Presentation on theme: "How to put in place a compliance plan"— Presentation transcript:
Slide 1: How to put in place a compliance plan
Peter Scott, Peter Scott Consulting
Slide 2: The scope of this session
• why all firms are going to need a compliance plan for the purposes of outcomes focused regulation;
• compliance procedures which will need to be covered by a compliance plan; and
• how a plan will need to be managed with a view to a firm not only being compliant but also being able to demonstrate compliance.
Slide 3: Why do you need a compliance plan?
Rule 8.2 of the Authorisation Rules provides:
An authorised body (i.e. a law firm) must at all times have suitable arrangements in place to ensure that:
• the [firm], its managers and employees, comply with the SRA's regulatory arrangements as they apply to them, as required under section 176 of the LSA and Rule 8.1 above; and
• the [firm] and its managers and employees, who are authorised persons, maintain the professional principles.
Slide 4: 1. The [firm], its managers and employees, comply with the SRA's regulatory arrangements as they apply to them, as required under section 176 of the LSA and Rule 8.1 above
This will include all Principles, rules, outcomes and other requirements of the SRA Handbook.
Slide 5: For example, under Chapter 7 of the SRA Code the Outcomes provide that firms must, inter alia:
• have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook
• identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook if applicable and take steps to address issues identified
Do you already have appropriate systems and controls in place to comply?
Slide 6: The Principles
• Uphold the rule of law and proper administration of justice
• Act with integrity
• Do not allow your independence to be compromised
• Act in the best interests of each client
• Provide a proper standard of service to clients
Slide 7: The Principles continued
• Behave in a way that maintains the trust the public places in you and in the provision of legal services
• Comply with your legal and regulatory obligations and deal with your regulators and ombudsmen in an open, timely and co-operative manner
• Run your business and carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles
• Run or carry out your role in the business in a way that encourages equality of opportunity and respect for diversity
• Protect client money and assets
Slide 8: The outcomes in the Code cover these areas ...
• Client care
• Equality and diversity
• Conflict of interests
• Your client and the court
• Your client and introductions to third parties
• Management of your business
• Publicity
• Fee sharing and referrals
• You and your regulator
• Relations with third parties
• Separate businesses
Slide 9: The Guidance Notes to Rule 8 of the Authorisation Rules say a compliance plan should include .....
• clearly defined governance arrangements providing a transparent framework for responsibilities within the firm
• appropriate accounting procedures
• a system for ensuring that only the appropriate people authorise payments from client account
• a system for ensuring that undertakings are given only when intended, and compliance with them is monitored and enforced
Slide 10: Rule 8 Guidance notes continued
• appropriate checks on new staff or contractors
• a system for ensuring that basic regulatory deadlines are not missed, e.g. submission of the firm's accountant's report, arranging indemnity cover, renewal of practising certificates and registrations, renewal of all lawyers' licences to practise and provision of regulatory information
• a system for monitoring, reviewing and managing risks
• ensuring that issues of conduct are given appropriate weight in decisions the firm takes, whether on client matters or firm-based issues such as funding
Slide 11: Rule 8 Guidance Notes continued ....
• file reviews
• appropriate systems for supporting the development and training of staff
• obtaining the necessary approvals of managers, owners and COLP/COFA
• arrangements to ensure that any duties to clients and others are fully met even when staff are absent.
Slide 12: 2. The [firm] and its managers and employees, who are authorised persons, maintain the professional principles:
• that authorised persons should act with independence and integrity,
• that authorised persons should maintain proper standards of work,
• that authorised persons should act in the best interests of their clients,
• that persons who exercise before any court a right of audience, or conduct litigation in relation to proceedings in any court, by virtue of being authorised persons should comply with their duty to the court to act with independence in the interests of justice, and
• that the affairs of clients should be kept confidential
Slide 13: Where to start?
Which areas will need to be covered? Which areas should be given priority?
Begin by looking at your current procedures to see whether they are:
• adequate?
• in need of upgrading?
• in need of adding to?
Slide 14: Client care
For example:
• Procedures for accepting / terminating instructions
• File opening
• Complaints handling / records
• Dealing with clients’ matters
• Fee arrangements with clients
• Engagement letters
• Costs information
• Financial benefits
Slide 15: Equality and diversity
For example:
• Written policies
• Recruitment and interview procedures
• Promotion and development criteria
• Staff training records
• Workplace diversity monitoring
• References
Do your people know where to find your policies and know what they say?
