1.1 Who should read this practice note?
This practice note is relevant to all solicitors.
1.2 What is the issue?
The Solicitors Regulation Authority (SRA) implemented outcomes-focused regulation (OFR) in October 2011. OFR was a move away from the prior rules-based approach to one that focuses on high-level outcomes to govern practice and the quality of outcomes for clients. It is essentially risk-based regulation.
The SRA Code of Conduct sets out all of the SRA's regulatory requirements. It outlines the ethical standards that the SRA expects of practices and practitioners and the outcomes that the SRA expects them to achieve for their clients. It establishes outcomes-focused conduct requirements, and each chapter outlines outcomes and indicative behaviours (IBs).
The SRA Code of Conduct has been in force since 6 October 2011. You need to be aware that since the Code of Conduct was first published there have been numerous amendments. You should therefore check the SRA website for the latest version. When considering actions taken previously, however, it may be necessary to consider the edition of the Code of Conduct prevailing at that time.
This practice note is designed to give you an overview of OFR and the issues you may wish to consider in light of its implementation. It is not intended to provide prescriptive guidance on how to comply with OFR or to provide you with a detailed understanding of the Code of Conduct. You should still familiarise yourself with the Code of Conduct.
When reading this practice note you should bear in mind the type of organisation you work in, the size and complexity of your practice, and the type of work you undertake. Not all of the systems and controls suggested will be relevant to you or your practice, and your actions will depend on your assessment of the risks to compliance with regulatory requirements. For example, a larger firm may need to put in place, or upgrade, a database system to collect information required under the reporting requirements. A smaller firm may be able to collate the information by the use of paper returns and a spreadsheet. You should carefully consider the issues raised in this practice note and how they apply to you and your practice.
The Code: principles, outcomes and IBs
The ten mandatory SRA principles underpin all of the Code of Conduct requirements and should be borne in mind at all times. The SRA recommends having a copy of the principles to hand at your desk.
Outcomes are mandatory and achieving them should help to ensure compliance with the principles. The SRA believes that outcomes can be achieved in a variety of ways depending on the nature of the practice and client. However, to help firms comply they have provided non-mandatory indicative behaviours (IBs). The IBs are not an exhaustive list of how to comply and, depending upon the circumstances, it is envisaged that it will be possible to achieve outcomes in other ways.
2.1 Do you meet all the outcomes?
You should familiarise yourself with the SRA Code and ensure that you will be able to meet all of the outcomes. Many are familiar to those who were in practice prior to 2011; however, the Code of Conduct did introduce some newer outcomes, including treating clients fairly and certain business management requirements.
2.2 Managing risk and ensuring compliance
You need to consider how to identify, manage and mitigate risks within your practice and personal area of work. Although the IBs are not mandatory, you should proactively consider carefully whether you can still demonstrate compliance if you do not follow the IBs.
2.3 Do you need to follow all of the IBs?
IBs provide examples of how you might meet the outcomes. They are not an exhaustive list and there may be other ways of achieving the same outcome. When deciding whether you will follow an IB you should consider the following:
- is the IB relevant to your practice?
- what is the risk of non-compliance with outcomes if you do not follow the IB?
- is there another way of doing something that would be better for you and your clients and still enable you to meet the outcomes?
- can you demonstrate that you still meet the outcomes and comply with the principles?
- are there other implications to not following the IB, eg will it increase the risk of a negligence claim?
You may be asked by the SRA to demonstrate how you have otherwise met an outcome if you do not follow the IBs. In some cases you may want to record your decision on how you will meet an outcome, particularly if it is by an alternative method to following the IB. This will allow you to demonstrate to the regulator how you believe you are meeting the outcomes.
The SRA Code of Conduct contains a limited amount of guidance and, like IBs, this guidance is non-mandatory. The SRA website also has the page Outcomes-focused regulation at a glance.
Since the introduction of OFR in October 2011 there has been little concrete evidence of the way that it has been enforced by the SRA and how this may have differed from the approach previously taken under the rules-based system.
