1. How to put in place a compliance plan
Peter Scott
Peter Scott Consulting

2. The scope of this session
why all firms are going to need a compliance plan for the purposes of outcomes focused regulation;
compliance procedures which will need to be covered by a compliance plan; and
how a plan will need to be managed with a view to a firm not only being compliant and but also being able to demonstrate compliance.

3. Why do you need a compliance plan?
Rule 8.2 Authorisation Rules provide
An authorised body (i.e. a law firm) must at all times have suitable arrangements in place to ensure that:
the [firm], its managers and employees, comply with the SRA's regulatory arrangements as they apply to them, as required under section 176 of the LSA and Rule 8.1 above; and
the [firm] and its managers and employees, who are authorised persons, maintain
the professional principles.

4. 1. The [firm], its managers and employees, comply with the SRA's regulatory arrangements as they apply to them, as required under section 176 of the LSA and Rule 8.1 above
This will include all Principles, rules, outcomes and other requirements of the SRA Handbook

5. For example, under Chapter 7 of SRA Code the Outcomes provide that firms must, inter alia ....
- have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook - identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook if applicable and take steps to address issues identified Do you already have appropriate systems and controls in place to comply?

6. The Principles
Uphold the rule of law and proper administration of justice
Act with integrity
Do not allow your independence to be compromised
Act in the best interests of each client
Provide a proper standard of service to clients

7. The Principles continued
Behave in a way that maintains the trust the public places in you and in the provision of legal services
Comply with your legal and regulatory obligations and deal with your regulators and ombudsmen in an open, timely and co-operative manner
Run your business and carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles
Run or carry our your role in the business in a way that encourages equality of opportunity and respect for diversity.
Protect client money and assets

8. The outcomes in the Code cover these areas ...
Client care
Equality and diversity
Conflict of interests
Your client and the court
Your client and introductions to third parties
Management of your business
Publicity
Fee sharing and referrals
You and your regulator
Relations with third parties
Separate businesses

9. • clearly defined governance arrangements providing a transparent
The Guidance Notes to Rule 8 of the Authorisation Rules say a compliance plan should include .....
• clearly defined governance arrangements providing a transparent
framework for responsibilities within the firm 
• appropriate accounting procedures 
• a system for ensuring that only the appropriate people authorise
payments from client account
 • a system for ensuring that undertakings are given only when intended,
and compliance with them is monitored and enforced 

10. Rule 8 Guidance notes continued
• appropriate checks on new staff or contractors
 • a system for ensuring that basic regulatory deadlines are not missed
e.g. submission of the firm's accountant's report, arranging indemnity
cover, renewal of practising certificates and registrations, renewal of
all lawyers' licences to practise and provision of regulatory information
• a system for monitoring, reviewing and managing risks
 • ensuring that issues of conduct are given appropriate weight in
decisions the firm takes, whether on client matters or firm-based
issues such as funding 

11. Rule 8 Guidance Notes continued ....
• file reviews 
• appropriate systems for supporting the development and training of
staff 
• obtaining the necessary approvals of managers, owners and
COLP/COFA 
• arrangements to ensure that any duties to clients and others are fully
met even when staff are absent.

12. 2. The [firm] and its managers and employees, who are authorised persons, maintain the professional principles.
that authorised persons should act with independence and integrity,
that authorised persons should maintain proper standards of work,
that authorised persons should act in the best interests of their clients,
that persons who exercise before any court a right of audience, or conduct litigation in relation to proceedings in any court, by virtue of being authorised persons should comply with their duty to the court to act with independence in the interests of justice, and
that the affairs of clients should be kept confidential

13. Where to start? Which areas will need to be covered?
Which areas should be given priority?
Begin by looking at your current procedures to
see if they are:
adequate?
Need upgrading?
Adding to?

14. Client care For example:
Procedures for accepting / terminating instructions
File opening
Complaints handling / records
Dealing with clients’ matters
Fee arrangements with clients
Engagement letters
Costs information
Financial benefits

15. Equality and diversity
For example:
Written policies
Recruitment and interview procedures
Promotion and development criteria
Staff training records
Workplace diversity monitoring
References
Do your people know where to find your policies and know what they say?

