Systemise your compliance management Peter Scott Consulting www.peterscottconsult.co.uk
Why manage compliance risks? “The pursuit of excellence, with the aim of doing things better for the clients” Director of Risk of a ‘top ten’ UK law firm
“If you cannot demonstrate compliance we may take regulatory action”
SRA – OFR at a glance
The scope and volume of compliance requires a different approach
For example, under Chapter 7 of the SRA Code the Outcomes provide that firms must:
- have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook
- identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook, if applicable, and take steps to address issues identified
Do you already have appropriate systems and controls in place to comply?
Your challenge ... is not merely to ensure your firm is compliant but to be able to DEMONSTRATE to the SRA that your firm and everyone in the firm is compliant on an on-going basis
How will you be able to do this?
Outcomes focused regulation is about managing processes
How can these processes be systemised to provide a cost effective method to manage your compliance?
Do you know your compliance risks?
- What are your compliance risks?
- Where does the knowledge of your compliance risk reside?
- Can you access it?
- Do you have systems to monitor, review and upgrade your knowledge?
A Risk Management / KM integrated approach
• Approach risk from a KM viewpoint and vice versa
• Need to manage the risks relating to knowledge in any event
• Managing the risks
• Quality assurance
• Greater competitiveness
Failure to manage your knowledge will involve serious risk
(Diagram: Knowledge Management linked to Compliance / Risk Management)
Establishing the resources you will need to effectively manage your compliance
For example:
- Internal or external?
- Part time partners or professionals?
- Paper records or use of IT?
- If IT is used, bespoke or ‘off the peg’ systems?
Planning your resources
Carry out a cost / benefit analysis to establish the most resource effective method for you to manage your compliance risks
Where to start?
- A systematic approach is needed
- Needs to be management driven, with top level buy-in
- Zero tolerance is required – no exceptions – just do it!
- Managing compliance risk needs to be seen as ‘everyone’s job’ – a mind set change is needed
- Need a ‘no blame’ culture to encourage disclosure
- Training and education programmes to build awareness and change mindsets
- Continuous and systematic monitoring and reporting
Otherwise everyone is at risk
A systematic approach is required
- Put in place a formal compliance risk management process to identify and manage every area of compliance risk for the SRA Handbook and Code
- Establish a comprehensive database covering all compliance risk areas
- Standards such as Lexcel and ISO 9000 are likely to help
Implementing a compliance risk management strategy
DIAGNOSIS: identification and assessment
MITIGATION: control, transfer and avoidance
MONITORING: auditing, tracking and reporting
When a risk crystallises:
LIMITATION: minimising the effect of crystallised risks
Use of risk management tools?
Use an integrated risk management system to quantify, assess and control risk by:
• streamlining diagnosis, mitigation and monitoring
• embedding common risk management procedures
• providing information access to all who need it
• creating and maintaining one central, up to date risk database
Compliance risk identification and assessment
• Incidence - probability
• Impact - severity
Some examples of compliance risks
• Lack of management commitment to best practice and compliance risk management
• Lack of knowledge by management
• Lack of supervision
• High risk work
• Lack of client vetting / fraud
• Lack of client care / matter care
• Lack of resource capability
• Lack of knowledge / expertise / experience
• Precedents / multiple use of advice
• International work / overseas offices
• Mergers
Using ‘brainstorming’ as a method of identifying and assessing compliance risks
• ‘Top down – bottom up’ brainstorming sessions in each group in your firm:
- to identify every compliance risk area
- are we achieving every Outcome under the new Code?
- are we compliant in every area?
- do we have gaps?
- what will be required to fully comply?
- to what standards should we comply?
- how should we prioritise our efforts?
Assessment of compliance risks
Consider the impact of, inter alia:
- Disciplinary action
- Bad publicity and loss of reputation
- Lost clients
- Complaints and claims
- Increased P.I. premiums
Risk diagnosis (diagram)
- Set criteria for assessing risks
- Identify detailed risks
- Assess severity of detailed risks
- Identify high level risks
- Assess severity of high-level risks
- Risk map
- Risk summary
Compliance risk mitigation
Designed to:
- Ensure effective compliance
- Avoid / reduce non compliance
- Avoid / reduce incidence of risks
- Transfer some risks
Risk mitigation (diagram)
- Risk summary
- Residual risk summary
- Consider impact / probability correlation
- Consider available mitigation techniques
- Required controls summary
- Contingency plan requirements
- Insurance requirements summary
- Risk map
Compliance risk monitoring involves…
- Auditing, tracking and reporting
- Comparing actual outcomes to pre-set indicators
- Confirming effectiveness of your risk responses
- Reporting compliance and exceptions
- Establishing [annual / periodical] compliance risk management reports
Risk monitoring (diagram)
- Required controls summary
- Contingency plan requirements
- Insurance requirements summary
- Set risk indicators and methods to monitor them
- Annual Risk Management Report
Risk limitation involves
• Risk crystallisation scenarios
• Contingency plans
• Limitation procedures
• Post event assessment
Advantages of a formal compliance risk management process for the new SRA Code?
- Structured approach focuses on key compliance risk areas
- Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes
- Continuous monitoring ensures management of compliance and risk is “lived” day to day
- Universal application to all compliance and risk areas
- Comfort / assurance to PI insurers [and SRA?]
Effective use of IT systems for compliance risk management?
Use an integrated compliance risk management system to cost effectively manage compliance risk areas by:
- creating and maintaining one central, up to date compliance and risk database
- providing information access to all who need it in relation to exposure to risk
- embedding compliance and risk management procedures – e.g. client inception procedures
- streamlining identification, assessment, mitigation and monitoring of compliance risks
Outcomes focused regulation is about processes
Using IT systems is likely to be the most cost effective and compliant method to manage these processes.
Any questions?