Risk management is critical for all firms, including small- and medium-sized practices (SMPs). This is both in terms of protecting the assets, finances and operations of the firm and contributing to satisfactory legal compliance, corporate governance and due diligence. Effective risk management will protect the reputation, credibility and status of the firm.

It is important to establish a risk management “culture” in the firm. This emphasizes the importance of managing risk as part of each staff member’s daily activities at all levels of the firm. The goal of creating a risk management culture is to create a situation where partners and staff instinctively look for risks and consider their impacts when making effective operational decisions.

This article is part of a risk management series covering the benefits and steps of establishing a risk management program. The second article will highlight 10 steps for successful risk management and the third focuses on business continuity planning and risk mitigation strategies. The articles are a result of discussions at recent IFAC SMP Committee meetings, which involve practitioners from around the world sharing their perspectives and insights, and of material included in the Guide to Practice Management for Small- and Medium-Sized Practices, which includes a whole module on risk management covering professionalism and ethics, client engagement, quality control, and business continuity planning and disaster recovery.

Implementing a risk management program provides many benefits, including:

  • More effective strategic planning;
  • Better cost control through enhanced workflows, client evaluation and engagement processes;
  • Increased profitability through better client and job controls;
  • Reduced risks of litigation as a consequence of processes and contingency plans;
  • Increased knowledge and understanding of exposure to risk;
  • A systematic, well-informed and thorough method of decision-making;
  • Less disruption and less rework through better understanding of process by all staff in the firm; and
  • Setting the scene for continual improvement within the firm.

Establishing a Risk Management Program

Eight steps to establishing a risk management program are:

  1. Implement a Risk Management Framework based on the Risk Policy
    When developing the firm’s risk management framework, consideration should be given to the services offered, marketing and communication, staff and human resources issues, information and resource management, regulatory obligations, IT issues and security, succession planning, acceptance and continuance of clients and cash flow management.

  2. Establish the Context
    Consider the goals and objectives of the firm and the environment in which it operates (e.g. cultural, legal and operational). Identify internal and external stakeholders (e.g. clients, personnel, consultants, agents, internal systems, third parties, suppliers, etc.).

  3. Identify Risks
    Identify existing and potential risks as well as existing controls. The potential risks can be categorized as services performed, contract risk, acceptance or continuance risk and performance risk.

  4. Analyze and Evaluate Risks
    Analyze and evaluate the risks on a continuing basis. This involves a comparison of exposure levels against a predetermined tolerance level, the degree of control, potential or actual losses, and the benefits and opportunities presented by the risk. One of the simplest models for weighing the cost of controls against their adequacy is to consider the likelihood of occurrence of an event and the consequences of that event, i.e. Risk = Likelihood x Consequence.

    In assessing the level of the risk and identifying high and low risks, the process should include the firm’s existing and anticipated areas of practice; the composition, experience and expertise of the firm; the management and internal control procedures; the likelihood of being sued and the process to assess new and existing clients.

    When assessing the kind of risks the firm is exposed to, it is important to consider both the internal risks and the external risks. Internal risks may include staff, the business premises and location, threats to goodwill and reputation and information technology. External risks may include clients and both current and potential competitors.

  5. Treat and Manage Risks
    Develop strategies to manage the identified risks. Options can include accepting, avoiding, transferring (in part or in full), reducing the likelihood and/or consequence, and retaining the risk. Action plans can be developed based on the current levels of risk exposure, the benefits from actions/controls, the time needed to implement actions and the available budget.

    In areas identified as high risk, actions may include reconsidering that area and its development, retraining staff and reviewing the engagement with clients. Risk management procedures can include:

      • Clarity on the terms of the engagement;
      • Obtaining adequate insurance and controlling claims once they have occurred;
      • Maintaining accurate documentation;
      • Ensuring timeliness of action and diary systems;
      • Only practicing in those areas where there is sufficient expertise; and
      • Implementing strict selection criteria for clients and consultants or agents used.

  6. Communicate and Consult
    Communicate and consult with all parts of the firm, as well as outside parties, to ensure that all are kept well informed. For example, to avoid having to assume responsibility for the client’s risk-taking, advise the client in writing of relevant dates and of the consequences should the client fail to act. This transfers the risk of noncompliance back to the client, who must then act and/or follow up.

  7. Monitor and Review
    Monitor and review the risk management strategies on an ongoing basis. Over time, new risks are created, existing risks are increased or decreased, risks no longer exist, the priority of risk may change or the risk treatment strategies may no longer be effective. Monitoring should comprise: monitoring existing risks, identifying new risks, identifying any trouble spots and evaluating the effectiveness of current risk treatment strategies.

    Monitoring ensures that new measures are introduced to control new risks as they emerge. Ongoing review is required to ensure that strategies remain relevant, and that the overall risk control position remains proportionate to the potential costs of the risk.

  8. Record
    Keep a written record of all policies and procedures, including documentation of the assessment process, the major risks identified and the measures designed to reduce the impact of these major risks. Failure to document policies can lead to breaches in performance due to misunderstanding or misinterpretation. A written set of policy statements, supported by documented procedures, provides a constant reference, a guide to action and a framework for checking that operations are conducted in the manner intended by the firm.


Monica Foerster

Partner at Confidor, Chair of IFAC's SMP Advisory Group

Monica Foerster became Chair of the IFAC SMP Advisory Group (SMPAG) in 2017, after serving as its Deputy Chair. A SMPAG member since 2014, she was nominated by Conselho Federal de Contabilidade (CFC) and Instituto dos Auditores Independentes do Brasil (IBRACON). With 20 years of experience in the accountancy profession, Ms. Foerster is a partner at Confidor, an accounting, tax, and law firm with offices in Porto Alegre and São Paulo, Brazil.

Monica is currently a member of the Board of Directors of Ibracon Brazil (where she was the SMP Director and coordinator of the SMP Working Group for 6 years), and a board member at the Accounting Council (where she was also the coordinator of the Committee of Audit Studies (CRCRS) for 4 years).

Monica holds an MBA in financial management, controllership and audit from the FGV – Fundação Getúlio Vargas, Brazil, and a degree in accounting from the Universidade Federal do Rio Grande do Sul – UFRGS, Brazil.

Christopher Arnold

Director at the International Federation of Accountants (IFAC)
Christopher Arnold is a Director at the International Federation of Accountants (IFAC). He leads activities on contributing to and promoting the development, adoption and implementation of high-quality international standards, including the Member Compliance Program, Intellectual Property and Translations. Christopher is also responsible for IFAC’s SME (small- and medium-sized entities), SMP (small- and medium-sized practices) and research initiatives, which include developing thought leadership, public policy and advocacy. He was previously an Audit Manager for Deloitte and qualified as a professional accountant in a mid-tier accountancy practice in London (now called PKF-Littlejohn LLP). Christopher started his career as a Small Business Policy Adviser at the Association of Chartered Certified Accountants (ACCA).