement plans are in place for each of our lines of service and we undertake regular updates on policies and standards (e.g. sanctions, insider trading, anti-bribery and corruption). We advocate a culture of doing the right thing, always underscored by our values and code of conduct. In the event of breaches, we have a robust approach to litigation.

 

Increasingly stringent nationalisation/transformation targets (regulatory change)

Risk relating to an inability to meet the transformation targets as these become increasingly onerous — e.g. inability to retain African, Coloured and Indian (ACI) talent to meet ownership and employment equity targets; political shifts — uncertainty around ownership targets; aggressive transformation drive by competitors; creating an environment in which we are unable to respond and compete.

The Africa Human Capital Partner is responsible for monitoring implementation of key ACI talent retention plans and pipeline management by line of service leaders. The South Market Area Transformation Partner drives the implementation of the firm’s transformation strategy, including working with leaders responsible for the various elements of the scorecard (Human Capital, recruitment, procurement, enterprise and supplier development, and corporate responsibility). Scorecards are monitored throughout the year, as are regulatory developments in the BEE space and competitor transformation activity, including B-BBEE scorecard ratings and ownership levels.

 

Geopolitical or macroeconomic disruption 

Risks relating to potential major shifts in politics or the economy, e.g. a downturn in global economic conditions, or uncertainty in future economic conditions, and/or continued stagnation/further decline of commodity prices resulting in contractionary fiscal policy/reduced government spend/a major non-payment risk; political destabilisation/geopolitical disruption -- reduction in opportunities and revenues due to election cycles; credit rating downgrade; and major sovereign/client default resulting in major non-payment risk.

The firm considers political destabilisation/geopolitical disruption risks against its strategies and objectives, to ensure that changes or adjustments are factored in to reduce both the likelihood and impact of the risk. The firm monitors indicators and warnings of risk via the Africa Business Resilience Team and leverages network resources as required. Withstanding short-term setbacks and anticipating long-term trends are intrinsically linked to the operating environment and business strategies across the region. Certain industry sectors will be more impacted than others by political and climatic cycles, which informs geographical and industry profiling and focus. Monitoring PwC business intelligence provides insight into the posture industry leaders will take in the event of enhanced risk across the region.

Plans include identifying territories most likely to be impacted, and reassessing strategic focus; identifying and managing clients likely to be most impacted and strategically reassessing our relationship with them; proactive participation in key industry/sector forums; proactive management/monitoring of debtors; priority account identification and management; building strong client relationships, and internal understanding of market developments, opportunities and internal resource capacity.

 

Business continuity and disaster preparedness 

The holistic management process that identifies potential threats to an organisation and the impacts to business operations of those threats. This process provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.

Business continuity is embedded through a virtual network of individuals and teams across PwC Africa. We work with key stakeholders within PwC Africa to build towards ISO 22301 (International Standard for Business Continuity) re-certification from BSI. A virtual team of business continuity practitioners operates within each member firm, coordinated centrally. Incident management teams, supported by in-country business continuity staff, coordinate responses to a disruption and provide an organised and timely process and execution of activities, including escalations to incident management teams to manage the event impacting the member firm(s). We leverage our global network’s experience and expertise to reinforce capacity within PwC Africa.


Contact us

Rianté Padayachee

Media and Communications Specialist, PwC South Africa

Tel: +27 (0) 11 797 5727

Verena Koobair

Head of Communications and Societal Purpose Firm Pillar Lead, PwC South Africa

Tel: +27 (0) 11 797 4873
