ICAEW.com works better with JavaScript enabled.

Managing risk

Based on their experience reviewing over 2,000 firms each year, the QAD offers advice on best practice in terms of managing risk.

How can the firm identify risks?

Senior management is best placed to identify the significant risks facing a firm; for example, in a facilitated workshop. These risks should be high-level; ask yourself 'What would be the firm’s worst nightmare?' And they should be owned by a member of the firm’s management or executive board. Some risks will be generic to all professional services firms; others will emerge from the type of work, client, and location.

Don’t have too many risks. Stick to the significant ones and don’t make them too detailed. The likelihood of a risk crystallising should be measurable and capable of being reported to risk owners and those responsible for governance of the firm.

Once you’ve identified the firm’s risks, review them periodically to take account of any changes in the business environment.

How can the firm mitigate and monitor the risks?

Once you’ve identified the risks, make sure you have procedures, policies and plans in place to address them. The firm may have some difficulty mitigating some risks (eg, regulatory changes) as they’re largely out of the firm’s control; but you can contribute to any consultation and have plans in place for any proposed changes.

You can monitor the likelihood of a risk crystallising by assessing the effectiveness of the procedures, policies and plans in place, monitoring compliance with those procedures and policies and testing action plans. Demonstrate this to those charged with governance of the firm by regularly reporting the results of these activities, and grade them to demonstrate effectiveness (eg, red, amber, green). To maximise the effectiveness of this reporting, make sure all departments measure results the same way and report them in the same format.

Senior management needs to make expectations clear

This is our number one recommendation. If the tone at the top set by senior management about the importance of quality and risk management is clear, strong and sincere, this will drive the right culture through the firm. Senior managers who make clear to staff and principals the quality they expect in terms of clients, staff and services, and who ensure action is taken when these expectations are not met, have a head start in the risk management stakes.

You need effective client and engagement take-on procedures

Good client and engagement take-on procedures are key. These procedures need to:

  • help the firm take on clients and work that fits its ethos, capability and strategy;
  • ensure that the client relationship and the engagement comply with both the APB Ethical Standards and ICAEW’s Code of Ethics; and
  • include anti-money laundering (AML) risk-based client due diligence (CDD).

It’s important that firms clearly explain and demonstrate to their principals and staff the importance of conducting and documenting client and engagement take-on procedures correctly. If firms don’t do this, staff and principals may view these processes as a box ticking exercise that’s just getting in the way of starting an engagement. This could lead to you taking on a wrong client or, worse still, taking on a client or engagement that you aren’t ethically or lawfully allowed to do.

You must also train your staff in risk-based AML CDD. QAD sees a number of instances where CDD is not obtained on a risk basis. This can lead to you either not obtaining sufficient CDD or obtaining more than the required amount, especially in cases where you have met an individual face-to-face and the client is normal risk.

Make sure you recruit the right staff and give them the right training

Staff must have the right levels of competence to carry out their work to a good standard and conduct themselves to reflect the culture and ethos of the firm and of the profession. You must train your staff well and need to have programmes in place to maintain staff and principals’ competence at the right level. Most firms do this by delivering tailored experienced hire induction and offering CPD programmes.

A good experienced hire induction programme includes sessions on the firm’s culture, strategy and ethos, ethics (both audit and Code of Ethics), the importance of take-on procedures and how to handle complaints as well as required sessions such as AML and health and safety.

You should have a compulsory element to your CPD programmes to ensure that all staff attended a minimum amount of training. Specific training needs are best identified at appraisal.

Service-line procedures

Before your firm gets beyond the size where your principals know and can control the quality of work carried out throughout the firm, it’s advisable to develop and devise standard procedures and documents for your principals and staff to use across all service lines.

Smaller firms can buy in some procedures from training providers or other publishers. You should train existing staff to use such procedures when you introduce them and include training as part of the induction of new staff and partners. Standard procedures promote consistent quality and documentation of work and make it easier to review and compare work.

Data protection

The media often report cases where personal data has been lost by companies, firms and public bodies. The effect on an entity’s reputation is hugely damaging. Accountants are, by nature, very protective of clients’ data. Technology has, however, provided us with many new and changing ways of storing and processing data and you should ensure that this is done in a secure way, Secure methods include:

  • encrypting laptops and USB storage devices;
  • password-protecting access to firm’s systems and devices (including smartphones);
  • using PIN numbers where possible;
  • encrypting emails;
  • restricting or banning the use of USB storage devices; and
  • using secure web-based portals for clients to access their information rather than emailing it to them.

You should also make sure any work that is outsourced is carried out in a secure way. Staff must understand the firm’s IT security policy and any restrictions on use, such as internet usage or security of laptops or mobile data storage devices both in and outside the office.

Whole-firm procedures

Make sure any procedures that relate to the whole firm are clear and that lines of responsibility are unambiguous. Three particular areas often trip firms up.

Clients’ money

Our Clients’ Money Regulations are detailed and firms can easily find that they are not complying with an aspect unless the correct procedures are in place and are diligently followed. Firms that do this well have one principal who is responsible for clients' money and clients' money is administered centrally. Reconciliations are reviewed monthly and a detailed clients' money review is conducted annually. Our Clients' Money Regulations compliance checklist provides a useful review programme.

Anti-money laundering

Many firms find this a complex area to comply with, particularly risk-based client due diligence for all clients. The key is to have straightforward AML procedures in place and comprehensive training that not only explains the requirements of the legislation but brings out the need for it by illustrating some real life examples.

Our AML compliance review checklist provides a useful summary of all the key areas that firms should consider.


Make sure all staff and partners know what to do if a complaint comes their way. Create a culture where it’s easy to disclose that a complaint has been made. Many complaints can be dealt with by swift action, usually involving a meeting or discussion with the complainant.

Reduce risk by regular monitoring

You can have as many policies and procedures in place as you want but these will have little or no impact unless they’re followed. Conduct monitoring activities with either an internal of external monitoring team to assess the level of compliance with the firm’s policies and procedures and the quality of work. If a firm is part of a network, it is often reviewed by a team from another firm in the network or by a central network team. These activities can take a number of forms and can be a mixture of high level or detailed review. Firms that carry out these monitoring activities tend to make sure that they cover all principals and managers across the firm over a period of about three years. Examples of the types of monitoring firms conduct are:

  • portfolio reviews
  • cold-file reviews; quality review for all service lines
  • whole-firm compliance reviews; a number of these are required such as client money, AML, audit whole-firm
  • service-line compliance reviews; directed at compliance with the firm’s procedures rather than quality.

The larger the firm, the greater the risks can be

The larger your firm gets, the more difficult it is for the partners or executive of the firm to control the risks to the firm. Some kind of framework is needed to control and manage them. We have outlined above some of the ways larger firms do this. Think how these might apply to your firm and make sure you have the appropriate structure and regime in place to manage risk and quality in your practice.