Do as I say, or Do as I do? Managing Risk in the Professional Services Sector

Posted by Simon Persin on 7 August 2017

Running an organisation in a compliant manner is becoming a far more complex challenge. Regardless of the industry sector or size of the business, many organisations are finding that audit requirements are becoming far more stringent and the digitalised economy introduces a significant and fast-moving threat to traditional business operations.


Professional services organisations are particularly susceptible to many such risks, as their business model is often based on staying up to date with the latest emerging skills or trends. With a services-related revenue stream, reputational damage and the loss of people's delivery skillsets are the biggest threats they face. Failure to get up to speed on the latest industry trends leaves companies racing to catch up with their peers as they watch the opportunities pass them by. If key individuals leave the organisation, or high-profile adverse media attention comes their way, this can also do significant damage to revenues and profitability alike.

Access Control – Although the specific access requirements of a professional services organisation are not that different from those of a standard business model, there is an additional duty of care to consider. Handling customer projects or customer information may carry additional sensitivity. Holding vital customer records for justifiable purposes is fine, but it comes with an additional duty of care, since the professional services organisation must now protect that information to the correct levels. This will become even more critical as the GDPR legislation comes into effect on 25th May 2018. There may be a requirement for individuals to access that information only while they are on the engagement, with that access revoked as soon as the engagement completes or their involvement with it concludes. This adds a dynamic element to the access requirement, over and above their substantive job role.
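As an added example (not code from the original post, nor from any SAP GRC product), a small Python model of that dynamic requirement: a consultant's expected access is their substantive role access plus whatever the engagements active on the review date unlock, and an access review flags anything still granted beyond that. The engagement-to-entitlement mapping, entitlement names and the sample consultants are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed mapping (assumption): which entitlements each engagement unlocks.
ENGAGEMENT_ACCESS = {
    "acme-audit": {"client:acme:records"},
    "globex-erp": {"client:globex:project"},
}

@dataclass(frozen=True)
class Engagement:
    name: str
    start: date
    end: Optional[date] = None  # None means the engagement is still open

@dataclass
class Consultant:
    user: str
    role_access: set        # entitlements from the substantive job role
    engagements: list       # Engagement records for this person
    granted: set            # what the access system currently grants

def expected_access(c: Consultant, today: date) -> set:
    """Role access plus engagement access; the latter only while the engagement is active."""
    entitled = set(c.role_access)
    for eng in c.engagements:
        if eng.start <= today and (eng.end is None or today <= eng.end):
            entitled |= ENGAGEMENT_ACCESS.get(eng.name, set())
    return entitled

def stale_access(c: Consultant, today: date) -> set:
    """Granted entitlements that neither the role nor an active engagement justifies."""
    return c.granted - expected_access(c, today)

def review(consultants: list, today: date) -> dict:
    """Access review: users holding access that should already have been revoked."""
    return {c.user: s for c in consultants if (s := stale_access(c, today))}

# Constructed sample data: alice rolled off the Acme audit on 30 June but kept the access.
SAMPLE = [
    Consultant("alice", {"timesheets"},
               [Engagement("acme-audit", date(2017, 3, 1), date(2017, 6, 30)),
                Engagement("globex-erp", date(2017, 7, 1))],
               {"timesheets", "client:acme:records", "client:globex:project"}),
    Consultant("bob", {"timesheets"},
               [Engagement("acme-audit", date(2017, 3, 1))],
               {"timesheets", "client:acme:records"}),
]
```

Running `review(SAMPLE, date(2017, 8, 7))` reports only alice's leftover Acme access; a scheduled run of such a check is the control that enforces the revocation the paragraph describes.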

Process Control – can also add great value to professional services institutions. These organisations may be subject to the same regulations as their clients and therefore, as well as advising, they may need to follow their own advice and define appropriate controls to govern themselves. As well as the standard checks for good corporate and financial governance, professional services firms may wish to look at their particular risks to drive better business insight: for example, the percentage of revenue coming from short-term consulting engagements, or a high proportion of revenue from a single source.

Business Integrity Screening – should be a key focus for professional services organisations. Screening their own staff to check for compliant behaviour, or to watch for the tell-tale signs that key individuals may be looking to move on, would allow for effective succession planning. Screening potential new customers would ascertain whether they are likely to expose the organisation to significant risk by association: representing a client in dubious deals, or failing to uncover poor financial practices during an audit, could be hugely damaging merely through association, if not through actual liability. This is all in addition to the usual checks in standard corporate-centre processes for financial governance, supply chain risk and reducing the opportunity for fraudulent activity.

The time of professional services institutions getting away with “do as I say, not as I do” is definitely coming to an end.

Topics: SAP Process Controls, SAP Access Controls, SAP GRC
