APES 325 Risk Management for Firms

Objective

APES 325 Risk Management for Firms sets out mandatory requirements and guidance for members in public practice to establish and maintain a risk management framework in their firms in respect of the provision of quality and ethical professional services.

Scope and application

APES 325 was issued in December 2011 and revised in October 2015, December 2017 and September 2019. The revised standard requires members in public practice in Australia to incorporate appropriate amendments to their risk management framework by 1 January 2020. For members in public practice outside of Australia the provisions of APES 325 must be followed provided local laws and/or regulations are not contravened.

Objectives of a risk management framework

An effective risk management framework should assist a firm to meet its overarching public interest obligations as well as its business objectives.

The risk management framework should consist of policies designed to achieve the firm's objectives and procedures necessary to implement and monitor compliance with those policies. The risk management framework should be an integral part of the firm's overall strategic and operational policies and procedures. A firm's quality control policies and procedures, developed in accordance with APES 320 Quality Control for Firms, should be embedded within the risk management framework. A monitoring process shall be developed so that the risk management framework remains relevant, adequate and operating effectively. This is to ensure that relevant risks are completely identified, effectively assessed and managed. This ensures the firm achieves its business objectives. 

Establishing and maintaining a risk management framework for a firm

A firm must establish and maintain a risk management framework taking into consideration its public interest obligations and must periodically evaluate the design and effectiveness of the risk management framework.

The risk management framework must include policies and procedures that identify, assess and manage key organisational risks, which may include:

• governance risks
• business continuity risks (including succession planning)
• business risks
• financial risks
• regulatory risks
• technology risks (including cyber security)
• human resource risks
• stakeholder risks.

The nature and extent of the policies and procedures will depend on various factors such as the size and operating characteristics of the firm and whether it is part of a network. The management of risks in a firm involves the identification, assessment, treatment, and ongoing monitoring of the risks. The purpose of risk management is to identify a potential issue before it occurs so that preventative action can be taken to minimise or stop the risk event. 

The firm's chief executive officer (or equivalent) or, if appropriate, the firm's managing board of partners (or equivalent) must take ultimate responsibility for the firm's risk management framework. A firm must ensure that the personnel assigned responsibility for establishing and maintaining its risk management framework in accordance with this standard have the necessary skills, experience, commitment and authority.

Succession planning

A firm shall document its succession plan as part of its risk management framework. The succession plan should include specific actions that a firm will undertake in order to enable the firm to continue performing its professional obligations to its clients.

Refer to the standard for information concerning

• definitions
• monitoring a firm's risk management policies and procedures
• documentation.