Slide 16: Conflict of interests
For example:
• Systems and controls to identify conflicts
• Governance procedures to manage issues relating to conflict
• Policies for different areas of work
• Policies on use of information barriers
• Register of partners’ interests
Slide 17: Confidentiality and disclosure
For example:
• Systems and controls to protect client confidential information
• Policies on use of information barriers
• Registers of outsourcing arrangements and confidentiality agreements
Slide 18: Introductions to third parties
For example:
• Policies and procedures to be followed when referring clients to third parties
• Register of financial arrangements with third parties
• Systems and controls to ensure clients are fully informed about financial arrangements
Slide 19: Management and governance
For example:
• Documentation as to governance and reporting lines
• Training and communication to all appropriate personnel in respect of policies
• Systems and controls relating to compliance, including monitoring, reporting and remedial action and the maintenance of financial stability
• regular review of procedures
• supervision arrangements
• file reviews
• outsourcing contractual arrangements
• undertakings policies
• management of regulatory deadlines, including practising certificates
Slide 20: Publicity
For example:
• systems and controls to ensure all information in publicity and stationery is accurate and not misleading
• protocols with external marketing advisers
Slide 21: Some other areas
For example:
• business continuity plan
• business plan for each part of the firm
• library register
• procedures for risk assessments, audits and remedial procedures
• training records
• data protection
• file closure / file storage / archiving
• deeds storage
• anti-money laundering
Slide 22: Some other areas continued ....
• record of claims and notifications to insurers
• health and safety policies
• intranet policies and internet policies
• Bribery Act
• Checks on new staff and contractors
• office procedures not covered by the above
And of course, last but not least, governance procedures in relation to the COLP and COFA and how they will be supported in carrying out their roles.
Slide 24: Your challenge
It will not be sufficient just to be compliant.
“If you cannot demonstrate compliance we may take regulatory action” (SRA - OFR at a glance)
Slide 25: 1. Buy-in from everyone in your firm will be necessary
• Needs to be management driven, with top level buy-in
• Zero tolerance is required
• Managing compliance risk needs to be seen as ‘everyone’s job’ – a mind set change is needed
• Need a ‘no blame’ culture to encourage disclosure
• Above all – identify your ‘big gorillas’ and deal with them
• Otherwise everyone is at risk
Slide 26: “Heavyweight gorilla”
“You can’t manage me. I’m a big biller!”
Slide 28: Use education and training to obtain buy-in
Put in place a programme of education and training for all your people so they understand that everyone without exception needs to follow procedures.
Otherwise everyone is at risk.
Slide 29: 2. Establish the resources you will need to put in place a compliance plan
For example:
• Internal or external?
• Part time partners or professionals?
• Paper records or use of IT?
• If IT is used - bespoke or ‘off the peg’ systems?
• Do you have a budget?
Slide 30: You will need a team to help you put together your compliance plan
Build a team around you to deal with this:
• Assign responsibilities
• Establish lines of accountability
Together Each Achieves More
Slide 31: Planning your resources
Carry out a cost / benefit analysis to establish the most resource effective method for you to put in place and then manage your compliance plan.
Slide 32: Constructing a compliance plan
• DIAGNOSIS: Identification and assessment
• MITIGATION: Control, transfer and avoidance
• MONITORING: Auditing, tracking and reporting
When a risk crystallises:
• LIMITATION: Minimising the effect of crystallised risks
Slide 33: A systematic approach is required
• Put in place a formal compliance risk management process to identify and manage every area of compliance risk for the SRA Handbook and Code
• Establish a comprehensive database covering all compliance risk areas
• Standards such as Lexcel and ISO 9000 are likely to help
• Use of IT systems?
Slide 34: Identifying and assessing your compliance risks
• DIAGNOSIS: Identification and assessment
• MITIGATION: Control, transfer and avoidance
• MONITORING: Auditing, tracking and reporting
When a risk crystallises:
• LIMITATION: Minimising the effect of crystallised risks
Slide 35: Identifying and assessing your compliance risks
• Do you know your compliance risks?
• What are your compliance risks?
• Where does the knowledge of your compliance risk reside?
• Can you access it?
• Do you have systems to monitor, review and upgrade your knowledge?
Slide 36: Failure to manage your knowledge will involve serious risk
[Diagram: Compliance / Risk Management; Knowledge Management]
Slide 37: Law firm risks
[Diagram of risk categories: Management; IT; People; Regulatory; Operational; Competition/business; Economic, political, fiscal; Financial; Asset; Reputational]
Slide 39: Some key factors in identifying and assessing risks
• Areas of law practiced
• Claims record
• Number and location of offices
• Fee income / size of firm
• Commitment to best practice
• Knowledge management
• Are risk management procedures already in place?
