How to be an effective COLP
Peter Scott Consulting
www.peterscottconsult.co.uk

Why manage compliance risks?
“The pursuit of excellence, with the aim of doing things better for the clients” – Director of Risk of a ‘top ten’ UK law firm
Compliance needs to be ‘lived’ on a daily basis by everyone and there can be no exceptions to following procedures. Otherwise everyone is at risk.

Your challenges as the COLP
1. Understanding your role and responsibilities as the COLP
2. Planning how you will fulfil your role as the COLP
3. Securing ‘buy-in’ and ‘accountability’ from everyone in your firm
4. Identifying and assessing your firm’s compliance risks
5. Implementing and managing your ‘compliance plan’ - in order to be able to DEMONSTRATE to the SRA that your firm is compliant

1. Understanding your role and responsibilities as the COLP
• The scope of your role
• The potential consequences if you do not carry out your role effectively:
  - for you
  - your firm
  - everyone in your firm

The scope of your role as COLP under Rule 8 of the SRA Authorisation Rules is extensive and very wide.

8.5.(c) SRA Authorisation Rules
(i) Take all reasonable steps to:
(A) ensure compliance with the terms and conditions of the authorised body’s authorisation except any obligations under the SRA Accounts Rules;
(B) ensure compliance with any statutory obligations of the body, its managers, employees or interest holders in relation to the body’s carrying on of authorised activities;
(C) record any failure so to comply and make such records available to the SRA on request.

For example, Chapter 7 of the SRA Code includes the following outcomes:
- you have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook
- you identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook if applicable and take steps to address issues identified
Are you achieving these outcomes?

8.5.(c) SRA Authorisation Rules (continued)
(ii) As soon as reasonably practicable, report to the SRA any failure so to comply provided that:
(A) in the case of non-material failures, these shall be taken to have been reported as soon as reasonably practicable if they are reported to the SRA together with such other information as the SRA may require in accordance with Rule 8.7(a); and
(B) a failure may be material either taken on its own or as part of a pattern of failures so to comply.

What is a ‘material’ failure to comply?
Guidance Notes to Rule 8 provide:
(x) In considering whether a failure is “material” and therefore reportable, the COLP or COFA, as appropriate, will need to take account of various factors, such as:
• the detriment, or risk of detriment, to clients
• the extent of any risk of loss of confidence in the firm or in the provision of legal services
• the scale of the issue
• the overall impact on the firm, its clients and third parties.
In addition, the COLP/COFA will need to keep appropriate records of failures in compliance to:
• monitor overall compliance with obligations
• assess the effectiveness of the firm’s systems
• be able to comply with the duty to report breaches which are material because they form a pattern.
For example, Chapter 10 of the SRA Code includes the following:
• Outcome O(10.1) - you ensure that you comply with all the reporting and notification requirements in the Handbook that apply to you;
• Indicative behaviour IB(10.1) - actively monitoring your achievement of the outcomes in order to improve standards and identify non-achievement of the outcomes may tend to show that you have achieved these outcomes and therefore complied with the Principles.
NB - 8.5.(c) SRA Authorisation Rules: (ii) As soon as reasonably practicable, report to the SRA any failure so to comply.

Consider the impact of:
• Disciplinary action
• Bad publicity and loss of reputation
• Lost clients
• Complaints and claims
• Increased P.I. premiums

2. Planning how to fulfil your role as the COLP
• What are your compliance risks?
• Where does the knowledge of your compliance risks reside?
• Can you access that knowledge?
• Do you have systems to monitor, review and upgrade your knowledge of your compliance risks?
• Do you have the resources to effectively carry out your role?
Carry out a cost/benefit analysis to establish the most resource-effective method for you to manage your role as COLP for your firm to be compliant. For example:
• Internal or external?
• Part-time partners or professionals?
• Paper records or use of IT?

3. Securing internal buy-in as a condition of your agreement to carry out the role of COLP
• Needs to be management driven, with top-level buy-in
• Zero tolerance is required – just do it!
• Managing compliance risk needs to be seen as ‘everyone’s job’ – a mindset change is needed
• Need a ‘no blame’ culture to encourage disclosure
• Above all – identify your ‘big gorillas’ and deal with them, otherwise everyone is at risk
“That’s a great idea … for the rest of you!”
“Heavyweight gorilla”
“You can’t manage me. I’m a big biller!”

Accountability
“We have no room for those who put their own personal agenda ahead of the interests of the clients or the office” – David Maister’s “Predictive package”
An ‘accountability undertaking’ may be required from partners. Your role as the COLP will only be capable of being effectively carried out by you if your partners (other owners) accept that they must be ‘accountable’ by, for example, undertaking to support and comply with in the fullest possible way:
• The implementation of all regulatory compliance procedures agreed by our firm;
• Those mandated with the onerous task of managing regulatory compliance within the firm; and
• Every other partner and individual in the firm as each endeavours to fulfil their respective roles in the firm in order to ensure full and complete regulatory compliance.

4. Identifying and assessing your compliance risks
Use ‘top down – bottom up’ brainstorming sessions in each group in your firm as a method of identifying and assessing compliance risks - to identify every compliance risk area:
- are we achieving every Outcome under the new Code?
- are we compliant in every area?
- do we have gaps?
- what will be required to fully comply?
- to what standards should we comply?
- how should we prioritise our efforts?

Some examples of compliance risks
• Lack of management commitment to best practice and compliance risk management
• Lack of knowledge by management
• Lack of supervision
• High risk work
• Lack of client vetting / fraud
• Lack of client care / matter care
• Lack of resource capability
• Lack of knowledge / expertise / experience
• Precedents / multiple use of advice
• International work / overseas offices
• Mergers

Compliance Risk Mapping
[Figure: a 2x2 risk map with Impact (low to high) on the vertical axis and Incidence (low to high) on the horizontal axis, dividing compliance risks into four quadrants: high impact / low incidence, high impact / high incidence, low impact / low incidence, low impact / high incidence.]

5. Managing your ‘compliance plan’
A systematic approach is required:
• Put in place a formal compliance risk management process to identify and manage every area of compliance risk for the SRA Handbook and Code
• Establish a comprehensive database covering all compliance risk areas
• Standards such as Lexcel and ISO 9000 are likely to help

Advantages of a formal compliance risk management process for the new SRA Code?
• A structured approach focuses on key compliance risk areas
• Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes
• Continuous monitoring ensures management of compliance and risk is “lived” day to day
• Universal application to all compliance and risk areas
• Comfort / assurance to PI insurers [and SRA?]

Use of IT systems for compliance risk management?
Use an integrated compliance risk management system to cost-effectively manage compliance risk areas by:
– creating and maintaining one central, up-to-date compliance and risk database
– providing information access to all who need it in relation to exposure to risk
– embedding compliance and risk management procedures – e.g. client inception procedures
– streamlining identification, assessment, mitigation and monitoring of compliance risks

Above all, as a COLP you will need to continuously challenge the effectiveness of your compliance management.

Any questions?