Getting Started with Your Risk Assessment Journey under SQMS 1

As the December 15, 2025 “go-live” date for SQMS 1 approaches, many firms—especially smaller practices - are now focusing on one of the most foundational components of the new standard: the risk assessment process.

SQMS 1 requires firms to design and operate a system of quality management that’s proactive, risk-based, and tailored to the nature and circumstances of the firm. The risk assessment is where that system truly begins.

Build Your Risk Assessment Journey

Start by structuring a risk assessment journey that sets out how you’ll identify, assess, and respond to risks that threaten achievement of your firm’s quality objectives. This journey doesn’t need to be complex - but it is needed to ensure that you clearly identify and document all areas of your risk assessment based on your firm’s size and structure.

Key early steps include:

• Establish your quality risk assessment team – This doesn’t have to be a large group - in a smaller firm, it might just be one or two partners plus a manager - but they should clearly understand your firm, have an ability to draft risks and normally should include the operational responsible individual.

• Understand your business – Consider your firm’s size, service lines, clients, and geographic reach – talk to the people who lead the service lines, geographic regions etc. A key output here must be the common understanding and definition of – What does Quality mean to our Firm.

• Understand your processes – How do you deliver services? Who is responsible for what areas? – Meet with firm leaders and conduct interviews to better understand these questions not forgetting the other key stakeholders like HR, IT, Operations etc.

• Identify conditions and events – What internal or external factors could adversely impact achievement of the quality objectives? – What degree do these factors impact quality objectives – like the impact of the size of your firm around the level of detailed contained in document policies.

• Hold a risk-brainstorming session – Bring together the team to discuss where things might go wrong in achieving quality – What are the risks? What could go wrong? What do we do to stop if from happening? Remember just because it hasn’t happened yet, doesn’t mean it never will and it is not a risk

• Assess quality risks – We have our risks, now we need to evaluate the likelihood and potential impact to confirm if they are quality risks. Remember documenting why something is a quality risk and something is not a quality risk is equally important, so consider the consistency of your assessment (use a ranking system).

• Develop responses – Link your existing responses:

  • Consider, what do I have in place now?

  • Do they address the risk in question – fully, partially, not at all?

• Develop your gap analysis – See what:

  • Is missing – 1) Potentially document informal practices. 2) Document where nothing exists today.

  • Needs more work – 1) Is incomplete. 2) Needs to updated to reflect how it actually works today vs. when it was drafted.

Bringing It All Together

Your risk assessment isn’t a one-off exercise - it’s the engine that drives your firm’s system of quality management. Start with what you know, document your thinking, and build out iteratively.

Remember, SQMS 1 is principle-based: it asks you to think about quality risks, not just to tick boxes. By focusing on the components of the standard and how they impact your firm you’ll set a strong foundation for compliance and, more importantly, for consistently high-quality work.