System and order: goodbye to Principle 8?
The principle that forced firms to move away from a tick-box approach to risk management is gone from the new Standards but it will endure in the new codes, says Tracey Calvert
SRA Principle 8 is the compliance practitioner’s friend and ally. Twenty-seven words which will provide anyone needing to argue for system and order in the workplace with answers to any negativity and scepticism that they might encounter along the way. I have referred to it constantly since it was first introduced in 2011 as a way of demonstrating what the SRA is expecting to see and what will assist in having a low maintenance fuss-free relationship with the regulator. Imagine my horror to discover that it has not survived the cull of the 2011 principles and will not feature in the 2019 principles which will come into effect with the SRA Standards and Regulations on 25 November 2019. Where does that leave us? Actually, in not too much of a different place as it turns out. The fact that it is no longer a headline does not denote any significant devaluation of its sentiments. It has done much to promote the culture of law firm compliance and this will continue into the new regulatory era. In this article, I’d like to share some thoughts on the significance of Principle 8 and how this has evolved over recent years. For anyone needing a reminder, the principle embodies what the SRA expects from us in terms of governance and effective risk management: “You must run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles” Back in 2011 many questions were asked about this unseemly modern wording by practitioners who did not readily warm to the principle; why was the word ‘business’ used rather than ‘firm’ or “practice’? Wasn’t that language undermining our professionalism? Why was the principle applied to everyone and not just the partners? Wasn’t management and compliance just a top-tier duty? What was proper governance? What gave the SRA the right to be so interested in our internal composition? Why was the SRA interested in our risk management? Would we get templates that we could use to tick the boxes?
MODERN EXPECTATIONS
The answers provided insight into what was expected of modern law firms. The SRA has been clear and consistent in this message: we are businesses providing legal services and a business must be well-run not, from the regulator’s perspective, with an interest in the financial success that this should bring, but so that clients will receive a proper standard of service from a well-run organisation. Everyone plays a role in the effectiveness of the business; the trick is to be clear about the individual roles and to ensure sure that colleagues understand what is expected of them (and the regulatory consequences if they wilfully fail to achieve these expectations). The SRA expects a different response at different levels; the owners of the business will be expected to respond differently to other fee earners whilst support staff will have other, not necessarily client facing, responsibilities which must be clearly stated and achieved. The internal workings of the business are also relevant to the SRA hence the reference to proper governance and risk management, but there was never going to be any help with this. The SRA expected us to partake in some navel-gazing and determine what systems and controls will protect our firms and what risks we needed to prioritise. This requires reflection on the type of structure we have created, the services we provide, and even the types of clients we attract. No template would address this reflection. This means that since 2011, the starting point for any compliance professional working in an SRA-authorised law firm has been to answer certain key questions which hide within the twenty-seven words of Principle 8. Questions like these:
—— Does everyone in the business understand their specific roles and the detrimental consequences if they fail? How will we ensure that we support all our colleagues so that there is less chance that they will fail? What do we expect from our senior colleagues (our partners and owners) in terms of communicating the firmwide regulatory and ethical expectations? Do we have the correct ‘tone from the top’ to support the development of a safe compliance culture in the workplace?
—— Is the firm’s governance structure appropriate, agreed and clearly communicated to everyone in the business? Who will be responsible for what? Do the owners of specific titles have the skills and characteristics necessary to achieve their particular role? For example, does the COFA has the necessary knowledge of both the SRA Accounts Rules and internal accounting systems? More generally, are our team leaders, managers and supervisors well supported in their roles?
—— Have we considered what would cause us financial difficulties? How do we ensure that proper governance encompasses financial management? Do we have adequate oversight and strategic thinking to ensure that we do not receive any surprising financial news and that we are equipped to deal with other unwelcome financial events?
—— Have we considered what other risks are present in our specific circumstances? For some firms this might be an over-dependence on a particular source of work, for others it might be information security. The decisions about what ought to be prioritised have to be made by us.
—— Do we have the means to demonstrate that we apply Principle 8 in practice? Are our systems and controls appropriate and do we monitor to be satisfied that they continue to be appropriate and applied as necessary?
CORE BEHAVIOURS
Despite the absence of this principle from the 2019 collection, do not underestimate the SRA’s continued interest in our internal workings and compliance response. The new principles are somewhat ‘old school’ and used to demonstrate core behaviours expected of individuals. The responsibilities focused on the compliance culture of the business have been transposed to the new SRA Code of Conduct for Firms and are as meaningful as ever. This new code describes the standards and business controls by which authorised law firms will be judged. The SRA’s intention is that these will “create the right culture and environment for the delivery of competent and ethical legal services to clients”. The code applies to everyone working in the firm and there are additional and specific requirements addressed to managers (i.e. the owners) and compliance officers.
It describes all that the SRA expects. Standard 2.1 embodies the sentiments of old Principle 8 in that it contains the following duties:
2.1 You have effective governance structures, arrangements, systems and controls in place that ensure:
(a) you comply with all the SRA’s regulatory arrangements, as well as with other regulatory and legislative requirements, which apply to you;
(b) your managers and employees comply with the SRA’s regulatory arrangements which apply to them;
(c) your managers and interest holders and those you employ or contract with do not cause or substantially contribute to a breach of the SRA’s regulatory arrangements by you or your managers or employees;
(d) your compliance officers are able to discharge their duties under paragraphs 9.1 and 9.2 below.
2.2 You keep and maintain records to demonstrate compliance with your obligations under the SRA’s regulatory arrangements. 2.3 You remain accountable for compliance with the SRA’s regulatory arrangements where your work is carried out through others, including your managers and those you employ or contract with. 2.4 You actively monitor your financial stability and business viability. Once you are aware that you will cease to operate, you effect the orderly wind-down of your activities”.
The regulatory message is unambiguous. Principle 8 has been a success from the SRA’s viewpoint in that it has made clearer what is expected from us in terms on internal management of people and risks. In the new age of compliance which is coming in with the SRA Standards and Regulations we will be expected to keep us the compliance work. The SRA still expects everyone to know their role in the authorised entity, and for the business to be a safe place from which clients can obtain legal services.
Maybe now in the run up to the launch of this new Code, we should be reflecting on our current compliance response and using the time to consider what could change or be improved upon.
Tracey Calvert is a consultant at Oakalls Consultancy Limited oakallsconsultancy.co.uk