(EDIT – since this article was originally written in 2012, the regulatory regime for solicitors has had a major overhaul (see SRA Standards and Regulations), but the main thrust of the article remains valid. It has been updated for style and content.)
Much has changed since the roles of Compliance Officers for Legal Practice (COLP) and Finance and Administration (COFA) were introduced under the 2011 Handbook.
And yet, much stays the same. We are still in an ‘outcomes focused’ world, albeit with different terminology and fewer rules.
The SRA Standards and Regulations, launched in 2019, has literally rewritten the rulebook for solicitors. In some respects, this is the natural progression of principles-based regulation. Although there is always a suspicion that these things are circular – as systems of regulation go in and out of fashion, who’s to say that the rules in 2027 will not resemble the 2007 Code?
We don’t have ‘indicative behaviours’ (those horrible guidance notes that looked suspiciously like rules) – which are instead replaced by an ever-growing body of Guidance. And, as we have been saying for some time, the Guidance itself is problematic: it is arbitrary, not subject to consultation, can appear and disappear at a whim, is treated as de facto rules, and makes finding the ‘truth’ harder to find.
Yes, the job of a COLP and COFA has not gotten any easier over time. There is still an element of personal responsibility for the firm’s compliance, although so far the SRA has largely made good on its promise not to make compliance officers the ‘sacrificial lambs’.
There is no getting away from the fact that both are roles which should only be taken with eyes wide open. The COLP and COFA are the compliance linchpins in the SRA’s eyes and, if not first, then close to the front of the firing line.
Persuaded that you need to do something now rather than later? So far, so good! Now what?
We’ve put together this list of ten things you should do as a COLP. Remember, Rome wasn’t built in a day, so think of this as a bit of a roadmap.
1. READ THE RULES (AND GUIDANCE)
The bad news: sorry, there’s no getting away from the fact that both compliance officers need to know exactly what they are responsible for complying with. This should not shock you.
The good news: it’s not that bad. The new rulebook is certainly much lighter reading than previous versions of the rules, which is the whole point of principles-based regulation.
Of course, we don’t yet have years worth of revisions (the 2011 Handbook got up to version 21 in its eight years of existence), so take the opportunity to get to grips with it now, before the small print outweighs the primary material. If you would like to keep up to date with the latest changes, you can subscribe to the COLP Insider here.
2. NEGOTIATE PROTECTION
If you didn’t do this before you agreed to take on the role, um….how to break this to you? You probably should have.
Unless you are a sole practitioner with no option but to take on the compliance burden yourself (and we feel for you), there is way too much potential for personal liability and – let’s face it – far too much work involved in being COLP for you not to have some assurances from the firm.
Again, probably a post for another time but have you thought about indemnities, job descriptions, contractual arrangements, insurances, budgets, re-appointment, cast-iron authorities, access to meetings and documents, resources, deputies……?
You could try to re-negotiate your position – remember you always have the fallback position that compliance officers have to consent to the role (8.2 (b) of the Authorisation of Firms Rules). So if you take the nuclear option because you don’t get the support or assurances you need, the firm will have to appoint another COLP or face breaching its basic conditions of authorisation.
That’s an ace up the sleeve if ever there was one, particularly if no-one else in the firm wanted the job in the first place. Use that bargaining power to protect yourself, then get on with the job.
3. ANALYSE YOUR BUSINESS, THINK STRATEGICALLY
Before you can go about planning for compliance and implementing any necessary changes, you need to thoroughly understand your business.
Yes, you’re a senior lawyer in the firm and, yes, you are commercially minded.. But when was the last time you took the time to sit down to analyse the business strategically?
Any management consultant/MBA graduate/self-proclaimed guru-type will tell you that there are a number of simple business analysis tools. Without wanting to teach anybody how to suck eggs, both SWOT and PESTLE analysis really are a very useful starting point for taking stock of the internal and external factors affecting your business. There are other tools of course, but your job at this stage is to ensure compliance with the SRA rules rather than turn the business around.
