Risk management
TMF Group business is subject to risks and uncertainties both as a firm in our own right and as a partner to our clients in providing them with critical services within local rules and regulations. Our ability to provide clients with reliable services, safe from regulatory concerns, fraud, cyber-attack and other potential impacts is inherent to our reputation and proposition. So we see risk management as an integral part of our governance and client delivery and the most important thing for us to get right. It is a pillar in our One TMF framework and occupies a key part of our management agenda.
Our aim is not to eliminate risk, but to prevent and control risk by taking informed decisions. We manage risk following the standard three lines of our defence model; Business, which consists out of the business owners who are owning the risk, Group Functions, which oversee and specialise in risk management and Internal Audit Function, providing independent assessment. We also manage risk in an ERM (Enterprise Risk Management) framework to provide structure and focus. Regardless of these technical approaches to risk management, we believe that flawless risk management ultimately stems from leadership signalling that it matters. We therefore set a strong tone from the top at TMF Group, with regular discussion and challenge on risk in our staff communication, training, as well as management and board review sessions.
The risks that have the greatest potential impact on TMF Group are referred to as the ‘principal risks’. They have the potential to have a material adverse impact on our business, whether financial or reputational. The principal risks TMF Group currently recognises and is acting on are listed below, along with our actions to mitigate them. They are categorised as strategic, operational and financial and listed in that order.
Attract and retain talent (strategic)
Risk description
TMF Group is dependent on its ability to retain and attract the key people it needs to execute its strategy.
A higher turnover rate among employees could potentially increase recruitment and training costs and could materially adversely impact the quality of services TMF Group provides to its clients. At the most basic level, high staff turnover leads to poorer client service as well as weaker compliance with core procedures such as documentation and filing.
Controls and mitigations
TMF Group has made colleague engagement a KPI for its One TMF programme. That has ensured that we offer a competitive employee value proposition, but also that we invest in colleagues from their onboarding into TMF Group on to their performance management and personal development with us. We operate with the support of regional delivery centres (RDCs) to provide scaled, stable support for local teams that are often staffed by fewer people in highly mobile labour markets where all competitors suffer from elevated turnover.
Acquire or integrate new businesses (strategic)
Risk description
Since TMF Group's formation in 1988, we have grown significantly through acquisitions. Going forward, acquisitions will continue to be a driver of growth as we find businesses that add to our client capability and fit our strategy and culture. Potential uncertainties in the availability of appropriate targets and their successful integration into the organisation could mean TMF Group is unable to acquire businesses to achieve the inorganic growth component of strategic objectives. More likely, poor experience with candidate firm selection or integration could undermine our investors’ confidence in our ability to acquire successfully.
Controls and mitigations
TMF Group has a merger and acquisition team that possesses significant experience to scan the market for potential acquisition candidates and manage the M&A process. TMF Group also has an integration team in place to integrate new acquisitions in the business. We select businesses with great care for their cultural fit with TMF Group and make sure that we are only acquiring in parts of TMF Group that are well positioned to support their integration.
In 2023, TMF Group integrated the 7 acquisitions closed in 2023, two of which have been finalised before 31 March 2023. That included the acquisitions in EMEA (Goodbody Fund Management Ireland, Avanzia Taxand Malta, Premier Greece and Contexpert Romania), APAC (Sino Corporate Services Group Hong Kong and China and KPK India) and Americas (Partners Admin United States of America).
Changing market dynamics and regulation (strategic)
Risk description
Significant changes in TMF Group's competitive business environment and uncertainties in the regulatory environment, legislative or market changes and TMF Group's potential inability to successfully develop and market new products, could challenge delivery and may have a material adverse effect on TMF Group business. More fundamentally, TMF Group provides a number of services that are regulated in particular jurisdictions and require licences to operate. A regulatory sanction or loss of licence could have a significant financial and reputational impact.
Controls and mitigations
TMF Group has dedicated specialised teams that closely monitor, track and analyse developments of the regulatory and competitive landscape to identify new threats and ensure pro-active development of opportunities. These changes matter to our own compliance with relevant regulation, but also to our ability to help clients stay compliant. We operate an AI tool that scans relevant global regulation changes as an enhancement to our client offering and as a help to our own management of this risk.
We manage risk through our three lines of defence starting with practices and markets to do things in the right way and where necessary lead remedial work to correct things. We are continually investing in our risk management infrastructure including our global KYC function, ISO/ISAE quality certification and compliance monitoring.
