Governance

Overview

Strong governance is integral to our operations. As trusted advisors to our clients, instilling confidence, acting with integrity, and maintaining an unwavering focus on quality are core to our organization.

With more than 100 years in business, we remain committed to operating in an ethical and sustainable manner that aligns with legal and regulatory expectations, as well as our robust firm governance practices. We are dedicated to meeting and exceeding our obligations as auditors and trusted advisors.

The BDO Canada Board is committed to setting high standards of corporate governance based on the following principles:

  • We strive to run our business ethically, to create an environment that is inclusive and equitable, and to prioritize the health and well-being of our people.
  • Our clients depend on our firm to protect their confidential information, maintain independence, and provide sound business advice through our services.
  • Our communities rely on our people to give back, protect our environment, and act in a principled manner while providing opportunities for those less fortunate.
  • We provide clear insights into our path forward with regular progress reports.

“Trust is earned through consistent, transparent, ethical actions. At BDO, the very foundation of our value proposition is to deliver services that cultivate quality, credibility, and lasting relationships with our people, clients, and communities.”

Amy Provvisionato
Chief Risk Officer

Principles of governance

The guiding components that inform our decision-making process and reflect our commitment to strong corporate governance include:

  1. Our governance structure
  2. Ethical behaviour, legal, and regulatory compliance
  3. Risk and opportunity oversight
  4. Data protection

Our governance structure

Our Board consists of 11 members, which include:

  • Nine partners with representation from all four service lines across the firm, elected by the partners.
  • Two external independent members appointed by the Board.

The Board acts in accordance with the terms of the BDO Canada LLP Partnership Agreement and its relevant policies. The Board has strategically established specialized committees to enhance its performance and assist in the execution of its oversight responsibilities. The firm’s Chief Legal Officer acts as Board Secretary and attends all Board and committee meetings as a non-voting member.

Our CEO, Bruno Suppa, is accountable to the Board. In his capacity as CEO, he leads an Executive Leadership Team (ELT) consisting of the Chief Operating Officer (COO) and managing partners who lead the firm across Canada.

The Chief Risk Officer (CRO), Chief Legal Officer (CLO), and Head of Quality and Professional Standards have reporting responsibilities to the CEO.

BDO Canada Board: 2023-2024 reporting period

Anthony Marinelli is the Chair of the Board and a BDO Canada Partner. To support our commitment to enhancing Board effectiveness and good governance, the Board includes two independent members who bring a wealth of professional experience in risk management, innovation, strategy, technology, M&A, and industry experience that is relevant to BDO.

The Board is made up of the following service lines and members:

  • 36% from Assurance
  • 18% from Business Services & Outsourcing
  • 18% from Tax
  • 10% from Advisory
  • 18% from outside of BDO (independent members)

BDO Canada Board members
Board member | Office | Service line
Jameson Bouffard, Board Member | Toronto, Ont. | Assurance
Janet Boyle, Chair, Governance & Risk Committee | Toronto, Ont. | Independent Board Member
Jean Desgagné, Independent Board Member | Toronto, Ont. | Independent Board Member
Jennifer Dunn, Chair, Talent & Culture Committee | Charlottetown, P.E.I. | Tax
Kelly Hagen, Board Member | Oakville, Ont. | Advisory
Cheryl Hugill, Chair, Strategy & Execution Committee | Cambridge, Ont. | Business Services & Outsourcing
Daryl Maduke, Chair, Financial Oversight Committee | Vancouver, B.C. | Tax
Anthony Marinelli, Board Chair | Montreal, Que. | Assurance
Bob McMahon, Board Member | Oakville, Ont. | Assurance
Allan Payne, Board Member | Calgary, Alta. | Business Services & Outsourcing
David Veld, Board Member | Oakville, Ont. | Assurance

For Board responsibilities, please see Appendix H.

Board skills matrix

On an annual basis, the Board reviews the evolving skills and desired experience to further strengthen its skill sets. The table in Appendix I provides further information on the Board’s desired skills and experience, based on the rapidly changing business environment in which we operate.

The key competencies and areas of knowledge that strengthen our Board’s ability to provide effective oversight and strategic guidance to BDO Canada’s management team are outlined in this table.

