Practice disaster… how to manage commercial risk

Every year many thousands of UK businesses sleep-walk their way to disaster – plenty of accountancy practices among them - through the simple failure to recognise and plan for risks that are often plain to see and easy to avoid.

Systematic, but straightforward, risk assessment can eliminate dangers that, if not terminal, could result in huge expense. The approach and techniques that might save an accountancy business can even be applied as a fee-earning service, assisting clients to keep out of trouble.

Yet gather together a group of practitioners, and more than likely a rather blinkered view of risk exposure will emerge – one guided by the regulatory requirements of the profession but distorted by the huge publicity attracted by the failures of a number of leading firms to meet requirements. Failures that all too often, have led to public censure and hefty fines – occasionally to existential threat and, as in the case of Arthur Andersen, demonstrating that even those operating at the very pinnacle of the profession can be vulnerable when practice standards are compromised.

Given this publicity, it is perhaps only to be expected that our group of practitioners will focus on the many regulatory hurdles that threaten to snare their practices when carrying out client work. Given the sheer quantity and range of regulation, this is understandable. However, the danger is to overlook the many other ways that problems arise – problems that can sometimes be just as disastrous as those posed by regulatory failing.

Risk review

So, the first challenge is to take a step back and carefully review your practice’s risk vulnerability by answering the following questions:

·         Have the partners identified and listed the major risks, by scale of the threat they represent? Is this list reviewed regularly?;

·         Do the partners devote enough time to the regular review of these risks/threats? Is the review process sufficiently detailed and probing? Is it sufficiently resourced with partners experienced in risk management?;

·         Does the risk management process cover all areas of risk? In particular, the four major risk areas: strategic, operational, financial and hazard?; and

·         Finally, is there clear and effective communication of the risk assessment to all the relevant staff at every level of the firm?

A ‘no’ answer to any of the questions is a clear signal that the practice faces unnecessary risk.

Insurance’s limits

For example in the case of hazard - it is not sufficient to consider that because you have insurance and comply with health and safety legislation, you have the matter covered. Insurance does not protect against the consequences of disaster, and the insurance strategy should not therefore be considered on its own, but rather as part of overall risk management and contingency planning.

Analysis needs to dig deeper into what will be required if the business premises are destroyed by fire. Are there contingency plans for finding and moving to alternative premises? Also, for backing up and preservation of business records and computer systems?

It is critically important to remember that risk is not a ‘one-size-fits-all’ consideration. It varies according to circumstances. It is likely that a multi-office, multi-partner practice will have more natural resilience than a sole practitioner or a practice led by a couple of partners. However, the process for assessing, reducing, eliminating or living with risk is the same for every firm.

Strategic risk

Strategic risk should be an area of concern to any practitioner, especially with the intensity of competition and the client demand for increasingly complex services. This requires new skills and substantial investment, along with a clear vision of market direction and the opportunities and threats this presents to the individual practice.

The risks multiply, given the management and communication skills required to shift the team in the right direction and to execute the business plan. All too often, experience demonstrates that execution falls short. More so where the chosen route to growth is merger, but where merger integration is poorly implemented - with value destruction the unintended consequence.

Science of compliance

Regulatory risk comes in different shapes and sizes. In the case of audit, the risks are widely appreciated – so much so that many smaller firms have now given up this area of practice entirely. Though even here, awareness of the regulatory requirements has not entirely eliminated poor practice and the risk this poses (for instance to the validity of PI cover).

Perhaps more worrying, other regulatory requirements do not appear to be working as intended. It’s noticeable that the money laundering rules do not seem to be generating the number of reports that they should. While it is not suggested that there is deliberate failure to make reports, it may be that failure to appreciate the true scope of the rules plus an element of complacency may have led to under-reporting and dangerous levels of risk.

Still more worrying is the extent to which practices fall short in operational and financial situations. In what should really be an area of great competence, one in which they present themselves as key advisers: that of cash flow control and planning. Yet upon investigation, many have found themselves to have poor internal accounting controls with the result that work in progress and debtors are at unacceptably high levels. Worse still, many are simply unaware of the risks they face in not practising what they preach.

Just as blindingly obvious, because of the constant media attention to virus infection and internet scams, is the danger of IT problems. There could scarcely be a greater threat to the viability of the smaller practice. A serious problem is a virtual certainty at some point. But when anticipated and the appropriate business continuity management strategies put in place, problems need not be disastrous. Sad to say and despite the obvious risks, there are still plenty of practices relying on little more than good luck.

Probably the most threatening operational risk lies in the HR area, where staff can truly be described as hazards. There are well documented dangers such as the age discrimination legislation that has affected many practices - ditto maternity leave and allowances. But just as threatening, especially to those not large enough to justify a full-time HR professional, are an abundance of issues relating to hiring, firing and management of staff.

Often these will only emerge after the damage has been done – whether in upsetting client relationships or causing internal problems. Discrimination (often inadvertent) or discipline (whether deserved or not) can swiftly escalate to litigation, involving immense expense and sometimes reputational damage. While it may not always be possible to avoid these dangers, with a constant eye to the possible problems, it should be possible to recognise and counter them before things get out of hand.

Structured approach

Disparate as all these risks are, there is a common thread to combatting them. That involves logical and structured forward thinking. Too many accountants only react after the event, engaged in a debilitating and constant battle to extinguish problems that have got out of hand, meanwhile averting their eyes to those of which they should be aware, desperately hoping that if ignored they will go away.

In fruitlessly wishing problems away, the very real danger is of storing up far greater difficulties for the future. Tackle them proactively and thoughtfully and there is every prospect of developing skills of real economic value, both in saving expense to the practice and in developing fee-earning services for clients.     

Phil Shohet is a senior consultant at Foulger Underwood.

Please get in touch with us and we can guide you through the process of risk due diligence, along with strategic and operational support.