Feature
posted 11 Jun 2004 in Volume 7 Issue 2
Covering all bases: Implementing a holistic risk-management approach
Where budgets are stretched to cover such essential elements as IT and HR, risk management can fall far down the list of priorities. With risk affecting all areas of the business, however, John Verry, a risk manager at Charles Russell, argues that a risk strategy is essential, especially as new regulations come into force.
Risk management is a lot more than simply setting up a diary system and ensuring that a retainer letter is sent on every new matter (although even these basic concepts are beyond some firms). It is about adopting a risk-based approach to managing your business effectively. There are various categories of risk affecting your business: operational, strategic, disaster, regulatory and statutory.
What is meant by adopting a risk-based approach? This simply means that the level of risk involved in a particular area will dictate how you manage it. Hence, a low level of risk needs a minimal response from management, while greater risk will require additional resources, such as IT and management time.
Effective risk management will mean that the partners and staff are:
- Working in an environment that is compliant with statutory and regulatory requirements;
- Providing an effective service delivery to clients at an affordable price;
- Minimising exposure to the risk of error on the part of the service provider;
- Complying with their professional regulations.
This is achieved by adopting the following well rehearsed basic principles of risk:
- Identify your risk;
- Analyse it;
- Create and implement systems and procedures to manage the risk;
- Monitor compliance.
And this is where the problems start. Finding the time and resources to develop and implement a risk strategy requires substantial investment of both time and money. Unfortunately, however, risk management tends to be a long way down the wish lists of managing partners, particularly at budget time, when it competes with other requirements such as IT, information services, human resources and facilities. Offer a partner the latest version of a Blackberry or a new risk procedure and it is not difficult to see what the decision will be. With such attitudes, risk management quickly becomes ‘nice to have’ rather than ‘necessary’.
However, regulation of the legal profession is going to change as it is a fact that the government does not regard maintaining the status quo as an option. The only question is the degree of change and the impact that this will have on the profession. Complying with such regulatory requirements is an integral part of risk management and a real skill has become identifying new and emerging risks and how they will impact on your business.
Historically, however, the profession, by reason of the fact that it has been self-regulated, has not been over troubled with compliance issues. Indeed, the regulatory requirements were, and still are, often ignored. Statistics have shown that an incredibly low percentage of firms complied with the requirements of the Solicitors Costs Information and Client Care Code, and sent out adequate Rule 15 letters. Many firms failed to have a complaints procedure in place, which all staff were aware of and complied with. This is notwithstanding that there are model precedents on the Law Society website.
It is also important to understand that when we talk about regulation, we are not just talking about complaints. The consultation paper produced by Sir David Clementi refers to the ‘five core functions of regulation’:
- Entry standards and training;
- Rule making;
- Monitoring and enforcement;
- Complaints;
- Discipline.
Rule making, monitoring and enforcement are two areas of particular interest to the risk manager. The consultation paper describes rule making as the formulation of rules by which members are expected to work and adhere. That may be interpreted as rules governing the service delivery to the client. For a number of years now the profession has been told what causes complaints against solicitors. There are common themes running through claims (that is, unacceptable levels of service delivery), irrespective of the area of law concerned:
- Time limits;
- Delay and poor supervision;
- Inadequate delegation;
- Poor communication of undertakings;
- Failing to comply with office procedures;
- Lack of knowledge of the law.
Suggestions have been put forward as to systems and procedures that may be adopted to reduce the risk of a claim arising out of one of these areas.
It would not be unreasonable to think that there has been a marked reduction in the number of claims because their causes are easily identifiable and the systems to manage the risks are straightforward. The depressing fact, however, is that the causes of claims are the same today as they were ten years ago: time limits are missed; files are not dealt with effectively; bemused junior lawyers are dealing with matters far beyond their capabilities, which have been passed down the food chain to them. How will the profession cope if procedural rules are imposed upon them by way of regulation? The chances are badly, if the advent of the money-laundering regulations is anything to go by (more of these later).
Firms should prepare now for what may happen, rather than adopting a ‘wait and see’ approach. Implementing good working practices, which enhance the firm’s performance and reputation, cannot be a bad thing, even if the chosen systems and procedures exceed the basic requirements of any form of regulatory process that may be imposed.
Another reason to start now is that the cultural change involved will not happen overnight. Getting any individual, let alone a whole profession, to change its culture will require a gradual process. But regulatory changes are not structured to accommodate such change, coming into effect as they do on a particular date. Rather, partners, fee earners and staff need to anticipate change and react accordingly, before it is too late.
