Risk management

TMF Group's business is subject to risks and uncertainties, both as a firm in our own right, and as a partner to our clients in providing them with critical services within local rules and regulations. Our ability to provide clients with reliable services, safe from regulatory concerns, fraud, cyber-attack and other potential impacts, is inherent to our reputation and proposition. We therefore see risk management as an integral part of our governance, setting our own risk-safe environment that gives us the ability to be the compliant partner of our clients. It is also an integral part of our client delivery, maintaining our clients’ compliance and the most important thing for us to get right. It is a pillar in our One TMF framework and occupies a key part of our management agenda.

Our aim is not to eliminate risk, but to identify, prevent and control risk by taking informed decisions. We manage risk following the standard three lines of defence model: Business, which consists of the business owners who own the risk; Group Functions, which oversee and specialise in risk management; and the Internal Audit Function, which provides independent assessment. TMF manages risk within a Company Risk Assessment framework, which ensures the visibility of the top-down risks and mitigations, and also provides an escalation route in case any material risks that may impact TMF strategic objectives are identified from a bottom-up direction. Regardless of these technical approaches to risk management, we believe that flawless risk management ultimately stems from leadership signalling that it matters. We therefore set a strong tone from the top at TMF Group, with regular discussion and challenge on risk in our staff communication and training, as well as management and board review sessions.

The risks that have the greatest potential impact on TMF Group are referred to as principal risks. They have the potential to have a materially adverse impact on our business, whether the impact is regulatory, financial, operational, or reputational. The principal risks which TMF Group currently recognises and is acting upon are detailed in the following pages, along with our actions to mitigate them.

Changing market dynamics

Risk description

TMF Group operates in a global market constantly influenced by changes in laws and regulations. These changes may have a significant impact on our business and products if we are unable to develop and market new products or align with those changes and may consequently bring uncertainties to existing and prospective clients. Non-compliance with changes to laws and regulations may result in reputational damage, criticism, fines, disputes and litigation, and a loss of clients and business opportunities.

Controls and mitigations

TMF Group has dedicated specialised teams that closely monitor, track and analyse developments in the regulatory and competitive landscape, to identify new changes and ensure pro-active development of opportunities. These changes matter to our own compliance with relevant regulations, but also to our ability to help clients stay compliant. Identified potential new services are risk assessed with the support of the risk and compliance department. We operate an AI tool that scans relevant global regulation changes as an enhancement to our client offering and as a help to our own management of this risk.

Satisfying client requirements

Risk description

TMF Group's revenue and revenue growth are dependent on its ability to serve clients. Within that broad requirement, we rely on client renewal and expansion which in turn are driven by their satisfaction with our service. As such, we are exposed to any service deterioration that may impact our reputation with a particular client or more widely in our client community.

Controls and mitigations

TMF Group has a diversified client base, with limited revenue concentration (our largest client represents just 1.2% of group revenue). Nevertheless, we have made client care our first group value and treat our service of existing clients as the foundation for our growth. As such, we set a strong emphasis on client care in all our communication and, in particular, the need for prompt, corrective action at any point that a client issue may arise. We measure client satisfaction periodically (NPS metrics) and have implemented an event-driven system for monitoring client satisfaction and service quality. We have also created a specialised set of Client Service Directors and Managers for our largest and most complex relationships to ensure flawless co-ordination and day-to-day delivery.

Trade protectionism/geopolitical factors 

Risk description

TMF Group is subject to political and legal dynamics in the countries in which it operates. As a broad rule, TMF Group performance is typically not affected by macro-economic or geopolitical factors given the critical, recurring nature of the services we provide. Also, most of our clients are already established in the countries where they seek our help and are aware of protectionism and geopolitical risk. Indeed, increasing complexity can increase demand for our services as it adds to the burden of operating compliantly in a given jurisdiction.

Regardless, increasing protectionism and geopolitical uncertainties in key markets for TMF Group may depress macro-economic performance (GDP growth), impacting client levels of business activity and investment in those locations. Part of our purpose is to help ‘make a complex world simple’ and we seek to play our modest part in encouraging simpler, more aligned rules for doing business.

