Effective Identification and Management of Compliance Risks
Peter Scott, Peter Scott Consulting

What is risk?
- Exposure to the possibility of suffering or harm
- The chance of bad things happening
- The probability of which may or may not be measurable – Seldon & Pennance, Everyman's Dictionary of Economics
- What gets measured effectively, and as a result has a consequence, gets done

Why manage risk?
"It has got to make financial sense, but you have to see risk management as one of your strategic objectives. Business resilience is actually a competitive advantage" – Cedric Lenoire, head of FM Global's business risk consulting division ('The Times', 21 January 2013)

But it is also now mandatory for law firms. Principle 8 in the SRA Handbook requires you to "Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles".

It is now not a question of if law firms manage their risks but how they do so.

And the scope and volume of compliance now requires a different approach
For example, under OFR firms must:
- have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook
- identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook if applicable, and take steps to address issues identified
- ensure compliance with all the reporting and notification requirements in the Handbook

Scope of today's session
[Cycle diagram of three stages]
1. Identifying and assessing compliance risks
2. Developing effective control measures
3. Monitoring and reviewing the effectiveness of your risk management procedures

However there is one thing which is fundamental to the ability to manage risks ….. Knowledge

"There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know.
But there are also unknown unknowns – the ones we don't know we don't know." – Donald Rumsfeld

One of the primary purposes of knowledge management (KM) should be to help a law firm manage its risks.

Law firm risks
[Diagram of law firm risk areas; recoverable label: Operational]

Establishing and evaluating knowledge
Failure to manage knowledge is itself a risk
- What knowledge (if any) do you have about each aspect of your business?
- Where is that knowledge? Has it been captured or is it in someone's head?
- If recorded, is it under your control and can it be freely accessed?
- If in someone's head, how can you ensure that person remains with you and shares that knowledge?

Failure to manage your knowledge will involve serious risk
[Diagram linking Compliance / Risk Management with Knowledge Management]

[Cycle diagram, stage 1: Identifying and assessing compliance risks]

Some processes to identify compliance risks
A combination of:
- Pre-file-opening [online] mandatory matter-level risk management questionnaires
- Exception reporting
- 'Independent' file reviews
- Positive confirmation of compliance
- Voluntary reporting?
- Claims and complaints monitoring
- Financial measurement and reporting
- Supervision
- Gap analysis
Such processes are likely to identify the existence, the frequency, the severity and the causes of compliance failures.

Some examples of compliance risks identifiable in these ways ….
Failure to achieve SRA Principles and outcomes in relation to:
- Client inception
- Matter inception
- Doing the work
- Financial controls
- SRA Accounts Rules 2011
- Management of your firm
- Your people

SRA Code of Conduct outcomes
Use gap analysis and group brainstorming sessions to identify the gaps in your compliance:
- Are we achieving this outcome?
- If not, where are the gaps?
- Why are we not achieving this outcome?
- What will we need to do to achieve this outcome?
- What could be the consequences / impact on our firm?
- How should we prioritise our efforts to fill in the gaps?
Client inception
Do you really know your client?
Do you have procedures and controls in place for vetting and approving new (and existing) clients?
- Where did the client come from?
- Why has the client chosen your firm?
- Experience with previous lawyers?
- If a former client, your previous experience?
Can your procedures be by-passed?
Recorded levels of compliance?
Do you have a risk committee to adjudicate on such matters?

Matter inception
Do you have procedures and controls in place for vetting and approving new matters, including –
- Conflicts of interests?
- Nature of the work and your experience / skills?
- Supervision required?
- How busy are you?
- PI cover adequate?
- Engagement letters checked, sent and copy returned?
Are the above embedded into your systems to prevent being by-passed?
Recorded levels of compliance?
Do you have a risk committee to adjudicate on the above?

Doing the work
Do you have procedures and controls for ….
- Delegation / supervision based on risk rating of clients and matters?
- Key dates and time limits?
- Undertakings?
- Opinion letters?
- File management?
- File reviews?
- International work and international offices?
- Multiple use of advice / systemic loss?
- Use of third parties?
- Loss of confidential information?
- Client care?
Recorded levels of compliance?

Financial controls
What do you measure and report on?
- Quality of your financial management?
- Cash flow
- Profitability
- Budgets?
- Credit checks / money on account / frequency of billing / credit terms?
- Levels of work in progress and debtors?
- Cash flow forecasts and variance reports?
- Cash generation plans?
- Banking covenants?
- Full time recording?
- Input reports?
- Pricing?
- Write-off controls on WIP and debtors?

