Jean-Yves Gilg

Editor, Solicitors Journal

Compliance toolkit: How to ensure compliance with outcomes-focused regulation

UK firms are at risk of overcorrecting their systems to comply with outcomes-focused regulation, says Jane Jarman of Nottingham Law School

There has been a sense of a ‘phony war’ regarding outcomes-focused regulation (OFR). This has been fuelled by issues around practising certificates and the MySRA website glitch, uncertainty about the content and form of the annual information report and the fact that the emergence of alternative business structures has been more of a drip-feed than an explosion.

However, despite the Solicitors Regulation Authority’s (SRA’s) recent announcement that the date for the nomination of compliance officers is to be deferred, it has also indicated that it intends to process all applications by October 2012. So, this issue cannot be ignored for much longer.

In the six months since the inception of OFR, some general areas of concern have gradually emerged regarding:

  • the potential for the imposition of huge fines running to six and seven figures, both for the entity and, most importantly, for the individual compliance officer;

  • the cost of compliance;

  • the lack of detail in OFR, which has made many firms feel vulnerable without the clear lines of a more ‘traditional’ code of conduct; and

  • the entire framework and language of OFR being predicated on an understanding of risk. While issues of description, analysis, monitoring and control are bread-and-butter concepts to risk professionals, they are relatively new to many in the legal profession.

As a result, firms have been drafting often over-elaborate compliance plans and mechanisms in an attempt to avoid regulatory sanction. Many neophyte compliance officers are now struggling with some alien concepts as they try to compile risk registers.

The end result is that, to some, appointment as a compliance officer can appear to be the most toxic of poisoned chalices. It is, however, a manageable appointment if the idea of risk is unpacked and some simple tools are used to get the conversation underway in the firm to create a risk-aware culture.

Compliance theory

There is a ‘lawyers are from Mars, regulators are from Venus’ feeling at present. Some in the profession simply do not believe that OFR will work in the way suggested by the SRA and that the regulator will retain what has been a traditional ‘rule breach then sanction’ approach. Brief consideration of the SRA’s Code of Conduct 2011 alone does seem to leave the profession vulnerable to attack.

OFR constitutes a big change in regulatory theory and ethos for the SRA. As the SRA states in the short guide accompanying the new handbook, there will be greater flexibility “which will require greater judgement on your part”. The lack of prescription is said to foster senior management buy-in and a focus on achieving the right outcomes for clients, rather than merely avoiding regulatory sanction.

However, lawyers are comfortable with rules; the profession is trained to interpret them. The lack of traditional clarity has fostered a more conservative approach, creating an impetus to over-correct to ensure compliance.

This is especially true for medium-sized firms: larger firms often have an army of staff to deal with compliance, while smaller firms tend to do work that constitutes a lower regulatory risk. It is the medium-sized firms that will feel the greatest impetus for change and the greatest pressure at present.

As a result, some of the compliance mechanisms may have become over-elaborate, as there has been a surge of activity to eliminate all risks and show audit trails for every procedure. But, if the compliance mechanisms are too elaborate, they will result in non-compliance by those working in the firm, thus creating a problem that was not there in the first place.

Any system must be clear and simple to comply with – it is possible that you are using it already. The main issue is often one of “evidence capture”, rather than a complete change of approach.

The language of risk

The language of OFR is sodden with risk theory. It is easy for the eye to glide over it as general ‘business speak’.

For instance, principle 8 requires you to “run your business effectively and in accordance with proper governance and sound financial and risk management principles”. Following that principle through, chapter 7 (management of your business) sets out ten specific outcomes that must be achieved, such as “effective governance structures”, “effective systems and controls” and an ability to “identify, monitor and manage risks to comply with all of the principles and outcomes… and take steps to address the issues identified”.

Furthermore, if there is a breach and enforcement action is taken, the risk element is to the fore. In rule 3(a) of the SRA’s disciplinary procedures rules, the receipt of a written rebuke or other sanction will consider issues such as whether the act complained of was “deliberate or reckless” or “was related to a failure or refusal to ascertain, recognise or comply with the regulated person’s professional or regulatory obligations” and that it “persisted after the regulated person realised or should have realised that it was improper”.

Active risk management principles are once again at work. Did you know, or should you have known, that something was awry? This is the language of risk management professionals.

