Effective identification and management of compliance risks

Effective Identification and Management of Compliance Risks
Peter Scott, Peter Scott Consulting
What is risk?

- Exposure to the possibility of suffering or harm
- The chance of bad things happening
- “The probability of which may or may not be measurable” (Seldon & Pennance, Everyman’s Dictionary of Economics)

What gets measured effectively, and as a result has a consequence, gets done.
Why manage risk?

“It has got to make financial sense, but you have to see risk management as one of your strategic objectives. Business resilience is actually a competitive advantage”
– Cedric Lenoire, head of FM Global’s business risk consulting division (‘The Times’, 21 January 2013)

But it is also now mandatory for law firms. Principle 8 in the SRA Handbook requires you to “Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles”.

It is now not a question of if law firms manage their risks but how they do so.
And the scope and volume of compliance now require a different approach

For example, under OFR firms must:

- have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook
- identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook if applicable, and take steps to address issues identified
- ensure compliance with all the reporting and notification requirements in the Handbook
Scope of today’s session

1. Identifying and assessing compliance risks
2. Developing effective control measures
3. Monitoring and reviewing the effectiveness of your risk management procedures
However, there is one thing which is fundamental to the ability to manage risks: knowledge.

“There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know.”
– Donald Rumsfeld

One of the primary purposes of knowledge management (KM) should be to help a law firm manage its risks.
Law firm risks (diagram): operational risks; establishing and evaluating knowledge
Failure to manage knowledge is itself a risk

- What knowledge (if any) do you have about each aspect of your business?
- Where is that knowledge?
- Has it been captured, or is it in someone’s head?
- If recorded, is it under your control and can it be freely accessed?
- If in someone’s head, how can you ensure that person remains with you and shares that knowledge?
Failure to manage your knowledge will involve serious risk

(diagram: Compliance / Risk Management linked with Knowledge Management)

1. Identifying and assessing compliance risks
Some processes to identify compliance risks

A combination of:

- Pre-file-opening [online] mandatory matter-level risk management questionnaires
- Exception reporting
- ‘Independent’ file reviews
- Positive confirmation of compliance
- Voluntary reporting?
- Claims and complaints monitoring
- Financial measurement and reporting
- Supervision
- Gap analysis

Such processes are likely to identify the existence, the frequency, the severity and the causes of compliance failures.
Some examples of compliance risks identifiable in these ways ….

- Failure to achieve SRA Principles and outcomes
- Client inception
- Matter inception
- Doing the work
- Financial controls
- SRA Accounts Rules 2011
- Management of your firm
- Your people
SRA Code of Conduct outcomes

Use gap analysis and group brainstorming sessions to identify the gaps in your compliance:

- Are we achieving this outcome?
- If not, where are the gaps?
- Why are we not achieving this outcome?
- What will we need to do to achieve this outcome?
- What could be the consequences / impact on our firm?
- How should we prioritise our efforts to fill in the gaps?
Client inception

- Do you really know your client?
- Do you have procedures and controls in place for vetting and approving new (and existing) clients?
  - Where did the client come from?
  - Why has the client chosen your firm?
  - Experience with previous lawyers?
  - If a former client, your previous experience?
- Can your procedures be bypassed?
- Recorded levels of compliance?
- Do you have a risk committee to adjudicate on such matters?
Matter inception

- Do you have procedures and controls in place for vetting and approving new matters, including –
  - Conflicts of interest?
  - Nature of the work and your experience / skills?
  - Supervision required?
  - How busy are you?
  - PI cover adequate?
  - Engagement letters checked, sent and copy returned?
- Are the above embedded into your systems to prevent them being bypassed?
- Recorded levels of compliance?
- Do you have a risk committee to adjudicate on the above?
Doing the work

Do you have procedures and controls for ….

- Delegation / supervision based on risk rating of clients and matters?
- Key dates and time limits?
- Undertakings?
- Opinion letters?
- File management?
- File reviews?
- International work and international offices?
- Multiple use of advice / systemic loss?
- Use of third parties?
- Loss of confidential information?
- Client care?
- Recorded levels of compliance?
Financial controls

What do you measure and report on? The quality of your financial management? Cash flow? Profitability?