Onboarding and monitoring of our portfolio of clients (strategic)
Risk description
TMF Group’s ability to service clients is dependent on its compliance with local laws, regulations, international recommendation and sanctions. A breach of this regulatory framework could expose TMF Group to a significant financial loss, regulatory or legal sanctions (including potential loss of license to operate) and reputation damage.
Controls and mitigations
TMF Group has a robust regulatory compliance framework composed of Policies and Procedures including KYC and AML/FT requirements which are enhanced on a regular basis to adapt with the regulatory environment changes. When specific local laws in location where TMF Group operates imposed specific requirements those requirements are integrated in the policies and procedures for that specific location. TMF Group maintains ongoing screening of its portfolio of clients and reassessment of the clients mandates on a Risk Based Approach. All staff and third parties, including subcontractors and joint ventures where TMF Group has operational control, are required to operate in accordance with TMF Group’s regulatory compliance framework. Global communication and mandatory training programs are in place to increase compliance awareness.
Compliance with laws and regulations (operational)
Risk description
TMF Group operates a in global market constantly influenced by changes in laws and regulations. These changes may have significant impact on TMF Group's business and products and bring uncertainties to existing and prospective clients. Non-compliance with changes to laws and regulations may result in reputation damage, criticism, fines, disputes and litigation.
Controls and mitigations
TMF Group has a Group Risk and Compliance Function and a Global Legal Function with dedicated risk & compliance and legal specialists that monitor, track and analyse developments of the regulatory landscape closely to identify changes. New laws and regulations, or changes therein and their impact on TMF Group operations are pro-actively shared, included in policies and procedures and in (compulsory) training programs. Where and when required, TMF Group's processes, services, products and business are reviewed and adjusted for compliance with laws and regulations. TMF Group companies will comply with the higher of local regulatory/legislative requirements or TMF Group compliance policies.
Satisfy client requirements (operational)
Risk description
TMF Group's revenue and revenue growth are dependent on its ability to serve clients. Within that broad requirement, we rely on client renewal and expansion which in turn are driven by their satisfaction with our service. As such, we are exposed to any service deterioration that may impact our reputation with a particular client or more widely in our client community.
Controls and mitigations
TMF Group has a diversified client base, with limited revenue concentration (our largest client represents just 2.3% of group revenue). Nevertheless, we have made client care our first group value and treat our service of existing clients as the foundation for our growth. As such, we set a strong emphasis on client care in all our communication and in particular the need for prompt, corrective action at any point that a client issue may arise. We measure client satisfaction periodically (NPS metrics) and have implemented an event-driven system for monitoring client satisfaction and service quality. We have also created a specialized set of Client Service Directors and Managers for our largest and most complex relationships to ensure flawless co-ordination and day-to-day delivery.
Trade protectionism/geopolitical factors (operational)
Risk description
TMF Group is subject to political and legal dynamics in the countries in which it operates. As a broad rule, TMF Group performance is typically not affected by macro-economic or geopolitical factors given the critical, recurring nature of services we provide. Also most of our clients are already established in the countries where they seek our help and are aware of protectionism and geopolitical risk. Indeed, increasing complexity can increase demand for our services as it adds to the burden of operating compliantly in a given jurisdiction.
Regardless, increasing protectionism and geopolitical uncertainties in key markets for TMF Group may depress macro-economic performance (GDP growth), impacting client levels of business activity and investment in those locations. Part of our purpose is to help ‘make a complex world simple’ and we seek to play our modest part in encouraging simpler, more aligned rules for doing business.
Controls and mitigations
TMF Group monitors its competitive landscape, identifying new threats and opportunities, including changes to the macro-economic, regulatory or political environment which could potentially affect TMF Group's performance. We also encourage companies operating in such jurisdictions to have simple, effective rules for doing business. We publish our annual Global Business Complexity Index (GBCI) which ranks significant number of jurisdictions on their ease of doing business across employment, legal and fiscal rules, available in several languages. We use it as a platform to encourage governments to take action to improve their ranking.
The impact of geopolitical factors on TMF Group's operations in 2023 was limited.
Technology innovation risk (operational)
Risk description
The technological environment in which TMF Group services are delivered continues to change rapidly. That ranges from new platforms with enhanced functionality, new tools for digitising and automating previously manual processes and more radical innovation using artificial intelligence (AI) technology. TMF Group continues to adopt this technology, because we recognise the risk that we do not adopt it fast enough or that modern technologies reduce the value in our historic business model of expert-driven presence on the ground, making us a simple transaction processor with equal impact on our margins.
