1 / 35

Effective Identification and Management of Compliance Risks Peter Scott,

Effective Identification and Management of Compliance Risks Peter Scott, . Peter Scott Consulting . What is risk?. Exposure to the possibility of suffering or harm The chance of bad things happening

soren
Télécharger la présentation

Effective Identification and Management of Compliance Risks Peter Scott,

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Effective Identification and Management of Compliance Risks Peter Scott, Peter Scott Consulting

  2. What is risk? • Exposure to the possibility of suffering or harm • The chance of bad things happening • The probability of which may or may not be measurable – Seldon & Pennance Everyman’s Dictionary of Economics • What gets measured effectively and as a result has a consequence, gets done

  3. Why manage risk? • “It has got to make financial sense, but you have to see risk management as one of your strategic objectives. Business resilience is actually a competitive advantage” – Cedric Lenoire, head of FM Global’s business risk consulting division (‘The Times’ 21 January 2013 • But it is also now mandatory for law firms. Principle 8 in the SRA Handbook requires you to - “Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles” • It is now not a question of if law firms manage their risks but how they do so

  4. And the scope and volume of compliance now requires a different approach For example, under OFR firms must: • have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook • identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook if applicable and take steps to address issues identified • Ensure compliance with all the reporting and notification requirements in the Handbook

  5. Scope of today’s session 1. Identifying and assessing compliance risks • y to one 3. Monitoring and reviewing the effectiveness of your risk management procedures 2. Developing effective control measures

  6. However there is one thing which is fundamental to the ability to manage risks ….. Knowledge “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say, we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know”. Donald Rumsfeld One of the primary purposes of knowledge management (KM) should be to help a law firm manage its risks

  7. Operational Reputational People Regulatory Asset IT Financial Economic, political, fiscal Competition /business Law firm risks Establishing and evaluating knowledge

  8. Failure to manage knowledge is itself a risk • What knowledge (if any) do you have about each aspect of your business? • Where is that knowledge? • Has it been captured or is it in someone’s head? • If recorded, is it under your control and can it be freely accessed? • If in someone’s head, how can you ensure that person remains with you and shares that knowledge?

  9. Failure to manage your knowledge will involve serious risk Knowledge Management Compliance / Risk Management

  10. 1. Identifying and assessing compliance risks • y to one 3. Monitoring and reviewing the effectiveness of your risk management procedures 2. Developing effective control measures

  11. Some processes to identify compliance risks A combination of - • Pre – file opening [online] mandatory matter level risk management questionnaires • Exception reporting • ‘Independent’ file reviews • Positive confirmation of compliance • Voluntary reporting? • Claims and complaints monitoring • Financial measurement and reporting • Supervision • Gap analysis Such processes are likely to identify the existence, the frequency, the severity and the causes of compliance failures

  12. Some examples of compliance risks identifiable in these ways …. • Failure to achieve SRA Principles and outcomes • Client inception • Matter inception • Doing the work • Financial controls • SRA Accounts Rules 2011 • Management of your firm • Your people

  13. SRA Code of Conduct outcomes Use gap analysis and group brainstorming sessions to identify the gaps in your compliance • Are we achieving this outcome? • If not, where are the gaps? • Why are we not achieving this outcome? • What will we need to do to achieve this outcome? • What could be the consequences / impact on our firm? • How should we prioritise our efforts to fill in the gaps?

  14. Client inception • Do you really know your client? • Do you have procedures and controls in place for vetting and approving new (and existing) clients? - Where did the client come from? - Why has the client chosen your firm? - Experience with previous lawyers? - If a former client, your previous experience? • Can your procedures be by-passed? • Recorded levels of compliance? • Do you have a risk committee to adjudicate on such matters?

  15. Matter inception • Do you have procedures and controls in place for vetting and approving new matters, including – - Conflicts of interests? - Nature of the work and your experience / skills? - Supervision required? - How busy are you? - PI cover adequate? - Engagement letters checked , sent and copy returned? • Are the above embedded into your systems to prevent being by-passed? • Recorded levels of compliance? • Do you have a risk committee to adjudicate on the above?

  16. Doing the workDo you have procedures and controls for …. • Delegation / supervision based on risk rating of clients and matters? • Key dates and time limits? • Undertakings? • Opinion letters? • File management? • File reviews? • International work and international offices? • Multiple use of advice / systemic loss? • Use of third parties? • Loss of confidential information? • Client care? Recorded levels of compliance?

