Effective Identification and Management of Compliance Risks
Peter Scott,
Peter Scott Consulting
What is risk?
Exposure to the possibility of suffering or harm
The chance of bad things happening, the probability of which may or may not be measurable – Seldon & Pennance, Everyman’s Dictionary of Economics
What gets measured effectively and as a result has a consequence, gets done
Why manage risk?
“It has got to make financial sense, but you have to see risk management as one of your strategic objectives. Business resilience is actually a competitive advantage”
– Cedric Lenoire, head of FM Global’s business risk consulting division (‘The Times’, 21 January 2013)
But it is also now mandatory for law firms. Principle 8 in the SRA Handbook requires you to -
“Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles”
It is now not a question of if law firms manage their risks but how they do so
And the scope and volume of compliance now requires a different approach
For example, under OFR firms must:
- have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook
- identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook if applicable and take steps to address issues identified
- ensure compliance with all the reporting and notification requirements in the Handbook
Scope of today’s session
1. Identifying and assessing compliance risks
2. Developing effective control measures
3. Monitoring and reviewing the effectiveness of your risk management procedures
However, there is one thing which is fundamental to the ability to manage risks: knowledge.
“There are known knowns; there are things we know we know.
We also know there are known unknowns; that is to say, we know there are some things we do not know.
But there are also unknown unknowns – the ones we don’t know we don’t know.”
– Donald Rumsfeld
One of the primary purposes of knowledge management (KM) should be to help a law firm manage its risks
Law firm risks
- People
- Operational
- Regulatory
- IT
- Competition / business
- Economic, political, fiscal
- Financial
- Asset
- Reputational
Establishing and evaluating knowledge
Failure to manage knowledge is itself a risk
What knowledge (if any) do you have about each aspect of your business?
Where is that knowledge?
Has it been captured or is it in someone’s head?
If recorded, is it under your control and can it be freely accessed?
If in someone’s head, how can you ensure that person remains with you and shares that knowledge?
Failure to manage your knowledge will involve serious risk
Compliance / Risk Management
Knowledge Management
Some processes to identify compliance risks
A combination of:
- Pre-file opening [online] mandatory matter level risk management questionnaires
- Exception reporting
- ‘Independent’ file reviews
- Positive confirmation of compliance
- Voluntary reporting?
- Claims and complaints monitoring
- Financial measurement and reporting
- Supervision
- Gap analysis
Such processes are likely to identify the existence, the frequency, the severity and the causes of compliance failures
Some examples of compliance risks identifiable in these ways:
- Failure to achieve SRA Principles and outcomes
- Client inception
- Matter inception
- Doing the work
- Financial controls
- SRA Accounts Rules 2011
- Management of your firm
- Your people
SRA Code of Conduct outcomes
Use gap analysis and group brainstorming sessions to identify the gaps in your compliance
- Are we achieving this outcome?
- If not, where are the gaps?
- Why are we not achieving this outcome?
- What will we need to do to achieve this outcome?
- What could be the consequences / impact on our firm?
- How should we prioritise our efforts to fill in the gaps?
Client inception
Do you really know your client?
Do you have procedures and controls in place for vetting and approving new (and existing) clients?
- Where did the client come from?
- Why has the client chosen your firm?
- Experience with previous lawyers?
- If a former client, your previous experience?
Can your procedures be by-passed? Recorded levels of compliance? Do you have a risk committee to adjudicate on such matters?
Matter inception
Do you have procedures and controls in place for vetting and approving new matters, including –
- Conflicts of interests?
- Nature of the work and your experience / skills?
- Supervision required?
- How busy are you?
- PI cover adequate?
- Engagement letters checked, sent and copy returned?
Are the above embedded into your systems to prevent being by-passed? Recorded levels of compliance? Do you have a risk committee to adjudicate on the above?
Doing the work
Do you have procedures and controls for:
- Delegation / supervision based on risk rating of clients and matters?
- Key dates and time limits?
- Undertakings?
- Opinion letters?
- File management?
- File reviews?
- International work and international offices?
- Multiple use of advice / systemic loss?
- Use of third parties?
- Loss of confidential information?
- Client care?
Recorded levels of compliance?
Financial controls
What do you measure and report on? Quality of your financial management?
Cash flow
Credit checks / money on account / frequency of billing / credit terms?
Levels of work in progress and debtors?
Cash flow forecasts and variance reports?