Key competencies and areas of knowledge
  • Risk management and assessment
  • Technology
  • Data analytics
  • Digital
  • AI
  • Cybersecurity
  • Organizational management
  • Talent strategy
  • Human resources
  • Executive performance review
  • Business leadership
  • Corporate and strategic planning
  • Board
  • Governance
  • Regulatory environments
  • ESG
  • Legal
  • Indigenous cultural knowledge
  • Client engagement
  • Crisis management
  • Mergers and acquisitions
  • Accounting and financial knowledge

Board committees

To support the Board in its mandate, we have constituted four sub-committees aimed at addressing critical organizational functions:

  • Financial Oversight Committee
  • Governance & Risk Committee
  • Talent & Culture Committee
  • Strategy & Execution Committee (ad hoc)

For further information on the purpose and composition of these committees, please refer to Appendix J.

Executive Leadership Team

Bruno Suppa, Chief Executive Officer

Dave Simkins, Chief Operating Officer

Service line leaders

Jeanny Gu, Managing Partner, Assurance

Robert Lawrence, Managing Partner, Business Services & Outsourcing

Rachel Gervais, Managing Partner, Tax

Jeff Chapman, Managing Partner, Advisory

Strategic accelerators

Mike Abbott, Managing Partner, Markets & Industry

Kerri Plexman, Managing Partner, Talent & Culture

Sonia Edmonds, Managing Partner, Innovation & Change

Ethical behaviour, legal, and regulatory compliance

Our teams make every effort to provide an exceptional experience to the clients we serve, one that is focused on quality, kindness, and trust. High ethical standards and transparency are integral to our role as professionals as we strive to maintain confidence in our services, decision-making processes, and work ethic.

Our success in the market hinges on our firm’s relentless pursuit of excellence and the resulting trust earned. We are dedicated to developing a culture of integrity and diligently work to promote ethical behaviour through training and compliance with prevailing laws, regulations, and internal policies.

How we uphold legal and ethical standards

Our Code of Conduct outlines some of the ways we comply with laws, rules, and regulations:

  • We manage breaches of confidentiality and regulatory rules honestly and appropriately.
  • We maintain a zero-tolerance policy towards any form of bribery, corruption, or other unethical practices in our business relationships.
  • We are committed to fighting financial crime, corruption, money laundering, drug trading, and human trafficking.
  • We adhere to the sanctions imposed by the Canadian government.
  • We are committed to fair business practices and competition in all our services.
  • We respect our regulators and are committed to work with them to fulfill our role in the public markets.

Independence and compliance

Independence requirements applicable to professional services firms are set out in laws, professional standards, and applicable regulations. Maintaining the independence of our firm, partners, and employees is critical to our business and is upheld through comprehensive independence policies, systems, and procedures.

These policies and processes are based on applicable independence standards and include the following:

  • The CPA Code of Professional Conduct of the applicable province or territory;
  • The Quebec CPA Order’s Code of Ethics; and
  • The International Code of Ethics for Professional Accountants by the International Ethics Standards Board for Accountants (IESBA).

Independence is maintained by providing only permissible services to our clients and ensuring appropriate business, employment, and personal relationships.

All partners, employees, and personnel of the firm, including contractors and non-client-facing employees, are required to maintain independence in both fact and appearance. Our people are required to confirm this through an annual independence and ethics confirmation.

As part of our processes, we assess independence through our client procedure and engagement acceptance and consider it throughout the delivery of our services. As part of our commitment to independence, client-facing teams receive training on this process.

Risk and opportunity oversight

Our approach to managing and identifying risk

Effective risk management is a foundational element of our governance strategy, helping ensure the resilience and success of our firm. Through our Enterprise Risk Management (ERM) program, we have identified and assessed risks that could impact our ability to achieve our objectives, with a focus on priority risks, emerging risks, and appropriate and sufficient mitigation strategies.

The ERM program, based on the Committee of Sponsoring Organizations (COSO) framework, is executed by the Chief Risk Officer, Risk Owners, and the ELT, and has Board oversight.

ERM program objectives

Our objectives for ERM include:

  • Providing a structured basis for strategic planning and decision-making.
  • Assisting the firm in achieving its strategic objectives.
  • Enhancing the firm’s governance and corporate management processes.
  • Encouraging decision-makers to identify sound business opportunities that will benefit the firm without exposing it to unacceptable levels of risk.
  • Providing a practical, useable framework for partners and staff to identify and assess risks inherent in the decisions they take.

