July 2020

OVERCOMING THE CHALLENGE OF RISK MANAGEMENT IN PROFESSIONAL SERVICES

By Hitesh D. Gajaria
Chartered Accountant

In his seminal tome ‘Against the Gods – The Remarkable Story of Risk’, Peter L.
Bernstein says that the revolutionary idea that defines the boundary between
modern times and the past, comprising thousands of years of history, is that of
the mastery of risk: the notion that the future is more than a whim of the gods
and that humans are not passive before nature. The book weaves across
generations to tell stories of thinkers whose remarkable vision showed the
world how to understand risk, measure it and weigh its consequences, converting
risk-taking itself into one of the prime catalysts that drives modern society.

 

This article is an attempt to introduce a professional (other than one who has
made risk management itself her professional calling) to some facets of risk
and to give pointers for developing an integrated risk management framework in
which risk can be understood and managed, if not entirely mitigated. While my experience has
almost wholly been as a professional practising in the area of taxation and my
thoughts will therefore reflect that bias, I am sure some of what I say may
have universal application for all professional service providers.

 

Globalisation of
the market place, advances in information technology, rapidly changing laws,
growing intolerance of compliance being only in letter but not in spirit, with
a simultaneous emphasis on good corporate governance, proliferation of
litigation and increased diversity in services offered and even the emerging
global megatrend of ‘tax morality’ are some of the current issues faced by a
professional. When one reflects on professional services firms, even as they
often are called in by clients to advise them on risk management, they
themselves are struggling to keep risks at bay in this Volatile, Uncertain,
Complex and Ambiguous (‘VUCA’) world.

 

Accounting firms
traditionally provide services to clients in three major areas: Audit or
Assurance, Tax, and Advisory Services. The business risk associated with each
of these three services includes loss of future income, loss of reputation and
exposure to legal liability. These risks are not mutually exclusive and, given
the inter-dependent way in which one or more services are often provided to the
same client, a professional firm may be exposed to one or more of the above
risks simultaneously. While external insurance protection is indeed available
and can, to an extent, mitigate financial risk, it cannot protect against loss
of reputation, which in my view is the biggest risk.

 

Fundamental to a
professional’s engagement is the premise that she will deliver quality services
and besides meeting clients’ expectations on this count, this is now more often
demanded by regulators and other third parties who may have relied on a
professional’s work. Though quality is often difficult to precisely define in
the professional services arena, professionals can and should ensure that they
adhere to the guiding principles on quality. A few of these are listed below (see
tabulation):

(a) Proper scoping of the work laying down, wherever possible, scope limitations and caveats;

(b) Matching of the work to what has been contracted for;

(c) Proper planning of the engagement;

(d) Involvement and engagement of partner or other senior resources;

(e) In complex situations or where stakes are very high, involvement of a Quality Review Partner;

(f) Where necessary, involvement of internal or external experts, including counsel;

(g) Where necessary, appropriate engagement with regulators or authorities;

(h) Appropriate and adequate documentation;

(i) Suitable communication with clients;

(j) Periodic and regular Quality Performance Reviews and corrective actions.

 

A robust risk
management framework will also contain thoughtfully designed processes,
encompassing the entire life-cycle of a professional engagement. Some of these
are as follows:

 

(A) Independence

The importance of
being independent cannot be overemphasised. From very basic concepts such as
not performing a management or an employee function, this concept straddles
almost all situations, real or perceived, which can lead to compromising a
professional’s independence. The risk of blurring professional and personal and
financial relationships is sometimes fatal to continuing to serve clients
objectively.

 

(B) Client acceptance

This process is
critical to the long-term sustainability of a professional firm. In today’s
environment where perceptions often cloud reality, association with dubious
clients to whom a professional may have provided professional services can be a
significant barrier to maintaining and enhancing a spotless professional reputation.
Appropriate background checks before accepting a client have rightly become a
mandatory hygiene process. Firms may introduce additional filters on the basis
of their experience and expertise, for example, high-risk industries,
politically-connected persons, cash-based businesses, etc. to narrow down their
universe of serviceable clients. Further, the client acceptance process is not
a static one-time task. It needs to be renewed and reviewed periodically,
preferably at least once each year to check that nothing has adversely changed,
either with the client’s business or in the environment.

