How to put a compliance plan in place

Report
How to put in place a compliance
plan
Peter Scott
Peter Scott Consulting
www.peterscottconsult.co.uk
The scope of this session
• why all firms are going to need a compliance plan for the
purposes of outcomes focused regulation;
• compliance procedures which will need to be covered by a
compliance plan; and
• how a plan will need to be managed with a view to a firm not
only being compliant and but also being able to demonstrate
compliance.
Why do you need a compliance plan?
Rule 8.2 Authorisation Rules provide
An authorised body (i.e. a law firm) must at all times have suitable arrangements in
place to ensure that:
1. the [firm], its managers and employees, comply with the SRA's regulatory
arrangements as they apply to them, as required under section 176 of the LSA and
Rule 8.1 above; and
2. the [firm] and its managers and employees, who are authorised persons, maintain
the professional principles.
1. The [firm], its managers and employees, comply with the
SRA's regulatory arrangements as they apply to them, as
required under section 176 of the LSA and Rule 8.1 above
This will include all Principles, rules, outcomes and
other requirements of the SRA Handbook
For example, under Chapter 7 of SRA Code the Outcomes
provide that firms must, inter alia ....
- have appropriate systems and controls in place to achieve and comply with all
Principles, rules and outcomes and other requirements of the Handbook
- identify, monitor and manage risks to the achievement of all outcomes, rules,
Principles and other requirements in the Handbook if applicable and take steps to
address issues identified
Do you already have appropriate systems and controls in place to comply?
The Principles
• Uphold the rule of law and proper administration of
justice
• Act with integrity
• Do not allow your independence to be compromised
• Act in the best interests of each client
• Provide a proper standard of service to clients
The Principles continued
• Behave in a way that maintains the trust the public places in you and in
the provision of legal services
• Comply with your legal and regulatory obligations and deal with your
regulators and ombudsmen in an open, timely and co-operative manner
• Run your business and carry out your role in the business effectively and in
accordance with proper governance and sound financial and risk
management principles
• Run or carry our your role in the business in a way that encourages
equality of opportunity and respect for diversity.
• Protect client money and assets
The outcomes in the Code cover these areas ...
•
•
•
•
•
•
•
•
•
•
•
Client care
Equality and diversity
Conflict of interests
Your client and the court
Your client and introductions to third parties
Management of your business
Publicity
Fee sharing and referrals
You and your regulator
Relations with third parties
Separate businesses
The Guidance Notes to Rule 8 of the Authorisation Rules say a compliance plan
should include .....
• clearly defined governance arrangements providing a transparent
framework for responsibilities within the firm
• appropriate accounting procedures
• a system for ensuring that only the appropriate people authorise
payments from client account
• a system for ensuring that undertakings are given only when intended,
and compliance with them is monitored and enforced
Rule 8 Guidance notes continued
• appropriate checks on new staff or contractors
• a system for ensuring that basic regulatory deadlines are not missed
e.g. submission of the firm's accountant's report, arranging indemnity
cover, renewal of practising certificates and registrations, renewal of
all lawyers' licences to practise and provision of regulatory information
• a system for monitoring, reviewing and managing risks
• ensuring that issues of conduct are given appropriate weight in
decisions the firm takes, whether on client matters or firm-based
issues such as funding
Rule 8 Guidance Notes continued ....
• file reviews
• appropriate systems for supporting the development and training of
staff
• obtaining the necessary approvals of managers, owners and
COLP/COFA
• arrangements to ensure that any duties to clients and others are fully
met even when staff are absent.
2. The [firm] and its managers and employees, who are
authorised persons, maintain the professional principles.
•
that authorised persons should act with independence and integrity,
• that authorised persons should maintain proper standards of work,
• that authorised persons should act in the best interests of their clients,
• that persons who exercise before any court a right of audience, or conduct
litigation in relation to proceedings in any court, by virtue of being
authorised persons should comply with their duty to the court to act with
independence in the interests of justice, and
• that the affairs of clients should be kept confidential
Where to start?
• Which areas will need to be covered?
• Which areas should be given priority?
Begin by looking at your current procedures to
see if they are:
- adequate?
- Need upgrading?
- Adding to?
Client care
For example:
•
•
•
•
•
•
•
•
Procedures for accepting / terminating instructions
File opening
Complaints handling / records
Dealing with clients’ matters
Fee arrangements with clients
Engagement letters
Costs information
Financial benefits
Equality and diversity
For example:
•
•
•
•
•
•
Written policies
Recruitment and interview procedures
Promotion and development criteria
Staff training records
Workplace diversity monitoring
References
Do your people know where to find your policies and know what they say?