You get the point. By analysing your business and gaining a true understanding of your firm’s strengths, weaknesses, opportunities and threats, and external risk factors, you will begin to build an understanding of exactly what your efforts as COLP should be focused on.
Compliance is all about risk management, and nobody is better placed to understand your business. That is partly why the COLP and COFA roles cannot be entirely outsourced (that, and the fact that self-regulation only works if there is accountability and liability).
It’s a good idea to brainstorm this stuff as a team, firstly because two or more heads are better than one, and secondly because it is a golden opportunity to focus other leaders on compliance. This sort of exercise says, “I’m taking this project seriously”.
Remember, whilst the COLP is responsible for putting things in place and running the show, the firm and its partners/Directors remain accountable for breaches, and it is therefore in everyone’s interest to (**management speak alert**) “buy in” to the task at hand.
4. TAKE THE RISK MANAGEMENT BULL BY THE HORNS
In the not-too-distant past any mention of risk management made most lawyers tut, roll their eyes and start playing with their phones immediately.
This can probably be traced back to thousands of dull webinars and the fact that compliance and risk was often seen as a cost centre. Thankfully, those attitudes are slowly changing, and it is up to the COLP to foster this compliance culture. Some might say this is the hardest part of the job.
Risk management is not something to shy away from, but neither does it need to be particularly difficult. You do not need the latest software, expensive consultants or even to read extensively on the topic.
Training does have its place, and if you are serious about becoming a skilled risk manager that is to be encouraged, but all you really need to get started is a pen and paper, an in-depth knowledge of the business, and the time set aside to do the job properly.
Although this does not begin to do justice to the topic, risk management essentially boils down to three things, identifying, managing and reviewing risks:
- Your business analysis will have started you down the road of identifying strengths and weaknesses, and this is where you should do your brainstorming about specific risks in the business (e.g. on individual client files, or systems such as a creaking IT infrastructure) and things on the horizon and which might crop up in the future.
- You will then set out how you intend to manage each identified risk based on its risk profile. You can prioritise risks based on the likelihood of them happening, and the impact that they would have. Then you determine whether each risk needs to be eliminated, reduced or simply kept under review. You will probably also want to allocate responsibility and a timescale for action. What you will end up with is a simple list or spreadsheet populated with all the known risks that the firm faces and a plan for dealing with them. Well done, you’ve just created your risk register.
- You can’t just leave it at that of course. The risk register will need to be reviewed regularly to make sure everything is on track as planned, and systems will have to be put in place to ensure that new risks feed into the risk management system as they arise, but we’re getting ahead of ourselves.
5. FILL THOSE COMPLIANCE GAPS
You’re now an adept risk manager – well done!
But let’s not forget that we have to comply with specific rules from our regulators as well.
How does the COLP know that the firm is complying with all of the relevant rules? That’s where the Gap Analysis comes in.
Taking the SRA rules first, look at the Standards and Regulations, take into account the Guidance, and compare this to your current systems and procedures. Review your key documentation, letters, terms of business, website and policies.
You will need to be methodical about this. Always be thinking, “Yes, the policy says this but what actually happens in practice?”. Speak to staff to find out how they work and whether they have any suggestions for improvement.
Be warned that this process could take some time, but should not be rushed. We usually budget about three days, and we know what we are looking for.
The rewards in doing the Gap Analysis exercise will far outweigh the pain, since it will guide your entire compliance planning. And you will have that warm fuzzy feeling in the knowledge that you have taken a huge step towards that mythical state of ‘compliance’. Gold stars all round.
6. MAKE YOUR COMPLIANCE PLAN
Perhaps this should be higher up the list, given its importance.There is no prescribed format for a compliance plan but “Keep it simple, stupid” probably applies.
Some firms want to be able to point the SRA to a separate document called “Our Compliance Plan”, should they come knocking. Others simply use their office manual and risk register to do the same job. Our view is that the fewer documents you have to look at and keep updated, the more likely you are to do so. However, a dusty folder full of policies and procedures which nobody in the firm pays a blind bit of notice to is not a compliance plan. It is more likely to be a fast track to an uncomfortable series of meetings with your new best friend at the SRA.
