Risk Management Workshop
Lexcel: Common Non Compliances in Risk Management
Ms Shazia Saleem
Solicitor | Lexcel Assessor | ISO9001 & 27001 Auditor
Contents
• Introduction
• Risk – What is it?
• Risk Identification
• Risk Treatment/Assessment
• Common Non compliances in Risk
• Conclusion
• Questions
Risk – what is it?
• Risk: ‘A situation involving exposure to danger’ (Oxford Dictionary)
• SRA: ‘We take an outcome focused risk based approach to regulation to make sure individuals and Firms we regulate operate independently and with integrity in the interests of their clients and in the wider public interest.’
• FCA: ‘We consider risk to be the combination of impact (the potential harm that could be caused) and probability (the likelihood of the particular issue or event occurring).’
Risk – What is it?
As Solicitors, our approach to risk management is often determined by a number of factors:
• Our regulatory body
• Our business model
• Accreditations
• Stakeholder Requirements
• Clients
Risk – What is it?
• The SRA publish their Risk Outlook annually
• Contains an overview of:
– risks for the protection of people who use legal services
– the operation of the rule of Law
– & the proper administration of justice
• Amongst other things, it is designed to help Solicitors & Firms manage risk
Risk – Identification
• The 2015/2016 Risk Outlook identified these priority risks
• A good starting point?
• How does this tie in with Lexcel?
Risk – Identification
The Lexcel Practice Management Standard broadly identifies 3 types of Risk:
• Strategic Risks
• Operational Risks
• Regulatory Risks
• Risk Index
• Process approach
Risk – Identification
Risk Indices are helpful in:
• Identifying risk
• Categorising risk
• Providing methodology
• Risk Profiling
• Monitoring & Controlling Risk
• Continual review and improvement
• A useful example: SRA Risk Index
Risk Identification
Risk Assessment/ Treatment
• Identify the Risk
• Assess/Measure its importance (impact v probability of occurrence)
• Give it a score
• Accept, Reduce/Transfer or Eliminate
• Monitor & Review
• Continually Improve the QMS
• Examples provided
Common Non Compliances: Lexcel
Lexcel:
• There are three accredited Lexcel bodies:
– Inspiring Business Performance
– Centre For Assessment
– Recognising Excellence
• Identified top 5 non compliance areas within Risk Management
Common Non Compliances: Lexcel
Top 5 :
• 5.1 - Compliance Plan & Risks Register
• 5.11 - File Reviews
• 5.12 - Operational Risk/ Instructions: Opening, Interim and Closing Risk Assessment
• 5.15 - Bribery
• 5.16 - Annual Risk Assessment of Data
Compliance Plan & Risk Register
5.1 of the Law Society’s Lexcel Standard:
‘Practices must have a risk management policy which must include:
a) Compliance Plan
b) Risks Register’
Compliance Plan
A Compliance Plan:
• Identify key personnel (COLP/ COFA/ MLRO/ CO)
• State the Practice's/ Personnel's authority & responsibility for Compliance
• Identify key policies crucial to the compliance plan, for example:
– SRA (COLP/ COFA)
– Solicitors Accounts Rules
– Accountants Report
Compliance Plan
– Health and safety
– Anti-money laundering
– Anti-bribery
– Data protection
• Draft the policies
• Control of documents
• Diarise key dates for review/ reporting
• Establish Internal reporting procedures
• Comply with external regulatory reporting requirements
• Review and Improve
Compliance Plan
• Auditing experience (examples of Non compliances)
• How to meet the requirements
• Implications for large Firms
Risk Register
Risks Register
Lexcel Guidance: The Risks register often divides risks into the following categories:
• Strategic
• Financial
• Operational
• Compliance
• Breaches (material and non-material)
Risk Register
• Auditing experience (examples of Non compliances)
• How to meet the requirements for large organisations
• Implications for large Firms
File Reviews
5.11 Practices must have a procedure for regular, independent file reviews of either the management of the file or its substantive legal content, or both. In relation to file reviews, the practice must:
a) Define and explain the selection criteria
b) Define and explain the number and frequency of reviews
c) Retain a record of the file review on the matter file and centrally
d) Ensure that the designated supervisor reviews and monitors the data generated by the file review
e) Conduct a review at least annually of the data generated by file reviews.
