The top ten risks: how to protect your practice

24 April 2024

We examine the professional risks and claims that your practice could face, and how to take action to prevent them.

Key Points

What is the issue?

Issues with clients can cause claims, loss of fees, reputational damage and loss of future income streams.

What does it mean to me?

Many tax advisers may find it difficult to review their processes to ensure that they are applying the regulatory and insurance requirements correctly and minimising risk.

What can I take away?

By identifying the true root cause, firms can improve and learn from past problems to become a better business. The saying that ‘there are no mistakes, only learning opportunities’ is never truer than in risk management.

As all members of CIOT and ATT will be aware, the duty to manage their professional risk is an increasing obligation. Professional indemnity insurers ask searching questions in the proposal forms.

Firms that have had claims made against them may have to explain what risk management measures have been taken to prevent similar issues arising in the future. This also applies to firms that have notified matters which haven’t resulted in payments but have significant reserves (insurers’ estimates of what the matter might ultimately cost them).

Facing the true cost

Members have to act in accordance with the Professional Rules and Practice Guidelines, which set out clearly the duties to be followed.

Even more concerning than the regulatory and insurance requirements, however, is the fact that many issues which could easily be avoided have the potential to seriously damage – and in extreme cases destroy – a business.

In the more than 30 years that we have been dealing with professional risks and claims, we have seen cases where businesses have folded or business owners have lost their homes as a result of failing to take the relevant preventative steps. These cases are rare, but they do exist.

In practice, however, many members may find it difficult to review their processes to ensure that they are applying the rules correctly and minimising risk so as to prevent difficulties with their professional body and with their clients.

Issues with clients can cause claims, loss of fees, reputational damage and loss of future income streams – an unhappy client is hardly likely to recommend the firm to their network. And that is on top of the problems with getting professional indemnity insurance once claims have arisen. Therefore, in addition to the cost of dealing with the actual client dispute (which can be significant), the true hidden cost of a claim can be far greater than the immediate problem at hand.

Prevention is better than cure. But too many people feel overwhelmed by the scale of the issue. All too often risk management is put on the ‘deal with later’ pile, and it never gets dealt with.

Overcoming the risks

We have considered the ten key risks to professional firms, which are outlined below, together with practical tips to manage the common issues that arise in those areas. Practitioners who work through these ten key risks will have a good grounding in managing their overall risk exposure.

1. Securing the engagement letter

One common problem is that an engagement letter isn’t issued or hasn’t been returned before work is started. Quite often, no chaser is sent out for the return of the engagement letter, as the chaser isn’t triggered until the engagement letter itself has been sent out – so if no letter is sent, the chaser isn’t created!

The result is that the whole transaction between the tax adviser and client proceeds without a formal letter in place. This means that the scope of the retainer (what the adviser has agreed to do and not do, who they are working for, etc.) isn’t clear when the work is done, resulting in ambiguity and significant risk.

This issue can be resolved by having stronger processes in place. The trigger to chase your potential client for the return of the engagement letter should be created at file opening stage, so that any failure to send out an engagement letter does not cause the process to ‘fall over’.

We also see fee creep – where the actual fee charged can be significantly in excess of the estimate given at the outset. Often, this increase happens with no prior warning to the client and almost invariably gives rise to a dispute.

Having an alert on the file to warn when fees incurred have reached, say, 75% of the estimate, gives you a chance to assess where you are on the matter. If the work is not almost complete, you can assess why not. Is it because there has been scope creep (see below)? Is it because the client is difficult (and if so, why)? Or are there internal issues with a fee earner? This alert allows you to resolve any problems before it becomes too late.

2. Drafting the engagement letter

All too often, there is ‘lazy’ drafting of the engagement letter with a lack of clarity as to who is the client and what work is going to be carried out under the terms of the retainer. This ambiguity gives rise to claims by parties not anticipated by the adviser or for work not expected by them.

Include a simple list of questions establishing at the outset who the client is, what work is and is not going to be done, for whom and why. This will overcome any risks, and enable the client to correct any wrong assumptions as to the facts and purpose of the retainer from the outset.

3. Acting outside the scope of retainer

This is a key area of risk. It occurs when an adviser is instructed to undertake a particular task for a client (and agrees a fee for doing so). However, during the course of the retainer, the client asks ‘quick questions’ and advisers find themselves undertaking a number of additional tasks that are not covered by the protections in the engagement letter and for which no fee has been agreed.

A simple solution involves including an ‘agreed further services’ clause in the engagement letter, along with a policy and process for how to do the extra work and what extra work can be done under that clause. This enables the adviser to take on extra work, and can turn a high-risk unprofitable client into a low-risk profitable one.

4. Liability caps

Liability caps exist to protect firms against excessive claims that go beyond the limit of their professional indemnity insurance. All too often, we see liability caps that are likely to fail because they are poorly worded or are poorly calculated. The relevant legislation has specific requirements, which are often overlooked.

