How to be an effective COLP

Peter Scott Consulting
Why manage compliance risks?
“The pursuit of excellence, with the aim of doing
things better for the clients”
Director of Risk of a ‘top ten’ UK law firm
Compliance needs to be ‘lived’ on a daily basis
by everyone and there can be no exceptions to
following procedures. Otherwise everyone is at
Your challenges as the COLP
Understanding your role and responsibilities as the COLP
Planning how you will fulfil your role as the COLP
Securing ‘buy-in’ and ‘accountability’ from everyone in your firm
Identifying and assessing your firm’s compliance risks
Implementing and managing your ‘compliance plan’
- in order to be able to DEMONSTRATE to the SRA that your firm is compliant
1. Understanding your role and responsibilities as the COLP
• The scope of your role
• The potential consequences if you do not carry out your role effectively:
  - for you
  - your firm
  - everyone in your firm
The scope of your role as COLP under Rule 8 of the SRA Authorisation Rules is extensive and very wide.
8.5.(c) SRA Authorisation Rules
Take all reasonable steps to:
(A) ensure compliance with the terms and conditions of the authorised
body’s authorisation except any obligations under the SRA Accounts
(B) ensure compliance with any statutory obligations of the body, its
managers, employees or interest holders in relation to the body’s
carrying on of authorised activities
(C) record any failure so to comply and make such records available to
the SRA on request;
For example, Chapter 7 of the SRA Code includes the following outcomes:
- you have appropriate systems and controls in place to achieve and comply with all
Principles, rules and outcomes and other requirements of the Handbook
- you identify, monitor and manage risks to the achievement of all outcomes, rules,
Principles and other requirements in the Handbook if applicable and take steps to
address issues identified
Are you achieving these outcomes?
8.5.(c) SRA Authorisation Rules (continued)
(ii) As soon as reasonably practicable, report to the SRA any failure so to comply
provided that:
(A) in the case of non-material failures, these shall be taken to have been reported
as soon as reasonably practicable if they are reported to the SRA together with such
other information as the SRA may require in accordance with Rule 8.7(a); and
(B) a failure may be material either taken on its own or as part of a pattern of failures
so to comply.
What is a ‘material’ failure to comply?
Guidance Notes to Rule 8 provide:
(x) In considering whether a failure is “material” and therefore reportable, the
COLP or COFA, as appropriate, will need to take account of various factors,
such as:
• the detriment, or risk of detriment, to clients
• the extent of any risk of loss of confidence in the firm or in the
provision of legal services
• the scale of the issue
• the overall impact on the firm, its clients and third parties.
In addition, the COLP/COFA will need to keep appropriate records of failures
in compliance to:
• monitor overall compliance with obligations
• assess the effectiveness of the firm’s systems
• be able to comply with the duty to report breaches which are material
because they form a pattern.
For example, Chapter 10 of the SRA Code includes the following:
Outcome O(10.1) - you ensure that you comply with all the reporting and
notification requirements in the Handbook that apply to you;
Indicative behaviour IB(10.1) - actively monitoring your achievement of the
outcomes in order to improve standards and identify non-achievement of the
outcomes may tend to show that you have achieved these outcomes and
therefore complied with the Principles.
NB - 8.5.(c) SRA Authorisation Rules ….
(ii) As soon as reasonably practicable, report to the SRA any failure so to comply
Consider the impact of:
• Disciplinary action
• Bad publicity and loss of reputation
• Lost clients
• Complaints and claims
• Increased P.I. premiums
2. Planning how to fulfil your role as the COLP
What are your compliance risks?
Where does the knowledge of your compliance risks reside?
Can you access that knowledge?
Do you have systems to monitor, review and upgrade your knowledge of your compliance risks?
Do you have the resources to effectively carry out your role?
Carry out a cost/benefit analysis to establish the most resource-effective way of
managing your role as COLP so that your firm is compliant.
For example:
• Internal or external?
• Part-time partners or professionals?
• Paper records or use of IT?
3. Securing internal buy-in as a condition of your agreement to
carry out the role of COLP
Needs to be management driven, with top level buy-in
Zero tolerance is required – just do it!
Managing compliance risk needs to be seen as ‘everyone’s job’ – a mind-set change is needed
Need a ‘no blame’ culture to encourage disclosure
Above all – identify your ‘big gorillas’ and deal with them, otherwise everyone is at risk
“That’s a great idea … for the rest of you!”
“Heavyweight gorilla”
“You can’t manage me. I’m a big biller!”
“We have no room for those who put their own personal agenda ahead of the
interests of the clients or the office”
- David Maister’s “Predictive package”
An ‘accountability undertaking’ may be required from partners
Your role as the COLP will only be capable of being effectively
carried out by you if your partners (other owners) accept that
they must be ‘accountable’ by, for example, undertaking to
support and comply with in the fullest possible way:
The implementation of all regulatory compliance procedures
agreed by our firm;
Those mandated with the onerous task of managing
regulatory compliance within the firm; and
Every other partner and individual in the firm as each
endeavours to fulfil their respective roles in the firm in order
to ensure full and complete regulatory compliance.
4. Identifying and assessing your compliance risks
Use ‘top down – bottom up’ brainstorming sessions in each group in your firm
as a method of identifying and assessing compliance risks, so as to identify
every compliance risk area:
• are we achieving every Outcome under the new Code?
• are we compliant in every area?
• do we have gaps?
• what will be required to fully comply?
• to what standards should we comply?
• how should we prioritise our efforts?
Some examples of compliance risks
Lack of management commitment to best practice
and compliance risk management
Lack of knowledge by management
Lack of supervision
High risk work
Lack of client vetting / fraud
Lack of client care / matter care
Lack of resource capability
Lack of knowledge / expertise / experience
Precedents / multiple use of advice
International work / overseas offices
Compliance Risk Mapping
(2 x 2 matrix: impact plotted against incidence, each axis running from Low to High)

                 Low incidence                    High incidence
High impact      High impact / low incidence      High impact / high incidence
Low impact       Low impact / low incidence       Low impact / high incidence
5. Managing your ‘compliance plan’
A systematic approach is required
Put in place a formal compliance risk management process to identify and manage
every area of compliance risk under the SRA Handbook and Code
Establish a comprehensive database covering all compliance risk areas
Standards such as Lexcel and ISO 9000 are likely to help
Advantages of a formal compliance risk management process for
the new SRA Code?
A structured approach focuses on key compliance risk
Can demonstrate how a firm is complying and the
effectiveness of compliance / outcomes
Continuous monitoring ensures management of
compliance and risk is “lived” day to day
Universal application to all compliance and risk areas
Comfort / assurance to PI insurers [and SRA?]
Use of IT systems for compliance risk management?
Use an integrated compliance risk management system to cost
effectively manage compliance risk areas by:
– creating and maintaining one central, up to date compliance
and risk database
– providing information access to all who need it in relation to
exposure to risk
– embedding compliance and risk management procedures –
e.g. client inception procedures
– streamlining identification, assessment, mitigation and
monitoring of compliance risks
Above all, as a COLP you will need to
continuously challenge the
effectiveness of your compliance
Any questions?