For instance, the legal profession, as a consumer service, must be ready for the competition being opened up to other consumer services. Much could be learnt from those suppliers as to how the profession may improve. However difficult it may be, the fact that the ‘customer is always right’ might not be a bad starting point.
Doing the client’s work correctly, that is, managing your operational risk, is essential, but all areas of the business will need effective risk-management strategies.
For example:
- Providing a safe place to work – have your archives team received their manual-handling training?
- Effectively managing stress;
- Compliance with discrimination, equality and disability legislation. Is your firm even aware of this legislation?
- Registering for the purposes of the Data Protection Act and ensuring somebody is responsible for annual renewal. Failing to register may lead to criminal proceedings against a partner or partners.
There are also issues with professional regulation. For instance, if you are planning a joint venture, you must check the overseas practice rules and register foreign lawyers. If any services are supplied through a limited company, firms need to confirm whether it has to be registered as an incorporated practice with the Law Society.
If you receive a visit from the Consumer Complaints Service, you will need to be able to show that you are compliant and that you have a complaints procedure in place (for those of you who had not realised, the OSS has changed its name). Are you taking steps to comply with money-laundering legislation? If not, you need to take steps to train your staff, appoint an MLRO, create and implement the appropriate internal procedures for reporting, and change your archive procedures to ensure that you comply with the requirements for record keeping as set out in the Money Laundering Regulations 2003.
The advent of the new Money Laundering Regulations may be taken as a good indicator of how the profession may react to any future regulatory changes, that is, at the last minute. The Regulations came into effect on 1 March 2003. Many firms were wholly unprepared. They knew that there was change coming, but they had not prepared for it. Bearing in mind the consequences of non-compliance, this was surprising to say the least.
These are just a few examples of the very many risk and regulatory matters facing lawyers. Non-compliance does not result in a slap on the wrist. The penalties are potentially loss of income (fines), loss of your practice (intervention), imprisonment (non-compliance), and, in all cases, the greatest risk of all, which you cannot insure against, damage to reputation.
The management of risk and regulatory compliance should therefore be high on the managing partner’s agenda.
Change is far easier to effect when it is carefully managed as opposed to being imposed. Effective and successful businesses embrace, rather than resist change. They are always looking at ways to improve efficiency, attract more customers and raise their reputation. Getting your internal affairs in order is the first step. This means making rules. But that is not the end of it.
There has to be monitoring and enforcement of those rules, and this is an ongoing requirement. This means that fee-earner work will have to be checked, most likely through file audits. Audits will also have to check and ensure that the firm’s internal rules, regulations and procedures have been complied with. If there has been non-compliance, then disciplinary procedures will have to be followed. For any form of regulation to succeed, the regulator must have teeth. The discipline imposed will reflect the degree of the problem. It may be further training in a particular area, closer supervision, financial penalties (withholding bonus) or the ultimate sanction of termination of employment.
To ensure effective risk and regulatory management, there must be effective training programmes for all staff who are subject to the regulatory requirements or who are exposed to risk, that is, in carrying out their job there is the possibility of the client suffering loss by reason of that person’s error. The classic example here is the post-operative putting all the post into the DX system and vice versa, with the result that urgent communications are lost or delayed, critical time limits missed, cheques lost, and important information not received.
The degree of time and money invested in developing and implementing compliance procedures for risk and regulation will of course depend on the size of the firm. This is where smaller firms are at an advantage. They are better placed to know what is going on in the practice and to ensure compliance. Larger firms will be looking to dedicated personnel ensuring that the firm is, and remains, compliant, and is properly monitored. While there are risks that are common to all firms, the degree does vary, and in accordance with the risk-based approach, will determine how a firm deals with the problem. There are other factors that create different risk profiles, including location, type of work carried out by the firm, client base, and, probably most importantly, the quality of staff.
For such a variety of needs, there are three suggested ways of managing risk and compliance issues within a firm:
- The appointment of a dedicated risk manager;
- The risk committee/board supported by an audit function;
- Outsourcing to a competent provider.
The dedicated risk manager
This is the path a number of top-50 firms have followed. The first step here is to decide what you want your risk manager to do, so prepare a job description. This will also assist in finding the right person for the job. Likely responsibilities would include risk management, compliance with regulatory issues, insurance (that is, dealing with professional-indemnity renewal) and dealing with complaints and claims. These functions may be undertaken directly by the risk manager or in conjunction with a nominated partner.
