This practice note is the Law Society's view of good practice in this area. It is not legal advice.
Practice notes are issued by the Law Society for the use and benefit of its members. They represent the Law Society's view of good practice in a particular area. They are not intended to be the only standard of good practice that solicitors can follow. You are not required to follow them, but doing so will make it easier to account to oversight bodies for your actions.
Practice notes are not legal advice, nor do they necessarily provide a defence to complaints of misconduct or of inadequate professional service. While care has been taken to ensure that they are accurate, up to date and useful, the Law Society will not accept any legal liability in relation to them.
For queries or comments on this practice note contact the Law Society's Practice Advice Service.
This practice note provides an overview of OFR and therefore all parts of the Code are relevant. However, the following sections of the SRA Handbook are of particular interest:
There are ten mandatory principles which apply to all those the SRA regulates and to all aspects of practice. The principles can be found in the SRA Handbook.
The principles apply to solicitors or managers of authorised bodies who are practising from an office outside the UK. They also apply if you are a lawyer-controlled body practising from an office outside the UK.
1.1 Who should read this practice note?
This practice note is relevant to all solicitors.
1.2 What is the issue?
The Solicitors Regulation Authority (SRA) implemented outcomes-focused regulation (OFR) in October 2011. OFR is a move away from a rules-based approach to one that focuses on high-level outcomes governing practice and the quality of outcomes for clients.
The SRA has published a Handbook, which sets out all the SRA's regulatory requirements. It outlines the ethical standards that the SRA expects of practices and practitioners and the outcomes that the SRA expects them to achieve for their clients. The SRA Handbook includes a Code of Conduct (the 'SRA Code'), which replaced the Solicitors' Code of Conduct 2007 (the '2007 Code'). The SRA Code establishes outcomes-focused conduct requirements and each chapter outlines outcomes and indicative behaviours (IBs). The SRA Handbook and Code have been in force since 6 October 2011. Accordingly, the 2007 Code and all of its rules and guidance no longer apply to solicitors' conduct, save in respect of any review by the SRA of conduct taken prior to 6 October 2011, to which the 2007 Code will still be applied.
This practice note is designed to give you an overview of OFR and the issues you may wish to consider in light of its implementation. It is not intended to provide prescriptive guidance on how to comply with OFR or to provide you with a detailed understanding of the Code of Conduct. You should still familiarise yourself with the Code of Conduct.
When reading this practice note you should bear in mind the type of organisation you work in, the size and complexity of your practice, and the type of work you undertake. Not all of the systems and controls suggested will be relevant to you or your practice, and your actions will depend on your assessment of the risks to compliance with regulatory requirements. For example, a larger firm may need to put in place, or upgrade, a database system to collect information required under the new reporting requirements. A smaller firm may be able to collate the information by the use of paper returns and a spreadsheet. You should carefully consider the issues raised in this practice note and how they apply to you and your practice.
2 The Code: Outcomes and IBs
Outcomes are mandatory and achieving them should help to ensure compliance with the Principles. The SRA believes that outcomes can be achieved in a variety of ways depending on the nature of the practice and client. However, to help firms comply they have provided non-mandatory indicative behaviours: 'IBs'. The IBs are not an exhaustive list of how to comply and, depending upon the circumstances, it is envisaged that it will be possible to achieve outcomes in other ways.
2.1 Do you meet all the outcomes?
Many of the requirements of the 2007 Code are reflected in the new handbook. However, there are some significant changes, including:
- the new requirement to 'treat clients fairly'
- the changes to the requirements on conflicts
- new requirements on outsourcing; and
- those relating to business management in chapter 7.
You should familiarise yourself with the new SRA Code and ensure that you will be able to meet all the new outcomes.
2.2 Are your current methods for compliance still effective?
There are some requirements within the 2007 Code which are not requirements within the new SRA Code. Many of the previous requirements have become IBs which, as explained above, are non-mandatory. You should consider carefully whether you can still demonstrate compliance if you do not follow the IBs.