3 Compliance Officers
In essence, the role of the compliance officer for a legal practice (COLP) is to:
- take all reasonable steps to ensure compliance with the terms and conditions of their firm's authorisation
- take all reasonable steps to ensure compliance with any statutory obligations, eg the duties imposed by the Legal Services Act 2007, the Solicitors Act 1974 and the Administration of Justice Act 1985
- take all reasonable steps to record all failures to comply. Also to report any such failures to comply to the SRA as soon as reasonably practicable, although in the case of non-material breaches, the firm will still be deemed compliant if they are reported as part of the information report required under Rule 8.7 of the Authorisation Rules.
It is important to note that compliance with the conditions of the licence includes compliance with all the SRA's regulatory arrangements including those within the Code of Conduct.
The role of the compliance officer for finance and administration (COFA) is to:
- take all reasonable steps to ensure compliance with the SRA's Accounts Rules
- record all failures to comply. Also to report any such failures to comply to the SRA as soon as reasonably practicable, although in the case of non-material breaches, the firm will still be deemed compliant if they are reported as part of the Information Report required under Rule 8.7 of the Authorisation Rules.
The Law Society practice note on compliance officers provides more detail on the role and responsibilities of COLPs and COFAs. A Law Society e-learning course on the role of COLPs is also available.
3.1 Who within the firm meets the criteria
Compliance officers must be individuals who are:
- employed by, or manage, the firm
- of sufficient seniority and in a position of sufficient responsibility to fulfil the role
- have consented to undertake the role
- approved by the SRA.
Additionally, the COLP will need to be a lawyer.
Equally important is that the individual must be in a position to fulfil the responsibility the role of COLP brings with it. When thinking about whether an individual can meet these requirements firms may wish to consider the following issues:
3.1.1 Are there clear reporting lines in place?
Compliance officers must be in a position to take reasonable steps to record all non-compliances, report relevant issues to the SRA and discuss compliance matters with the SRA when necessary. You should consider whether reporting lines in place allow the compliance officers to collate such information and discuss such matters with authority. All staff should be aware of the names of the COLP and COFA and have a basic understanding of their roles and how to report matters to them.
3.1.2 Do the compliance officers have sufficient time to fulfil their roles?
The amount of time a compliance officer has to dedicate to the role will vary from practice to practice. In larger practices, it may be that a compliance officer will delegate parts of the work (while retaining responsibility). In other practices, it may be that someone already performs many of these responsibilities and will not require much extra time to dedicate to the role of compliance officer. You should consider carefully the amount of time required to fulfil the role and whether the nominee will have sufficient time to perform their duties adequately.
3.1.3 Do the compliance officers have adequate authority?
A compliance officer will be responsible for implementing systems and processes which enable compliance. If the compliance officer believes that a system or process is leading to non-compliance, or risks doing so, then they should be in a position to make changes. You may wish to check that nominated persons are able to effect change if necessary. If the compliance officer is not a partner or senior manager, do they have sufficient authority over other partners?
4 Reporting requirements
There are numerous reporting requirements placed on the practice and on the individuals within it, including the compliance officers, within the Code of Conduct. The Law Society website provides a list of the reporting requirements within the Handbook.
4.1 Collecting and reporting the required data
You need to ensure that you have a system in place which provides adequately for necessary data collection with alerts to ensure that data is both collected and reported promptly.
Compliance officers will require a system for collecting information about all breaches of the Code of Conduct, and a process for identifying material failures to comply. This will include patterns of failure that together amount to a material failure to comply. The SRA has provided guidance on what might be considered material. Firms should also consider systems or processes for reporting changes in information about the firm to the SRA, such as changes to management (names of partners) or office addresses. Depending upon the size of your organisation, it may be sensible to put in place periodic checks on the reliability of your system and the information reported to the SRA.
The SRA will request additional information from all authorised bodies on an annual basis.