For example, the risk manager could assist the firm’s money laundering reporting officer who should always be a relatively senior equity partner. The same goes for claims handling. The risk manager could deal with day-to-day running of the files under the supervision of a particular partner.
Interestingly, dedicated risk managers nearly all say that a large part of their time is taken up dealing with regulatory and compliance issues as opposed to risk management and creating and implementing systems and procedures. Once there is a focal point for risk and regulation in the firm, then staff are much more likely to address issues with the risk manager before they become a problem. Common questions put to in-house risk managers include:
- Can I terminate the retainer?
- Do you think a conflict of interest arises?
- What papers do I have to send and what papers can I keep if the client asks for his file to be sent to another solicitor?
- Can I exercise a lien?
- Can I limit liability on my retainer letter?
- Do I have to notify this?
- What proof of identity do I need for money-laundering purposes?
Immediate answers make the fee earners’ lives easier and also greatly reduce the risk of error, or non-compliance.
Risk committee supported by an audit function
This scenario envisages the partners or rather a selection of them sitting on a board and being responsible for risk and compliance issues within the firm. This can be a very effective method, provided they have the time to undertake the role. The committee would be responsible for the creation and implementation of risk and regulatory procedures, while the audit function would involve the appointment of an internal auditor whose role would be to ensure compliance. This appointment would be more junior than that of a dedicated risk manager.
The auditor would report back to the committee and provide statistical and other data analysis of the audit. This scenario would also envisage responsibility for risk devolving on to support-function heads in larger firms, for example, the directors of HR, IT and finance, in relation to the risk and regulatory matters affecting their work areas. They in turn would report back to the committee. Other functions reporting back into the committee would be the partners responsible for money-laundering compliance, complaints and claims. The risk committee would, therefore, be the focal point for risk within the firm.
Outsourcing
It may be that firms, while recognising the importance of ensuring compliance, do not have the resources or, indeed, the inclination to maintain this function in house, either wholly or partially. Equally, some firms feel very strongly that any form of internal policing should be kept at arm’s length from the partners and undertaken by an external organisation, with problems being identified and brought to the partners’ attention.
In such cases, outsourcing these functions may be possible, but it is essential to use a reputable organisation with the appropriate skill and expertise. Outsourcing may range simply from providing risk and compliance training to providing the audit function, to developing and implementing the risk and compliance procedures. The outsourcing may also be used in conjunction with in-house functions (again, IT, HR and finance).
Such an organisation would be able to prepare and submit reports to the partners, help identify new and emerging risks and provide solutions tailored to meet the firm’s particular needs.
This regime of risk control is not as daunting as it may at first appear. Many firms deal quite adequately with the matters that have been identified. Indeed, many lawyers automatically manage their operational risk exposure by simply being careful and making sure that they clearly identify and meet time limits affecting the file. Again, with many solicitors it would not even cross their mind to delegate a file to a fee earner who did not have the skill, expertise or time to deal with the matter properly. Such organisations have little to fear whatever form of regulation is brought in.
On the other hand, those firms that little consider such issues and are either resistant to or not prepared to change face difficulties, whether internal regulation is beefed up or external regulation is introduced.
At present, it is possible to carry on business without being able to demonstrate compliance with existing regulations and, by and large, a problem will only arise if something goes wrong. In the future it is likely that firms will have to demonstrate to a regulator that they have the systems and procedures in place, and that they comply with them, so as to reduce the risk of error. Failure to demonstrate such compliance will result in penalties being imposed.
There are real benefits to effectively managing risk and compliance, including:
- Standardising procedures, which cuts costs;
- Introducing a degree of uniformity and common understanding, so that fee earners know the procedure for giving undertakings, or conflict checks;
- Reducing the administrative burdens of providing legal advice to clients;
- Demonstrating to a consumer that their service provider has attained a certain basic standard of competency through compliance to a set of regulations.
Regulatory controls will become more commonplace. Make sure that you have the infrastructure in place to implement and comply with those regulatory and compliance issues.
Now is the time to start the change process. Change will happen, so do not wait until it is forced upon you. Remember, maintaining the status quo is not an option.
John Verry is a risk manager at Charles Russell. He can be contacted at: john.verry@charlesrussell.co.uk