2.3 Do you need to follow all of the IBs?
IBs provide examples of how you might meet the outcomes. They are not an exhaustive list and there may be other ways of achieving the same outcome. When deciding whether you will follow an IB you should consider the following:
- is the IB relevant to your practice?
- what is the risk of non-compliance with outcomes if you do not follow the IB?
- is there another way of doing something that would be better for you and your clients and still enable you to meet the outcomes?
- can you demonstrate that you still meet the outcomes and comply with the principles?
- are there other implications to not following the IB, eg will it increase the risk of a negligence claim?
You may be asked by the SRA to demonstrate how you have otherwise met an outcome if you do not follow the IBs. In some cases you may want to record your decision on how you will meet an outcome, particularly if it is by an alternative method to following the IB. This will allow you to demonstrate to the regulator how you believe you are meeting the outcomes.
The SRA Handbook contains a limited amount of guidance and, like IBs, this guidance is non-mandatory.
3 Compliance Officers
In essence, the role of the compliance officer for a legal practice (COLP) is to:
- take all reasonable steps to ensure compliance with the terms and conditions of their firm's authorisation
- take all reasonable steps to ensure compliance with any statutory obligations e.g. the duties imposed by the Legal Services Act 2007, the Solicitors Act 1974 and the Administration of Justice Act 1985
- take all reasonable steps to record all failures to comply. Also to report any such failures to comply to the SRA as soon as reasonably practicable, although in the case of non-material breaches, the firm will still be deemed compliant if they are reported as part of the information report required under Rule 8.7 of the Authorisation Rules.
It is important to note that compliance with the conditions of the licence includes compliance with all the SRA's regulatory arrangements including those within the Handbook.
The role of the compliance officer for finance and administration (COFA) is to:
- take all reasonable steps to ensure compliance with the SRA's Accounts Rules
- record all failures to comply. Also to report any such failures to comply to the SRA as soon as reasonably practicable, although in the case of non-material breaches, the firm will still be deemed compliant if they are reported as part of the Information Report required under Rule 8.7 of the Authorisation Rules.
The Law Society practice note on compliance officers provides more detail on the role and responsibilities of COLPs and COFAs. A Law Society e-learning course on the role of COLPs is also available.
3.1 Who within the firm meets the criteria?
Compliance officers must be individuals who are:
- employed by, or manage, the firm
- of sufficient seniority and in a position of sufficient responsibility to fulfil the role
- have consented to undertake the role; and
- approved by the SRA.
Additionally, the COLP will need to be a lawyer.
Equally important is that the individual must be in a position to fulfil the responsibility the role of COLP brings with it. When thinking about whether an individual can meet these requirements firms may wish to consider the following issues:
3.1.1 Are there clear reporting lines in place?
Compliance officers must be in a position to take reasonable steps to record all non-compliances, report relevant issues to the SRA and discuss compliance matters with the SRA when necessary. You should consider whether the reporting lines in place allow the compliance officers to collate such information and discuss such matters with authority.
3.1.2 Do the compliance officers have sufficient time to fulfil their roles?
The amount of time a compliance officer has to dedicate to the role will vary from practice to practice. In larger practices, it may be that a compliance officer will delegate parts of the work (while retaining responsibility). In other practices, it may be that someone already performs many of these responsibilities and will not require much extra time to dedicate to the role of compliance officer. You should consider carefully the amount of time required to fulfil the role and whether the nominee will have sufficient time to perform their duties adequately.
3.1.3 Do the compliance officers have adequate authority?
A compliance officer will be responsible for implementing systems and processes which enable compliance. If the compliance officer believes that a system or process is leading to non-compliance, or risks doing so, then they should be in a position to make changes. You may wish to check that nominated persons are able to effect change if necessary.