  17. Financial controls What do you measure and report on?Quality of your financial management? Cash flow • Credit checks / money on account / frequency of billing / credit terms? • Levels of work in progress and debtors? • Cash flow forecasts and variance reports? • Cash generation plans? • Banking covenants? • Profitability • Budgets? • Full time recording? • Input reports? • Pricing? • Write – off controls on wip and debtors?

  18. SRA Accounts Rules 2011 • What procedures and controls do you have in place in relation to - - Your accounts department’s ability to Identify risks to client money? - Authority limits? - Using client account to provide banking facilities? - Interest on client money? - Residual client account balances / file closing procedures? • Do you have a breaches register? • Awareness by your lawyers of the Accounts Rules? / training? • Does your COFA have a working knowledge of the Accounts Rules?

  19. Management of your firm? Do you have a tested and sufficiently resourced management structure to deal with – • Finance? • Risk and compliance? • KM? • AML / fraud? • Client care / quality standards? • Reputation? • Outsourcing? • Business planning and continuity? • People? How do you document your management of the above risks?

  20. People Do you have • Professional HR management? • Training on all compliance and other risk procedures? • Development and learning policies? • Appropriate appraisal systems? • Procedures to manage regulatory risk issues • A whistleblowing policy? How do you document your management of the above?

  21. Set criteria for assessing compliance and risks Identify detailed risks Assess severity of detailed risks Identify high level risks of non compliance Assess severity of high-level risks Compliance and risk map Compliance and risk summary

  22. Analysis and assessment of risks Set criteria – for example, financial stability • Run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles – Principle 8 • Maintain systems and controls for monitoring your financial stability …. and taking steps to address issues identified - outcome (7.4)

  23. Analysis of your risks against achievement of those financial stability criteria? High level risks • Quality of your financial management? • Lack of financial awareness by your people? • Willingness of your partners to be managed? Detailed risks • Procedures for credit checking clients and taking money on account? • Controlling levels of work in progress and debtors? • Cash flow forecasts and variance reports? • Budgets? • Fully recording matter related time? • Control of pricing and writing off recorded time?

  24. Risk mapping

  25. 1. Identifying and assessing compliance risks • y to one 3. Monitoring and reviewing the effectiveness of your risk management procedures 2. Developing effective control measures

  26. Developing effective control measures for compliance risk mitigation Designed to - Ensure effective compliance Avoid / reduce non compliance Avoid / reduce incidence of risks Transfer some risks

  27. Residual risk summary Consider impact/probability correlation Contingency plan requirements Insurance requirements summary risk map Consider available mitigation techniques Required controls summary risk summary

  28. 1. Identifying and assessing compliance risks • y to one 3. Monitoring and reviewing the effectiveness of your risk management procedures 2. Developing effective control measures

  29. Compliance risk monitoring involves… Auditing, tracking and reporting Comparing actual outcomes to pre-set indicators Confirming effectiveness of your risk controls Reporting compliance and exceptions Establishing [annual / periodical] compliance risk management reports

  30. Required controls summary Contingency plan requirements Annual Risk Report Insurance requirements summary Set risk indicators and methods to monitor them

  31. On – going monitoring and reviewing compliance risks A combination of - • Pre – file opening mandatory matter level risk management questionnaires • Exception reporting • ‘Independent’ file reviews • Positive confirmation of compliance • Voluntary reporting? • Claims and complaints monitoring • Financial measurement and reporting • Accounts Rules breaches register • Supervision • Use of IT systems?

  32. Effective use of IT systems for compliance risk management? Use an integrated risk management system to cost effectively manage compliance and other risk areas by: creating and maintaining one central, up to date compliance and risk database providing information access to all who need it in relation to exposure to risk embedding compliance and risk management procedures – e.g. client inception procedures streamlining identification, assessment, mitigation and monitoring of compliance and other risks

  33. Risk limitation involves • Risk crystalisation scenarios • Contingency plans • Limitation procedures • Post event assessment

  34. Advantages of a formal compliance risk management process? Structured approach focuses on key compliance and other risk areas Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes Continuous monitoring ensures management of compliance and risk is “lived” day to day Universal application to all compliance and risk areas Comfort / assurance to PI insurers [and SRA?]

  35. Your challenge .... is not merely to ensure your firm is compliant but … to be able to DEMONSTRATE to the SRA that your firm and everyone in the firm is compliant on an on-going basis “If you cannot demonstrate compliance we may take regulatory action”SRA – OFR at a glance

More Related