Lawyers have not, in the past, been trained in such techniques. Most of the legal training provided in relation to risk management in the UK focuses on claims avoidance, rather than other aspects of risk analysis used in other businesses and professions, such as concepts of risk tolerance, probability and impact.

OFR does require a system to identify, monitor, manage and “address issues identified”, as highlighted here. The language of OFR is that of “suitable arrangements” being in place, with compliance plans and information reports.

The fact that the word “effective” is used throughout the text also indicates some form of testing to ensure compliance is envisaged. Yet, a recent search of the literature on OFR does not really assess the practical aspects of risk and the “sound risk and financial management systems” that underpin it.

Appointing a compliance officer

If you are about to talk a new compliance officer into taking on a ‘new and exciting role’, where should you start? The problem is threefold.

First, the appointment mechanism poses a resourcing challenge. The compliance officer for legal practice (COLP) must be a lawyer, based on R8.5(c) of the authorisation rules, but lawyers lack grounding in at least the more formal risk-analysis techniques.

Second, much attention has been given to the COLP, but less to the compliance officer for finance and administration (COFA). Ironically, given the duties involved, there is no requirement for any accountancy qualifications. Yet, if there was ever a hot seat, it belongs to the COFA. It is the COFA’s duty to report on financial health and it is more likely that the COFA may need to report, in some cases, where the finances of the firm are poor.

The “consent” to the position of compliance officer is not a once-and-for-all deal. If a COFA or COLP resigns because he is unable to fulfil this statutory role under the Legal Services Act and withdraws his consent, then the firm is out of the race. A compliance officer is a prerequisite of authorisation: the firm cannot proceed without one. While emergency appointments can be made, the circumstances and reason for the withdrawal of consent are likely to be a regulatory red flag.

Third, how do you define risk? Where do you start? If no one size fits all and the risks should simply be managed, how can that be achieved without breaking the bank? Is there at least something that could start the risk and compliance conversation as compliance officers and colleagues start the process?

Managing risks and resources

It will take time for each firm to decide what, how much and when information must be collected to ensure compliance with OFR. The question is how compliance is to be achieved: how should risks be identified?

The problem currently is that some firms are overestimating the potential for risk in an area, with the result that resources are being wasted preparing for risks that are unlikely to emerge anytime soon.

However, there is a straightforward way to identify and analyse risks, so that suitable resources can be allocated to improve the firm’s risk profile and monitor the results. Figure 1 shows a probability and impact matrix that can be used to define risk. This approach is well known in industry and has the advantage of being graphical and capable of being completed on a collaborative basis.

It also has the advantage of enabling groups to consider many different aspects of risk: operational, strategic, reputational and financial, and to calibrate both the probability that something will happen and its impact should it do so.

Figure 1: Defining risk – probability and impact matrix

Using the risk matrix

Usually, a risk matrix is calibrated as set out in Figure 1. Impact and probability can be measured as follows.

Impact:

  1. Low impact

  2. Some short-term impact

  3. Harms the practice/disruptive

  4. Catastrophic

Probability (usually, but not always within one year):

  1. Unlikely

  2. Possible

  3. Probable

  4. Inevitable

A 1x1 risk is both unlikely and of low impact, whereas a 4x4 risk is inevitable and catastrophic – not a good place to be!

As a start, brainstorming the issues and then completing the matrix may bring some clarity to the situation, especially if a number of colleagues complete the task independently. This has the advantage of forcing a choice and is a recognised method in the risk sector.

In the example provided, if the client that decides to take its work in-house is Mrs Miggins’ Pie Shop in a market town, that may be a high probability but have a low impact because it accounts for less than one per cent of fee income.

But, if it is Mrs Miggins’ Pies Inc. and accounts for half of one department’s billables, that is a completely different situation.

Similarly, there may be a low-to-medium probability that your coffee maker will break down because it is old, but it is unlikely to have a high impact, all things considered.

A cultural shift

There will, inevitably, be a cultural shift in attitudes towards compliance. Many firms will have initial concerns as to whether they have done enough to evidence that they have achieved the relevant outcomes. It will require the development of a new skill set for lawyers which, as they get to grips with OFR, may result not only in greater compliance but also in greater business efficiency.