4 Reporting requirements
There are numerous reporting requirements placed on the practice and on the individuals within it, including the compliance officers, within the Handbook. The Law Society website provides a list of the reporting requirements within the Handbook.
4.1 Collecting and reporting the required data
Most practices are likely to collect some of the data required by the SRA but many will need to collect additional data. You may wish to consider whether you need to put in place new systems for data collection, and alerts to ensure required data is reported promptly. For example, compliance officers will require a system for collecting information about all breaches of the Handbook, and a process for identifying material failures to comply. This will include patterns of failure that together amount to a material failure to comply. The SRA has provided guidance on what might be considered material. Firms should also consider systems or processes for reporting changes in information about the firm to the SRA, such as changes to management or addresses.
The SRA will request additional information from all authorised bodies on an annual basis.
4.1.1 Who will be responsible for making the various reports?
To ensure that reports are made promptly and there is no duplication you may consider nominating specific individuals to make various reports, with contingency plans for when nominated individuals are absent.
4.1.2 Communicating requirements for data recording and reporting
If data collection is to be successful then all relevant individuals must be made aware of the need to record data accurately and report changes where necessary. You may wish to consider how you will communicate any new reporting systems to those working within the practice and how you will monitor effectiveness.
4.1.3 Using information collected to improve the efficiency of the practice
The data collected may also be used to inform how your practice is managed. Therefore you may also wish to consider how the practice could use the data and the most appropriate format for capture. This may include systems to review the data and identify trends and issues.
5 Management of your business
The new Handbook has a chapter on the management of your business. This chapter has requirements regarding:
- systems and controls
- monitoring risk
- monitoring financial stability
- complying with relevant legislation
- training of staff
The sections below look at some of these key areas. Others are covered by individual Law Society practice notes (see links above).
To help run an efficient business you should have a clear governance structure within your practice and ensure that those within the organisation are aware of reporting lines. This has become even more important given the requirements placed on compliance officers and the new reporting requirements.
5.1.1 What type of governance structure needs to be put in place?
The governance structure for each practice will be different. However, a clear governance structure may include the following:
- who is responsible for different aspects of running the practice
- who can make decisions about various matters (in bigger organisations this may be done by grade rather than by individual)
- clear reporting lines for those within the practice
5.1.2 How are staff made aware of the governance structure?
In most practices staff will be aware of the governance structure to some extent, even if it is not formalised. However, it may be helpful to provide an organisational chart which sets out roles and responsibilities and reporting lines.
5.2 Risk assessment
The SRA have emphasised the need for practices to take a risk-based approach to compliance and managing their business. This will mean practices identifying and assessing risk.
5.2.1 What is risk?
Risk is normally described as a function of impact and probability. For example, something that would be very costly if it occurs and is very likely to occur would be considered high risk.
5.2.2 What risk is a practice likely to face?
Practices are likely to face a range of risks which can generally be categorised as strategic, operational and regulatory risks. These might include risks to:
- the financial stability of the business eg changes in market conditions, changes in Government policy, loss of key partners, negligence claims
- the running of the business eg loss of data, loss of key staff
- compliance with regulatory requirements eg system errors, being unaware of changes in requirements, poor supervision, rogue partners, or
- the governance of the business eg due to rapid expansion, geographical spread.
The risks each practice faces will vary, as will the extent of the risk. You may wish to seek a range of views from staff about the risks you face, as it is likely that different individuals will have different perceptions.
5.2.3 Assessing the risk
Assessing risk is normally achieved by assessing the probability and the impact of something occurring. These are usually presented as estimates because the probability and impact of something cannot be accurately measured until after the event. At the basic level, risks are categorised as high, medium or low. A matrix is then used to decide the ultimate risk; an example of a simple risk matrix is shown below.
The SRA have provided an example of the risk matrix they will use, which may be of use to firms.
