Eight Steps to Establish a Firm Risk Management Program
by Christopher Arnold, Head of SME/SMP and Research, IFAC and Monica Foerster, Chair, IFAC SMP Committee | July 21, 2019
Risk management is critical for all firms, including small- and medium-sized practices (SMPs). This is both in terms of protecting the assets, finances and operations of the firm and contributing to satisfactory legal compliance, corporate governance and due diligence. Effective risk management will protect the reputation, credibility and status of the firm.
It is important to establish a risk management “culture” in the firm. This emphasizes the importance of managing risk as part of each staff member’s daily activities at all levels of the firm. The goal of creating a risk management culture is to create a situation where partners and staff instinctively look for risks and consider their impacts when making effective operational decisions.
This article is part of a risk management series covering the benefits of, and steps to, establishing a risk management program. The second article will highlight 10 steps for successful risk management and the third focuses on business continuity planning and risk mitigation strategies. The articles are a result of discussions at recent IFAC SMP Committee meetings, which involve practitioners from around the world sharing their perspectives and insights, and of material included in the Guide to Practice Management for Small- and Medium-Sized Practices, which includes a whole module on risk management covering professionalism and ethics, client engagement, quality control, and business continuity planning and disaster recovery.
Implementing a risk management program provides many benefits, including:
- More effective strategic planning;
- Better cost control through enhanced workflows, client evaluation and engagement processes;
- Increased profitability through better client and job controls;
- Reduced risks of litigation as a consequence of processes and contingency plans;
- Increased knowledge and understanding of exposure to risk;
- A systematic, well-informed and thorough method of decision-making;
- Less disruption and less rework through better understanding of process by all staff in the firm; and
- Setting the scene for continual improvement within the firm.
Establishing a Risk Management Program
Eight steps to establishing a risk management program are:
- Implement a Risk Management Framework based on the Risk Policy
When developing the firm’s risk management framework, consideration should be given to the services offered, marketing and communication, staff and human resources issues, information and resource management, regulatory obligations, IT issues and security, succession planning, acceptance and continuance of clients and cash flow management.
- Establish the Context
Consider the goals and objectives of the firm and the environment in which it operates (e.g. cultural, legal and operational). Identify internal and external stakeholders (e.g. clients, personnel, consultants, agents, internal systems, third parties, suppliers, etc.).
- Identify Risks
Identify existing and potential risks as well as existing controls. The potential risks can be categorized as services performed, contract risk, acceptance or continuance risk and performance risk.
- Analyze and Evaluate Risks
Analyze and evaluate the risks on a continuing basis. This involves comparing exposure levels against a predetermined tolerance level, the degree of control, potential or actual losses, and the benefits and opportunities presented by the risk. One of the simplest models for weighing the cost of controls against their adequacy is to consider the likelihood of an event occurring and the consequences of that event (e.g. Risk = Likelihood x Consequence).
In assessing the level of the risk and identifying high and low risks, the process should include the firm’s existing and anticipated areas of practice; the composition, experience and expertise of the firm; the management and internal control procedures; the likelihood of being sued and the process to assess new and existing clients.
When assessing the kind of risks the firm is exposed to, it is important to consider both the internal risks and the external risks. Internal risks may include staff, the business premises and location, threats to goodwill and reputation and information technology. External risks may include clients and both current and potential competitors.
- Treat and Manage Risks
Develop strategies to manage the identified risks. Options can include accepting the risk, avoiding it, transferring it (in part or in full), reducing its likelihood and/or consequence, and retaining it. Action plans can be developed based on the current levels of risk exposure, the benefits from actions/controls, the time needed to implement actions and the available budget.
In areas identified as high risk, actions may include reconsidering that area and its development, retraining staff and reviewing the engagement with clients. Risk management procedures can include:
  - Clarity on the terms of the engagement;
  - Obtaining adequate insurance and controlling claims once they have occurred;
  - Maintaining accurate documentation;
  - Ensuring timeliness of action and diary systems;
  - Only practicing in those areas where there is sufficient expertise; and
  - Implementing strict selection criteria for clients and consultants or agents used.
- Communicate and Consult
Communicate and consult with all parts of the firm, as well as outside parties, to ensure that all are kept well informed. For example, to avoid having to assume responsibility for the client’s risk-taking, advise the client in writing of relevant dates and of the consequences should the client fail to act. This transfers the risk of noncompliance back to the client, who is then responsible for acting and/or following up.
- Monitor and Review
Monitor and review the risk management strategies on an ongoing basis. Over time, new risks are created, existing risks are increased or decreased, risks no longer exist, the priority of risk may change or the risk treatment strategies may no longer be effective. Monitoring should comprise: monitoring existing risks, identifying new risks, identifying any trouble spots and evaluating the effectiveness of current risk treatment strategies.
Monitoring ensures that new measures are introduced to control new risks as they emerge. Ongoing review is required to ensure that strategies remain relevant, and that the overall risk control position remains proportionate to the potential costs of the risk.
Keep a written record of all policies and procedures, including documentation of the assessment process, the major risks identified and the measures designed to reduce the impact of those major risks. Failure to document policies can lead to breaches in performance due to misunderstanding or misinterpretation. A written set of policy statements, supported by documented procedures, provides a constant reference, a guide to action and a framework for checking that operations are conducted in the manner intended by the firm.