How to put in place a compliance plan (Peter Scott, Peter Scott Consulting)


How to put in place a compliance plan

Peter Scott
Peter Scott Consulting
www.peterscottconsult.co.uk


The scope of this session

• why all firms are going to need a compliance plan for the purposes of outcomes focused regulation;

• compliance procedures which will need to be covered by a compliance plan; and

• how a plan will need to be managed with a view to a firm not only being compliant but also being able to demonstrate compliance.


Why do you need a compliance plan?

Rule 8.2 of the Authorisation Rules provides:

An authorised body (i.e. a law firm) must at all times have suitable arrangements in place to ensure that:

1. the [firm], its managers and employees, comply with the SRA's regulatory arrangements as they apply to them, as required under section 176 of the LSA and Rule 8.1 above; and

2. the [firm] and its managers and employees, who are authorised persons, maintain the professional principles.


1. The [firm], its managers and employees, comply with the SRA's regulatory arrangements as they apply to them, as required under section 176 of the LSA and Rule 8.1 above

This will include all Principles, rules, outcomes and other requirements of the SRA Handbook


For example, under Chapter 7 of the SRA Code the Outcomes provide that firms must, inter alia:

- have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook

- identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook if applicable and take steps to address issues identified

Do you already have appropriate systems and controls in place to comply?


The Principles

• Uphold the rule of law and proper administration of justice

• Act with integrity

• Do not allow your independence to be compromised

• Act in the best interests of each client

• Provide a proper standard of service to clients


The Principles continued

• Behave in a way that maintains the trust the public places in you and in the provision of legal services

• Comply with your legal and regulatory obligations and deal with your regulators and ombudsmen in an open, timely and co-operative manner

• Run your business and carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles

• Run or carry out your role in the business in a way that encourages equality of opportunity and respect for diversity.

• Protect client money and assets


The outcomes in the Code cover these areas ...

• Client care
• Equality and diversity
• Conflict of interests
• Your client and the court
• Your client and introductions to third parties
• Management of your business
• Publicity
• Fee sharing and referrals
• You and your regulator
• Relations with third parties
• Separate businesses


The Guidance Notes to Rule 8 of the Authorisation Rules say a compliance plan should include .....

• clearly defined governance arrangements providing a transparent framework for responsibilities within the firm

• appropriate accounting procedures

• a system for ensuring that only the appropriate people authorise payments from client account

• a system for ensuring that undertakings are given only when intended, and compliance with them is monitored and enforced


Rule 8 Guidance notes continued

• appropriate checks on new staff or contractors

• a system for ensuring that basic regulatory deadlines are not missed, e.g. submission of the firm's accountant's report, arranging indemnity cover, renewal of practising certificates and registrations, renewal of all lawyers' licences to practise and provision of regulatory information

• a system for monitoring, reviewing and managing risks

• ensuring that issues of conduct are given appropriate weight in decisions the firm takes, whether on client matters or firm-based issues such as funding


Rule 8 Guidance Notes continued ....

• file reviews

• appropriate systems for supporting the development and training of staff

• obtaining the necessary approvals of managers, owners and COLP/COFA

• arrangements to ensure that any duties to clients and others are fully met even when staff are absent.


2. The [firm] and its managers and employees, who are authorised persons, maintain the professional principles.

• that authorised persons should act with independence and integrity,

• that authorised persons should maintain proper standards of work,

• that authorised persons should act in the best interests of their clients,

• that persons who exercise before any court a right of audience, or conduct litigation in relation to proceedings in any court, by virtue of being authorised persons should comply with their duty to the court to act with independence in the interests of justice, and

• that the affairs of clients should be kept confidential


Where to start?

• Which areas will need to be covered?
• Which areas should be given priority?

Begin by looking at your current procedures to see if they are:

- adequate?
- Need upgrading?
- Adding to?


Client care

For example:

• Procedures for accepting / terminating instructions
• File opening
• Complaints handling / records
• Dealing with clients’ matters
• Fee arrangements with clients
• Engagement letters
• Costs information
• Financial benefits


Equality and diversity

For example:

• Written policies
• Recruitment and interview procedures
• Promotion and development criteria
• Staff training records
• Workplace diversity monitoring
• References

Do your people know where to find your policies and know what they say?


Conflict of interests

For example:

• Systems and controls to identify conflicts
• Governance procedures to manage issues relating to conflict
• Policies for different areas of work
• Policies on use of information barriers
• Register of partners’ interests


Confidentiality and disclosure

For example:

• Systems and controls to protect client confidential information
• Policies on use of information barriers
• Registers of outsourcing arrangements and confidentiality agreements


Introductions to third parties

For example:

• Policies and procedures to be followed when referring clients to third parties
• Register of financial arrangements with third parties
• Systems and controls to ensure clients are fully informed about financial arrangements


Management and governance

For example:

• Documentation as to governance and reporting lines
• Training and communication to all appropriate personnel in respect of policies
• Systems and controls relating to compliance, including monitoring, reporting and remedial action and the maintenance of financial stability
• regular review of procedures
• supervision arrangements
• file reviews
• outsourcing contractual arrangements
• undertakings policies
• management of regulatory deadlines, including practising certificates


Publicity

For example:

• systems and controls to ensure all information in publicity and stationery is accurate and not misleading

• protocols with external marketing advisers


Some other areas

For example:

• business continuity plan
• business plan for each part of the firm
• library register
• procedures for risk assessments, audits and remedial procedures
• training records
• data protection
• file closure / file storage / archiving
• deeds storage
• anti-money laundering


Some other areas continued ....

• record of claims and notifications to insurers
• health and safety policies
• intranet policies
• email and internet policies
• Bribery Act
• Checks on new staff and contractors
• office procedures not covered by the above

And of course, last but not least, governance procedures in relation to the COLP and COFA and how they will be supported in carrying out their roles.


Planning how to put in place a compliance plan


Your challenge

It will not be sufficient just to be compliant

“If you cannot demonstrate compliance we may take regulatory action”

SRA - OFR at a glance


1. Buy-in from everyone in your firm will be necessary

• Needs to be management driven, with top level buy-in

• Zero tolerance is required

• Managing compliance risk needs to be seen as ‘everyone’s job’ – a mind set change is needed

• Need a ‘no blame’ culture to encourage disclosure

• Above all – identify your ‘big gorillas’ and deal with them

Otherwise everyone is at risk


“Heavyweight gorilla”

“You can’t manage me.

I’m a big biller!”


“That’s a great idea …for the rest of you!”


Use education and training to obtain buy-in

Put in place a programme of education and training for all your people so they understand that everyone without exception needs to follow procedures

Otherwise everyone is at risk


2. Establish the resources you will need to put in place a compliance plan

For example:

• Internal or external?
• Part time partners or professionals?
• Paper records or use of IT?
• If IT is used - bespoke or ‘off the peg’ systems?
• Do you have a budget?


You will need a team to help you put together your compliance plan

Build a team around you to deal with this

- Assign responsibilities
- Establish lines of accountability

Together Each Achieves More


Planning your resources

Carry out a cost / benefit analysis to establish the most resource effective method for you to put in place and then manage your compliance plan


Constructing a compliance plan

• DIAGNOSIS: Identification and assessment
• MITIGATION: Control, transfer and avoidance
• MONITORING: Auditing, tracking and reporting
• LIMITATION (when a risk crystallises): Minimising the effect of crystallised risks


A systematic approach is required

• Put in place a formal compliance risk management process to identify and manage every area of compliance risk for the SRA Handbook and Code

• Establish a comprehensive database covering all compliance risk areas

• Standards such as Lexel and ISO 9000 are likely to help

• Use of IT systems?


Identifying and assessing your compliance risks

Do you know your compliance risks?

• What are your compliance risks?

• Where does the knowledge of your compliance risk reside?

• Can you access it?

• Do you have systems to monitor, review and upgrade your knowledge?


Failure to manage your knowledge will involve serious risk

Compliance / Risk Management

Knowledge Management


Law firm risks

• People
• Operational
• Regulatory
• IT
• Competition / business
• Economic, political, fiscal
• Financial
• Asset
• Reputational
• Management


Compliance Risk Mapping

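[Figure: two-by-two risk map, with IMPACT (Low to High) on the vertical axis and INCIDENCE (Low to High) on the horizontal axis. Quadrants:]

• High impact / low incidence
• High impact / high incidence
• Low impact / low incidence
• Low impact / high incidence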


Some key factors in identifying and assessing risks

• Areas of law practised
• Claims record
• Number and location of offices
• Fee income / size of firm
• Commitment to best practice
• Knowledge management
• Are risk management procedures already in place?
• Supervision levels


Some examples of compliance risks

• Lack of management commitment to best practice and compliance risk management
• Lack of knowledge by management
• Lack of supervision
• High risk work
• Lack of client vetting / fraud
• Lack of client care / matter care
• Lack of resource capability
• Lack of knowledge / expertise / experience
• Precedents / multiple use of advice
• International work / overseas offices
• Mergers


Assessment of compliance risks

Consider the impact of, inter alia:

• Disciplinary action

• Bad publicity and loss of reputation

• Lost clients

• Complaints and claims

• Increased P.I. premiums


Using ‘brainstorming’ as a method of identifying and assessing compliance risks

‘Top down – bottom up’ brainstorming sessions in each group in your firm to:

- identify every compliance risk area
- are we achieving every Outcome under the new Code?
- are we compliant in every area?
- do we have gaps?
- what will be required to fully comply?
- to what standards should we comply?
- how should we prioritise our efforts?


Risk Diagnosis

Assess severity of high-level risks

Identify high level risks

Set criteria for assessing risks

Identify detailed risks

Assess severity of detailed risks

Risk map

Risk summary


Mitigating compliance risks


Compliance risk Mitigation

Designed to:-

• Ensure effective compliance

• Avoid / reduce non compliance

• Avoid / reduce incidence of risks

• Transfer some risks


Risk mitigation

[Diagram boxes:]

• Risk map
• Risk summary
• Consider impact / probability correlation
• Required controls summary
• Insurance requirements summary
• Contingency plan requirements
• Residual risk summary
• Consider available mitigation techniques


Monitoring compliance risks


Compliance risk monitoring involves…

• Auditing, tracking and reporting

• Comparing actual outcomes to pre-set indicators

• Confirming effectiveness of your risk responses

• Reporting compliance and exceptions

• Establishing [annual / periodical] compliance risk management reports

NB – COLP and COFA reporting obligations to SRA


Risk monitoring

[Diagram boxes:]

• Required controls summary
• Contingency plan requirements
• Insurance requirements summary
• Set risk indicators and methods to monitor them
• Annual Risk Management Report


Limitation of compliance risks


Risk limitation involves

• Risk crystallisation scenarios
• Contingency plans
• Limitation procedures
• Post event assessment

NB – COLP and COFA reporting obligations to SRA


Advantages of a formal compliance and risk management process for the new SRA Code?

• Structured approach focuses on key compliance risk areas

• Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes

• Continuous monitoring ensures management of compliance and risk is “lived” day to day

• Universal application to all compliance and risk areas

• Comfort / assurance to PI insurers [and SRA?]


Use of IT systems for compliance and risk management?

Use an integrated compliance risk management system to cost effectively manage compliance risk areas by:

– creating and maintaining one central, up to date compliance and risk database

– providing information access to all who need it in relation to exposure to risk

– embedding compliance and risk management procedures – e.g. client inception procedures

– streamlining identification, assessment, mitigation and monitoring of compliance risks


Some areas of particular FOCUS in relation to managing compliance risks

• Top level buy-in – management must not only drive compliance but also live it

• Zero tolerance – just do it!

• Training and education programmes to build awareness and change mind sets

• Continuous and systematic monitoring and reporting


Above all, you will need to continuously challenge and stress test the effectiveness of your compliance procedures

“We should always be able to do better”


Any questions?