Controls and mitigations
TMF Group’s digital strategy brings together transformative and disruptive technology capabilities to create new digital delivery models, enhance client experience and provide our clients with valuable insights as they run their business or investments around the world.
We continue to focus on developing and investing in the best technologies to serve our clients, including evolving our use of technology to help clients with data insights that add value beyond the core service of managing their processes compliantly. In 2023, the total amount from investments that went live during the year about investment in software, licenses and equipment was €57 million (2022: €32 million).
As we continue to digitise our delivery model, a core aim of our Market Delivery teams is to create more ability for colleagues to focus on quality and flawless service to clients. In support of this and as of the end of 2023, we now have 1,800 processes (or sub-processes) automated totalling over 48,000 of hours of reduction of manual work.
Our digital strategy and investments bring together transformative and disruptive technology capabilities to create new digital delivery models, enhance client experience and provide our clients with valuable insights as they run their business or investments around the world. A key part of this digital journey is our next generation digital client platform, TMF KRAIOS – which is transforming the way our Accounting, Tax, Company Secretarial, Entity Management and Fund Administration clients engage and interact with our teams and suite of services, wherever they are on their journey with us. As well as this, more than 3,000 entities and 100,000 client employee users are on Horizon, our comprehensive portal providing HR administration and Payroll services.
Information Security Management (operational)
Risk description
TMF Group may be the target of attempts to gain unauthorised access to its IT systems, data and funds. The nature and size of the significant inherent information security risks that the industry faces may result in loss of or unauthorised use of sensitive and confidential information. Cyber attacks in general have been increasing over the last years, further accelerated over the past years of disruption and homeworking. At the same time, regulations such as GDPR are clear about the sanctions attached to data breach and misuse.
Controls and mitigations
TMF Group has a continually improving IT security and data protection framework in place to mitigate the evolving threats in information and cyber security, safeguard our critical assets, and maintain the trust of our stakeholders. We remain committed to continually enhancing our security posture to address emerging threats and ensure the resilience of our operations. At the end of 2023, a total of 111 TMF Group offices had successfully achieved ISO/IEC 27001:2013 accreditation, demonstrating its adherence to the highest international standards of data security and information security management. All staff in TMF Group are required to complete annual awareness training programmes. TMF Group implemented a strong communication within the organisation about Information Security and Data Protection. We recognise that cyber security is an arms race against criminal actors and is therefore never done. As such, we do regular monitoring, risk enhancements and auditing in alignment with Risk & Compliance, data privacy and legal experts, to help the organisation stay ahead in that race. We also follow strict procedures around payments to minimise the chance of a successful fraud.
Reliance on third parties (operational)
Risk description
TMF Group works with and relies on third party sub-contractors (typically, where TMF Group enters into master service agreements to provide client service in jurisdictions where TMF Group does not have presence). Potential failure of a third party including joint ventures and suppliers, to deliver services to agreed specification could lead to TMF Group's inability to fulfil client requirements, resulting in penalties, loss of client contracts and reputational damage.
Controls and mitigations
TMF Group performs due diligence on all potential partners prior to contracting to ensure robust financial and operational resilience and their alignment with TMF Group standards.
Exchange control restrictions (financial)
Risk description
Exchange control restrictions or other restrictions regarding the repatriation of funds from certain countries in which TMF Group operates including regulatory capital restrictions could hinder our ability to make foreign investments and procure foreign denominated financing.
Controls and mitigations
TMF Group regularly repatriates cash to avoid high cash balances accumulating in local offices. With the exception of Russia and in respect of international sanctions, TMF Group currently does not face any restrictions to repatriate cash from local offices, albeit that certain countries only permit a delayed repatriation via dividends. The Group is required to maintain a specified level of local liquidity in certain of the jurisdictions in which it is regulated, which amounted to €2.8 million (2022: €1.9 million) across all jurisdictions as at 31 December 2023.
Foreign currency exchange risk (financial)
Risk description
TMF Group operates internationally and is exposed to foreign exchange risk arising from various currency exposures, primarily with respect to the US Dollar and related currencies. In several markets client contracts are denominated in Euros or US Dollars although this is not the functional currency in these markets. Foreign exchange risk arises from future commercial transactions, recognised assets and liabilities and investments in foreign operations.
Controls and mitigations
Currency exposure arising from the net assets of TMF Group's foreign operations is managed primarily through limiting the net assets in foreign operations to the extent possible. Furthermore, TMF Group aims as much as possible to invoice revenue in local currency to align with the cost base. No further hedging of foreign exchange risk takes places. As at 31 December 2023, if Euro had strengthened by 5% against the US Dollar with all variables held constant, net result would have been €4.7 million (2022: €4.4 million) lower.
