Some recent events involving a few people I know have highlighted the importance of considering risk and also highlighted how personal this needs to be, particularly for firms with a single owner. I’ll come back to the details of what happened, but for now a reminder that every accounting firm has an obligation to address risks as required by APES 325 Risk Management for Firms (APES 325). It sets out mandatory requirements and guidance for firms to establish, maintain, monitor and document a risk management framework.
It’s very easy to defer serious consideration of risk matters and have it on the “one day some day list”. And yet when things go wrong you will be grateful for the investment you made.
Example 1
Take, for example, a single-owner accounting firm where the owner recently suffered a “savage” heart attack and is very lucky to have survived. Not surprisingly, that person has had a significant amount of unexpected time out of their business. If you are the sole owner, or perhaps one of two or three owners of your firm, could the business survive for long without you? There was no warning and no chance to prepare for an extended absence.
The good news for the person is they had an agreement with another firm that in the event of something like this, another owner would step in to help keep things running. What a great idea, and yet I know very few small firms have put such an arrangement in place.
Example 2
Another sole owner found themselves in hospital unexpectedly with heart-related issues. The business faltered in their absence but will survive. Had the issues persisted much longer, that may not have been the case, as there was no backup plan.
Example 3
Yet another sole owner suffered an unexpected heart event. It caused only minor disruption, but it was a wake-up call about what could happen if preventative measures were not put in place.
For these three people, risk management suddenly became very personal. All three cases involved heart issues, and it strikes me that once we get to a certain age some testing, scanning or monitoring would make a lot of sense. For example, it is possible to have a scan of the heart and its arteries to see if there are any signs of heart disease. I’m told that once damage is done it is almost impossible to reverse, so we want to catch this stuff very early.
So here are a few things I reckon we should all do:
- Have a plan in place for what happens if you are not able to work in the business. I mean a proper plan that is documented and accessible to key people and makes it clear what the next steps are.
- Take health seriously and have some diagnostics done earlier rather than later. Remove the surprise element that was present in the three examples above, to the maximum extent possible.
- Revisit the requirements of APES 325 to make sure we comply with the obligations it imposes. I’ve included a ChatGPT-generated summary below, which is a good place to start, but APES 325 is not a big document either. Use this link to access it: Risk Management for Firms – Home
While my examples cover health-related risks for key people, there are many other risks, particularly in the technology space, that it is wise to contemplate in advance and find ways to:
- Reduce the likelihood of the risk playing out
- Mitigate the impact it has
- Have a clear plan for “recovery”.
These three things are just good business sense really.
At a glance: APES 325 requires an accounting firm to have a documented, leadership-owned, regularly reviewed risk management framework that identifies, manages and monitors the firm’s key risks and communicates expectations to staff.
1. Put a framework in place. The firm must establish and maintain a Risk Management Framework. It should be part of the way the firm is run, not a separate document that is ignored.
2. Cover the firm’s main risks. The framework should identify, assess and manage key organisational risks such as governance, business continuity, succession, business, financial, regulatory, technology/cyber, human resources and stakeholder risks.
3. Leadership must own it. Ultimate responsibility sits with the CEO, managing partner or managing board. The people responsible for risk management must have appropriate authority, skill and experience.
4. Monitor and review it. The firm must have a monitoring process to give reasonable confidence that policies remain relevant, adequate and effective. Non-compliance needs to be detected, escalated and corrected.
5. Document and communicate it. The firm must document the framework, the firm’s risk appetite, risk identification and treatment processes, team member training, review procedures and responses to non-compliance. These policies must be communicated to all team members.
6. Include succession planning. A documented succession plan is specifically required so the firm can continue meeting its professional obligations to clients if a key principal or leader exits or becomes unavailable.
Practical compliance checklist
- ☐ Written risk management framework
- ☐ Defined risk categories and risk appetite
- ☐ Leadership responsibility assigned
- ☐ Monitoring and review cycle
- ☐ Documented succession plan
- ☐ Evidence of breaches and corrective action
Source: APES 325 Risk Management for Firms, revised March 2023.