16. Conflict of interests For example:
Systems and controls to identify conflicts
Governance procedures to manage issues relating to conflict
Policies for different areas of work
Policies on use of information barriers
Register of partners’ interests

17. Confidentiality and disclosure
For example:
Systems and controls to protect client confidential information
Policies on use of information barriers
Registers of outsourcing arrangements and confidentiality agreements

18. Introductions to third parties
For example:
Policies and procedures to be followed when referring clients to third parties
Register of financial arrangements with third parties
Systems and controls to ensure clients are fully informed about financial arrangements

19. Management and governance
For example:
Documentation as to governance and reporting lines
Training and communication to all appropriate personnel in respect of policies
Systems and controls relating to compliance, including monitoring, reporting and remedial
action and the maintenance of financial stability
regular review of procedures
supervision arrangements
file reviews
outsourcing contractual arrangements
undertakings policies
management of regulatory deadlines, including practising certificates

20. Publicity For example:
systems and controls to ensure all information in publicity and stationary is accurate and not misleading
protocols with external marketing advisers

21. Some other areas For example: business continuity plan
business plan for each part of the firm
library register
procedures for risk assessments, audits and remedial procedures
training records
data protection
file closure / file storage / archiving
deeds storage
anti- money laundering

22. Some other areas continued ....
record of claims and notifications to insurers
health and safety policies
intranet policies
and internet policies
Bribery Act
Checks on new staff and contractors
office procedures not covered by the above
And of course, last but not least, governance procedures in relation to the COLP and COFA and
how they will be supported in carrying out their roles.

23. Planning how to put in place a compliance plan

24. It will not be sufficient just to be compliant
Your challenge
It will not be sufficient just to be compliant
“If you cannot demonstrate compliance we may take regulatory action”
SRA - OFR at a glance

25. 1. Buy – in from everyone in your firm will be necessary
Needs to be management driven, with top level buy-in
Zero tolerance is required
Managing compliance risk needs to be seen as ‘everyone’s job’ – a mind set change is needed
Need a ‘no blame’ culture to encourage disclosure
Above all – identify your ‘big gorillas’ and deal with them
Otherwise everyone is at risk

26. “Heavyweight gorilla”
“You can’t manage me. I’m a big biller!”

27. “That’s a great idea …for the rest of you!”

28. Use education and training to obtain buy-in
Put in place a programme of education and training for all your people so they understand that everyone without exception needs to follow procedures Otherwise everyone is at risk

29. 2. Establish the resources you will need to put in place a compliance plan
For example:
Internal or external?
Part time partners or professionals?
Paper records or use of IT
If IT is used - bespoke or ‘off the peg’ systems?
Do you have a budget? 29 29

30. You will need a team to help you put together your compliance plan
Build a team around you to deal with this
- Assign responsibilities
Establish lines of accountability
Together
Each
Achieves
More

31. Planning your resources
Carry out a cost / benefit analysis to establish the most resource effective method for you to put in place and then manage your compliance plan

32. Constructing a compliance plan
DIAGNOSIS
Identification and assessment
MITIGATION
Control, transfer and avoidance
MONITORING
Auditing, tracking and reporting
When a risk crystallises
LIMITATION
Minimising the effect of crystallised risks

33. A systematic approach is required
Put in place a formal compliance risk
management process to identify and manage every area of compliance risk for the SRA Handbook and Code
Establish a comprehensive database covering all compliance risk areas
Standards such as Lexel and ISO 9000 are likely to help
Use of IT systems? 33 33

34. Identifying and assessing your compliance risks
DIAGNOSIS
Identification and assessment
MITIGATION
Control, transfer and avoidance
MONITORING
Auditing, tracking and reporting
When a risk crystallises
LIMITATION
Minimising the effect of crystallised risks

35. Identifying and assessing your compliance risks
Do you know your compliance risks?
What are your compliance risks?
Where does the knowledge of your compliance risk reside?
Can you access it?
Do you have systems to monitor, review and
upgrade your knowledge?

