The Requirements of APES 325

The following table sets out the mandatory requirements of APES 325 - Risk Management for Firms, which are the minimum requirements for conducting risk management and complying with this standard.

APES 325 REFERENCE | MANDATORY REQUIREMENT
1.4 Members in Public Practice conducting the operations of a firm in Australia shall follow the mandatory requirements of APES 325.
1.5 Members in Public Practice conducting the operations of a firm outside Australia shall follow the provisions of APES 325 to the extent to which they are not prevented from so doing by specific requirements of local laws and/or regulations.
1.6 Members in Public Practice shall be familiar with relevant Professional Standards and guidance notes when providing Professional Services. All members shall comply with the fundamental principles outlined in the code.
4.1 A firm shall establish and maintain a risk management framework taking into consideration its public interest obligations. The firm shall periodically evaluate the design and effectiveness of the risk management framework.
4.2 A firm's risk management framework shall include policies and procedures that identify, assess and manage key firm risks, which may include:
  • Governance risks
  • Business continuity risks (including succession planning)
  • Business risks
  • Financial risks
  • Regulatory risks
  • Technology risks
  • Human resources risks
  • Stakeholder risks.
Additional risks specific to the firm can be identified through the use of other relevant standards or guidance.
4.4 A firm's chief executive officer (or equivalent) or, if appropriate, the firm's managing board of partners (or equivalent), shall take ultimate responsibility for the firm's risk management framework.
4.6 A firm shall ensure that the personnel assigned responsibility for establishing and maintaining its risk management framework in accordance with APES 325 have the necessary skills, experience, commitment and authority.
5.1 A firm shall establish a monitoring process designed to provide reasonable confidence that the risk management policies and procedures relating to the risk management framework are relevant, adequate and operating effectively and that instances of non-compliance with the firm's risk management policies and procedures are detected.
5.2 A firm shall establish a process whereby instances of non-compliance with the firm's risk management policies and procedures are brought to the attention of the firm's leadership who shall take appropriate corrective action.
6.1 A firm shall document its risk management framework.
6.3 A firm shall document its risk management policies and procedures and communicate them to the firm's personnel.
6.6 A firm shall retain all relevant documentation for a sufficient time to permit those performing the firm's monitoring process to evaluate its compliance with its risk management framework and to comply with applicable legal or regulatory requirements for record retention.
6.7 A firm shall document all instances of non-compliance with the firm's risk management policies and procedures detected through its monitoring process and the actions taken by the firm's leadership in respect of those instances of non-compliance.