Controls and mitigations

TMF Group monitors its competitive landscape, identifying new threats and opportunities, including changes to the macro-economic, regulatory or political environment which could potentially affect TMF Group's performance and IT and governance set up. We also encourage companies operating in such jurisdictions to have simple, effective rules for doing business. We publish our annual Global Business Complexity Index (GBCI), which ranks a significant number of jurisdictions on their ease of doing business across employment, legal and fiscal rules, and is available in several languages. We use it as a platform to encourage governments to take action to improve their ranking.

The impact of geopolitical factors on TMF Group's operations in 2024 was limited.

Technology innovation risk

Risk description

The technological environment in which TMF Group services are delivered is rapidly changing. This includes new platforms with enhanced functionality, new tools for digitising and automating previously manual processes, and more radical innovations using artificial intelligence (AI) technology. TMF Group continues to adopt this technology because we recognise the risk of not adopting it quickly enough, and the risk that modern technologies may reduce the value of our historic business model of expert-driven presence on the ground, making us a simple transaction processor with an equal impact on our margins.

Controls and mitigations

TMF Group’s digital strategy brings together transformative and disruptive technology capabilities to create new digital delivery models, enhance client experience, and provide our clients with valuable insights as they run their business or investments around the world.

We continue to focus on developing and investing in the best technologies to serve our clients, including evolving our use of technology to help clients with data insights that add value beyond the core service of managing their processes compliantly. In 2024, investments in software, licences and equipment that went live during the year totalled €59 million (2023: €57 million).

As we continue to digitise our delivery model, a core aim of our Market Delivery teams is to build a greater capability for colleagues to focus on quality and flawless service to clients. In support of this and as of the end of 2024, we now have 2,862 processes (or sub-processes) automated, totalling over 371 thousand hours of manual work reduction.

A key part of this digital journey is our next generation digital client platform, TMF KRAIOS – which is transforming the way our Accounting, Tax, Company Secretarial, Entity Management and Fund Administration clients engage and interact with our teams and suite of services, wherever they are on their journey with us. As well as this, more than 3,600 entities and 160,000 client employee users are on Horizon, our comprehensive portal providing HR administration and payroll services. 

At TMF Group, we see artificial intelligence as a significant and transformative opportunity to enhance our services, streamline operations, and deliver value to our stakeholders. While we currently leverage AI tools thoughtfully and at a moderate scale, we remain committed to exploring innovative solutions that complement our human expertise. Our focus is on using AI responsibly, ensuring data privacy and security, and creating meaningful impact while staying aligned with our core values of trust and transparency.

Information security management (ISM)

Risk description

TMF Group may be the target of attempts to gain unauthorised access to its IT systems, data and funds. The nature and size of the significant inherent information security risks that the industry faces may result in loss of or unauthorised use of sensitive and confidential information. Cyber-attacks in general have been increasing over recent years, a trend further accelerated by the past years of disruption and homeworking. At the same time, regulations such as GDPR are clear about the sanctions attached to data breach and misuse.

Controls and mitigations

TMF Group has a continually improving Information security and data protection framework in place to mitigate the evolving threats in information and cyber security, in order to safeguard our critical assets, and to maintain the trust of our stakeholders. We remain committed to continually enhancing our security posture to address emerging threats and to ensure the resilience of our operations. At the end of 2024, a total of 114 TMF Group offices had successfully achieved ISO/IEC 27001:2022 accreditation, demonstrating our adherence to the highest international Information Security Management System (ISMS) standards. All staff in TMF Group are required to complete annual awareness training programmes and we issued strong communication within the organisation about information security and data protection. We recognise that cyber security is an arms race against criminal actors and is therefore never done. As such, we undertake regular monitoring, risk enhancements and auditing, in alignment with Risk & Compliance, data privacy and legal experts, to help the organisation stay ahead in that race. We also follow strict procedures around payments to minimise the chance of successful fraud.

Attract and retain talent

Risk description

TMF Group is dependent on its ability to retain and attract the key people which we need to execute our strategy.

A higher turnover rate among employees could potentially increase recruitment and training costs and could materially adversely impact TMF Group’s compliance status and the quality of services we provide to our clients. At the most basic level, high staff turnover leads to poorer client service, as well as weaker compliance with core procedures such as documentation and filing. It also leads to a lower level of clients’ knowledge and monitoring, which may impact our ability to complete our compliance and reporting obligations.

Controls and mitigations

TMF Group has made colleague engagement a KPI for its One TMF programme. That has ensured that we offer a competitive employee value proposition, but also that we invest in colleagues from their onboarding into TMF Group, through to their performance management and personal development with us. We operate with the support of regional delivery centres (RDCs) to provide scaled, stable support for local teams that are often staffed by fewer people in highly mobile labour markets where all competitors suffer from elevated turnover.

