Managing risks as your engineering firm scales operations

As professional services firms increase in scale, organizations need to consider the balance between pursuit of growth and changes in the risk profile of the organization. Engineering firms may be expanding scope of services, operating in new geographies or implementing innovative technologies and tools to enhance service and product delivery. In addition, contracts tend to be complex and subject to changes, especially as the industry evolves. To effectively support firm governance from an internal firm management perspective as well as strengthen client-facing processes, firms can benefit from implementing a risk management framework and relevant internal controls to mitigate risks to a tolerable level.

Effective risk management frameworks can be scaled from the firm’s current state to support expected growth that is aligned with the firm strategy, while maintaining efficiency, productivity and revenue.

Multiple benefits emerge from the integration of a risk management framework¹ with the organizational strategy, including but not limited to:

• Identifying new opportunities as a result of changes in the risk profile
• Managing risks effectively across an entire business rather than in silos
• Limiting costly surprises of emerging risks and the impact on organizational performance
• Boosting resilience and response to risks across the organization
• Prioritizing resource deployment to areas of highest impact

This article will address:

1. Common practices for establishing firm risk management
2. Areas of particular risk for engineering firms

Who owns enterprise risk management for the firm?

While risk management and the effective implementation of controls is everyone’s responsibility within a firm, it is important to ensure that responsibility for building out a risk management framework is anchored to a champion with the appropriate stature and ability to influence within the firm. This individual oversees foundational activities associated with defining the scope and scale of the risk management framework, the implementation of the framework including key process and control identification, and the integration of the framework into the firm’s day-to-day operations.

What does enterprise risk management mean for the firm?

The selection and implementation of an appropriate enterprise risk management framework requires significant thought and input from key stakeholders. In simplistic terms, an organization holistically considers risk exposures as a result of its operations and identifies the potential impact in the absence of controls. Some risks may be less controllable (systemic, environmental, regulatory) and others may be more controllable (operational – related to people, processes and systems). This can be followed by the identification of key controls to mitigate organizational risks to a tolerable level – in particular, which controls may already be in place or which need to be designed and implemented. Risk tolerance can vary by risk and should be closely monitored by the organization’s governance bodies, to support the ongoing effectiveness of the overall enterprise risk management framework against firm strategy, and stakeholder requirements and expectations.

Choosing an internal control framework

While there are various internal control frameworks from which to choose, a framework that is common across industries and geographies is the COSO Framework².COSO defines internal control³ “as a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” Internal controls can be identified across the firm (entity level controls) supporting the general tone at the top as well as across key organizational processes – some examples are described below.

Examples for engineering firms

While engineering firms may be at different stages of maturity in terms of strategy, scale, and complexity, an appropriately sized risk management and control framework can be applied. Areas of focus may not significantly differ from firm to firm, however, the nature of risks and strength of controls can vary among firms. More mature firms may have built up a view on risks and controls over time and may take the opportunity to streamline; less mature firms may be starting to build the foundation. Consider using independent subject matter expertise to support activities that are tailored to fit your firm’s needs.

Illustrative examples of risk for an engineering firm can include:

• Reputational risk which is related to damages to a firm’s reputation;
• Strategic risk which is related to the firm’s ability to achieve its strategic objectives;
• Operational risk which includes risks associated with people, processes and systems;
• Privacy risk which is related to the loss or leakage of data; and
• Third party risk which includes firm service delivery risk as well as the extension of other risks beyond the firm’s people, processes and systems.

Relevant business processes might include:

• Firm management matters including firm acquisitions and succession planning;
• Client acquisition processes including client acceptance, bidding and contracting;
• Financial reporting processes relating to accounts receivable; 
• Information technology (IT) management including systems security; and
• Privacy matters including employee and client data security.

Firm acquisitions

Engineering firms may be growing through acquisitions of other professional practices. As part of the due diligence process, it is important to give consideration to the acquired firm’s risk management approach. Understanding how an acquisition may change the overall risk profile of the acquiring firm can help to ensure that processes and controls are strengthened to maintain the firm risk profile within tolerable levels. This is an area that should continue to be monitored through the firm integration phase as well, keeping in mind that the integration efforts themselves may lend themselves to integration risk – an impact on existing people, processes and technology.