 

(C) Engagement acceptance

This is a document
created for every new engagement of an existing or new client and contains all
background information on the engagement and the nature of work to be
performed. It will document the applicable statutory provisions to be
considered, e.g., auditor independence and standards applicable to the
engagement; for example, the ICAI Code of Ethics. It will also lay out unusual
risk factors, if any, and their impact, as also steps taken to mitigate or
manage such risks. It will document third-party involvement, such as counsel
opinions to be obtained. It will also contain the names, designations and
experience of team members who will execute the engagement. And it will lay out
the range of fees that is usually charged by the firm for the type of
engagement.

 

(D) Engagement contract or letter

Externally, this is
perhaps the most important document, second only to the actual engagement
deliverable, and it forms the very basis of the contract for performance of
professional service. Having a well-laid-out clear and simple engagement
contract, containing the complete scope of work with all scope exclusions,
limitations and caveats, as also the fees that would be charged and the
milestones at which these would be charged, and the liability assumed for the
deliverable, reduces the possibility of disagreements later. It also restricts
the liability of any deliverable so long as the deliverable is properly
referenced to the engagement contract. And it contains usual clauses governing
the professional relationship, including a force majeure clause, and
lays down the roles and responsibilities of each party to the contract.

 

(E) Evaluation and on-boarding of third-party service providers

This is assuming a
very important dimension because very often service providers are being held
responsible for not only their own deliverables but also for the actions and /
or inactions of other service providers who may have played a part in the
engagement. The processes described above, viz., independence, client
acceptance, etc., must also be carried out for each third-party service
provider. It must be ensured that third parties working together either as
co-partners or sub-contractors, share the same value systems as the
professional. Wherever necessary and feasible, the third-party service provider
must be imparted the relevant risk trainings to avoid any misunderstanding.
The role, risks and rewards that will be shared with the third-party service
provider must be clearly documented and assented to by that provider as well.

 

(F) Data protection – safeguards and developments in legal obligations

Professional firms possess and process a lot of sensitive professional
and personal data, especially of their clients and employees. Many clients,
too, expect adequate processes and compliance with local and global legal
regulations (like the European GDPR) as a pre-condition for engaging professionals.
These obligations span rules for gathering, storing, protecting and processing
of personal information as well as mechanisms to deal with breaches.

 

(G) Mandatory risk management trainings

Devising and
implementing risk management trainings frequently to all relevant staff
members, regardless of their designation and standing in a professional firm is
a sine qua non for the risk management strategy to survive in any
organisation. Over-communication of a professional firm’s risk management
policy and processes is a virtue and should not be viewed as an evil to be
tolerated. Here the tone must be set from the top, with senior-most partners
taking the lead on rolling out these trainings and frequently setting out
screensavers, posters, etc. in the workplace to keep reminding everyone about
the basic concepts.

(H) Insider-trading and other statutory regulations

Today, more than
ever, regulations are increasing the burden on professional firms and must be
followed in order to continue to discharge honourably the obligation that
society has cast on professionals. However, the ‘Gold Standard’ in a risk
framework must go beyond statutory compulsions and must inculcate a ‘smell
test’ foundation. The question, ‘What if this act is reported on the front page
of leading newspapers or anywhere in the media?’ must be the idea that needs to
be brought to life in any risk management framework.

 

(I) Mandatory escalation of any breaches or perceived violations

The risk management
framework must be designed in a manner to encourage anyone in the firm to
independently report any real or perceived violations without any fear of
sanctions. Many risk-laden situations can be mitigated if escalated at the very
beginning of any breach or perceived violation.

 

(J) Zero tolerance

There ought to be
zero tolerance within the firm for anyone breaching risk rules, either
explicitly or impliedly, with graded financial sanctions to be imposed or even
dismissals and separations to be considered and enforced in serious situations
(especially where there is a violation of the firm’s ethics and / or involves
committing acts of moral turpitude).

