Creating a compliance culture
Tracey Calvert revisits the topic of cultivating a firmwide compliance culture and explains why it’s the best way to avoid nasty surprises
I am often asked for tips about the ways in which a compliance culture can be cultivated in the workplace. I usually respond by asking two questions back:
— How many emails are generated by the firm on a daily basis?
— How many emails are misdirected?
A busy law firm will be sending out a great quantity of emails and some of these may be sent to the wrong recipient. No one is perfect after all. However, what happens next will be of interest to the firm’s COLP and partners, as the response of the individual who makes the mistake is a good indicator of the existing compliance culture within the firm. If the firm knows when emails are going astray then it has the building blocks with which to create a compliance environment.
Creating a compliance culture where the knee-jerk reaction is to make the COLP aware of such issues should be the goal. A COLP who is not recording examples of wayward emails should be questioning why this is not happening. Are colleagues unaware of the possible ethical and legal issues, or do they not understand the COLP’s interest, or is the culture one of blame and shame rather than accountability and responsibility, creating a deterrent to disclosure?
Identifying issues which need to be judged – both in terms of regulatory duties and for risk management purposes – is the only way the firm can demonstrate an appropriately risk-based and firmwide response to the challenges presented. It is a requirement that everyone within the firm must comply with the Solicitors Regulation Authority (SRA) regulatory toolkit, and it is easier for them to do so where there is a clear compliance culture within the business.
SELF-REPORTING
Yet this is the hardest aspect of the SRA’s style of regulation: it leaves ownership of notification duties with firms themselves, meaning that those with compliance roles cannot be in the position where they have ‘unknown unknowns’. What is also clear is that simply having well-crafted documents to explain what response is expected of individuals in any given situation is not sufficient. Instead, what’s required is a strategy to ensure everyone understands certain non-negotiable truths:
— That everyone in the firm has personal obligations and a requirement to understand the impact of SRA regulation on them, albeit proportionately applied to their role within the business;
— adherence to SRA requirements is not an extra burden but means that the firm is a safe environment both for those who work within it and those who receive services from it;
— systems and policies are created for the purpose of strengthening the firm’s compliance culture and not to add to the weight of administration or to detract from the day jobs;
— that compliance equates to openness, accountability and responsibility; but
— that openness is not intended to create a blame culture; and
— communication of issues and concerns, in a timely manner, is the key to making these duties manageable.
Easy for me to say! How do you win over hearts and minds? Having visited a good number of firms, my experiences lead me to suggest the following:
— Make sure that senior members of the firm – partners, department and team heads, supervisors and others in line-management roles – understand that they have an ambassadorial role in terms of compliance.
— Ensure that the corporate structure is clear and visible. Members of staff should know who they can talk to and who has responsibility for what requirement.
— Secure ownership of risks at all levels by asking relevant people within the business what matters to them and make sure they appreciate the consequences of their actions. Do support staff understand the implications of emailing client advice to the wrong recipient? Do reception staff understand, more generally, their responsibilities in ensuring that client confidentiality is not breached by careless talk in public areas? Do fee earners understand the risks posed to both confidentiality and data security by flexible working practices?
— In terms of openness, ensure there are opportunities for the sharing of concerns, debate of difficult issues, and so on: for instance, in departmental meetings, one-to-one meetings, through mentoring and supervisory roles, and perhaps firmwide through e-newsletters and internal bulletins.
— Share the compliance tasks with a network of support staff, whether that’s a risk and compliance team, deputies, compliance champions within each department, or supervisors.
— Do not underestimate the value of investing time and money in good quality and appropriately targeted training for all members of staff – not only on the reasons why working in an SRA-regulated firm is a big deal for every employee, but also what will be expected of individuals and why, and the firm’s systems and what they are designed to achieve.
This is at the heart of an effective compliance culture and is one of the biggest challenges of the modern style of regulation: the SRA’s requirements must be observed by everyone employed within the firm, regardless of qualification and status, and anyone could place the firm’s authorisation under scrutiny.
Finally, to offer my view on the conundrum of wayward emails: of course, this will happen from time to time and all such incidents should be reported to the COLP, who is then able to make decisions about recording and, if necessary, reporting in a timely fashion. Far better to know and manage, than not know and face the consequences.
Tracey Calvert is a consultant at Oakalls Consultancy Limited oakallsconsultancy.co.uk