Cooperation with third parties

Risk description

TMF Group works with and relies on third party sub-contractors (typically, where TMF Group enters into master service agreements to provide client services in jurisdictions where TMF Group does not have presence). In certain jurisdictions where TMF Group operates, a third party supplier might be required to render specific services. Potential failure of a third party, including joint ventures and suppliers, to deliver services to agreed specifications could lead to our inability to fulfil client requirements, resulting in penalties, loss of client contracts and reputational damage.

Controls and mitigations

TMF Group performs due diligence on all potential partners prior to contracting, to ensure robust compliance, financial and operational resilience, and their alignment with TMF Group standards. Our Outsourcing framework provides for ongoing monitoring to ensure the quality of sub-contractors or third party suppliers and the quality of services delivered to our clients.

Compliance with laws and regulations

Risk description

Significant changes in TMF Group's regulatory environment, legislative or market changes and TMF Group's potential inability to successfully align with those changes may have a material adverse effect on our business. More fundamentally, we are subject to regulatory, compliance and reporting obligations, and we provide a number of services that are regulated in particular jurisdictions and require licences to operate. A regulatory sanction or loss of licence could have a significant financial and reputational impact.

Controls and mitigations

TMF Group has a Group Risk and Compliance Function and a Global Legal Function with dedicated risk & compliance and legal specialists that monitor, track and analyse developments of the regulatory landscape closely to identify changes. New laws and regulations, or changes therein and their impact on TMF Group are pro-actively shared and assessed, included in policies and procedures and in (compulsory) training programmes. Where and when required, our processes, services, products and business are reviewed and adjusted for compliance with laws and regulations. TMF Group companies will comply with the higher of local regulatory/legislative requirements or TMF Group compliance policies.

We manage risk through our three lines of defence, starting with an expectation for practices and markets to do things in the right way and where necessary lead remedial work to make corrections. We are continually investing in our risk management infrastructure, including our global KYC function, ISO/ISAE quality certification and compliance monitoring.

Onboarding and monitoring of our portfolio of clients 

Risk description

TMF Group’s ability to service clients is dependent on its compliance with local laws, regulations, international recommendations and sanctions. A breach of this regulatory framework could expose TMF Group to a significant financial loss, regulatory or legal sanctions (including potential loss of license to operate) and reputational damage.

Controls and mitigations

TMF Group has a robust regulatory compliance framework composed of policies and procedures, including KYC and AML/CFT requirements, which are enhanced on a regular basis to adapt to the changes in the regulatory environment of the clients’ portfolio. When specific local laws in locations where we operate impose specific requirements, those requirements are integrated into the policies and procedures for that specific location. We reassess our compliance tooling environment on a regular basis to ensure alignment with the latest changes in AML/CFT obligations. We maintain a Risk Based Approach to the ongoing screening of our portfolio of clients and to the reassessment of client mandates. All staff and third parties, including subcontractors and joint ventures where TMF Group has operational control, are required to operate in accordance with our regulatory compliance framework. Global communication and mandatory training programmes are in place to increase compliance awareness.

Monitoring of client transactions

Risk description

TMF Group’s compliance obligation with local laws, regulations, international recommendations and sanctions is not limited to the identification of clients and beneficial owners. Our compliance obligation is also linked to the activities of our clients; and that compliance obligation is combined with TMF Group capacity to be the compliance partner of its clients. Any transaction that appears to be suspicious from a regulatory environment or from a client’s profile perspective must be assessed. A breach of this obligation could expose TMF Group to a significant financial loss, regulatory or legal sanctions (including potential loss of license to operate) and reputational damage.

Controls and mitigations

TMF Group has a robust transaction monitoring procedure in place and reference to transaction monitoring is present in our regulatory compliance framework. In locations where we operate where specific local laws impose specific requirements, those requirements are integrated into the policies and procedures for that specific location. We review our transaction monitoring approach on a regular basis to align with specific local requirements and services provided, and to assess how those local changes and service specifics can help enhance our transaction monitoring process. Transaction monitoring is a key element of our global communication and mandatory training programmes.