File Reviews
Devise rationale for file selection, for example:
- Sample size
- Frequency
- Representative sampling
- Risk Profiling
- Composition of review
- Experience/ Expertise of reviewer
- Format
- Documented record on file of review and central register of reviews (5.11.c)
File Reviews
• Auditing experience (examples of Non compliances)
• How to meet the requirements for large organisations
• Benefits for large Firms
Operational Risk/ Instructions
5.12 of the Law Society’s Lexcel Standard:
‘Operational risk must be considered and recorded in all matters before, during and after the processing of instructions.’
Operational Risk/ Instructions
Before the matter is undertaken the Fee Earner must:
a) Consider if a new client and/or matter is accepted by the practice, in accordance with section 6.1 (client care policy) and 6.7 (accepting/ declining instructions)
b) Assess the risk profile of all new instructions and notify the supervisor, in accordance with procedures under 5.4, of any unusual or high risk considerations in order that appropriate action may be taken.
Operational Risk/ Instructions
During the retainer the fee earner must:
c) Consider any change to the risk profile of the matter and report and advise on such circumstances without delay, informing the supervisor if appropriate
d) Inform the client in all cases where an adverse costs order is made against the practice in relation to the matter in question.
Operational Risk/ Instructions
At the end of the matter the fee earner must:
e) Undertake a concluding risk assessment by considering if the client's objectives have been achieved
f) Notify the supervisor of all such circumstances in accordance with documented procedures in section 5.4 (higher risk profile matters) above.
Opening, interim and closing risk assessments must be documented on the matter file.
Operating Risk/ Instructions
Potential risks throughout the matter:
- Vulnerable clients
- Difficult clients/ clients that are likely to complain
- Unpalatable Advice
- High Profile/ Public interest matter
- Effective management of client care
A concluding risk assessment is a consideration of:
• Have the client objectives been met?
• Is the client likely to complain?
• Potential for negligence?
Operating Risk/ Instructions
• Auditing experience (examples of Non compliances)
• How to meet the requirements for large organisations
• Implications for large Firms
Bribery
5.15 Practices must have a policy setting out the procedures to prevent bribery in accordance with current legislation.
Bribery
Guidelines for drafting Bribery policy:
• Set out clear objectives
• Identify and establish boundaries
• No exceptions/ No tolerance
• Create and maintain a register of gifts and hospitality
• If in doubt, record and report internally
• Continual review and improvement
Bribery
• Auditing experience (examples of Non compliances)
• How to meet the requirements for large organisations
• Implications for large Firms
Annual Risk Assessment of Data
5.16 Practices will analyse at least annually all risk assessment data generated within the practice. This must include:
a) Any indemnity insurance claims
b) An analysis of client complaint trends
c) Data generated by file reviews
d) Any matters notified to the COLP/COFA
e) Any material breaches notified to the SRA
f) Any non material breaches recorded
g) Situations where the practice acted where a conflict existed
h) The identification of remedial action
Annual Risk Assessment of Data
Annual Risk Assessment:
• Collate data/ statistics
• Identify trends
• Review policies to ensure effective operation
• Be proactive, take steps to improve the QMS
• The role of the COLP/COFA cannot be overstated
• All breaches, material or non material, must be recorded.
Annual Risk Assessment of Data
• Auditing experience (examples of Non compliances)
• How to meet the requirements for large organisations
• Implications for large Firms
Conclusion & Questions
• Questions
• Thank you
• Contact
Shazia Saleem
Solicitor | Lexcel Assessor | ISO 9001 & 27001 Auditor
T: 07947 782 934