Business as usual, in unusual circumstances
Risk in the time of covid-19 must be managed with care because regulatory requirements haven't changed, says Pete Riddleston
The move to remote working by most law firms during the pandemic has given rise to new operational challenges which demand strategic solutions.
While maintaining business as usual, we need a quantum shift in approach. This is certainly the case if we are to secure compliance with regulatory requirements and manage the high levels of risk we face, both now and in future.
Effective risk management stems from highly effective, firm-wide leadership and a common cultural perspective, where the emphasis is on continuous improvement. Firms must be aware of the key risk issues and target the root causes, with robust training and review processes.
From my vantage point, working with our LawNet member firms and the experts who deliver on our quality management, compliance and professional indemnity insurance, three topics should top every compliance professional’s checklist in the coming months: supervision, financial crime and risk culture.
Remote working and supervision
Supervision has been a major theme for our network members in recent months. We saw firms learning and evolving as they responded to the need for supervision structures fit for purpose.
Before the pandemic, supervision may have been less formal. Colleagues would constantly share ideas and information, whether in team meetings, supervision meetings or at the watercooler. So supervisors were well informed as they could hear and see what was happening across the team.
When people are working remotely, we need to adapt, formalising where necessary; and actively think about how supervision will be achieved and documented.
Online discussions via Zoom or Microsoft Teams may provide a viable alternative, but all supervisors must be attuned to asking questions and making themselves available in more structured ways than they may have done previously.
This is an issue that will not go away as the sector shifts towards hybrid working in the longer term, as we cannot rely on everyone being together in the office at the same time. Informal requests for input will be less feasible and the learning/risk management interface needs to be more strategic, with systems reviewed regularly.
As individual solicitors are personally responsible for work done under their supervision, firms need to ensure they provide the infrastructure to support that responsibility, with effective processes. Everyone must be aware of how those work. This is crucial in demonstrating to the Solicitors Regulation Authority (SRA) that the business has made a successful shift to online working while complying with the requirements of the SRA code of conduct.
Tracey Calvert, of Oakalls Consultancy, acts as a compliance consultant for our LawNet members. She says the approach is very much one of business as usual, as the SRA will not accept anything less; and processes must be adapted to reflect the current, unusual circumstances.
She suggests firms look at how to ensure people work together as teams rather than as individuals, adapting anything that would normally be done in the office to suit remote working.
It’s also important that supervision arrangements cover the whole team and not just junior lawyers, trainees and paralegals. Supervision and accountability for more senior lawyers is equally important.
In one of our recent online roundtables, bringing together those responsible for compliance and risk within the LawNet network, we discussed issues around documenting all the online meetings now being held, from senior management and department level to team meetings and one-to-ones.
While senior management meetings may be minuted, others may be less structured, shorter and more frequent; and it can be harder to maintain consistency in documenting them. But these can be vital in demonstrating that supervision is taking place, particularly for junior members of staff – so a solution must be found. Attendance notes justifying and explaining decisions remain as important as ever and supervisors should be checking for these.
Finally, supervisors should bear in mind the pandemic’s effect on mental wellbeing. This has been a hot topic in our network leadership forum as staff try to balance work, home schooling and the pressures of living under lockdown.
Supervisors and leaders can demonstrate the right behaviours, for example saying they are heading out for a run or a walk, and giving others permission to do the same; or discouraging late night emails to relieve pressure on staff who may otherwise feel they need to respond.
Checking in regularly and watching out for danger signals is harder during remote working, but more important than ever.
Squaring up to financial crime
There is an obvious link between staff supervision and managing the risk of financial crime, particularly as we adapt to our changing work structures. Less supervision or oversight brings more risk that staff will unwittingly enable fraudsters to break through, using socially-engineered situations. Those could include duping staff into handing over information or cyber penetration, such as malware designed to bring down a firm’s operations.
Most compliance officers will be aware of a rise in professional indemnity insurance claims due to financial crime. We have seen reports of attempted fraud steadily increasing across our network.
As well as becoming more frequent, financial crime is continually evolving so we recently updated our ISO9001 LawNet quality standard to help firms develop robust risk controls to tackle the changing face of financial crime.
To support this, QBE (the underwriter of our professional indemnity insurance scheme) has prepared guidance and templates, designed to help firms understand and review the risk controls that need to be in place. These cover three prevalent types of financial crime:
- Property fraud by imposter sellers
- Third party push-payment fraud and
- Insider fraud by rogue employees.
Identity verification is a key topic, particularly when clients may not be seen face-to-face. Identity checks are essential to satisfy money laundering requirements and to be sure of who you are dealing with. Even where a client is longstanding, due diligence compliance demands regular checks to ensure identity information is up-to-date.
With in person client meetings less common due to lockdown, we have seen a speeding up in the shift from wholly paper-based checks towards electronic verification, or a combination of the two. Many of the firms in our network are using sophisticated electronic verification systems, using facial recognition software and the ability for clients to upload short videos to assist with verification. Feedback suggests that clients have found these products straightforward to use, which is key to successful implementation.
Sharing experiences of attempted fraud or loss suffered is an important opportunity to learn, which can help strengthen defences for the future. We encourage our member firms to share across the LawNet network and see the value of this approach in the new processes and training initiatives developed.
Embedding a risk culture
At the heart of tackling financial crime is across-the-board awareness and recognition of the importance of risk management by all staff. This demands a firm wide culture engendered by strong leadership and open communication. It’s an approach which moves beyond the assessment, checkbox model to become part of the fabric of how the firm operates by creating a risk culture.
Not surprisingly, it is something that insurers look for and encourage in firms wishing to improve their risk profile. Our network insurers QBE have developed a tool on their QRisk platform which enables our members to assess where they are on the journey towards this approach to risk management.
As Deborah O’Riordan, practice leader at QBE explains: “I would challenge those practices that haven’t yet looked at risk culture to do so.”
The challenges of remote working provide further impetus towards this. A number of our conversations with risk and compliance professionals have concentrated on how to maintain that firm wide focus on risk management, particularly when remote working is likely to continue for most of us well into 2021.
Our members are tackling this by ensuring that it is business as usual in terms of carrying out file reviews, making corrective actions, reviewing matter risk assessments, looking at costs and time recorded and checking timescales and deadlines. The aim is to ensure lawyers think about risk each time they pick up the file, rather than simply moving on to the next thing for the client.
Having a strong risk culture can also make it easier to effect behavioural shifts. Remote working may create security concerns if paper files are taken out of the office, whereas electronic files are less vulnerable to data breaches and make it easier to conduct file reviews remotely.
There will be a learning curve when teams move from paper to electronic files, particularly during lockdown and working away from the office; but it can make all the difference when staff are committed to making the change because they understand why and have risk at the heart of their everyday.
The strength of a firm’s risk management reaches into every aspect of its legal practice, not just to keep down professional indemnity insurance premiums or avoid compliance breaches, but to maintain professional reputation, staff morale and beyond.
As we manage the ongoing constraints of the pandemic, the SRA expects us to maintain compliance standards. Our clients expect our legal work to be of the same high standard, wherever we may be working, and that our client service and risk management on their behalf are as professional as ever.
Making sure people are truly engaged and embracing risk management as part of the everyday can make a firm more agile and able to deal with these challenges – and any new threats that may arise.
Peter Riddleston is learning and quality director at LawNet lawnet.co.uk