You should identify the main risks of non-compliance with the Handbook. Initially, you may consider listing the main risks to complying with the outcomes and principles and assessing their impact and probability. Input from a range of staff can help to identify a fuller range of risks. You can then look at any systems or processes you have in place to mitigate or remove the identified risk and how that affects the assessment.
You may find that, in some cases, the systems you have in place mitigate the risk and so you are prepared to tolerate it, while in other areas risk may remain high. This information will help inform your compliance plan.
If your practice is complex you may need to put in place a systematic approach to identifying risks. In smaller, less complex practices a brainstorming session may be sufficient.
When you have completed your initial assessment in relation to the Code, you should widen your assessment to consider other areas, such as other parts of the handbook, other regulatory requirements and non-regulatory risks.
5.2.4 Approaches to risk
All practices will face a range of risks. You should consider:
- which you can tolerate,
- which you can remove,
- which you can mitigate and
- which you can transfer.
For instance, you might transfer part of a risk by getting insurance to cover you for the eventuality of that risk occurring.
You should focus on those areas that pose the highest risk first. Ideally, you would want to remove a risk. However, many risks cannot be removed and must be mitigated. For instance, an office fire may pose a risk to the running of your business. The probability of fire cannot be reduced to zero but it can be lowered by good alarm systems and the impact of such an event can be limited by contingency plans and mitigatory steps such as locating IT servers off-site.
One mechanism to mitigate risks to compliance is to put in place robust systems and processes to help ensure outcomes are achieved. For instance, a system could be put in place to ensure that at the start of each matter a client receives a leaflet and a brief explanation about the complaints process. This will lower the probability of clients not being informed about the complaints process and thus the risk of the practice not meeting outcomes 1.9 and 1.10. Similarly, the risk posed by failing to meet undertakings to clients could be mitigated by systems to ensure that undertakings are properly recorded and the relevant people are alerted when an undertaking should be met.
5.3 Systems and processes
As noted above, systems and processes can play an important role in enabling compliance. They can also improve efficiency and the quality of service offered by a practice. The SRA has suggested numerous systems and processes that a practice may wish to put in place.
5.3.1 What systems and processes are already in place and how effective are they?
Most practices will have some systems and processes in place for certain aspects of their work. You may wish to consider the systems and processes your firm has in place, both formal and informal. You may wish to use existing information such as data on complaints and non-compliance issues to assess whether systems and processes are effective in ensuring efficiency of service and compliance.
5.3.2 What systems and processes are missing?
You may wish to consider the SRA's list of suggested systems and processes. These include:
- clearly defined governance arrangements providing a transparent framework for responsibilities within the firm
- appropriate accounting procedures
- a system for ensuring that only the appropriate people authorise payments from client accounts
- a system for ensuring that undertakings are given only when intended, and compliance with them is monitored and enforced
- appropriate checks on new staff or contractors
- a system for ensuring that basic regulatory deadlines are not missed eg
  - submission of the firm's accountant's report
  - arranging indemnity cover
  - renewal of practising certificates and registrations
  - renewal of all lawyers' practising certificates and
  - provision of regulatory information
- a system for monitoring, reviewing and managing risks
- ensuring that issues of conduct are given appropriate weight in decisions the firm takes, whether on client matters or firm-based issues such as funding
- file reviews
- appropriate systems for supporting the development and training of staff
- obtaining the necessary approvals of managers, owners and COLP/COFA
- arrangements to ensure that any duties to clients and others are fully met, even when staff are absent.
Others you should consider putting in place are systems to identify conflicts of interest; systems for supervision of staff (and contractors or outsourcers where relevant) and systems for handling and monitoring complaints.
While not all of these will be relevant to every practice some may need to be implemented within your practice. You should consider the results of your risk assessment. This may highlight areas where risk needs to be mitigated, for which systems and processes may play an important part.