 

(K) Risk management framework review process

It is a good practice to have at least two or three types of reviews
done periodically. The first is to internally refresh the entire Risk
Management Framework – ideally at least once thoroughly every two years and a
refresh to be carried out every year. This is in addition to external events
which can necessitate an immediate modification or addition to the framework.
The second is to have another independent firm peer-review the risk framework
and mutually share best practices. Yet another could be to adopt and customise
a few best practices that one may pick up in international professional
seminars and conferences.

 

RISK OF OBSOLESCENCE AMIDST CHANGE

Finally, one of the
biggest risks that a tax professional faces today is the rapidly changing
landscape of tax services. The quest to stay relevant to society is now more
acute than ever before. Going forward, in my opinion the entire platform of tax
services will rest on three main pillars. These will broadly define how tax
professionals may need to specialise their skill sets and garner focused
experience. These are (1) Technology-enabled tax compliance, (2) High-end
advisory services, including on complex transactions, and (3) Litigation.

 

 

The astute
professional realises that tax services can no longer be delivered in the same
fashion as has endured for some years now. Technology is ruthlessly being
embraced – not only by clients but also by the authorities. The professional
must learn to adapt and even master technology to stay ahead of the game.
Technology tools using Artificial Intelligence (AI) and Machine Learning (ML)
must take over a considerable number of repetitive tasks; and leveraging on cost-effective
resources will be the new normal soon. Further, non-professional technology
firms already have disrupted and usurped the lower end of the compliance
market.

 

Simultaneously,
there are attempts to achieve a global consensus on the tax basis and methodologies
on the back of a relentless drive to stop tax-base erosion. This has resulted
in radical changes in domestic and international laws and the emergence of and
seeping in of transaction tax type levies, giving rise to fresh challenges for
the professional to overcome. Today’s professional reality is the coming
together of accounting and tax principles, giving clear preference to the
doctrine of substance over form and with new and ever-changing company law,
foreign exchange and SEBI regulations. A clear need has arisen for
professionals who have experience in more than just one or two core areas and
also for those professionals who can collaboratively work together with other
professionals in different disciplines to evolve solutions to overcome complex
problems which do not fall foul of any regulations. In this arena, too, it is
common experience that sister professions are nibbling away at pieces of work
that Chartered Accountants traditionally performed. This calls for a
longer-term strategy to develop and nurture appropriate talent.

 

Given the complexity in tax laws and the tendency of both taxpayers and
tax assessors to be aggressive, a professional will need to master Litigation
Strategy, if she must perfect the tools of her trade. Today, more than ever,
clients need hand-holding and guidance on which litigations to pursue and which
ones not to, having regard to the alternate forums of dispute resolution
available under domestic laws as well as under India’s tax treaties.

 

Both individuals
and firms are busy meeting many of the challenges highlighted above. Broadly,
any strategy must include devising a detailed compliance framework, including
establishing a crisis management plan, purchasing appropriate insurance cover,
implementing the right technology and systems, and creating a culture of
compliance throughout the organisation.

 

Finally, managing
risk is very different from devising economic strategy to grow and be
successful. Risk management must focus on the negative – dangers and failures rather
than opportunities and achievements. And it’s tempting to relegate risk
management to a ‘good to have’ rather than a ‘must have’. Instances of failure
of other professionals are often viewed as being specific to those sets of
individuals and are rarely acknowledged as a shortcoming of the way a
professional firm is run on a daily basis. It’s also antithetic to a culture of
‘winning more and winning bigger’, hence tends to find few takers willing to
invest both time and money now, in order to avoid an unknown future problem
that may not even occur. However, as the history of humankind has shown,
vulnerabilities have existed through various times – good and bad – and the
foundation of any long-term sustainable and successful strategy must include a
robust risk management system. After all, any firm’s ability to weather a storm
depends very much on how seriously top management takes its risk-management
function when the sun is shining brightly, with scarcely a cloud on the
horizon.