Conflict of interests
For example:
•
•
•
•
•
Systems and controls to identify conflicts
Governance procedures to manage issues relating to conflict
Policies for different areas of work
Policies on use of information barriers
Register of partners’ interests
Confidentiality and disclosure
For example:
• Systems and controls to protect client confidential information
• Policies on use of information barriers
• Registers of outsourcing arrangements and confidentiality agreements
Introductions to third parties
For example:
• Policies and procedures to be followed when referring clients to third
parties
• Register of financial arrangements with third parties
• Systems and controls to ensure clients are fully informed about financial
arrangements
Management and governance
For example:
•
•
•
•
•
•
•
•
•
•
Documentation as to governance and reporting lines
Training and communication to all appropriate personnel in respect of policies
Systems and controls relating to compliance, including monitoring, reporting and remedial
action and the maintenance of financial stability
regular review of procedures
supervision arrangements
file reviews
outsourcing contractual arrangements
undertakings policies
management of regulatory deadlines, including practising certificates
Publicity
For example:
• systems and controls to ensure all information in publicity and stationary
is accurate and not misleading
• protocols with external marketing advisers
Some other areas
For example:
•
•
•
•
•
•
•
•
•
business continuity plan
business plan for each part of the firm
library register
procedures for risk assessments, audits and remedial procedures
training records
data protection
file closure / file storage / archiving
deeds storage
anti- money laundering
Some other areas continued ....
•
•
•
•
•
•
•
record of claims and notifications to insurers
health and safety policies
intranet policies
email and internet policies
Bribery Act
Checks on new staff and contractors
office procedures not covered by the above
And of course, last but not least, governance procedures in relation to the COLP and COFA and
how they will be supported in carrying out their roles.
Planning how to put in place a
compliance plan
Your challenge
It will not be sufficient just to be compliant
“If you cannot demonstrate compliance we
may take regulatory action”
SRA - OFR at a glance
1. Buy – in from everyone in your firm will be
necessary
•
Needs to be management driven, with top level buy-in
•
Zero tolerance is required
•
Managing compliance risk needs to be seen as ‘everyone’s job’ – a
mind set change is needed
•
Need a ‘no blame’ culture to encourage disclosure
•
Above all – identify your ‘big gorillas’ and deal with them
Otherwise everyone is at risk
“Heavyweight gorilla”
“You can’t
manage me.
I’m a big biller!”
“That’s a great idea
…for the rest of you!”
Use education and training to obtain buy-in
Put in place a programme of education and training for
all your people so they understand that everyone
without exception needs to follow procedures
Otherwise everyone is at risk
2. Establish the resources you will need to put in
place a compliance plan
For example:
•
•
•
•
•
Internal or external?
Part time partners or professionals?
Paper records or use of IT
If IT is used - bespoke or ‘off the peg’ systems?
Do you have a budget?
You will need a team to help you put together your
compliance plan
Build a team around you to deal with this
- Assign responsibilities
- Establish lines of accountability
Together
Each
Achieves
More
Planning your resources
Carry out a cost / benefit analysis to
establish the most resource effective
method for you to put in place and then manage
your compliance plan
Constructing a compliance plan
DIAGNOSIS
Identification and
assessment
MITIGATION
Control, transfer and
avoidance
MONITORING
Auditing, tracking and reporting
When a risk crystallises
LIMITATION
Minimising the effect of
crystallised risks
A systematic approach is required
•
Put in place a formal compliance risk
management process to identify and manage every area of
compliance risk for the SRA Handbook and Code
•
Establish a comprehensive database covering all compliance risk
areas
•
Standards such as Lexel and ISO 9000 are likely to help
•
Use of IT systems?
Identifying and assessing your compliance risks
DIAGNOSIS
Identification and
assessment
MITIGATION
Control, transfer and
avoidance
MONITORING
Auditing, tracking and reporting
When a risk crystallises
LIMITATION
Minimising the effect of
crystallised risks
Identifying and assessing your compliance risks
Do you know your compliance risks?
• What are your compliance risks?
• Where does the knowledge of your compliance risk
reside?
• Can you access it?
• Do you have systems to monitor, review and
upgrade your knowledge?
