As an accounting firm owner I believe it wise for you to spend a little time considering what might go wrong in your business and what your “Plan B” will be. I was prompted to think about this by an unexpected event for me in January. I tried Pickle Ball (in South Australia while visiting friends) for the first time and loved it, but am now the owner of what seems like the world’s biggest moonboot (up to just below my knee), crutches and a knee scooter, thanks to a tear of my left Achilles lateral ligament and a couple of other minor misdemeanours!

Here are just some scenarios you would want to have a Plan B for:

  • Death or permanent disability of you and/or another key team member
  • A cyber incident such as being hacked, ransomware attack, denial of service
  • Your power goes off for days or more, or you are flooded – as has recently occurred in North Queensland
  • Loss of internet access for an extended period
  • Your office burns down (happened to me in 1985!)
  • Your laptop, phone or other critical device is stolen or lost
  • Key people leave for a competitor or other place perceived to have greener grass
  • A global pandemic (I know…been there done that)
  • Loss of significant clients

You will probably think of lots more things to add to the list. What we are talking about here is identifying some risks and thinking about:

  1. How we could avoid them (and the answer often is we don’t have enough control to be sure we can avoid them).
  2. If we can’t avoid them, how can we minimise the negative impact if they occur.

I learned a lot about risk when I worked for the Sydney Organising Committee for the Olympic Games (SOCOG). As head of the Administration Program it was my responsibility to consider the two questions above on a regular basis. The good news for accountants is that there is some guidance in place to help you.

I’m surprised at how few accountants are familiar with APES 325 Risk Management for Firms. The latest version was revised March 2023 for application from 1 April 2023. Compliance is mandatory for CAANZ, CPAA and IPA members in public practice. Let me remind you of what it requires. There is quite a bit to absorb so stick with me…

Para 4.1

A Firm shall establish and maintain a Risk Management Framework taking into consideration its public interest obligations. The Firm shall periodically evaluate the design and effectiveness of the Risk Management Framework.

Para 3.1 (objectives of RMF)

An effective Risk Management Framework should assist a Firm to meet its overarching public interest obligations as well as its business objectives by:

  • Facilitating business continuity;
  • Enabling quality and ethical Professional Services to be provided to Clients; and
  • Protecting the reputation and credibility of the Firm

Para 3.2

The Risk Management Framework should consist of policies designed to achieve the objectives set out in paragraph 3.1 and procedures necessary to implement and monitor compliance with those policies. The Risk Management Framework should be an integral part of the Firm’s overall strategic and operational policies and procedures and should take account of the Firm’s risk appetite.

Para 3.3

Quality management policies and procedures or responses developed in accordance with APES 320 Quality Control for Firms should be embedded within the Risk Management Framework…

Para 4.2

The Risk Management Framework shall include policies and procedures that identify, assess and manage key organisational Risks, which may include:

  • Governance Risks
  • Business continuity Risks (including succession planning)
  • Business Risks
  • Financial Risks
  • Regulatory Risks
  • Technology Risks (including cyber security)
  • Human resources Risks
  • Stakeholder Risks

Para 4.4

The Firm’s chief executive officer (or equivalent) or the Firm’s Managing Partner (or equivalent) or, if appropriate, the Firm’s managing board of Partners (or equivalent) shall take ultimate responsibility for the Firm’s Risk Management Framework.

Para 4.6

A Firm shall ensure that the Personnel assigned responsibility for establishing and maintaining its Risk Management Framework in accordance with this Standard have the necessary skills, experience, commitment and authority.

Para 5.1

A Firm shall establish a Monitoring process designed to provide reasonable confidence that the Risk Management policies and procedures relating to the Risk Management Framework are relevant, adequate and operating effectively, and that instances of non-compliance with the Firm’s Risk Management policies and procedures are detected.

Para 5.2

A Firm shall establish a process whereby instances of non-compliance with the Firm’s Risk Management policies and procedures are brought to the attention of the Firm’s leadership who shall take appropriate corrective action.

Para 6.1

A Firm shall document its Risk Management Framework.

Para 6.3

A Firm shall document its Risk Management policies and procedures and communicate them to the Firm’s Personnel.

Para 6.5

The documentation of a Firm’s Risk Management Framework should include:

  • Procedures for identifying potential Risks
  • The Firm’s Risk appetite
  • Risks identified
  • Procedures for assessing and managing Risks
  • Treatment of identified Risks
  • Documentation processes
  • Procedures for dealing with non-compliance
  • Training of Staff in relation to Risk Management
  • Procedures for regularly reviewing the Risk Management Framework

Para 6.6

A Firm shall document its succession plan as part of its Risk Management Framework.

Para 6.8

A Firm shall retain all relevant documentation for a sufficient time to permit those performing the Firm’s Monitoring process to evaluate its compliance with its Risk Management Framework and to comply with applicable legal or regulatory requirements for record retention.

Para 6.9

A Firm shall document all instances of non-compliance with the Firm’s Risk Management policies and procedures detected through its Monitoring process and the actions taken by the Firm’s leadership in respect of those instances of non-compliance.

While this sounds like a lot, I’ve helped a few firms with this and it doesn’t have to be massive. But it is in my view good business to be considering risks.

When was the last time you reviewed your risk management framework?