- Budgets?
- Credit checks / money on account / frequency of billing / credit terms?
- Levels of work in progress and debtors?
- Cash flow forecasts and variance reports?
- Cash generation plans?
- Banking covenants?
- Full time recording?
- Input reports?
- Pricing?
- Write-off controls on WIP and debtors?
SRA Accounts Rules 2011

What procedures and controls do you have in place in relation to –

- Your accounts department’s ability to identify risks to client money?
- Authority limits?
- Using client account to provide banking facilities?
- Interest on client money?
- Residual client account balances / file closing procedures?
- Do you have a breaches register?
- Awareness by your lawyers of the Accounts Rules / training?
- Does your COFA have a working knowledge of the Accounts Rules?
Management of your firm

Do you have a tested and sufficiently resourced management structure to deal with –

- Finance?
- Risk and compliance?
- KM?
- AML / fraud?
- Client care / quality standards?
- Reputation?
- Outsourcing?
- Business planning and continuity?
- People?

How do you document your management of the above risks?
People

Do you have

- Professional HR management?
- Training on all compliance and other risk procedures?
- Development and learning policies?
- Appropriate appraisal systems?
- Procedures to manage regulatory risk issues?
- A whistleblowing policy?

How do you document your management of the above?
Analysis and assessment of risks (process diagram)

- Set criteria for assessing compliance and risks
- Identify high level risks of non-compliance
- Assess severity of high-level risks
- Identify detailed risks
- Assess severity of detailed risks
- Compliance and risk map
- Compliance and risk summary
Set criteria – for example, financial stability

- Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles – Principle 8
- Maintain systems and controls for monitoring your financial stability …. and taking steps to address issues identified – outcome (7.4)
Analysis of your risks against achievement of those financial stability criteria?

High level risks
- Quality of your financial management?
- Lack of financial awareness by your people?
- Willingness of your partners to be managed?

Detailed risks
- Procedures for credit checking clients and taking money on account?
- Controlling levels of work in progress and debtors?
- Cash flow forecasts and variance reports?
- Budgets?
- Fully recording matter related time?
- Control of pricing and writing off recorded time?
Risk mapping (matrix of IMPACT, low to high, against INCIDENCE, low to high)

- High impact / low incidence
- High impact / high incidence
- Low impact / low incidence
- Low impact / high incidence
2. Developing effective control measures
Developing effective control measures for compliance risk mitigation

Designed to:

- Ensure effective compliance
- Avoid / reduce non-compliance
- Avoid / reduce incidence of risks
- Transfer some risks

(process diagram)
- Risk map
- Risk summary
- Consider impact/probability correlation
- Consider available mitigation techniques
- Residual risk summary
- Required controls summary
- Contingency plan requirements
- Insurance requirements summary
3. Monitoring and reviewing the effectiveness of your risk management procedures
Compliance risk monitoring involves…

- Auditing, tracking and reporting
- Comparing actual outcomes to pre-set indicators
- Confirming effectiveness of your risk controls
- Reporting compliance and exceptions
- Establishing [annual / periodical] compliance risk management reports

(process diagram)
- Required controls summary
- Contingency plan requirements
- Insurance requirements summary
- Set risk indicators and methods to monitor them
- Annual Risk Report
On-going monitoring and reviewing compliance risks

A combination of:

- Pre-file-opening mandatory matter-level risk management questionnaires
- Exception reporting
- ‘Independent’ file reviews
- Positive confirmation of compliance
- Voluntary reporting?
- Claims and complaints monitoring
- Financial measurement and reporting
- Accounts Rules breaches register
- Supervision
- Use of IT systems?
Effective use of IT systems for compliance risk management?

Use an integrated risk management system to cost-effectively manage compliance and other risk areas by:

- creating and maintaining one central, up-to-date compliance and risk database
- providing information access to all who need it in relation to exposure to risk
- embedding compliance and risk management procedures – e.g. client inception procedures
- streamlining identification, assessment, mitigation and monitoring of compliance and other risks
Risk limitation involves

- Risk crystallisation scenarios
- Contingency plans
- Limitation procedures
- Post-event assessment
Advantages of a formal compliance risk management process?

- Structured approach focuses on key compliance and other risk areas
- Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes
- Continuous monitoring ensures management of compliance and risk is “lived” day to day
- Universal application to all compliance and risk areas
- Comfort / assurance to PI insurers [and SRA?]
Your challenge ....

is not merely to ensure your firm is compliant but … to be able to DEMONSTRATE to the SRA that your firm and everyone in the firm is compliant on an on-going basis.

“If you cannot demonstrate compliance we may take regulatory action”
– SRA, OFR at a glance