APES 325 - Risk Management for Firms


Under APES 325 Risk Management for Firms, members who are principals in firms are required to implement, document and monitor a risk management framework to embed a risk culture, assist in providing quality and ethical services in the public interest, and to meet their business objectives. This includes the development of policies and procedures that extend beyond those developed to address quality relating to engagement risks, as required by APES 320 Quality Control for Firms.

APES 325 references AS/NZS ISO 31000: 2009 as providing principles and generic guidelines on effective risk management practices. Any public, private or community enterprise, association, group or individual can use AS/NZS ISO 31000: 2009, so it is not specific to any industry or sector.

APES 325 Risk Management for Firms applies from 1 January 2013.

What is Risk Management?

Risk is uncertainty about an outcome. It is the threat that an event, action or non-action could affect a firm's ability to achieve its business objectives and execute its strategies successfully. Risk is an inherent component of all business activities and includes positive as well as negative impacts, so not pursuing an opportunity can also be risky. Risk takes many forms: business, economic, regulatory, investment, market and social, to name a few.

Risk management involves the identification, assessment, treatment and ongoing monitoring of the risks and controls impacting a firm. The purpose of risk management is not to avoid or eliminate all risks. It is about making informed decisions regarding risks and having processes in place to effectively manage and respond to risks in pursuit of a firm's objectives by maximising opportunities and minimising adverse effects.


When implemented and maintained, effective risk management protects the value of a firm by:

  • Increasing the likelihood of achieving business objectives
  • Encouraging proactive management of business processes
  • Improving compliance, reporting and governance
  • Strengthening and streamlining controls
  • Enhancing operational effectiveness and efficiency
  • Maximising the productive use of available resources
  • Minimising financial losses
  • Improving resilience and business continuity.


APES 325 requires the risk management framework to be documented. The sample and template spreadsheets provided will guide you through this process.

This guide provides a risk management framework that is suitable for sole practitioners, small firms and midsize firms (over five partners) to embed basic risk management within a practice. If the firm already conducts risk management, use this guide to ensure the existing framework complies with APES 325.

A risk culture that is integral to the firm's strategic and operational decision making will be created where senior management take the lead in developing the risk management framework, communicate it effectively to personnel and support those tasked with aspects of its implementation. See the full requirements of APES 325.


"Risk management means coordinated activities undertaken by a Firm, to direct and control the activities of the Firm with regard to risk."

APES 325