Not having a risk register isn't a risk worth taking

Feature
Firms should regard the new requirement to have a risk register and a compliance plan as an opportunity to improve efficiencies, however unclear the SRA's regulatory expectations are, says Stuart Bushell

Many firms of solicitors find themselves trying to guess what the Solicitors Regulation Authority actually wants in order to demonstrate compliance with the new Code of Conduct - the SRA has hardly adopted a didactic approach towards giving them a clue. Experience of the regulatory regime of the Financial Services Authority, which provided the precedent for outcomes focused regulation, makes clear that this requires an audit trail.

Two documents which are likely to be key elements in most firms' audit trails are the risk register and the compliance plan. These were specified as part of the consultation process undertaken by the SRA in preparation for the new regulatory regime, in which a group of pilot firms were asked to compile a schedule of the risks confronting their practices, on the basis that this would inform the compliance plan which they were also asked to create. Curiously, there is no reference to a risk register in the SRA handbook, and the only reference to a compliance plan is in one of the Guidance notes to Rule 8.10 of the Authorisation Rules, which assumes that such a plan will be in place. Such is outcomes focused regulation! It is noticeable that, in the SRA application forms for ABS status, a risk register and compliance plan are mandatory.

Risk and compliance are clearly regarded as going hand in hand. Hence the creation of the Law Society's risk and compliance support service. The focus on risk may seem surprising, given that most solicitors are already far too risk averse for their own good in the commercial world in which they have to compete. However, it should be remembered that the focus on risk was instigated originally by the FSA in the context of investment, and that the types of risk which firms are required to address are those affecting their clients and the reputation of the profession, as much as the firms themselves. So the compilation of a risk register is a good starting point on the road to compliance.

Conforming to firm-wide disciplines

One of the biggest risks facing many law firms is the self-inflicted risk arising from the unwillingness of individual partners to bow to authority and conform to firm-wide disciplines - i.e. to work as team members rather than individuals. Associated with this is the reluctance to share clients and cross-refer work, perhaps with a view to keeping the option open of taking the client following elsewhere. These risks, combined, could undermine the competitiveness of a firm and threaten its future viability; and the fact of committing the risk to paper and making it an on-going agenda item for management meetings could in itself assist in bringing recalcitrants to heel in a way which avoids finger-pointing.

The threat of competition from new entrants to the legal market is on many solicitors' minds and merits serious discussion, the conclusions from which should inform the firm's business plan and marketing plan. Certain areas of business are likely to be affected by the growth in on-line legal services, and discussion of the possible impact should be prompted by the inclusion of the issue in the risk register, as should the question of over-dependence on particular types of business or individual clients.

New solutions to old issues

Another major issue is that of client data security, not only in terms of confidentiality and IT policies but also the physical risk of loss of data from fire or flood or theft. The absence of discipline in recording and maintaining client data in a consistent and orderly fashion could hamper internal cross-referrals and give rise to conflicts; and to the extent that IT systems might be outsourced, the absence of due diligence and the failure to provide contractually for the outsource provider to provide access to the SRA, would present their own risks.

It is commonly accepted that clients are rarely in a position to question the quality of legal advice and that consequently most complaints centre on service standards. The risk here arises out of the failure to establish and implement robust client care procedures, making clear the services to be provided, the costs and time frames involved and the redress procedures; and firms' terms of business can easily be turned to advantage by combining them with explanations of the scope of the services provided and the factors which differentiate the firm from its competitors.

The experience of FSA-regulated firms is that addressing regulatory requirements as an opportunity for improvement rather than an unwelcome imposition can greatly assist in improving business efficiency and a spirit of teamwork; and it should always be remembered that the SRA has confirmed that it is firms' management as a whole which will be held accountable for shortcomings, and that COLP and COFA will not be regarded as scapegoats. For every firm, not having a risk register or compliance plan are, in themselves, risks simply not worth taking.