Data privacy

Risk description

Non-compliance with Data Privacy regulations or a data breach could expose TMF Group to significant financial loss, regulatory or legal sanctions (including potential loss of license to operate) and reputational damage.

Controls and mitigations

TMF Group has a robust data protection compliance framework, with overarching Binding Corporate Rules. Local data privacy regulations, their implementation, enhancement and changes are monitored closely and the TMF Group data privacy framework is enhanced accordingly. All staff and third parties, including sub-contractors and joint ventures where TMF Group has operational control, are required to operate in accordance with TMF Group's Binding Corporate Rules under the TMF Group Supplier Code of Conduct and Data Privacy. This represents a key element when selecting a sub-contractor. Global communication and mandatory training programmes are in place to increase compliance awareness. Global data protection compliance is managed centrally by the Global Head of Risk and Compliance and the Group Privacy Office, together with a network of data protection experts, compliance experts and legal counsels in the markets TMF Group operates in. Adherence to Binding Corporate Rules is audited at regular intervals by an independent Internal Audit function.

Non-compliance with the Company’s principles and values

Risk description

Unethical and/or fraudulent activities perpetrated by our employees, our clients or third parties, could expose TMF Group to significant financial loss, regulatory or legal sanctions (including potential loss of license to operate) and reputational damage.

Controls and mitigations

TMF Group has a robust regulatory and operational control framework, with an overarching Code of Conduct. TMF Group maintains a ‘zero tolerance’ regime for any employee who knowingly breaches any laws or regulations, with all such actions reported to the Management Board, and potentially resulting in disciplinary action up to and including dismissal. All staff and third parties, including sub-contractors and joint ventures where TMF Group has operational control, are required to operate in accordance with the TMF Group's Code of Conduct, and specifically the TMF Group Supplier Code of Conduct. Global communication and mandatory training programmes are in place to increase compliance awareness.

TMF Group companies will comply with the higher of local regulatory/legislative requirements or TMF Group compliance policies.

Legal claims

Risk description

Current, potential and pending legal or administrative proceedings may adversely affect TMF Group. Such proceedings may be initiated or are to be initiated against TMF Group and any resulting judgement, settlements and orders are rendered by competent authorities and may increase during periods of economic downturn.

Controls and mitigations

TMF Group has a Global Legal function with experienced legal counsels, both centrally (at a Group level) and at a market level, that work together and connect on the management of this risk. TMF Group has compliance and operating policies and client acceptance procedures, as well as strict contracting procedures, in place to limit possible exposure when accepting clients. TMF Group has strict reporting and management policies and procedures in place. Claims and litigations are managed centrally by the Global Head Claims & Litigation within the Group Legal team, in conjunction with market legal counsels, external counsels and other relevant stakeholders. Every case is reviewed and evaluated and, if necessary, provided for. TMF Group maintains appropriate insurance.

Legal responsibility management

Risk description

A client’s contractual framework may adversely affect TMF Group. Failure to respect TMF Group standard contractual terms (terms of reference) may lead to excessive responsibility taken on by TMF Group and/or restrict the ability for TMF Group to terminate a business relationship that exceeds our risk appetite.

Controls and mitigations

TMF Group has a Global Legal contractual function with experienced legal counsels, both centrally (at a Group level) and at a market level, that work together and connect on the management of this risk. TMF Group has terms of reference and an escalation route for deviation in place to ensure centralisation and complete monitoring of any deviations. Legal counsels have specific expertise linked to specific types of transactions on which TMF Group is asked to provide services, to ensure the complete understanding of TMF Group’s obligations and responsibilities.

Exchange control restrictions

Risk description

Exchange control restrictions or other restrictions regarding the repatriation of funds from certain countries in which TMF Group operates including regulatory capital restrictions could hinder our ability to make foreign investments and procure foreign denominated financing.

Controls and mitigations

TMF Group regularly repatriates cash to avoid high cash balances accumulating in local offices. With the exception of Russia and in respect of international sanctions, TMF Group currently does not face any restrictions to repatriate cash from local offices, albeit that certain countries only permit a delayed repatriation via dividends. We are required to maintain a specified level of local liquidity in certain jurisdictions in which we are regulated, which amounted to €3.7 million (2023: €2.8 million) across all jurisdictions as at 31 December 2024.