SRA Accounts Rules 2011
What procedures and controls do you have in place in relation to –
- Your accounts department's ability to identify risks to client money?
- Authority limits?
- Using client account to provide banking facilities?
- Interest on client money?
- Residual client account balances / file closing procedures?
- Do you have a breaches register?
- Awareness by your lawyers of the Accounts Rules? / training?
- Does your COFA have a working knowledge of the Accounts Rules?

Management of your firm
Do you have a tested and sufficiently resourced management structure to deal with –
- Finance?
- Risk and compliance?
- KM?
- AML / fraud?
- Client care / quality standards?
- Reputation?
- Outsourcing?
- Business planning and continuity?
- People?
How do you document your management of the above risks?

People
Do you have:
- Professional HR management?
- Training on all compliance and other risk procedures?
- Development and learning policies?
- Appropriate appraisal systems?
- Procedures to manage regulatory risk issues?
- A whistleblowing policy?
How do you document your management of the above?

Analysis and assessment of risks
[Process diagram with the following elements]
- Set criteria for assessing compliance and risks
- Identify detailed risks
- Identify high level risks of non-compliance
- Assess severity of detailed risks
- Assess severity of high-level risks
- Compliance and risk map
- Compliance and risk summary

Set criteria – for example, financial stability
- "Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles" – Principle 8
- "Maintain systems and controls for monitoring your financial stability …. and taking steps to address issues identified" – outcome (7.4)

Analysis of your risks against achievement of those financial stability criteria?
High level risks
- Quality of your financial management?
- Lack of financial awareness by your people?
- Willingness of your partners to be managed?
Detailed risks
- Procedures for credit checking clients and taking money on account?
- Controlling levels of work in progress and debtors?
- Cash flow forecasts and variance reports?
- Budgets?
- Fully recording matter related time?
- Control of pricing and writing off recorded time?
Risk mapping
[Risk map: IMPACT (Low to High) on the vertical axis against INCIDENCE (Low to High) on the horizontal axis]

                                    INCIDENCE
IMPACT        Low                            High
High          High impact / low incidence    High impact / high incidence
Low           Low impact / low incidence     Low impact / high incidence

[Cycle diagram, stage 2: Developing effective control measures]

Developing effective control measures for compliance risk mitigation
Designed to:
- Ensure effective compliance
- Avoid / reduce non-compliance
- Avoid / reduce incidence of risks
- Transfer some risks

[Process diagram with the following elements]
- Risk map
- Risk summary
- Residual risk summary
- Consider impact / probability correlation
- Consider available mitigation techniques
- Contingency plan requirements
- Insurance requirements summary
- Required controls summary

[Cycle diagram, stage 3: Monitoring and reviewing the effectiveness of your risk management procedures]

Compliance risk monitoring involves…
- Auditing, tracking and reporting
- Comparing actual outcomes to pre-set indicators
- Confirming effectiveness of your risk controls
- Reporting compliance and exceptions
- Establishing [annual / periodical] compliance risk management reports

[Process diagram with the following elements]
- Required controls summary
- Contingency plan requirements
- Insurance requirements summary
- Set risk indicators and methods to monitor them
- Annual Risk Report

On-going monitoring and reviewing compliance risks
A combination of:
- Pre-file-opening mandatory matter-level risk management questionnaires
- Exception reporting
- 'Independent' file reviews
- Positive confirmation of compliance
- Voluntary reporting?
- Claims and complaints monitoring
- Financial measurement and reporting
- Accounts Rules breaches register
- Supervision
- Use of IT systems?

Effective use of IT systems for compliance risk management?
Use an integrated risk management system to cost effectively manage compliance and other risk areas by:
- creating and maintaining one central, up-to-date compliance and risk database
- providing information access to all who need it in relation to exposure to risk
- embedding compliance and risk management procedures – e.g. client inception procedures
- streamlining identification, assessment, mitigation and monitoring of compliance and other risks

Risk limitation involves
- Risk crystallisation scenarios
- Contingency plans
- Limitation procedures
- Post-event assessment

Advantages of a formal compliance risk management process?
- Structured approach focuses on key compliance and other risk areas
- Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes
- Continuous monitoring ensures management of compliance and risk is "lived" day to day
- Universal application to all compliance and risk areas
- Comfort / assurance to PI insurers [and SRA?]

Your challenge ....
is not merely to ensure your firm is compliant but … to be able to DEMONSTRATE to the SRA that your firm and everyone in the firm is compliant on an on-going basis.

"If you cannot demonstrate compliance we may take regulatory action" – SRA, OFR at a glance