Who needs risk management? All firms do.The passage of the Sarbanes-Oxley Act of 2002 has resulted in significant legal and regulatory changes affecting auditors of publicly traded companies. Given the current litigious climate, the inherent danger of auditing nano- and small-cap firms, and most firms doing larger and larger engagements, risk management may soon become one of the top five issues in managing an accounting practice.
My work in this area shows that there are seven basic best practices that firms can embrace to reduce risk, since it can never be totally eliminated.
1. Make everyone a risk manager. Managing risk is not just for the quality control partner or chief risk officer; everyone in your firm needs to be aware of how they create risk for a firm.
Firms that have created an open and trusting culture are more likely to succeed here. These firms encourage their people to seek solutions to problems, talk honestly when they need help, and not sweep problems under the rug. This is, of course, difficult, but firms must strive to create a culture where people are not afraid to show their mistakes.
These firms also involve everyone in risk management activities. The more staff know about potential client problems, the better they can manage them. There are countless horror tales of clients who were not properly served.
2. Hire a chief risk officer. Only a handful of large firms have a chief risk officer, so it may take a few years before the midsized firms start hiring for this position.
In the meantime, here is what you can do to keep risk management at the forefront: Make risk management a topic at every owner's meeting and retreat. Ask your fellow owners to think about a major risk that keeps them up at night. Start working to eliminate or lessen the risks they mention. Finally, set up a risk management committee that has to sign off for all new business.
3. Communicate and report regularly. Most firms today are doing a great job in reporting marketing activities and new business and projects. Why not do the same thing with risk management activities?
Use the firm's intranet to securely communicate with everyone in the firm. All owners should be aware of claims and potential claims against the firm. Hold quarterly risk management meetings for all firm leaders. And encourage everyone in the firm to discuss client mistakes immediately.
4. Create risk management teams. Create risk management teams for each service area and for each industry team that the firm has. For major clients that receive multiple firm services, create a multi-disciplinary risk management team that reviews at least annually the risk potential of the client.
5. Train everyone in the firm. Experience has shown me that unless we train partners and staff to do things differently, nothing will change. If you are serious about implementing a risk management program, then training will be the key to your success.
First, develop risk management processes, so that staff know what to do each step of the way. Key risk management processes include client screening and acceptance, client continuance, accounts receivable, and mergers and acquisitions. Next, develop and offer internal training programs and workshops. Finally, make sure that the training is working. Provide case studies for people to analyze and show that they know how to apply the theory and the processes.
6. Use basic risk management tools. Scenario analysis (or "what-if") is a practice that we use everyday: "What if I do this, then ...?" All that is required is that you think about what could happen based on various actions. "If I sue the client, will the client sue us?"
Another useful tool is business risk mapping. Exhibit I is a standard risk evaluation map. Simply plot the potential risks by their severity and frequency. Where the risk falls will tell you what actions you will need to take.
7. Tie compensation to risk management. As with any aspect of the practice that you want to really change, you need to put some teeth into the program. The only way to do this is to identify specific risk indicators and measure how well the firm and individual areas are doing. Risk indicators can include the number of signed engagement letters on file, the number of change orders issued, the number of client complaints, the number of audit issues identified, etc.
Start your risk management program today, so that you don't get caught off guard. Who knows what risks may be lurking right around the next corner?
August Aquila is a consultant to the accounting profession, specializing in partnership issues, mergers and acquisitions, compensation, and strategic planning. Reach him at aaquila@thegrowthpartnership.com or (952) 930-1295.