Failure to manage your knowledge will involve serious risk
Compliance / Risk
Management
Knowledge
Management
Law firm risks
Operational
Management
Compliance Risk Mapping
IMPACT
High
High impact/ low incidence
High impact/ high incidence
Low impact/ low incidence
Low impact/ high incidence
Low
Low
High
INCIDENCE
Some key factors in identifying and assessing risks
•
•
•
•
•
•
•
•
Areas of law practiced
Claims record
Number and location of offices
Fee income / size of firm
Commitment to best practice
Knowledge management
Are risk management procedures already in place?
Supervision levels
Some examples of compliance risks
•
•
•
•
•
•
•
•
•
•
•
Lack of management commitment to best practice
and compliance risk management
Lack of knowledge by management
Lack of supervision
High risk work
Lack of client vetting / fraud
Lack of client care / matter care
Lack of resource capability
Lack of knowledge / expertise / experience
Precedents / multiple use of advice
International work / overseas offices
Mergers
Assessment of compliance risks
Consider the impact of, inter alia:
•
Disciplinary action
•
Bad publicity and loss of reputation
•
Lost clients
•
Complaints and claims
•
Increased P.I. premiums
Using ‘brainstorming’ as a method of identifying and
assessing compliance risks
‘Top down – bottom up’ brainstorming sessions in each group in
your firm to:
-
to identify every compliance risk area
are we achieving every Outcome under the new Code?
are we compliant in every area?
do we have gaps?
what will be required to fully comply?
to what standards should we comply?
how should we prioritise our efforts?
Risk Diagnosis
Set criteria for
assessing risks
Identify detailed
risks
Identify high
level risks
Assess severity of
detailed risks
Assess severity of
high-level risks
Risk
map
Risk
summary
Mitigating compliance risks
DIAGNOSIS
Identification and
assessment
MITIGATION
Control, transfer and
avoidance
MONITORING
Auditing, tracking and reporting
When a risk crystallises
LIMITATION
Minimising the effect of
crystallised risks
Compliance risk Mitigation
Designed to:-
• Ensure effective compliance
• Avoid / reduce non compliance
• Avoid / reduce incidence of risks
• Transfer some risks
Risk mitigation
Risk
map
Risk
summary
Residual
risk
summary
Consider impact /
probability
correlation
Consider available
mitigation
techniques
Contingency
plan
requirements
Insurance
requirements
summary
Required
controls
summary
Monitoring compliance risks
DIAGNOSIS
Identification and
assessment
MITIGATION
Control, transfer and
avoidance
MONITORING
Auditing, tracking and reporting
When a risk crystallises
LIMITATION
Minimising the effect of
crystallised risks
Compliance risk monitoring involves…
•
Auditing, tracking and reporting
•
Comparing actual outcomes to pre-set indicators
•
Confirming effectiveness of your risk responses
•
Reporting compliance and exceptions
•
Establishing [annual / periodical] compliance risk
management reports
NB – COLP and COFA reporting obligations to SRA
Risk monitoring
Required controls
summary
Contingency plan
requirements
Set risk indicators and
methods to monitor
them
Insurance
requirements
summary
Annual Risk
Management Report
Limitation of compliance risks
DIAGNOSIS
Identification and
assessment
MITIGATION
Control, transfer and
avoidance
MONITORING
Auditing, tracking and reporting
When a risk crystallises
LIMITATION
Minimising the effect of
crystallised risks
Risk limitation involves
•
•
•
•
Risk crystalisation scenarios
Contingency plans
Limitation procedures
Post event assessment
NB – COLP and COFA reporting obligations to SRA
Advantages of a formal compliance and risk
management process for the new SRA Code?
•
Structured approach focuses on key compliance risk
areas
•
Can demonstrate how a firm is complying and the
effectiveness of compliance / outcomes
•
Continuous monitoring ensures management of
compliance and risk is “lived” day to day
•
Universal application to all compliance and risk areas
•
Comfort / assurance to PI insurers [and SRA?]
Use of IT systems for compliance and risk management?
Use an integrated compliance risk management
system to cost effectively manage compliance risk
areas by:
– creating and maintaining one central, up to date
compliance and risk database
– providing information access to all who need it in
relation to exposure to risk
– embedding compliance and risk management
procedures – e.g. client inception procedures
– streamlining identification, assessment,
mitigation and monitoring of compliance risks
Some areas of particular FOCUS in relation to managing
compliance risks
•
Top level buy-in – management must not only drive compliance but also
live it
•
Zero tolerance – just do it!
•
Training and education programmes to build awareness and change mind
sets
•
Continuous and systematic monitoring and reporting
Above all, you will need to continuously
challenge and stress test the effectiveness
of your compliance procedures
“We should always be able to do better”
Any questions?

similar documents