Risk Management


1. Risk management is subjective

2. The 3 C's

3. Establishing risk management policies

4. Reviewing compliance with risk management policies

Risk Management is subjective

1. Risk management is a subjective and qualitative process. A "colour by numbers" type of approach is not likely to keep clients, staff or stakeholders happy. Rules are important, but they should be overlaid on the subjective framework. Good risk management processes are a market differentiator.

The "3 C's"

2. Risk management, in my opinion, involves "3 C's":
  • Communication.
  • Concentration.
  • Contractual responsibility.

3. But in the end, it is probably just: Communication, Communication, Communication! If there is one word that sums up risk management, it is "communication". Everything about risk management comes back to communication. Proper communication with clients, staff, and stakeholders is the key.

Communication: Preliminary Discussions

4. When first approached by a client in relation to a project, communicate this to all persons responsible for making decisions. Find out if any work has previously been done for the client, or for a similar project. It is extremely important to know about any other work that is being done for the same client.

5. Find out if any work is being done on a similar project. Not only will this save time, but it will also ensure consistency in output and delivery.

6. Ensure that no new work can be taken on without informing a person in a decision-making capacity of the proposal for the work.

7. If the job is for a new client, talk to them about matters other than those that relate only to the project. Find out about their history, objectives and, most importantly, their motivation in seeking your assistance. For example, presenting a plan designed to save tax to a client whose only motivation is to fully comply with the tax laws would probably be unwise.

8. Steer the initial discussion with the client towards ensuring proper compliance, rather than tax minimisation. Make sure they understand that it is proper compliance that requires the assistance of an expert with a thorough knowledge of tax law.

9. Keep a written record of all formal and informal communication with a client.

Concentration: Internal And External Communication To Get The Job Done Well

10. Concentrate on work that is within the capability of all persons likely to be involved. Do not undertake assignments that require work to be done that the staff are not capable of doing.

11. Communicate progress on a regular basis to all staff members involved in the project.

12. Concentrate on the work and ensure the best available resources are used to perform the work.

13. Limit communication regarding the work to those actually involved, once the work has commenced. Ensuring that client confidentiality is maintained is a key requirement.

14. Make sure that all work is carefully reviewed by qualified personnel. To be proud of the work that is done, it is essential that it is done well in the first place.

15. Communicate who the people are to whom questions can be directed, and their respective qualifications. Make it clear that answers provided by lower-level personnel cannot be relied on unless approved by fully qualified personnel.

16. Do not unnecessarily expand the areas of expertise: it is possible that concentration and focus in that case could be "spread a bit thin".

17. Keep the client fully abreast of progress. Promptly communicate potential delays to the client.

Contractual Responsibility: Communication of roles, responsibilities, constraints and liability

18. Clearly communicate the contractual basis on which work is taken on.

19. Specify the scope of the work, the information on which the output is based, the qualifications of the personnel involved, and the timeframe within which the output will be delivered.

20. Ensure that the provision of the information on which the output is based is the client's responsibility.

21. Communicate the limitation of liability.

22. Keep a written record of the contract signed by all parties, and ensure that any variations are promptly agreed by all relevant parties in writing.

Independence Issues

23. Independence gives rise to additional risk management requirements.

24. Communication with the audit partner is essential in order to:
  • Identify audit clients.
  • Conform with service limitations required in the case of audit clients.
  • Communicate identified areas of concern (if any).

25. There will, in all likelihood, be an established procedure to follow in relation to independence checks.


Establishing risk management policies

26. Risk management policies are best established using a clean sheet of paper. For that reason I've shied away from providing checklists of various sorts.

Client Acceptance And Review And Assignment Acceptance

27. Establishing a policy for client acceptance and review is of the utmost importance.

28. Client acceptance should be based on:
  • Personal knowledge.
  • Professional referrals or referrals from bona fide people.
  • A good understanding of the history and background of the new client.
  • Proof of ability to pay for services provided.
29. Client lists should be periodically reviewed to ensure that retention of ongoing clients is consistent with the client acceptance and review policy.

30. Assignments should only be accepted on the following basis:
  • Assignments of the type that are routinely undertaken.
  • One-off assignments of a type that have been previously successfully undertaken.
  • One-off assignments that have not been previously undertaken but that are fully within the capabilities of the staff that will be involved.
31. All other assignments should be referred to appropriately qualified colleagues or external experts.

Internal Work Management Policy

32. Establish a policy for internal teams working on client assignments. The team should consist of, for example, a junior staff member, an intermediate staff member and a senior staff member.

33. Ensure that junior staff members get exposure to a variety of different assignments.

34. Establish a framework for stepped on-the-job training and external training and communicate the training framework to all staff.

35. Require that a written record be maintained of all conversations with external people: clients and/or external experts.

36. Establish a policy for answering client queries: for example, if a junior staff member answers the query, the answer should be confirmed with a senior staff member and this should then be communicated back to the client.

37. Establish a policy for regular internal client team meetings so that all staff members are aware of work required to be done and progress on assignments.

38. Work towards establishing an internal mindset to be able to work to deadlines.

39. Establish an assignment review policy: ideally all work should be reviewed by at least two fully qualified personnel.

40. Establish a policy for identifying high-risk assignments and the internal risk management requirements relating to such assignments.

41. Establish a policy for signing external communications: for example, expressions of opinion should only be signed by persons with decision-making responsibility.

Engagement Documentation

42. An appropriate engagement letter should be developed in conjunction with a solicitor or in-house legal expert.

43. The significant matters which should be addressed are:
  • The specifications of the assignment itself.
  • Specification of the information, legislation and regulations on which the output will be based.
  • Areas that will not be covered.
  • The responsibilities of each of the parties involved in relation to provision of information and delivery of output.
  • The timeframe for delivery of output.
  • Specification of the people who can rely on the output.
  • The staff who will be involved and their qualifications.
  • If warranted, details of how progress on the assignment will be communicated.
  • The terms of business and limitation of liability.

Independence Policy

44. Audit firms will have an established policy of ensuring client independence. The policy should be regularly reviewed to ensure that:
  • Non-audit work that can be performed is not unnecessarily turned away.
  • Changes in laws and regulations are promptly incorporated into the policy.
  • The process to be followed is streamlined so as to minimise the "red tape".

Reviewing compliance with risk management policies

45. A policy should be established for a regular review of adherence to risk management requirements. Ideally the review should involve a detailed interview with individual staff members so as to understand:
  • Their familiarity with the risk management policies.
  • The extent of their adherence to these policies.
46. Awareness of risk management policies and active participation in their implementation should be made a key performance indicator in staff reviews and in relation to promotions.

© by DavidCo Ltd.