Risk identification

Organizational risks and opportunities are identified, rated in terms of likelihood and consequence, and reviewed against the adequacy of controls currently in place.

Risks and opportunities may be identified by:

  • Assessing our strategy against current and emerging market conditions.
  • Assessing and monitoring legislative or regulatory changes and their effect on our firm or individual service lines.
  • Considering each of the risk categories included in our risk management framework.

Risk mitigation controls are assessed by reviewing existing local and national policies, and assessing whether controls are sufficient to mitigate risks to an acceptable level for our firm.

The risks and opportunities listed below are those that, effective December 2022, are considered to have the greatest significance ratings and impact on our ability to achieve our strategic priorities, should they materialize.

Strategic risks and opportunities

  • Firm strategy
  • Innovation
  • IT strategy

Operational risks and opportunities

  • Data confidentiality and security
  • Cybersecurity
  • IT infrastructure
  • Economic uncertainty
  • Talent resources
  • Engagement processes

Regulatory risks and opportunities

  • Regulatory compliance

Risk mitigation and risk monitoring

The risk environment is constantly changing and as a result, our priorities and objectives evolve with it. The risks we identified in our 2022 ESG Annual Report continued to be significant factors in 2023. We continuously monitor and regularly review our risk management process to ensure our ERM program is effective and continues to align with current and emerging risks and our overall strategy.

Monitoring and reviews take place during all stages of the ERM program and feedback is provided to ensure continuous enhancement of risk management processes. The results of risk monitoring and review activities are incorporated into our risk reporting.

Communication of risk to the Board and ELT

Ultimate responsibility for the periodic review of the risk management framework resides with the Board through the Governance & Risk Committee as a sub-committee of the Board.

Effective information and communication flows are essential for our risk management framework to operate effectively. Reporting flows enable the Board to monitor the effectiveness of risk systems and controls and to oversee management’s performance in managing risk. Formal reports are provided on an annual basis. 

Risk policies and procedures

Risk management is further supported by our Code of Conduct, targeted policies, training, and procedures. These processes support the firm both in providing the highest quality services and in confirming compliance with the BDO Code of Conduct and CPA Codes of Professional Conduct of the various provincial bodies.

Specific risk processes are addressed and made available to all firm personnel through our Risk Management Manual. Key detailed processes include:

  • Quality assurance reviews
  • Conflict of interest assessments
  • Independence procedures and assessments
  • Client acceptance
  • Engagement acceptance
  • Risk rating assessments
  • Mandatory risk training
  • Compliance with sanctions regulations
  • Compliance with anti-money laundering regulations

International standard on quality management

Canadian and international regulators have required professional services firms to enhance their system of quality management.

In December 2020, the Auditing and Assurance Standards Board (AASB) issued the International Standard on Quality Management 1 (ISQM1). It was adopted for application in Canada as the Canadian Standard for Quality Management (CSQM1). Both ISQM1 and CSQM1 required that firms design and implement compliant systems of quality management by Dec. 15, 2022, and test those systems for operating effectiveness by Dec. 15, 2023.

We conducted a risk assessment that involved setting quality objectives, identifying and assessing quality risks, and designing responses for each quality component. Based on this risk assessment, we completed a full evaluation of our systems in accordance with CSQM1 requirements and within the given timeframe.

Ethics and whistleblower policy

High standards of honesty, integrity, ethics, transparency, and professionalism are required by all BDO personnel. Our people are expected to comply with all applicable laws, regulations, and professional obligations as they conduct their duties and responsibilities.

Our firm has a robust whistleblower policy outlining the ways our people can confidentially report complaints or concerns. All members of our firm are required to read and comply with this policy, which outlines the ways complaints or concerns can be reported, either directly to the firm or anonymously through our whistleblower hotline.

Our whistleblower hotline allows BDO personnel and external parties to anonymously report concerns about inappropriate conduct related to the firm. The hotline is maintained by a third-party service provider, ClearView Connects, an independent company that specializes in hosting whistleblower reporting systems for organizations in Canada.

