Systemize your compliance and risk management

Business Management
Systemize your compliance with Rule 5
Peter Scott
Peter Scott Consulting
www.peterscottconsult.co.uk
PETER SCOTT CONSULTING
- and with an eye on outcomes focussed regulation in relation to business management …
how to plan at the same time to comply with:
- The new SRA Code
- The Principles
- The outcomes
Who currently has a compliance / risk manager?
The future …
“The management and supervision of firms is covered by chapter 7 of the new handbook. Firms will be required to have a compliance officer for legal practice to oversee and embed adherence to the principles, rules and outcomes, and a compliance officer for finance and administration to ensure compliance with the Accounts Rules. You might wish to start considering who within your firm might fulfil these roles and how they will carry them out.”
Charles Plant – chair of the board of the SRA
Law Society Gazette 8 July 2010
Rule 5 aims to set out…
- Responsibility for the overall supervision and management framework of a firm
- Minimum requirements to be ‘qualified to supervise’
- Minimum standards for supervision of client matters
- Minimum requirements for business arrangements essential to good practice and integral to compliance with supervision and other duties to clients
The scope of Rule 5
Financial management and controls
Practice continuation
Key regulatory requirements
PI
SARs
certification
accountants reports
registration
recognition
Training
- Competence
- CPD
Supervision
conflicts
- Qualified to supervise
Management of risk
Rule 2 – client relations
Rule 6 – equality and diversity
safe keeping of documents and assets
Control of undertakings
Are you in control of your risks?
Operational Management
Who believes they are currently fully compliant with Rule 5?
How do you know you are compliant?
The challenge of Rule 5….
How to manage compliance with Rule 5 in a way which will enable you to evidence, even with limited resources, that appropriate arrangements are in place and operating, so you can demonstrate:
- compliance
- the effectiveness of that compliance
The challenge of Chapter 7 of the new SRA Code?
- Is about the management and supervision of a firm
- Provides that 10 listed outcomes must be achieved
- In particular ….
Firms must ....
- have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook
- identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook if applicable and take steps to address issues identified
Who already has appropriate systems and controls in place … to currently comply with Rule 5?
What is required?
A need to manage your:
- Resources
- Knowledge
Resources?
- People and Money
- Internal or external?
- Part time partners or professionals?
- Bespoke or ‘off the peg’?
Carry out a cost / benefit analysis to establish the most resource effective method for your firm to manage compliance and risks
Knowledge? - Failure to manage knowledge involves widespread risk
Compliance / Risk Management
Knowledge Management
Compliance and risk – do you know your risk areas?
- Where does the knowledge of your compliance and risk areas reside?
- Can you access it?
- Do you have systems to maintain and upgrade your knowledge?
Where to start?
A systematic approach is needed
- Management driven, with top level buy-in
- Zero tolerance is required
- Managing risk and compliance needs to be seen as ‘everyone’s job’ – a mindset change is needed
- Need a ‘no guilt’ culture to encourage disclosure
- Approach compliance and risk management from a knowledge management viewpoint and vice versa
A systematic approach is required
- Put in place a formal compliance and risk management process to identify and manage every area of compliance and risk for Rule 5 compliance and for the new SRA Code
- Establish a comprehensive database covering all compliance and risk areas
- Standards such as Lexel and ISO 9000 are likely to help
- Use of IT systems?
Advantages of a formal compliance and risk management process for Rule 5 and under the new SRA Code?
- Structured approach focuses on key compliance and risk areas
- Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes
- Continuous monitoring ensures management of compliance and risk is “lived” day to day
- Universal application to all compliance and risk areas
- Comfort / assurance to PI insurers
Use of IT systems for compliance and risk management?
Use an integrated compliance and risk management system to cost effectively manage compliance and risk areas by:
- creating and maintaining one central, up to date compliance and risk database
- providing information access to all who need it in relation to exposure to risk
- embedding compliance and risk management procedures – e.g. client inception procedures
- streamlining identification, assessment, mitigation and monitoring
Implementing a compliance and risk management strategy
- Diagnosis: Identification and assessment
- Implementation of compliance procedures and Mitigation of risk: Avoidance, control or transfer
- Monitoring: Auditing, tracking and reporting
- Limitation: Minimising the effects of crystallised risks
Identification of compliance and risk areas?
- Needs to be management-driven
- ‘Top down – bottom up’ brainstorming sessions to:
  - identify every compliance and risk area
  - are we compliant in every area?
  - do we have gaps?
  - what will be required to comply?
  - to what standards should we comply?
  - how should we prioritise our efforts?
- Assignment of responsibilities and lines of accountability
Compliance and risk assessment
- Incidence - probability
- Impact - severity
Risk Mapping - where to focus resource?
IMPACT (rows) against INCIDENCE (columns):

            | Low incidence              | High incidence
High impact | High impact/ low incidence | High impact/ high incidence
Low impact  | Low impact/ low incidence  | Low impact/ high incidence
Try this out on your ...
- Supervision arrangements
- Financial controls
- Business continuity planning
- Client care letters
- AML procedures
- etc
Assessment of non-compliance and other risks
Consider the impact of, inter alia:
- Disciplinary action
- Bad publicity and loss of reputation
- Lost clients
- Complaints and claims
- Increased P.I. premiums
Assessment of compliance and risks
Set criteria for assessing compliance and risks
Identify detailed risks
Identify high level risks of non compliance
Assess severity of detailed risks
Assess severity of high-level risks
Compliance and risk map
Compliance and risk summary
Compliance and Risk Mitigation
Designed to:
- Ensure effective compliance
- Avoid / reduce non compliance
- Avoid / reduce incidence of risks
- Transfer some risks
Risk mitigation
Compliance and risk map
Compliance and risk summary
Residual risk summary
Consider impact/probability correlation
Consider available mitigation techniques
Contingency plan requirements
Insurance requirements summary
Required controls summary
Some techniques to put in place compliance and mitigate risks
- Top level buy-in – management must not only drive compliance but also live it
- Zero tolerance – just do it!
- Training and education programmes to build awareness and change mindsets
- Continuous and systematic monitoring and reporting
- A need to continuously challenge the effectiveness of compliance and risk management
Compliance and risk monitoring involves…
- Auditing, tracking and reporting
- Comparing actual outcomes to preset indicators
- Confirming effectiveness of risk responses
- Reporting compliance and exceptions
- Annual compliance and risk management report
Compliance and risk monitoring
Required controls summary
Contingency plan requirements
Insurance requirements summary
Set compliance and risk indicators and methods to monitor them
Annual Compliance and Risk Report
How are you going to demonstrate the
effectiveness of your firm’s compliance with Rule 5?
Financial management and controls
Practice continuation
Key regulatory requirements
PI
SARs
certification
accountants reports
registration
recognition
Training
- Competence
- CPD
Supervision
conflicts
- Qualified to supervise
Management of risk
Rule 2 – client relations
Rule 6 – equality and diversity
Financial
safe keeping of documents and assets
Control of undertakings
In the future how are you going to demonstrate achievement of outcomes under the new SRA Code?
Start now – systemise your compliance and risk management
The future?
How will law firms be able to provide the increasing resource needed to be fully and effectively compliant?
- by consolidation?
- by pooling of resources?
- by other means?
Outsourcing your compliance and risk management?
Outcome 10 of Chapter 7 – Management of your business
Where legal activities or operational functions are outsourced you ensure such outsourcing does not:
(i) jeopardise the quality of your legal activities nor impair the quality of your internal controls; and
(ii) impact on the SRA’s ability to monitor your compliance with all obligations in the Handbook.
Any questions?