Risk Management in Accounting Firms: Overview of The New Australian Standards

At its most basic level, risk is the possibility that certain outcomes (goals) will not be achieved. It is measured in terms of the effect an event would have on the uncertainty of reaching stated objectives. In this context risk usually carries a negative connotation: the risk of an adverse event occurring.

This article discusses the risks faced by accounting firms in Australia, and gives an overview of the new risk management standard (APES 325) issued by the Accounting Professional & Ethical Standards Board (APESB).


In the context of the professional Accounting Firm, risk is not a new concept for practitioners: it has been attached to the profession for as long as accountants have offered services in a commercial setting. However, as the number and size of legal claims against professional public accountants has increased over the years, so too has the importance of risk and risk management.

Risk management is the system by which the firm manages its over-arching (and sometimes conflicting) public-interest obligations alongside its business objectives. An effective risk management system facilitates business continuity, enables quality and ethical services to be supplied to clients, and protects the reputation and credibility of the firm.


The Accounting Professional & Ethical Standards Board (APESB) recognised that public interest and business risks had not been adequately covered in existing APES standards, notably APES 320 (Quality Control for Firms). Accordingly, APES 325 (Risk Management for Firms) was released, with mandatory status from 1 January 2013. In releasing the standard, the APESB replaces and extends a range of risk management documents previously issued by the various accounting bodies.

The intention of APES 325 is not to impose onerous obligations on accounting firms that already comply with existing requirements addressing engagement risks. All professional firms are currently required to document and implement quality control policies and procedures in accordance with APES 320/ASQC 1. Effective quality control systems, tailored to the activities of the firm, will already be designed to deal with most risk issues that arise in a professional public accounting firm. However, APES 325 does expect firms to consider the broader risks that impact the business generally, particularly its continuity.


The process of risk management in the Professional Accounting Firm requires a consideration of the risks around governance, business continuity, human resources, technology, and the business, financial and regulatory environments. While this is a useful list of risks to consider, the risks most relevant to the operations of the particular practice should be given the closest attention.


The ultimate objective of compliance with the Risk Management standard is the creation of an effective Risk Management Framework which allows a firm to meet its overarching public interest obligations as well as its business goals. This framework will consist of policies directed towards risk management, and the procedures necessary to implement and monitor compliance with those policies. It is expected that the bulk of the Firm's quality control policies and procedures (developed in accordance with APES 320) will be embedded within the Risk Management Framework, thus integrating the requirements of this standard with those of APES 320 and ensuring consistency across all the Firm's policies and procedures.

A critical component of the Risk Management Framework is the consideration and integration of the Firm's overall strategic and operational policies and practices, which also need to take account of the Firm's risk appetite when undertaking potentially risky activities.

Whilst the standard allows for the vast majority of situations that an accounting firm is likely to encounter, the owners should also consider whether particular activities or circumstances require the Firm to establish policies and procedures in addition to those required by the Standard in order to meet its stated aims.

Establishing & Maintaining

Ultimately, it is the partners (or owners) of the Accounting Firm that bear responsibility for the Firm's Risk Management Framework. So it is this group (or person, if solely owned) that must take the lead in establishing and maintaining the Risk Management Framework, and in periodically evaluating its design and effectiveness.

Often, the establishment and maintenance of the Risk Management Framework is delegated to a single person (sometimes not an owner), so the Firm must ensure that any Personnel assigned responsibility for establishing and maintaining its Risk Management Framework in accordance with this Standard have the necessary skills, experience, commitment and (especially) authority.

When designing the framework, the firm requires policies and procedures to be developed that identify, assess and manage the key organisational risks being faced. These risks generally fall into 8 areas:

Governance risks and management of the firm;
Business continuity risks (including succession planning and non-technology disaster recovery);
Business operational risks;
Financial risks;
Regulatory change risks;
Technology risks (including disaster recovery);
Human resources; and
Stakeholder risks.
The nature and extent of the policies and procedures developed will depend on various factors such as the size and operating characteristics of the Firm and whether it is part of a Network. In addition, any risks specific to a particular firm, caused by its particular operating characteristics, also need to be identified and catered for. At all times, the Firm's public interest obligation must be considered.

A key factor in any risk management process is the leadership of the firm, as the example set and maintained by the Firm's leadership sets the tone for the rest of the firm. Consequently, a Firm's adoption of a risk-aware culture depends on clear, consistent and frequent actions and messages from and to all levels within the Firm. These messages and actions need to constantly emphasise the Firm's Risk Management policies and procedures.


An essential component of the Risk Management process is monitoring the system, so that the Firm overall can have reasonable confidence that the system works. The system works when risks are properly identified and either eliminated, managed or mitigated. Most risks cannot be entirely eliminated, so the focus of the system needs to be on managing risks down (preventing occurrences as far as practicable) or mitigating them (handling the event should it occur).

As part of the system, a process needs to be installed that constantly ensures that the Framework is – and will continue to be – relevant, adequate and operating effectively, and that any instances of non-compliance with the Firm’s Risk Management policies and procedures are detected and dealt with. This includes bringing such instances to the attention of the Firm’s leadership who are required to take appropriate corrective action.

The Framework needs regular monitoring (at least annually) by a person or persons from within the Firm's leadership with sufficient and appropriate experience, authority and responsibility to ensure that such reviews of the Firm's Risk Management Framework occur.



The Risk Management Process – A Practical Technique for Identifying Risks

Risk management is one of the most fascinating processes that you encounter if you manage projects, organizations or strategy. Fascinating, because the identification and assessment of risk is a process that is both creative and systematic, using the right and left side of your brain.

You engage your right brain creative, intuitive energy where you anticipate, uncover and discover your potential risks. It’s your opportunity to do some divergent thinking. You are not constrained to think in a certain way, or to fit your ideas into a pre-set framework. Studies show that our capacity for divergent thinking reduces significantly as we get older, so consider it an opportunity to exercise those neurons that haven’t had a workout any time recently.

But to be effective, you need to bring the left side of the brain into play as well. This occurs when you categorize risks in a logical, rational and patterned way, so that you can assess their impacts and how you should respond to them.

For now, let’s look at a practical risk management technique that helps get those brain neurons firing and works well for identifying risks. Here are the four steps:

Step 1: Get the team together. Most project teams are blended, with a combination of more senior and experienced team members, who mine their historic data banks to identify project risks; and the new and less experienced members who look at project risks with fresh eyes. Your team members are also likely to be a mixture of personality types across the full introversion-extroversion spectrum. Your challenge is to bring together complementary viewpoints and diversity, to yield the richness of project risks that you want to identify.

Traditionally, getting the team together involves a face-to-face session, where everyone contributes their ideas verbally. Extroverts love this approach: they shine in a social environment, and enjoy the thrust and parry of a vigorous debate. But you run the risk of missing out on contributions from the quieter, more introverted members of your team, who value the time and opportunity to reflect on issues, and often feel more comfortable delivering their thoughts in writing. So aim to create an environment that encourages equal contributions from all team members regardless of their rank or personality type. One option is to bring your team together online or virtually. It is efficient and cost-effective, especially if you have a geographically dispersed team, and you are likely to get a more complete contribution from all team members.

Step 2: Each team member contributes risks. When you have assembled your team, either face-to-face or online, ask each team member to contribute a set number of risks. Depending on the size of your project, 5 to 10 risks from each team member is realistic. Requesting these risks in writing has the advantage that each team member thinks individually and separately about the risks. This independent thinking, which is not led or influenced by other, perhaps more dominant, team members, produces a more divergent range of risks, with more potential risks being identified.

If your team session is face-to-face, then each team member writes their risks on post-it notes which go into a central container.

If you are meeting virtually or online, team members e-mail their identified risks to a central coordinator. This can be asynchronous: you can ask team members to deliver their 10 risks to you by an agreed date, and it does not need to be done at the same time. This gives team members the flexibility to fit this task into their personal work schedules.

Step 3: Collate and group the risks. Now it's time to move into left brain territory for some convergent thinking. After you have collected the risks, combine any duplicates and then sort the remainder into categories, which groups them in an ordered, structured way. Typically you have between 10 and 15 high level categories. For instance, the three project constraints, Cost, Time and Scope, are typical risk categories. The number and type of categories will depend on the project, as well as your organization's management systems.

Step 4: Use a mind map to display risks visually. Mind mapping is a powerful technique to display a large number of risks in an ordered and compact visual form. A mind map is a diagram based on a central concept. In our case the central concept is Project risks. Mind maps use a non-linear graphical format to build a framework of ideas around the central concept. Visually, think of a spider web or the spokes of a wheel.

Your high level risk categories such as Cost, Time and Scope fan out from the central core like spokes on a wheel. And then the specific risks radiate out from each category node. For example, under Time, risks might include: schedule overruns, tasks omitted from the schedule, and the opportunity to compress the schedule, because risks can have positive as well as negative effects.

Using a mind map, risks can be categorized and records kept in real-time during face-to-face or virtual sessions and displayed on-screen, so that all participants see a running record of the risks identified. As well as engaging your team, it forms a tidy summary of the risks.
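Steps 2 to 4 above are a small data pipeline: collect written submissions, merge duplicates, group by category, and render the result as a mind map. The following Python script is an added example of that pipeline and is not part of the original post. The three team members, their risk statements and the Cost/Time/Scope categories are constructed sample input; the near-duplicate wordings ("schedule overruns." versus "Schedule overruns") are deliberate, to show the de-duplication step. The mind map is rendered as an indented text tree, with the number of people who raised each risk in brackets, which is a useful signal when you move on to prioritising.

```python
"""Collate, de-duplicate, group and render project risks as a text mind map.

Added example for the four-step technique; the submissions below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: what three team members e-mailed to the coordinator.
# Each entry is (category, risk statement); categories are the coordinator's.
SUBMISSIONS = {
    "ana": [
        ("Time", "Schedule overruns"),
        ("Cost", "Vendor quotes exceed budget"),
        ("Scope", "Requirements creep from stakeholder requests"),
    ],
    "ben": [
        ("Time", "schedule overruns."),
        ("Time", "Tasks omitted from the schedule"),
        ("Cost", "Exchange-rate movement on imported equipment"),
    ],
    "chen": [
        ("Time", "Opportunity to compress the schedule"),
        ("Scope", "Requirements creep from stakeholder requests"),
        ("Cost", "Vendor quotes exceed  budget"),
    ],
}


@dataclass
class Risk:
    category: str
    statement: str                       # first wording seen for this risk
    raised_by: list = field(default_factory=list)


def normalise(text: str) -> str:
    """Duplicate key: lowercase, punctuation removed, whitespace collapsed."""
    return " ".join(re.sub(r"[^a-z0-9]", " ", text.lower()).split())


def collate(submissions: dict) -> list:
    """Merge duplicates (same category and normalised wording), keeping who raised each."""
    merged: dict = {}
    for member, risks in submissions.items():
        for category, statement in risks:
            key = (category, normalise(statement))
            risk = merged.setdefault(key, Risk(category, statement.strip().rstrip(".")))
            if member not in risk.raised_by:
                risk.raised_by.append(member)
    return list(merged.values())


def group(risks: list) -> dict:
    """Group risks by category; within a category, most-raised first, then alphabetical."""
    by_category = defaultdict(list)
    for risk in risks:
        by_category[risk.category].append(risk)
    for category in by_category:
        by_category[category].sort(key=lambda r: (-len(r.raised_by), r.statement))
    return dict(sorted(by_category.items()))


def render_mind_map(grouped: dict, root: str = "Project risks") -> str:
    """Text form of the spoke-and-node mind map: root -> category -> risk (count)."""
    lines = [root]
    categories = list(grouped)
    for i, category in enumerate(categories):
        last_category = i == len(categories) - 1
        lines.append(f"{'└──' if last_category else '├──'} {category}")
        indent = "    " if last_category else "│   "
        risks = grouped[category]
        for j, risk in enumerate(risks):
            branch = "└──" if j == len(risks) - 1 else "├──"
            lines.append(f"{indent}{branch} {risk.statement} ({len(risk.raised_by)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_mind_map(group(collate(SUBMISSIONS))))
```

Running the script prints the tree with Cost, Scope and Time as spokes; "Schedule overruns" and the two identical Scope and Cost statements collapse to one node each, so nine submissions become six distinct risks. The same functions work unchanged on a larger set of submissions; only the constructed `SUBMISSIONS` dictionary needs replacing with what your team actually sends.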

Now that risks are identified, it’s time to move on to assess risks, so that you can prioritize them and develop risk treatment plans.

A sound risk management process uses divergent and convergent thinking to help you extract the maximum value in identifying risks. If this exercise isn’t completed effectively, you might be surprised at how many project risks slip through the net.

Vivian Kloosterman is the founder of Continuing Professional Development with over 30 years of professional experience in the fields of professional engineering, business leadership, governance, risk management and project management.