Interest rate risk (financial)
Risk description
Interest rate risk is the risk that unexpected interest rate changes negatively affect TMF Group's results, cash flows and equity.
Controls and mitigations
It is part of TMF Group policy to mitigate the effects of interest rate volatility on its results, cash flows and balance sheet within certain boundaries. TMF Group interest rate risk mainly arises from long-term borrowings. At 31 December 2023, the interest on the external borrowings in EUR is hedged for 84% (2022: 70%) and on external borrowings in USD for 70% (2022: no USD borrowings). The remainder of the interest is variable and linked to Euribor and USD TERM SOFR CME.
At 31 December 2023, if market interest rates had been 100 basis points higher with all other variables held constant, then the net result would have been €4.0 million lower (2022: €2.1 million) and if market interest rates had been 100 basis points lower with all other variables held constant, then the net result would have been €5.1 million higher (2022: €0.9 million).
Accounting estimate risk (financial)
Risk description
TMF Group makes estimates and assumptions for the future. The resulting accounting estimates will, by definition, rarely equal the related actual results. The critical accounting estimates and assumptions that may affect reported amounts of assets, liabilities income and expenses within the next financial year are:
valuation of intangible assets in relation to acquisition of TMF Sapphire Topco B.V. (purchase price allocation),
impairment of goodwill,
recognition of and measurements of provisions and contingencies.
Controls and mitigations
TMF Group has an experienced group finance team reporting to the Chief Financial Officer. This team is primarily responsible for proposing material accounting estimates approved by the audit committee. TMF Group uses input from other departments where required. TMF Group has summarised accounting policies as part of a Digital Accounting Manual and has an experienced Manager Technical Accounting.
Estimates and underlying assumptions are reviewed on an ongoing basis and represent best estimate by the management.
Data privacy (legal and compliance)
Risk description
The non respect of Data Privacy regulations, a data breach, could expose TMF Group to significant financial loss, regulatory or legal sanctions (including potential loss of license to operate) and reputation damage.
Controls and mitigations
TMF Group has a robust data protection compliance framework, with overarching Binding Corporate Rules. All staff and third parties, including subcontractors and joint ventures where TMF Group has operational control, are required to operate in accordance with TMF Group's Binding Corporate Rules under the TMF Group Supplier Code of Conduct. Global communication and mandatory training programs are in place to increase compliance awareness. Global data protection compliance is managed centrally by the Global Head of Risk and Compliance and the Group Privacy Office, together with a network of data protection experts, compliance experts and legal counsels in markets TMF Group operates in. Adherence to Binding Corporate Rules is audited on regular intervals by an independent Internal Audit function.
Compliance (legal and compliance)
Risk description
Unethical and/or fraudulent activities perpetrated by our employees, our clients or third parties, could expose TMF Group to significant financial loss, regulatory or legal sanctions (including potential loss of license to operate) and reputation damage.
Controls and mitigations
TMF Group has a robust regulatory and operational control framework, with an overarching Code of Conduct. TMF Group maintains a ‘zero tolerance’ regime for any employee who knowingly breaches any laws or regulations, with all such actions reported to the Management Board, and potentially resulting in disciplinary action up to and including dismissal. All staff and third parties, including subcontractors and joint ventures where TMF Group has operational control, are required to operate in accordance with TMF Group's Code of Conduct respectively TMF Group Supplier Code of Conduct. Global communication and mandatory training programs are in place to increase compliance awareness.
TMF Group companies will comply with the higher of local regulatory/legislative requirements or TMF Group compliance policies.
Legal claims (legal and compliance)
Risk description
Current, potential and pending legal or administrative proceedings may adversely affect TMF Group. Such proceedings may be initiated or are to be initiated against TMF Group and any resulting judgement, settlements and orders are rendered by competent authorities and may increase during periods of economic downturn.
Controls and mitigations
TMF Group has a Global Legal function with experienced legal counsels, both centrally (at a group level) and at a market level, that work together and connect on the management of this risk. TMF Group has compliance and operating policies and client acceptance procedures, as well as strict contracting procedures in place to limit possible exposure when accepting clients. TMF Group has strict reporting and management policies and procedures in place. Claims & litigations are managed centrally by the Global Head Claims & Litigation within the Group Legal team, in conjunction with market legal counsels, external counsels and other relevant stakeholders. Every case is reviewed and evaluated and – if necessary – provided for. TMF Group maintains appropriate insurance.