• Supervision levels
Slide 40: Some examples of compliance risks
• Lack of management commitment to best practice and compliance risk management
• Lack of knowledge by management
• Lack of supervision
• High risk work
• Lack of client vetting / fraud
• Lack of client care / matter care
• Lack of resource capability
• Lack of knowledge / expertise / experience
• Precedents / multiple use of advice
• International work / overseas offices
• Mergers
Slide 41: Assessment of compliance risks
Consider the impact of, inter alia:
• Disciplinary action
• Bad publicity and loss of reputation
• Lost clients
• Complaints and claims
• Increased P.I. premiums
Slide 42: Using ‘brainstorming’ as a method of identifying and assessing compliance risks
‘Top down – bottom up’ brainstorming sessions in each group in your firm:
• to identify every compliance risk area
• are we achieving every Outcome under the new Code?
• are we compliant in every area?
• do we have gaps?
• what will be required to fully comply?
• to what standards should we comply?
• how should we prioritise our efforts?
Slide 43: Risk Diagnosis
• Assess severity of high-level risks
• Identify high level risks
• Set criteria for assessing risks
• Identify detailed risks
• Assess severity of detailed risks
• Risk map
• Risk summary
Slide 44: Mitigating compliance risks
• DIAGNOSIS: Identification and assessment
• MITIGATION: Control, transfer and avoidance
• MONITORING: Auditing, tracking and reporting
When a risk crystallises:
• LIMITATION: Minimising the effect of crystallised risks
Slide 45: Compliance risk Mitigation
Designed to:
• Ensure effective compliance
• Avoid / reduce non compliance
• Avoid / reduce incidence of risks
• Transfer some risks
Slide 46: Risk mitigation
• Risk map
• Residual risk summary
• Consider impact / probability correlation
• Required controls summary
• Insurance requirements summary
• Contingency plan requirements
• Consider available mitigation techniques
Slide 47: Monitoring compliance risks
• DIAGNOSIS: Identification and assessment
• MITIGATION: Control, transfer and avoidance
• MONITORING: Auditing, tracking and reporting
When a risk crystallises:
• LIMITATION: Minimising the effect of crystallised risks
Slide 48: Compliance risk monitoring involves…
• Auditing, tracking and reporting
• Comparing actual outcomes to pre-set indicators
• Confirming effectiveness of your risk responses
• Reporting compliance and exceptions
• Establishing [annual / periodical] compliance risk management reports
NB – COLP and COFA reporting obligations to SRA
Slide 49: Risk monitoring
• Required controls summary
• Contingency plan requirements
• Insurance requirements summary
• Set risk indicators and methods to monitor them
• Annual Risk Management Report
Slide 50: Limitation of compliance risks
• DIAGNOSIS: Identification and assessment
• MITIGATION: Control, transfer and avoidance
• MONITORING: Auditing, tracking and reporting
When a risk crystallises:
• LIMITATION: Minimising the effect of crystallised risks
Slide 51: Risk limitation involves
• Risk crystallisation scenarios
• Contingency plans
• Limitation procedures
• Post event assessment
NB – COLP and COFA reporting obligations to SRA
Slide 52: Advantages of a formal compliance and risk management process for the new SRA Code?
• Structured approach focuses on key compliance risk areas
• Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes
• Continuous monitoring ensures management of compliance and risk is “lived” day to day
• Universal application to all compliance and risk areas
• Comfort / assurance to PI insurers [and SRA?]
Slide 53: Use of IT systems for compliance and risk management?
Use an integrated compliance risk management system to cost effectively manage compliance risk areas by:
• creating and maintaining one central, up to date compliance and risk database
• providing information access to all who need it in relation to exposure to risk
• embedding compliance and risk management procedures – e.g. client inception procedures
• streamlining identification, assessment, mitigation and monitoring of compliance risks
Slide 54: Some areas of particular FOCUS in relation to managing compliance risks
• Top level buy-in – management must not only drive compliance but also live it
• Zero tolerance – just do it!
• Training and education programmes to build awareness and change mind sets
• Continuous and systematic monitoring and reporting
Slide 55: Above all, you will need to continuously challenge and stress test the effectiveness of your compliance procedures
“We should always be able to do better”