Risk management
Risk approach
As we adapt to changes in a volatile business and social environment, risk management is key to our sustainable success. Trends in the environment in which we operate require a structured risk approach. The main trends that impact our business activities and call for a risk response are changing public opinions and views, increasing regulation, geopolitical developments, new technologies and delivery models, disruption, cybercrime and sustainability.
EY is committed to doing its part in building a better working world. This commitment drives our business values that underpin our belief to conduct all of our business activities in conformity with the highest ethical standards. Our risk management approach is tied in with our values and Vision 2020 to identify, assess and pro-actively manage risks and opportunities. The main objectives in our risk approach are diversification and focus on our portfolio management, trustworthy stakeholder management, sustainable client relationships and business operations.
Our risk profile is based on an enterprise-wide risk management framework owned by the EY Global Risk Management function. In our framework, all risk types are identified to provide an integrated view on EY’s risk profile. The Board of Directors of Ernst & Young Nederland LLP, through the combined Regional Leadership Team of Belgium and the Netherlands, has overall responsibility to review and address EY’s risk profile. Main elements for assessing EY’s risk profile and to understand our risk drivers are our risk taxonomy, risk governance, risk appetite and risk tooling. Our risk profile is embedded in a risk culture by means of communication and awareness.
Our risk taxonomy is the classification of the risks to which EY is exposed into different risk types. In FY 2015/2016 EY initiated a program to further enhance this risk classification and risk assessment methodology. A formalized risk management strategic assessment approach across all service lines was introduced, including a focus on internal and external factors, in order to provide full coverage of the organization and its major risk exposures.
In FY 2016/2017 we will continue our work on the risk taxonomy in order to provide a common risk language and to further increase our risk analysis capabilities and to consistently aggregate risks across our organization.
Our risk management governance starts with clear risk ownership. Whilst enterprise-wide risk management is under the responsibility of the risk management function at corporate level, risk management is the responsibility of every professional. This responsibility includes acting in conformity with external and internal regulations, policies and standards whilst carrying out our professional duties, and always consulting and living our values.
The risk management function is positioned at corporate level under the leadership of the BeNe Risk Management Leader who is a member of the combined Regional Leadership Team. A three lines of defense model provides a clear division of responsibilities regarding risk ownership (all partners and employees responsible for professional services execution and support), risk control (functions responsible for policy setting, risk monitoring and reporting and ensuring that all professionals take risk ownership) and risk assurance (evaluating the effectiveness of risk controls both at the level of governance as well as in underlying processes by means of quality reviews and through the activities of Global Internal Audit).
Our risk appetite determines the level and nature of risk EY is willing to take to achieve our strategic objectives, taking into account stakeholders' considerations and the nature of our business activities. Depending on the nature of the risks, more critical tolerances apply. For certain risks, such as integrity risk, we have a zero tolerance approach as these directly impact our license to operate. For other types we apply a more calculated risk approach.
Important elements that influence our risk appetite are:
- The role of EY in society where trust is our most valuable asset
- Social attitudes and values
- Rules and regulations including independence requirements
- Professional and know-how requirements
- Sector concentration
- No surprise culture
- EY global and local policies
Risk identification, measurement, mitigation, monitoring and reporting mechanisms are established through our risk management framework consisting of a set of policies, procedures and processes covering all aspects and stages of our business activities such as client and engagement acceptance and continuance policies and procedures, independence checks, consultation processes and quality reviews.
We foster a risk culture in which all of our people understand the risks associated with their professional activities and know how to act accordingly. Our stance consistently is that no single client and no single partner is more important than professional reputation – the reputation of EY NL and the reputation of our individual professionals. Partners and employees are expected to understand the risk drivers that influence our risk profile and to take firm ownership of these risks whilst executing their professional activities. We aim to continuously improve our risk awareness by means of learning initiatives and by evaluation mechanisms.
Legal and contractual restrictions apply to the level of transparency regarding proceedings. In this report we share the comparative number of proceedings; for more detail we refer to the Transparency report.
The main risks that our company faces at EY NL level and that could threaten the achievement of our strategic objectives are summarized below, together with the mitigating actions that have been identified to manage these risks:
In control statement
The Board of Directors of Ernst & Young Nederland LLP has final responsibility for designing and operating effective risk management and internal control systems. This includes a broad range of policies and procedures, processes and guiding people’s behavior in such a way that the firm can achieve its objectives. Measures regarding the general control environment such as the Global Code of Conduct, the firm’s risk management principles, authority schedules as well as client acceptance and continuance procedures are important elements in our system of controls.
The Board of Directors acknowledges the importance of risk management and internal control systems and has initiated the establishment of a more comprehensive insight into internal control effectiveness by means of a phased implementation of an internal control framework based on the COSO model.
The risk management and control systems are designed to provide reasonable but not absolute assurance that the significant risks to which the firm is exposed are managed.
Due to their inherent limitations, these systems do not provide complete assurance on the realization of business objectives and cannot at all times prevent inaccuracies, fraud and non-compliance with rules and regulations.
In the course of this review of effectiveness of internal controls we have not identified any significant weaknesses. However, we have identified actions which we believe will further strengthen controls to mitigate EY’s significant risks. Cognizant of the limitations above, the Board concluded that there was reasonable assurance regarding the operational effectiveness of the internal control framework and that the financial statements FY 2015/2016 do not contain any material misstatements.
The evaluation of the adequacy of the risk management and control systems and actions identified to improve these systems are discussed with the Supervisory Board.
Rotterdam, September 28, 2016