36. Failure to manage your knowledge will involve serious risk
Compliance / Risk Management
Knowledge
Management

37. Law firm risks Management IT People Regulatory Operational
Competition
/business
Economic,
political,
fiscal
Financial
Asset
Reputational
Management

38. Compliance Risk Mapping

39. Some key factors in identifying and assessing risks
Areas of law practiced
Claims record
Number and location of offices
Fee income / size of firm
Commitment to best practice
Knowledge management
Are risk management procedures already in place?
Supervision levels

40. Some examples of compliance risks
Lack of management commitment to best practice and compliance risk management
Lack of knowledge by management
Lack of supervision
High risk work
Lack of client vetting / fraud
Lack of client care / matter care
Lack of resource capability
Lack of knowledge / expertise / experience
Precedents / multiple use of advice
International work / overseas offices
Mergers

41. Assessment of compliance risks
Consider the impact of, inter alia:
Disciplinary action
Bad publicity and loss of reputation
Lost clients
Complaints and claims
Increased P.I. premiums 41 41

42. Using ‘brainstorming’ as a method of identifying and assessing compliance risks
‘Top down – bottom up’ brainstorming sessions in each group in your firm to:
- to identify every compliance risk area
- are we achieving every Outcome under the new Code?
- are we compliant in every area?
- do we have gaps?
- what will be required to fully comply?
- to what standards should we comply?
- how should we prioritise our efforts?

43. Risk Diagnosis Assess severity of high-level risks
Identify high level risks
Set criteria for assessing risks
Identify detailed risks
Assess severity of detailed risks
Risk map
Risk summary

44. Mitigating compliance risks
DIAGNOSIS
Identification and assessment
MITIGATION
Control, transfer and avoidance
MONITORING
Auditing, tracking and reporting
When a risk crystallises
LIMITATION
Minimising the effect of crystallised risks

45. Compliance risk Mitigation
Designed to:-
Ensure effective compliance
Avoid / reduce non compliance
Avoid / reduce incidence of risks
Transfer some risks

46. Risk mitigation Risk map Residual risk summary
Consider impact / probability correlation
Required controls summary
Insurance requirements summary
Contingency plan requirements
Residual risk summary
Consider available mitigation techniques

47. Monitoring compliance risks
DIAGNOSIS
Identification and assessment
MITIGATION
Control, transfer and avoidance
MONITORING
Auditing, tracking and reporting
When a risk crystallises
LIMITATION
Minimising the effect of crystallised risks

48. Compliance risk monitoring involves…
Auditing, tracking and reporting
Comparing actual outcomes to pre-set indicators
Confirming effectiveness of your risk responses
Reporting compliance and exceptions
Establishing [annual / periodical] compliance risk management reports
NB – COLP and COFA reporting obligations to SRA

49. Risk monitoring Required controls summary
Contingency plan requirements
Insurance requirements summary
Set risk indicators and methods to monitor them
Annual Risk Management Report

50. Limitation of compliance risks
DIAGNOSIS
Identification and assessment
MITIGATION
Control, transfer and avoidance
MONITORING
Auditing, tracking and reporting
When a risk crystallises
LIMITATION
Minimising the effect of crystallised risks

51. Risk limitation involves
Risk crystalisation scenarios
Contingency plans
Limitation procedures
Post event assessment
NB – COLP and COFA reporting obligations to SRA

52. Advantages of a formal compliance and risk management process for the new SRA Code?
Structured approach focuses on key compliance risk areas
Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes
Continuous monitoring ensures management of compliance and risk is “lived” day to day
Universal application to all compliance and risk areas
Comfort / assurance to PI insurers [and SRA?]

53. Use of IT systems for compliance and risk management?
Use an integrated compliance risk management system to cost effectively manage compliance risk areas by:
creating and maintaining one central, up to date compliance and risk database
providing information access to all who need it in relation to exposure to risk
embedding compliance and risk management procedures – e.g. client inception procedures
streamlining identification, assessment, mitigation and monitoring of compliance risks

54. Some areas of particular FOCUS in relation to managing compliance risks
Top level buy-in – management must not only drive compliance but also live it
Zero tolerance – just do it!
Training and education programmes to build awareness and change mind sets
Continuous and systematic monitoring and reporting 54 54

55. Above all, you will need to continuously challenge and stress test the effectiveness of your compliance procedures “We should always be able to do better”

56. Any questions?