Too many caps are set at a level that is too low and are not drawn to the client’s attention, both of which mean that they are unlikely to survive a challenge. In this case, they will be struck out, and as a result the firm’s liability is unlimited.

In order to have an effective cap, it is recommended that firms take advice and ensure that their caps are drawn to their clients’ attention, capable of negotiation and set at reasonable levels. Appropriate thought should go into setting the caps, rather than them being fixed at one level for all engagement letters irrespective of the risks.

5. Remote working

The increasing numbers of staff working away from the office can result in high levels of risk, and the issue of confidentiality in the home working environment needs to be addressed.

Confidentiality issues can often be easily resolved. Assess the home working environment of staff by asking simple questions in a questionnaire and provide appropriate support, which may include items such as privacy screens and headphones. Provide training and guidance on conducting conversations confidentially and managing paper.

Firms also need to prepare for the influx of requests for flexible working now that the law is changing. This doesn’t just mean requests to work from home, but can also mean requests for job shares, flexible hours, etc. Having clear policies in advance and planning for how such requests will be managed means that businesses can accommodate reasonable requests whilst still servicing client needs.

6. Emails and filing

Another area of risk relates to the lack of formal policies about who can send out emails containing advice without the approval of a senior team member.

Most firms, when asked, say that they have an ‘informal’ policy. That leads to risk as junior members might not be clear as to what can and cannot be sent. Issues can arise if an employee sends out emails containing incorrect advice and continues to do so. Managing that employee can be complicated if there is no formal policy in place.

Having a formal policy supports junior staff and assists in reducing risk with less compliant staff.

7. Targets for caseloads and capacity

Too often, we see fee earners with very high targets. We see that as a risk as it can lead to ‘time dumping’, which in turn can lead to fee disputes with clients. It can also mean that staff don’t take the time to go on training courses or take time off sick or do non-chargeable research, and can also impact on their mental well-being.

Working at too high a capacity can lead to errors and missed time limits, leading to claims against the firm. At a micro-level, it leads to a lower level of client service, leading to client dissatisfaction, which can lead to unmeritorious claims and client losses. By setting realistic targets and budgeting accordingly, staff will be under an appropriate level of pressure, and the firm will have realistic cashflows.

Look for the ‘leaks’ in the system. We often see areas where work has been done but the ability to recover the fees is hampered by poor processes. Instead of increasing the pressure on the fee earners to do more work, improve the systems and the recovery rates will improve – increasing the firm’s profitability with very little effort and often improving the risk profile at the same time.

8. Diary management and deadlines

One issue we see is where firms don’t have joined-up diary systems. Instead, important deadlines are managed on an individual basis. This means that if an individual is off sick, those deadlines can be overlooked. Having a team or firm-wide deadline system, with advance noting, can overcome and avoid potentially very significant problems and is a relatively simple fix.

9. Artificial intelligence risks

No discussion of current risk would be complete without mentioning artificial intelligence. Many firms say that they don’t need to consider AI because they don’t use it in their business. But do they know if their staff are using it? Do they know if any of their IT programs use AI? Have they given training to their staff on how to use AI to ensure that client confidentiality isn’t breached? Is there a firm policy – even if that policy is that AI should not be used?

Firms should consider their position in relation to AI and include an appropriate provision in their terms of business, so that clients are advised. They should have a policy so that staff know what they can and cannot do in relation to the use of internal and external AI (including relying on information provided by any AI research), and how to avoid breaching client confidentiality.

10. Managing claims and near misses

Professional negligence claims are sadly a fact of business life and ‘near misses’ will occur in most, if not all, businesses. It is important to log all claims, circumstances (issues that could give rise to a claim) and ‘near misses’ (issues that could have developed but were resolved before they got to that point). Then you must identify the ‘root cause’ and put measures in place to prevent that from happening again.

What is a root cause? All too often, we hear that a firm has sacked a maverick partner who didn’t follow the rules, and therefore believes that it has solved the problem. However, that partner wasn’t the root cause. If the firm’s processes were robust, his behaviour would have been picked up early on, so that he wouldn’t have been able to undertake the activities complained of. By identifying the true root cause, firms can improve and learn from past problems to become a better business. The saying that ‘there are no mistakes, only learning opportunities’ is never truer than in risk management.


We appreciate that many firms find the idea of dealing with these issues overwhelming. We offer free monthly risk training with our RiskBites programme, which is free to CIOT and ATT members (see

We have also developed the ‘Risk insight report’. This takes less than 90 minutes to carry out and is available to CIOT and ATT members for the discounted price of £1,480 plus VAT. It provides members with a one page risk report with recommendations on any actions required. See or email us at contact quoting ATT or CIOT for further details.
