Risk Management Workshop - The Law Society

Post on 21-Sep-2020


Risk Management Workshop

Lexcel: Common Non Compliances in Risk Management

Ms Shazia Saleem

Solicitor | Lexcel Assessor | ISO 9001 & 27001 Auditor

Contents

• Introduction

• Risk – What is it?

• Risk Identification

• Risk Treatment/Assessment

• Common Non compliances in Risk

• Conclusion

• Questions

Risk – what is it?

• Risk: ‘A situation involving exposure to danger’ (Oxford Dictionary)

• SRA: ‘We take an outcome focused risk based approach to regulation to make sure individuals and Firms we regulate operate independently and with integrity in the interests of their clients and in the wider public interest.’

• FCA: ‘We consider risk to be the combination of impact (the potential harm that could be caused) and probability (the likelihood of the particular issue or event occurring).’

Risk – What is it?

As solicitors, our approach to risk management is often determined by a number of factors:

• Our regulatory body

• Our business model

• Accreditations

• Stakeholder Requirements

• Clients

Risk – What is it?

• The SRA publish their Risk Outlook annually

• Contains an overview of:

– risks for the protection of people who use legal services

– the operation of the rule of law

– the proper administration of justice

• Amongst other things, it is designed to help solicitors and firms manage risk

Risk – Identification

• The 2015/2016 Risk Outlook identified these priority risks

• A good starting point?

• How does this tie in with Lexcel?

Risk – Identification

The Lexcel Practice Management Standard broadly identifies three types of risk:

• Strategic Risks

• Operational Risks

• Regulatory Risks

• Risk Index

• Process approach

Risk – Identification

Risk indexes are helpful in:

• Identifying risk

• Categorising risk

• Providing methodology

• Risk Profiling

• Monitoring & Controlling Risk

• Continual review and improvement

• A useful example: SRA Risk Index

Risk Identification

Risk Assessment/ Treatment

• Identify the Risk

• Assess/Measure its importance (impact v probability of occurrence)

• Give it a score

• Accept, Reduce/Transfer or Eliminate

• Monitor & Review

• Continually Improve the QMS

• Examples provided

Common Non Compliances: Lexcel

Lexcel:

• There are three accredited Lexcel assessment bodies:

– Inspiring Business Performance

– Centre For Assessment

– Recognising Excellence

• Identified top 5 non compliance areas within Risk Management

Common Non Compliances: Lexcel

Top 5 :

• 5.1 - Compliance Plan & Risks Register

• 5.11 - File Reviews

• 5.12 - Operational Risk/ Instructions: Opening, Interim and Closing Risk Assessment

• 5.15 - Bribery

• 5.16 - Annual Risk Assessment of Data

Compliance Plan & Risk Register

5.1 of the Law Society’s Lexcel Standard:

‘Practices must have a risk management policy which must include:

a) Compliance Plan

b) Risks Register’

Compliance Plan

A Compliance Plan should:

• Identify key personnel (COLP/ COFA/ MLRO/ CO)

• State the practice's and personnel's authority and responsibility for compliance

• Identify key policies crucial to the compliance plan, for example:

– SRA (COLP/ COFA)

– Solicitors Accounts Rules

– Accountants Report

Compliance Plan

– Health and safety

– Anti-money laundering

– Anti-bribery

– Data protection

• Draft the policies

• Control of documents

• Diarise key dates for review/ reporting

• Establish Internal reporting procedures

• Comply with external regulatory reporting requirements

• Review and Improve

Compliance Plan

• Auditing experience (examples of Non compliances)

• How to meet the requirements

• Implications for large Firms

Risk Register

Lexcel Guidance: The Risks Register often divides risks into the following categories:

• Strategic

• Financial

• Operational

• Compliance

• Breaches (material and non-material)

Risk Register

• Auditing experience (examples of Non compliances)

• How to meet the requirements for large organisations

• Implications for large Firms

File Reviews

5.11 Practices must have a procedure for regular, independent file reviews of either the management of the file or its substantive legal content, or both. In relation to file reviews, the practice must:

a) Define and explain the selection criteria

b) Define and explain the number and frequency of reviews

c) Retain a record of the file review on the matter file and centrally

d) Ensure that the designated supervisor reviews and monitors the data generated by the file review

e) Conduct a review at least annually of the data generated by file reviews.

