1. Assessing firm risk 27-28 September 2012 Andrew Garbutt Director of Risk, SRA

2. The SRA Risk Framework Before acting, we identify risks based on a central risk index We assess risks consistently & share these assessments across the SRA to aid understanding We monitor risk levels against our tolerance to direct control activities We continually evaluate our effectiveness by monitoring changing outcomes Evaluate We control unacceptable risk levels through regulatory tools We learn and adapt our tolerance, resourcing levels and approach to contolling risks ControlMonitorAssessIdentify

3. Risk Assessment We will assess risk at the level of : Event Individual Firm Sector Market

4. Risk Index We have identified 6 high level categories of regulatory risk Instability or firm failure Risks arising from firm instability due to financial viability and/or structural composition Fraud & dishonesty Risk that firm becomes involved in fraud or dishonesty as perpetrator, facilitator or victim Operational risk Risk arising from the inadequacy of firm’s policies, processes, people or systems Fitness & propriety Risk that individuals lack competence, fitness or propriety Market risk Risks arising from or affecting the operation of the legal services market External risks Risk arising from wider factors beyond the scope of the legal services market, such as economic, political or legal changes.

5. frequency > impact / severity > External events political, economic, social, technological shifts High volume, lower impact events every day events more predictable Very large single events severe faults in very large firms large negative reputation events Probability scoring

6. Risk assessment – entity level Each one of the 11,000+ firms we regulate will be supervised The level of resource allocated to supervising each firm will be based upon the level of risk The firm assessment will have two key aspects - impact and probability: First each firm’s potential to impact upon our regulatory objectives will be scored. This screening process will be largely automated Then a more detailed assessment will take place which looks at the probability of issues arising within a firm

7. Size TurnoverFee earnersBranches Client money Client money held? Vulnerability Vulnerable client work Asymmetry Work for clients in a position of informational asymmetry Impact scoring This represents the regulatory footprint of the entity

8. Risk profile – data led risk assessment Brainstormed possible risk indicators where data was available in the SRA Informed by review of factors present in past cases Identified pools of firms where risks could be shown to have crystallised - e.g. Where there has been a finding of dishonesty Tested for the presence of our risk indicators Tested for statistical significance in pool of firms compared to all firms

9. Risk profile – data led risk assessment Relative strength of the significant indicators used to inform weightings Indicators used to calculate a category score RAG rating Indicator Score = 0 Score = 4 Score = 3 Score = 0 Score = 9 Category score = 16 FALSE TRUE FALSE TRUE

10. Risk profile – data led risk assessment outputs

11. Evaluation of the model Sources of evaluation: Profiles of intervened firms –Good correlation between levels of risk in profile, and intervention –Some correlation with grounds of intervention –Can see direction of travel for risk matched to grounds for intervention Data set of 600 firms with grounds to suspect higher levels of risk Comparison with assessments of other organisations