You should also consider putting in place an overarching compliance plan to ensure everything is captured. This may include:
- For the areas where you believe your systems and processes are robust in ensuring compliance
  - how you will monitor and review these systems to ensure their continued robustness
  - how other changes in the business might mean altering these systems and how you monitor the impact of change
- For the areas where you believe that there are risks of non-compliance
  - how you will mitigate these risks and the timelines for doing so
  - how you will assess the effectiveness of the mitigation
The compliance plan should be informed by the results of your risk assessment.
5.3.3 Communicating changes in systems and processes
New systems and processes will have limited value if no one is aware of them. It is important to communicate changes to staff. Often new processes are written down and this can be helpful, particularly for new-starters and temporary staff who will be unaware of how the practice operates. However, written processes are of little value if no one follows them. It is important to ensure staff are made aware of the processes and follow them, and if changes to current processes are substantive you may need to provide staff training.
It is also important to consider involving relevant staff in designing any new systems or processes to ensure that they are practical and functional.
Systems and processes will need to be updated. You may wish to consider how you will ensure that staff are informed of changes and, where a process is documented, that only the most up-to-date version is in use. In a smaller office, changes might be highlighted at a staff meeting and by e-mail. If any paper documents are kept then the location of these should be noted, and they should be updated as necessary and previous versions archived or destroyed. The latest version of any electronic documents must be clearly identifiable, for example by using a numbering system.
5.3.4 Reviewing the effectiveness of new systems and processes
You may consider reviewing the effectiveness of the systems and processes you have implemented. You can:
- ask for feedback from staff on how they are used and how they might be improved
- undertake audits to see if systems and processes are followed
- review data such as data on non-compliance and complaints.
Undertaking regular reviews will allow you to ensure continuous improvement.
5.4 Communicating regulatory changes
It is important that the relevant people within a practice are made aware of changes to the regulatory system and any changes you are making as a result. You should provide staff with additional education and training on the changes to regulation where necessary. This may include:
- additional training
- regular update meetings
- office manuals
- document control systems to ensure only the most up to date versions are in use
6 SRA's focus
The SRA will target areas which they believe put their regulatory objectives at risk. This means the focus will change over time. You may wish to consider checking the SRA's website on a regular basis to see how their focus is shifting. Along with the new overarching interest in business and risk management, perennial areas of interest include:
- client engagement process
7 More information
7.1 Law Society advice and training
7.1.1 Law Society practice notes:
7.1.2 Law Society publications
7.1.3 Law Society Practice Advice Service
The Law Society provides support for solicitors on a wide range of areas of practice. Practice Advice can be contacted on 020 7320 5675 from 09.00 to 17.00 on weekdays.
7.1.4 Law Society Consulting
If you require further support, Law Society Consulting can help. We offer expert and confidential support and guidance, including face-to-face consultancy on risk and compliance. Please contact us on 020 7316 5655, or email firstname.lastname@example.org.
7.1.5 Events and training
Must - A specific requirement in legislation or of a principle, rule, outcome or other mandatory provision in the SRA Handbook. You must comply, unless there are specific exemptions or defences provided for in relevant legislation or the SRA Handbook.
- Outside of a regulatory context, good practice for most situations in the Law Society's view.
- In the case of the SRA Handbook, an indicative behaviour or other non-mandatory provision (such as may be set out in notes or guidance).
These may not be the only means of complying with legislative or regulatory requirements and there may be situations where the suggested route is not the best possible route to meet the needs of your client. However, if you do not follow the suggested route, you should be able to justify to oversight bodies why the alternative approach you have taken is appropriate, either for your practice, or in the particular retainer.
May - A non-exhaustive list of options for meeting your obligations or running your practice. Which option you choose is determined by the profile of the individual practice, client or retainer. You may be required to justify why this was an appropriate option to oversight bodies.
SRA Code - SRA Code of Conduct 2011
2007 Code - Solicitors' Code of Conduct 2007
OFR - Outcomes-focused regulation
SRA - Solicitors Regulation Authority
IB - indicative behaviour