A link to the whistleblower hotline is published internally on our intranet and externally on our website. We provide our people with training on how to use the hotline to submit a report.

Anti-corruption commitment

We are committed to ethical behaviour in the provision of all services and to the elimination of corruption in all forms. Anti-corruption requirements that apply to the firm are reflected in Canadian legislation, regulations, and professional standards, as well as in international legislation where our services cross jurisdictions.

One of the ways we proactively deter corruption is by maintaining an express prohibition on certain expenses and imposing a policy regarding gifts and hospitality. Our whistleblower hotline further provides a direct channel for reporting breaches or concerns relating to corruption.

We are also aligned with BDO Global’s policy on anti-bribery and anti-corruption, which sets out clear principles and standards for all network firms. As part of our ongoing efforts to foster a culture of integrity and transparency, we are developing our own anti-bribery and anti-corruption policy, along with comprehensive training for all our people.

Data protection

Privacy policy

Safeguarding personal information is at the heart of our firm’s operations. We take appropriate technical and organizational measures designed to achieve privacy goals, including:

  • Collecting, using, and disclosing personal information in accordance with our Privacy Statement, policies, and governing legislation.
  • Protecting against the misuse and accidental loss or disclosure, and from unauthorized or unlawful processing, destruction, or alteration of personal data.
  • Promptly responding to requests for access, rectification, erasure, and complaints.
  • Complying with applicable laws in the event of a personal data breach.

To ensure the confidentiality and the protection of our clients’ and people’s data, we have implemented comprehensive policies and procedures, including:

  • Regular mandatory firm-wide privacy awareness training to educate personnel on our personal information-handling policies.
  • The Employee Personal Information Protection Policy, which outlines our handling of employees’ personal information.
  • The Privacy Code of Conduct, which outlines the personal data-handling principles we expect our people to follow.
  • The Privacy Incident Response Protocol, which outlines the steps our people are expected to take and how to contact the Privacy Office if they suspect personal data may have been subject to unauthorized disclosure or access, loss, theft, misuse, or alteration.
  • An Information Security Incident Response Plan, which outlines the steps to be taken in the event of an information security incident.
  • The Search Warrant, Subpoena, Production Order, and Law Enforcement Access Policy, which outlines the process for handling requests to access data in our possession or control by legal authorities.
  • The Service Provider Technology, Security, and Privacy Governance Process to assess the technical and organizational methods employed by any service provider that will have access to information or systems in our control or possession.

Information security statement

We are committed to protecting the confidentiality, integrity, and availability of data obtained through our business as a professional services firm.

Information security is fully embedded into our organizational culture and operations. This is reflected in all solutions and services, making our firm one of the information security leaders within the global BDO network.

As a data custodian and trusted service provider for our clients, our firm has implemented information technology processes and policies that align with ISO 27001, an internationally recognized standard for information security. We are compliant with the BDO Global Member Firm Accreditation Program and Canadian cybersecurity principles, including, but not limited to, the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canadian Anti-Spam Legislation (CASL).

Our Cybersecurity team uses a risk-based, continuous evaluation process to expand and mature our security program to:

  • Design and maintain highly available and secured systems.
  • Prevent unauthorized exposure of personally identifiable information (PII) and confidential data.
  • Hold our technology partners to the same security standards.
  • React quickly and efficiently to incidents and the changing cyber threat landscape.
  • Train our users to be information security incident preventers.
  • Provide clear security assurances to our clients and their clients.

Protecting client data

Meeting the data protection requirements of our clients is integral to our success. Our information security governance emphasizes the protection of client data as a firm priority and is embedded in our operations.

As part of our robust information security program, two BDO Canada offices participated in the Government of Canada Contract Security Program in 2023. We had one Company Security Officer (CSO) and six alternate CSOs for the BDO offices that were part of the Contract Security Program. The CSO is responsible for protecting sensitive government information and assets entrusted to them and developing the essential practices that build a culture of security so that information and assets are not compromised. We also maintained high-security programs and working areas in our offices.

Aligning governance with evolving challenges

We are continuously evaluating the business, economic, and regulatory landscapes to monitor how risks are changing and impacting our operations. As such, we are well positioned to ensure we have the appropriate governance structure in place to meet the commitments outlined in this report.