Improving compliance: from box-ticking to better outcomes
By Lyn Coughlan
Lyn Coughlan explores the importance of empowering employees to create a strong compliance culture
There is sometimes a hint of negativity when people talk about compliance. I remember someone joking to me once that it “makes it quite difficult to be a lawyer.” The truth is, there are many elements to compliance and each one is essential to uphold standards within the industry and to ensure clients get the service they are paying for. It touches everything from legal practice, HR, IT and business continuity to Health & Safety, data protection and insurance.
All solicitors and most law firms in England and Wales are regulated by the Solicitors Regulation Authority (SRA), an independent body set up in 2007 to regulate professional conduct. There are other regulators operating in England and Wales who oversee the conduct of providers of specific legal services – such as the Council for Licensed Conveyancers, the Intellectual Property Regulation Board and CILEx – but the SRA is the main regulatory body for most full-service law firms.
The SRA’s Standards and Regulations (published in 2018) is the framework upon which our policies, procedures, systems and controls are designed.
Creating a culture of compliance
When our firm decided to go for the ISO 9001 quality accreditation in 2000, I was invited to join a working group which would be looking at the controls, policies and procedures required to achieve it. At the time I was in a secretarial role, but after the ISO 9001 project my work evolved into my current role as the firm’s Head of Compliance, which I’ve been doing for 15 years.
My career progression was atypical then. When I first started going out to compliance conferences and events, the attendees were mostly partners who had responsibility for compliance as an add on to their role. However, there are now more people like me – non-lawyers but with relevant skills and experience which are applicable to the legal profession heading up the compliance function as a full-time role.
Especially for smaller firms, having the budget for a dedicated compliance officer may be difficult to justify but – speaking from experience – compliance is a full-time job. For a partner with a case load, adding compliance on the top is often too much. You need someone with dedicated time and resources – you also need the support and buy in of your colleagues.
Compliance has been elevated to a business function in its own right and I attend the firm’s weekly operations meetings alongside the heads of HR, customer experience, marketing etc.
The importance put on compliance at a senior level trickles down and this is very helpful as every employee can play a part in compliance. We speak to staff regularly about the existing policies and procedures to see if anything needs updating or reviewing and keep compliance front of mind with our ‘policy of the month,’ which gives timely reminders about different policies to keep staff engaged.
Creating a culture of compliance means including and empowering everyone.
The change challenge
One of the reasons I advocate for compliance being a full-time role is that it’s changing all the time and it is a challenge to ensure policies and procedures remain compliant and fit for purpose. There are monthly updates from the SRA on hot topics and regulatory changes to be aware of, plus additional obligations under money laundering and data protection legislation.
The current SRA hot topic is the impact of home and hybrid working on employee behaviours and wellbeing, and providing appropriate supervision. SRA guidance is it just that – guidance, rather than prescriptive rules – so you need to consider how you interpret them for your firm.
With so many updates, it’s easy to lose track. I participate in compliance forums – both in person and online - which I would highly recommend. These ensure I don’t miss anything and also gives me some insight into how other compliance professionals are integrating the latest requirements from the SRA, and also changes directed by the Legal Ombudsman, Information Commissioner, Legal Services Affinity Group and more. Everyone has a slightly different take on things so it’s a good learning opportunity.
The change from within
The need for new policies, procedures and controls can come from within the firm. Sometimes this is ad hoc, such as when covid-19 hit, but I also carry out a full internal audit every autumn to see what needs to be updated. This is done as part of our ISO 9001 audit programme but it is also best practice.
Policies need to evolve with the practice, not sit on the server gathering dust. Each department is encouraged to be involved in the annual review, so we’ll go through their risk register together and ensure our policies and procedures reflect and mitigate any risks to the firm. We also include other colleagues, as they are a good barometer for what’s working and what’s not. If they are frustrated or are looking for a workaround for a control or procedure, we need to look at it again. Compliance shouldn’t make people’s lives harder or impact the customer experience.
The weekly operations board I mentioned earlier also throws up compliance issues from time to time. Another department may present an idea for something they want to run and I can be proactive about flagging compliance considerations from the outset.
One of the biggest challenges – and enablers – of compliance is technology. There are lots of new innovations coming to market and they all claim to ease your compliance woes! But are they a good fit for your business? It’s worth scrutinising new tools before making them part of your business as usual and monitoring outputs once they are up and running, as you will be culpable for any errors.
The piece of compliance tech that we wouldn’t be without is our e-verification tool which we use to onboard clients. As well as screening potential and active clients to ensure we comply with money laundering regulations, it also highlights any potential risks such as companies or individuals on the sanctions list because of their links with Russia, for example. The tool updates daily so if there are changes you should be aware of, you get an alert.
New technologies like this one may be cost-prohibitive to smaller firms but they can pay for themselves in both demonstrating compliance and reduced risk.
The policies and procedures you create to manage compliance are there to be used and there is a growing focus on evidencing outcomes. For example, our indemnity insurance provider now requires a risk management report as well as the usual facts and figures at renewal time. It’s indicative of a shift in thinking – anyone can say they are compliant, but can they prove it?
If you aren’t sure about the efficacy of your compliance activities and you need more support, there’s loads out there. You can learn from industry experts and share best practice with fellow professionals through Risk and Compliance groups (the Law Society and LawNet both have one) and also the Lawnet compliance newsletter.
Compliance is not about ticking boxes; it’s about achieving better outcomes for the client and for the industry. To do this, we’ve found that creating a culture where high standards of practice are the norm, and everyone takes responsibility for carrying out their role in accordance with policy and procedure can help deliver compliance day-in, day-out. I may be the compliance manager, but I certainly can’t do it all on my own.
Lyn Coughlan is head of compliance at FBC Manby Bowdler fbcmb.co.uk