Delivering the 'compliance message

I am often asked for tips
about the ways in which a compliance culture can be created. I usually respond by asking: how many emails are generated by the firm on a daily basis? A busy firm will be sending out a great quantity of emails and some of these may be sent to the wrong recipient. No one is perfect, after all. However, what happens next will be of interest to the firm's compliance officer for legal practice (COLP) and partners, as the response of the individual who makes the mistake is a good indicator of the existing compliance culture within
the firm.

Creating a compliance culture where the knee-jerk reaction is to make the COLP aware of such issues should be the goal. A COLP who is not recording examples of wayward emails should be questioning why not. Are colleagues unaware of the possible ethical and legal issues; do they not realise the COLP's interest; or is the culture one of blame and shame, rather than accountability and responsibility, and is this a deterrent to disclosure?

Identifying issues that need to be judged - both in terms of regulatory duties and in risk management - is the only means by which the firm can ensure it is able to demonstrate an appropriately risk-based and firm-wide response to the challenges presented by the requirement that everyone within the firm must comply with the Solicitors Regulation Authority (SRA) handbook. This response is easier to achieve where there is a clear compliance culture within the business.

Unknown unknowns

Yet this is the hardest aspect of the SRA's style of regulation: leaving ownership of notification duties with firms themselves means those with compliance roles cannot be in the position where they have 'unknown unknowns'. Simply having well-crafted documents to explain what response is expected in any given situation is not going to be sufficient. Instead, what's required is a strategy to ensure that everyone understands certain non-negotiable truths:

• Everyone in the firm has personal obligations and a requirement to understand the impact of SRA regulation on them, albeit proportionately applied to their role;

• Adherence to SRA requirements is not an extra burden, but means the firm is a safe environment both for those who work within it
  and those who receive
  services from it;

• Systems and policies are designed for the purpose of strengthening the firm's compliance culture and not to add to the weight of administration or to detract from the day jobs;

• Compliance equates to openness, accountability, and responsibility;

• But that openness is not intended to create a blame culture; and

• Communication of issues and concerns, in a timely manner, is the key to making these duties manageable.

But how do you win over hearts and minds? Having visited a good number of firms, I suggest the following:

• Make sure that senior members of the firm - partners, department and team heads, supervisors, etc. - understand they have an ambassadorial role in terms of compliance;

• Ensure the corporate structure is clear and visible. Members of staff should know who they can talk to and who has responsibility for what requirement;

• Secure ownership of risks at all levels by asking relevant people within the business to appreciate the consequences of their actions. For example, do support staff understand the implications of emailing client advice to the wrong recipient? Do fee earners understand the risks posed to both confidentiality and data security by flexible working practices?

• Ensure there are opportunities for the sharing of concerns and debate of difficult issues such as in departmental meetings, one-to-one meetings, through mentoring and supervisory roles, and even perhaps firm-wide through e-newsletters and internal bulletins;

• Share the compliance tasks with a network of support staff, whether they be a risk and compliance team, deputies, compliance champions within each department, or supervisors;

• Do not underestimate the value of investing time and money in appropriately targeted training to all members of staff, not only on the reasons why working in an SRA-regulated firm is a big deal, but also what will be expected of individuals and why, and the firm's systems and what they are designed to achieve.

This is at the heart of an effective compliance culture and is one of the biggest challenges of the modern style of regulation: the SRA's requirements must be observed by everyone employed within the firm, regardless of qualification and status, and anyone could place the firm's authorisation under scrutiny.

And, finally, to offer my view on the conundrum of wayward emails: of course this will happen from time to time and all such incidents should be reported to the COLP, who is then able to make decisions about recording and, if necessary, reporting in a timely fashion.

Tracey Calvert is director of Oakalls Consultancy Limited www.oakallsconsultancy.co.uk