Foreign currency exchange risk 

Risk description

TMF Group operates internationally and is exposed to foreign exchange risk arising from various currency exposures, primarily with respect to the US Dollar and related currencies. In several markets client contracts are denominated in Euros or US Dollars although this is not the functional currency in these markets. Foreign exchange risk arises from future commercial transactions, recognised assets and liabilities, and investments in foreign operations.

Controls and mitigations

Currency exposure arising from the net assets of TMF Group's foreign operations is managed primarily through limiting the net assets in foreign operations to the extent possible. Furthermore, TMF Group aims as much as possible to invoice revenue in local currency to align with the cost base. No further hedging of foreign exchange risk takes place. As at 31 December 2024, if the Euro had strengthened by 5% against the US Dollar with all variables held constant, the net result would have been €9.9 million (2023: €4.7 million) lower.

Interest rate risk

Risk description

Interest rate risk is the risk that unexpected interest rate changes negatively affect TMF Group's results, cash flows and equity.

Controls and mitigations

It is part of TMF Group policy to mitigate the effects of interest rate volatility on its results, cash flows and balance sheet within certain boundaries. TMF Group interest rate risk mainly arises from long-term borrowings. At 31 December 2024, the interest on external borrowings in Euros is hedged for 76% (2023: 84%) and on external borrowings in US Dollars for 70% (2023: 70%). The remainder of the interest is variable and linked to Euribor and USD TERM SOFR CME.

At 31 December 2024, if market interest rates had been 100 basis points higher with all other variables held constant, then the net result would have been €2.2 million lower (2023: €4.0 million). If market interest rates had been 100 basis points lower with all other variables held constant, then the net result would have been €7.5 million higher (2023: €5.1 million).

Inaccurate sales forecasting risk

Risk description

TMF Group makes estimates and assumptions on new client targets for the year and revenue generated that are included in its budget. Inconsistency and overvalued expectations may impact TMF Group’s ability to maintain its results aligned with its budget and affect the confidence of its investors for future investments in innovation and development.

Controls and mitigations

TMF Group has an experienced business development team that works closely with the group finance team reporting to the Chief Financial Officer. The business development team has extensive knowledge of the local markets and their opportunities. With the support of the group finance team, a risk-based approach is considered to avoid overvalued expectations. Business development expectations are reviewed on an ongoing basis and shared with the board.

Accounting estimate risk

Risk description

TMF Group makes financial estimates and assumptions for the future. The resulting accounting estimates will, by definition, rarely equal the related actual results. The critical accounting estimates and assumptions that may affect reported amounts of assets, liabilities, income and expenses within the next financial year are:

  • impairment of goodwill,

  • recognition and measurement of provisions and contingencies.

Controls and mitigations

TMF Group has an experienced group finance team reporting to the Chief Financial Officer. This team is primarily responsible for proposing material accounting estimates approved by the Audit Committee. TMF Group uses input from other departments where required. We have summarised accounting policies as part of a Digital Accounting Manual.

Estimates and underlying assumptions are reviewed on an ongoing basis and represent the best estimate by the management.

Acquire new businesses

Risk description

Since TMF Group's formation in 1988, we have grown significantly through acquisitions. Going forward, acquisitions will continue to be a driver of growth as we identify businesses that add to our client capability and fit our strategy and culture. Potential uncertainties in the availability of appropriate targets could mean that TMF Group is unable to acquire businesses to achieve the inorganic growth component of our strategic objectives. More likely, poor experience with candidate firm selection could undermine our investors’ confidence in our ability to acquire successfully.

Controls and mitigations

TMF Group has a merger and acquisition team that possesses significant experience to scan the market for potential acquisition candidates and manage the M&A process. We select businesses with great care for their cultural fit with TMF Group and make sure that we are only acquiring in parts of TMF Group that are well positioned to support their integration.

In 2024, TMF Group integrated the 8 acquisitions closed in 2024. That included the acquisitions in EMEA (2), APAC (3) and Americas (3). 

Integrate new businesses

Risk description

The continuous growth of TMF Group through acquisition may lead to potential uncertainties in the successful integration into the organisation. This could mean we are unable to fulfil our compliance and governance expectations, to ensure full client identification and ongoing monitoring, and to complete our reporting obligations. This could also leave TMF Group unable to ensure the quality of services rendered to our clients.

Controls and mitigations

TMF Group selects businesses that fit with its compliance and cultural environment. We also have an integration team in place to integrate new acquisitions into the business. The integration team works closely with the local market delivery department and risk and compliance department.