Content Summary
Objective
APES 325 Risk Management for Firms sets out mandatory requirements and guidance for members in public practice to establish and maintain a risk management framework in their firms in respect of the provision of quality and ethical professional services.
Scope and application
APES 325 was issued in December 2011 and revised in October 2015, December 2017 and September 2019. The revised standard requires members in public practice in Australia to incorporate appropriate amendments to their risk management framework by 1 January 2020. For members in public practice outside of Australia, the provisions of APES 325 must be followed provided local laws and/or regulations are not contravened.
Objectives of a risk management framework
An effective risk management framework should assist a firm to meet its overarching public interest obligations as well as its business objectives.
The risk management framework should consist of policies designed to achieve the firm's objectives and procedures necessary to implement and monitor compliance with those policies. The risk management framework should be an integral part of the firm's overall strategic and operational policies and procedures. A firm's quality control policies and procedures, developed in accordance with APES 320 Quality Control for Firms, should be embedded within the risk management framework. A monitoring process shall be developed so that the risk management framework remains relevant, adequate and operating effectively. This is to ensure that relevant risks are completely identified, effectively assessed and managed, so that the firm achieves its business objectives.
Establishing and maintaining a risk management framework for a firm
A firm must establish and maintain a risk management framework taking into consideration its public interest obligations and must periodically evaluate the design and effectiveness of the risk management framework.
The risk management framework must include policies and procedures that identify, assess and manage key organisational risks, which may include:
- governance risks
- business continuity risks (including succession planning)
- business risks
- financial risks
- regulatory risks
- technology risks (including cyber security)
- human resource risks
- stakeholder risks.
The nature and extent of the policies and procedures will depend on various factors such as the size and operating characteristics of the firm and whether it is part of a network. The management of risks in a firm involves the identification, assessment, treatment, and ongoing monitoring of the risks. The purpose of risk management is to identify a potential issue before it occurs so that preventative action can be taken to minimise or stop the risk event.
The firm's chief executive officer (or equivalent) or, if appropriate, the firm's managing board of partners (or equivalent) must take ultimate responsibility for the firm's risk management framework. A firm must ensure that the personnel assigned responsibility for establishing and maintaining its risk management framework in accordance with this standard have the necessary skills, experience, commitment and authority.
Succession planning
A firm shall document its succession plan as part of its risk management framework. The succession plan should include specific actions that a firm will undertake in order to enable the firm to continue performing its professional obligations to its clients.
Refer to the standard for information concerning:
- definitions
- monitoring a firm's risk management policies and procedures
- documentation.
Related resources
- APES Technical update September 2019
- Developing your risk management framework: Recorded webinar
- Risk Management Framework Tool: this online tool helps you develop a custom Risk Management Framework for your practice.