By taking a planned, rational and strategic approach to managing risk, practice owners can mitigate potential damage and sleep better at night, Phil Shohet suggests
This article was first published in the April 2019 UK edition of Accounting and Business magazine.
Every year many thousands of businesses – accounting practices included – sleepwalk their way into disaster because they have failed to recognise and plan for risks that are often plain to see and easy to avoid.
Systematic but straightforward risk assessment can eliminate dangers that, if not terminal, could result in huge expense. And the approach and techniques that might save an accountancy practice can equally be applied as a fee-earning service, assisting clients to keep out of trouble.
Yet gather together a group of practitioners, and a rather blinkered view of risk exposure will often emerge – one guided by regulatory requirements, but distorted by the huge publicity attracted by the failures of a number of leading firms to meet requirements. These failures have often led to public censure and hefty fines, and occasionally to existential threat. Arthur Andersen’s failure demonstrated that even those operating at the very pinnacle of the profession can be vulnerable when practice standards are compromised.
Given this publicity, it is perhaps unsurprising that such a group of practitioners will focus on the many regulatory hurdles that threaten to ensnare their firms. Given the sheer quantity and range of regulation, this is understandable. However, there are many other ways in which problems arise – problems that can sometimes be just as disastrous as those posed by regulatory failings.
Find your weak spot
The first challenge is to take a step back and carefully review your practice’s risk vulnerability by answering the following questions:
- Have the partners identified and listed the major risks by scale of the threat they represent? Is this list reviewed regularly?
- Do the partners devote enough time to the regular review of these risks? Is the review process sufficiently detailed and probing, and sufficiently resourced with partners experienced in risk management?
- Does the risk management process cover all areas of risk – in particular, the four major risk areas: strategic, operational, financial and hazard?
- Is there clear, effective communication of the risk assessment to all the relevant staff at every level of the firm?
A ‘no’ answer to any of these questions is a clear signal that the practice faces unnecessary risk in one of those four major risk areas.
For example, it is not sufficient to consider that you’ve got hazards covered just because you have insurance and comply with health and safety legislation. Insurance does not protect against the consequences of disaster, so having insurance alone is not a strategy but should be part of overall risk management and contingency planning. Analysis needs to dig deeper into what will be required if the business premises are destroyed by fire. Are there contingency plans for finding and moving to alternative premises, and for backing up data and other records?
Risk is not a one-size-fits-all consideration; it varies according to circumstances. It is likely that a multi-office, multi-partner practice will have more natural resilience than a sole practitioner. However, the process for assessing, reducing, eliminating or living with risk is the same for every firm.
Multiplicity of risks
Strategic risk should be an area of particular concern to any practitioner, especially given the intensity of competition and client demand for increasingly complex services. This requires new skills and substantial investment, along with a clear vision of market direction and the opportunities and threats this presents to the practice.
The risks multiply, given the management and communication skills required to shift the team in the right direction and execute the business plan. Execution often falls short – especially where the chosen route to growth is a merger but integration is poorly implemented and value destroyed.
Then there is the aforementioned regulatory risk, which comes in different shapes and sizes. In the case of audit, the risks are widely appreciated – so much so that many smaller firms have now given up this area of practice entirely. Though even here, awareness of the regulatory requirements has not entirely eliminated poor practice and the risk this poses (for instance, to the validity of professional indemnity cover).
Perhaps more worrying is that other regulatory requirements do not appear to be working as intended. In particular, money-laundering rules do not seem to be generating the number of reports they should. While there is no suggestion of deliberate failure to make reports, it may be that failure to appreciate the true scope of the rules plus an element of complacency have led to under-reporting and dangerous levels of risk.
Still more worrying is the extent to which practices fall short in operational and financial situations, particularly in cash flow control and planning, which should be areas of great competence. Yet many have poor internal accounting controls, with the result that work in progress and debtors are at unacceptably high levels. Many are simply unaware of the risks they face in not practising what they preach.
Just as obvious are cyber threats, which can cause problems of catastrophic dimensions and are one of the greatest threats to the viability of the smaller practice. A serious problem is a virtual certainty at some point, but with appropriate business continuity management strategies in place, problems need not be disastrous. But despite the obvious risks, there are still plenty of practices relying on little more than good luck.
Probably the most threatening operational risk lies in HR. Well-documented danger areas include age discrimination, maternity leave and allowances. But just as threatening, especially to firms not large enough to justify a full-time HR professional, are an abundance of issues relating to the hiring, firing and management of staff. Often these will only emerge after the damage has been done – whether in upsetting client relationships or causing internal problems.
Discrimination and discipline can swiftly escalate to litigation, involving great expense and reputational damage. While it may not always be possible to avoid these dangers, with a constant eye on the potential problems it should be possible to recognise and counter them before they get out of hand.
Time to be proactive
Disparate as all these risks are, there is a common thread to combating them, which involves logical and structured forward-thinking. Many accountants only react after the event, engaging in a debilitating and constant battle to extinguish problems that have got out of hand, while averting their eyes from those they should be aware of, hoping that if ignored they will go away. In wishing problems away, the danger is of storing up far greater difficulties for the future. By tackling them proactively, accountants have the chance of developing skills of real economic value, both in saving expense to the practice and in developing fee-earning services for clients.
Phil Shohet is senior consultant at Foulger Underwood
"Disparate as these risks are, there is a common thread to combating them, which involves logical and structured forward-thinking"