File Reviews

Devise rationale for file selection, for example:

- Sample size

- Frequency

- Representative sampling

- Risk Profiling

- Composition of review

- Experience/ Expertise of reviewer

- Format

- Documented record on file of review and central register of reviews (5.11.c)

File Reviews

• Auditing experience (examples of Non compliances)

• How to meet the requirements for large organisations

• Benefits for large Firms

Operational Risk/ Instructions

5.12 of the Law Society’s Lexcel Standard:

‘Operational risk must be considered and recorded in all matters before, during and after the processing of instructions.’

Operational Risk/ Instructions

Before the matter is undertaken the fee earner must:

a) Consider if a new client and/or matter is accepted by the practice, in accordance with section 6.1 (client care policy) and 6.7 (accepting/ declining instructions)

b) Assess the risk profile of all new instructions and notify the supervisor, in accordance with procedures under 5.4, of any unusual or high risk considerations in order that appropriate action may be taken.

Operational Risk/ Instructions

During the retainer the fee earner must:

c) Consider any change to the risk profile of the matter and report and advise on such circumstances without delay, informing the supervisor if appropriate

d) Inform the client in all cases where an adverse costs order is made against the practice in relation to the matter in question.

Operational Risk/ Instructions

At the end of the matter the fee earner must:

e) Undertake a concluding risk assessment by considering if the client's objectives have been achieved

f) Notify the supervisor of all such circumstances in accordance with documented procedures in section 5.4 (higher risk profile matters) above.

Opening, interim and closing risk assessments must be documented on the matter file.

Operational Risk/ Instructions

Potential risks throughout the matter:

- Vulnerable clients

- Difficult clients/ Clients that are likely to complain

- Unpalatable Advice

- High Profile/ Public interest matter

- Effective management of client care

A concluding risk assessment is a consideration of:

• Have the client objectives been met?

• Is the client likely to complain?

• Potential for negligence?

Operational Risk/ Instructions

• Auditing experience (examples of Non compliances)

• How to meet the requirements for large organisations

• Implications for large Firms

Bribery

5.15 Practices must have a policy setting out the procedures to prevent bribery in accordance with current legislation.

Bribery

Guidelines for drafting Bribery policy:

• Set out clear objectives

• Identify and establish boundaries

• No exceptions/ No tolerance

• Create and maintain a register of gifts and hospitality

• If in doubt, record and report internally

• Continual review and improvement

Bribery

• Auditing experience (examples of Non compliances)

• How to meet the requirements for large organisations

• Implications for large Firms

Annual Risk Assessment of Data

5.16 Practices will analyse at least annually all risk assessment data generated within the practice. This must include:

a) Any indemnity insurance claims

b) An analysis of client complaint trends

c) Data generated by file reviews

d) Any matters notified to the COLP/COFA

e) Any material breaches notified to the SRA

f) Any non material breaches recorded

g) Situations where the practice acted where a conflict existed

h) The identification of remedial action

Annual Risk Assessment of Data

Annual Risk Assessment:

• Collate data/ statistics

• Identify trends

• Review policies to ensure effective operation

• Be proactive, take steps to improve the QMS

• The role of the COLP/COFA cannot be overstated

• All breaches, material or non-material, must be recorded.

Annual Risk Assessment of Data

• Auditing experience (examples of Non compliances)

• How to meet the requirements for large organisations

• Implications for large Firms

Conclusion & Questions

• Questions

• Thank you

• Contact

Shazia Saleem

Solicitor | Lexcel Assessor | ISO 9001 & 27001 Auditor

E: shazia@ssaleem.com

T: 07947 782 934