Most firms want to avoid reinventing the wheel, which is entirely sensible (unless of course you have realised that you are an intervention waiting to happen). By plugging the gaps identified through your Gap Analysis, you will be able to prioritise key omissions in your current set-up. Everything else can wait until you have less on your plate.
7. PUT SYSTEMS AND PROCEDURES IN PLACE
Your Risk Register and Gap Analysis will have identified where you need to tighten things up, and your compliance plan will provide the roadmap for putting things right. Now you just need to implement the changes you have identified.
Re-writing policies and procedures is the easy bit, but don’t be fooled into thinking that implementation ends there.
Perhaps it would be wise to go back a step. Implementation will be nigh on impossible if your compliance plan has not properly considered the realities of your business, your staff, your clients, your budget and so on. So, your compliance plan will need to take account of all these things. Failure to plan is planning to fail, as the cliche goes.
Implementation also inevitably involves training (see below), tinkering with IT systems, perhaps introducing whole new workflows, replacing old precedent letters and file procedures…the list goes on.
The hardest part though isn’t leading the horse to water, it is making it drink. Nobody likes change. It makes us feel uneasy, and our first reaction is usually anger, disbelief or exasperation.
You need to confront this resistance head on as an inevitability. Read up on change management, educate your staff and partners on the need for change, and show the necessary leadership qualities to implement your new systems. And don’t kid yourself that anybody will thank you.
8. TRAIN YOUR STAFF
You don’t need anybody to tell you that a system or procedure is only as good as the people performing the job. You’ll fall at the first hurdle unless everybody in the firm understands the need for change, why the old ways weren’t cutting it, how these new fangled systems will put things right, and exactly how they affect how people go about their jobs.
If you have not already done so, training on the SRA rules targeted at partners/Directors, solicitors and support staff is a good starting point, as it primes people in readiness for change, and also explains the importance of getting things right.
Everybody in the firm has a part to play in compliance, so don’t miss anyone out.
9. RECORD, RECORD, RECORD
Creating a compliance audit trail is of utmost importance to everything a COLP (and COFA) does.
You must be able to demonstrate not only how you comply with the rules (“here, have a look at this risk register and all these shiny new policies”), but also evidence that you are doing so. That is going to involve recording every compliance decision you make as COLP (“I do not consider this is reportable because….”), every breach of the rules (so that you can identify patterns of breaches), every referral made and received, every client complaint, every time instructions were refused, every file review undertaken, every report made to you by staff…..and so on.
The sheer amount of recording required is one of the least fun aspects of the Cop’s role, to put it mildly. But it is certainly not alien to lawyers. After all, some of you generate attendance notes when you so much as sneeze, so recording the important stuff shouldn’t be too difficult.
What you will really need to ensure is that your systems are capable of capturing all of the information necessary to be recorded. That requires some careful thought. Perhaps requiring a risk management item on every meeting agenda and file review is a good start, as well as training your staff the process of reporting risk and breaches. No doubt you will be able to think of others.
For example, on our COLP-Help programme each firm is led through a series of quarterly Risk Management Meetings, which are designed to capture and record all of the important compliance issues, and flush out those which otherwise might be missed. Minutes of the meeting can be shared with the senior management team to increase visibility.
10. A COLP’s JOB IS NEVER DONE
As soon as you review something it will invariably become out of date. As soon as you get to grips with one set of rules, the regulators and legislators move the goalposts. People come and go, business models change, bringing new compliance considerations. Compliance and risk never stand still.
Your position means that you will probably be the central collection point for reports, data, and numerous emails and forms. At times, you may feel like you are drowning in paper. However, you will need to organise and interpret all the data you generate because that will feed back into the compliance plan and risk register. After all, these are living beasts which require constant feeding.
So there you have it. That’s our top tips for being a COLP. If you need support or external advice, you know where to come.