Charter, December 2011
Technical focus > Risk management
According to APES 325 Risk Management
For Firms, the recent standard issued by
the Accounting Professional and Ethical
Standards Board (APESB), risk is the effect
of uncertainty on achieving objectives. We
are becoming increasingly aware of the
significant impact of unexpected events. It
has been reported that around 50 per cent
of businesses fail after they have suffered an
Accounting firms will soon be required to
establish and document a risk management
framework under APES 325 Risk
Management For Firms. There are already
a number of standards and regulations that
address risk management strategies in public
practice in specific areas (see table below).
Why a new standard?
The APESB recognised the public interest
and business risks that had not been
covered in existing APES standards.
APES 325 replaces and extends the focus
of the Institute’s Guidance Note – N3
Risk Management Guidelines. Available
since 1996, N3 focuses on the legal risks
associated with professional engagements.
Are there new obligations?
APES 325 is not intended to impose onerous
obligations on members who are already
complying with existing requirements
addressing engagement risks. Firms are
required to document and implement quality
control policies and procedures in accordance
with APES 320/ASQC 1. Effective quality
control systems, tailored to the activities of
the firm, will already be designed to deal with
engagement, legal and regulatory risks.
the need to
What is risk and why is it worth addressing?
Story Catherine Kennedy FCA
However, APES 325 does expect firms
to consider the broader risks that might
impact business continuity, the delivery of
high quality services and the reputation and
credibility of the firm.
This requires a consideration of the risks
around governance, business continuity,
human resources, technology, and business,
financial and regulatory environments. While
this is a useful list of risks to consider, it will be
risks that are relevant to the operations of the
practice that should be given closest attention.
developing a risk management
Initially, identify and assess the firm’s risks
with reference to the context of the business.
This means reviewing all the firm’s activities
in relation to its goals, the environment in
which it operates and identifying internal and
external stakeholders. Such a review can also
highlight opportunities for the business and
identify internal resource savings.
The purpose of the risk management
framework is not to entirely eliminate all
risks identified, but to develop strategies
to effectively mitigate those risks. Having
identified the practice-specific risks, they can
then be prioritised, based on their significance
in terms of likelihood and consequences.
Armed with this assessment of the risks,
strategies can be developed which will
provide a balance between realising the firm
objectives while mitigating possible losses.
However, any policies and procedures to
address identified risks should also be workable
in relation to the size and complexity of the firm
and its operations. A sole practitioner providing
limited services would not be expected to have
a risk management framework of the same
complexity as a large practice. It must be a
usable document for the firm as a whole.
APES 325 rests responsibility for the
risk management framework with senior
partners and/or management. However,
the development of a risk management
framework should involve all levels of
personnel and be widely communicated,
embedding a business culture where every
decision taken is a risk-aware decision.
Use it, don’t lose it
Once the initial work has been done to
identify risks associated with the firm’s
activities, and the firm’s policies and
procedures have been documented, it is
important not to file the risk management
framework away to collect dust. Evaluate it
periodically and have a monitoring process
in place to ensure that it remains relevant,
adequate and is operating effectively. You
will only know how robust the document is
when it is tested and reviewed against the
occurrence of some of the situations flagged
in the document.
APES 325 only requires firms to implement
a risk management framework which is
relevant to the size and complexity of
the business. However, undertaking this
process, with the necessary review of the
business activities and involving different
levels of personnel can throw up interesting
ideas about the way the business operates,
often leading to business improvements as
well as providing comfort that the firm is well
prepared for most eventualities.
The Institute will be developing material
to help members implement a risk
management framework for their
Table: Risk management strategies in existing standards and regulations

APES 320 Quality Control for Firms, and ASQC 1 Quality Control
for Firms that Perform Audits and Reviews of Financial Reports and
Other Financial Information, and Other Assurance Engagements:
Strategies to manage key engagement, legal and regulatory risks

APES 305 Terms of Engagement:
Focuses on contractual and legal risks

Regulation 4A Professional Indemnity Insurance:
Tackles liability risks by requiring a professional indemnity
insurance policy which meets Institute requirements