Client acceptance

Client acceptance processes at a firm should be sufficiently robust to support a view on the extent of risk relating to acquiring the new client. The nature of the client as well as the scope of services planned to be provided can change the firm risk profile. For example, adding a new industry to the client portfolio or requiring a new skillset to deliver the service can impact risk and accordingly, the decision-making process should be supported by appropriate review and approval controls. This can also help to ensure new client acceptances are aligned with the firm’s broader market strategy.

Bidding and contracting

Consistency of firm processes across specialized teams relating to bidding and contracting activities is an ideal end-state. However, consistency should not sacrifice the need for flexibility to respond to market opportunities. Understanding the inherent risks within these processes, and ensuring that appropriate guidelines, including review and approval controls are in place, is critical to containing the risk. Areas of risk exposure can include:

• potential or perceived conflicts of interest with clients or third parties (client procurement teams, engagement contractors or sub-contractors)
• engaging with third parties who are not sufficiently vetted or could expose the firm to risks inadvertently (i.e., being associated with a cause that is misaligned with the firm’s values or code of conduct)
• firm compensation metrics that could drive undesired bidding and/or contracting behaviours
• excessive rate discounting or underpricing work effort that could result in undesired project delivery risk
• non-standard contracts with unapproved additions or deletions

A strong control environment should include clarity of review and approval expectations across firm management, with clear accountabilities for decisions, as well as processes that permit a tolerable degree of judgement and flexibility, with close monitoring for undesirable behaviours given competitive pressures. Another factor is the extent to which external guidelines (regulatory, public sector, industry) should also be adhered.

Financial reporting

Financial reporting for an engineering firm includes revenue recognition, work in process valuation, accounting for gross and net accounts receivable, partner compensation and operating expenses. Financial reporting risk relates to the risk that financial information to manage the business as well as provide a financial statement view is not appropriate – incomplete, inaccurate or misstated. Controls to mitigate financial reporting risk generally include segregation of duties; authorization, review and approval; and reconciliation. The extent of control required by a firm to respond to financial reporting risk will vary with the size and complexity of the firm, whether the firm has a standalone Finance function, and if the firm is required to produce independently audited financial statements.

Information technology system security

Firms are exposed to cyber security risk by virtue of using IT systems, social media and sharing of data across the firm and potentially with clients. A thorough understanding of potential exposures within a firm’s information technology system, including connectivity and data sharing with third parties, helps to assess the extent of the risk and to implement an appropriate response. A controls-based response will generally align with a view to “Identify, Protect, Detect, Respond, and Recover”⁴. Simplistically, potential threats are identified; controls are implemented to protect against those threats supported by ongoing monitoring to detect events that have taken place; and protocols are put into place to respond and recover in the event of an incident. The extent of controls required will depend on the complexity of the information technology system. Education of firm staff on security protocols, and having an in-house IT team or outsourced IT function to oversee the company’s critical infrastructure are also important steps to mitigating risk.

Privacy

How internal and external data is managed within the firm is another area of critical risk. The types of data could include employee data, firm management information and client data. The effectiveness of controls around mitigating the risk of data breaches can significantly impact the reputation of the firm. This topic is also becoming more common in client engagement contracting discussions due to a client’s need to ensure their data is secure with third party firms prior to entering into an arrangement. Sharing of data with third parties to the firm also elevates this risk as the onus for ensuring the privacy of internal and external data may extend beyond the firm’s structure and staff. This could also have an impact on a firm’s profitability due to increased risk of litigation or financial penalties.

Firm response

Engineering firms are not unique in terms of exposure to risks across a spectrum of the ability to control those risks. However, the operations of a firm in terms of global reach, scale, publicity and maturity can impact the potential severity of specific risks. A thorough understanding of the risks associated with the firm’s unique operations and an appropriately scaled and manageable controls-based response can help a firm navigate towards its strategic goals.

¹ Enterprise Risk Management: Integrating with Strategy and Performance - Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, June 2017

² Committee of Sponsoring Organizations of the Treadway Commission

³ Internal Control – Integrated Framework, Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, May 2013

⁴ National Institute of Standards and Technology Cyber Security Framework