Cash generation plans? Banking covenants?
Profitability
Budgets?
Full time recording?
Input reports?
Pricing?
Write-off controls on WIP and debtors?
SRA Accounts Rules 2011
What procedures and controls do you have in place in relation to:
- Your accounts department’s ability to identify risks to client money?
- Authority limits?
- Using client account to provide banking facilities?
- Interest on client money?
- Residual client account balances / file closing procedures?
Do you have a breaches register? Awareness by your lawyers of the Accounts Rules / training? Does your COFA have a working knowledge of the Accounts Rules?
Management of your firm?
Do you have a tested and sufficiently resourced management structure to deal with –
- Finance?
- Risk and compliance?
- KM?
- AML / fraud?
- Client care / quality standards?
- Reputation?
- Outsourcing?
- Business planning and continuity?
- People?
How do you document your management of the above risks?
People
Do you have:
- Professional HR management?
- Training on all compliance and other risk procedures?
- Development and learning policies?
- Appropriate appraisal systems?
- Procedures to manage regulatory risk issues?
- A whistleblowing policy?
How do you document your management of the above?
Analysis and assessment of risks
- Set criteria for assessing compliance and risks
- Identify high level risks of non compliance
- Assess severity of high-level risks
- Identify detailed risks
- Assess severity of detailed risks
- Compliance and risk map
- Compliance and risk summary
Set criteria – for example, financial stability
Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles – Principle 8
Maintain systems and controls for monitoring your financial stability … and taking steps to address issues identified – outcome (7.4)
Analysis of your risks against achievement of those financial stability criteria?
High level risks
- Quality of your financial management?
- Lack of financial awareness by your people?
- Willingness of your partners to be managed?
Detailed risks
- Procedures for credit checking clients and taking money on account?
- Controlling levels of work in progress and debtors?
- Cash flow forecasts and variance reports?
- Budgets?
- Fully recording matter related time?
- Control of pricing and writing off recorded time?
Risk mapping
Risks are plotted on a two-by-two map of IMPACT (low to high) against INCIDENCE (low to high):

                         INCIDENCE
                   Low                High
IMPACT   High      High impact /      High impact /
                   low incidence      high incidence
         Low       Low impact /       Low impact /
                   low incidence      high incidence
Developing effective control measures for compliance risk mitigation
Designed to -
Ensure effective compliance
Avoid / reduce non compliance
Avoid / reduce incidence of risks
Transfer some risks
From the risk map and risk summary:
- Consider impact / probability correlation
- Consider available mitigation techniques
- Required controls summary
- Insurance requirements summary
- Contingency plan requirements
- Residual risk summary
Compliance risk monitoring involves…
Auditing, tracking and reporting
Comparing actual outcomes to pre-set indicators
Confirming effectiveness of your risk controls
Reporting compliance and exceptions
Establishing [annual / periodical] compliance risk management reports
From the required controls summary, contingency plan requirements and insurance requirements summary:
- Set risk indicators and methods to monitor them
- Annual Risk Report
On-going monitoring and reviewing compliance risks
A combination of:
- Pre-file opening mandatory matter level risk management questionnaires
- Exception reporting
- ‘Independent’ file reviews
- Positive confirmation of compliance
- Voluntary reporting?
- Claims and complaints monitoring
- Financial measurement and reporting
- Accounts Rules breaches register
- Supervision
- Use of IT systems?
Effective use of IT systems for compliance risk management?
Use an integrated risk management system to cost effectively manage compliance and other risk areas by:
creating and maintaining one central, up to date compliance and risk database
providing information access to all who need it in relation to exposure to risk
embedding compliance and risk management procedures – e.g. client inception procedures
streamlining identification, assessment, mitigation and monitoring of compliance and other risks
Risk limitation involves:
- Risk crystallisation scenarios
- Contingency plans
- Limitation procedures
- Post event assessment
Advantages of a formal compliance risk management process?
Structured approach focuses on key compliance and other risk areas
Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes
Continuous monitoring ensures management of compliance and risk is “lived” day to day
Universal application to all compliance and risk areas
Comfort / assurance to PI insurers [and SRA?]
Your challenge ....
is not merely to ensure your firm is compliant but …
to be able to DEMONSTRATE to the SRA that your firm and everyone in the firm is compliant on an on-going basis
“If you cannot demonstrate compliance we may take regulatory action”
SRA – OFR at a glance