4.1.1 Who will be responsible for making the various reports?
To ensure that reports are made promptly and there is no duplication you may consider nominating specific individuals to make various reports, with contingency plans for when nominated individuals are absent.
4.1.2 Communicating requirements for data recording and reporting
If data collection is to be successful then all relevant individuals must be made aware of the need to record data accurately and report changes where necessary. You may wish to consider how you will communicate any new reporting systems to those working within the practice and how you will monitor effectiveness.
4.1.3 Using information collected to improve the efficiency of the practice
The data collected may also be used to inform how your practice is managed. You may therefore also wish to consider how the practice could use the data and the most appropriate format for capture. This may include systems to review the data and identify trends and issues.
5 Management of your business
Chapter 7 of the Code of Conduct deals with the management of your business. This chapter has requirements regarding:
- systems and controls
- monitoring risk
- monitoring financial stability
- complying with relevant legislation
- training of staff
The sections below look at some of these key areas. Others are covered by individual Law Society practice notes (see links above).
To help run an efficient business you should have a clear governance structure within your practice and ensure that those within the organisation are aware of reporting lines. This has become even more important given the requirements placed on compliance officers and the reporting requirements.
5.1.1 What type of governance structure needs to be put in place?
The governance structure for each practice will be different. However, a clear governance structure may include the following:
- who is responsible for different aspects of running the practice
- who can make decisions about various matters (in bigger organisations this may be done by grade rather than by individual)
- clear reporting lines for those within the practice
5.1.2 How are staff made aware of the governance structure?
In most practices staff will be aware of the governance structure to some extent, even if it is not formalised. It may, however, be helpful to provide an organisational chart which sets out roles and responsibilities and reporting lines.
5.2 Risk assessment
The SRA have emphasised the need for practices to take a risk-based approach to compliance and managing their business. This will mean practices identifying and assessing risk.
5.2.1 What is risk?
Risk is normally described as a function of impact and probability. For example, something that would be very costly if it occurs and is very likely to occur would be considered high risk.
5.2.2 What risk is a practice likely to face?
Practices are likely to face a range of risks which can generally be categorised as strategic, operational and regulatory risks. These might include risks to:
- the financial stability of the business, eg changes in market conditions, changes in government policy, loss of key partners, negligence claims
- the running of the business, eg loss of data, loss of key staff
- compliance with regulatory requirements, eg system errors, being unaware of changes in requirements, poor supervision, rogue partners, or
- the governance of the business, eg due to rapid expansion or geographical spread.
The risks each practice faces will vary, as will the extent of the risk. You may wish to seek a range of views from staff about the risks you face, as it is likely that different individuals will have different perceptions.
5.2.3 Assessing the risk
Assessing risk is normally achieved by assessing the probability and the impact of something occurring. These are usually presented as estimates because the probability and impact of something cannot be accurately measured until after the event. At the basic level, risks are categorised as high, medium or low. A matrix is then used to decide the ultimate risk; an example of a simple risk matrix is shown below.
The SRA have provided an example of the risk matrix they will use, which may be of use to firms.
You should identify the main risks of non-compliance with the Code of Conduct. Initially, you may consider listing the main risks to complying with the outcomes and principles and assessing their impact and probability. Input from a range of staff can help to identify a fuller range of risks. You can then look at any systems or processes you have in place to mitigate or remove the identified risk and how that affects the assessment.
You may find that, in some cases, the systems you have in place mitigate the risk and so you are prepared to tolerate it, while in other areas risk may remain high. This information will help inform your compliance plan.
If your practice is complex you may need to put in place a systematic approach to identifying risks. In smaller, less complex practices a brainstorming session may be sufficient.
When you have completed your initial assessment in relation to the Code of Conduct, you should widen your assessment to consider other areas, such as other parts of the SRA Code, other regulatory requirements and non-regulatory risks.
5.2.4 Approaches to risk
All practices will face a range of risks. You should consider:
- which can you tolerate
- which can you remove
- which can you mitigate, and
- which can you transfer.
For instance, you might transfer part of a risk by getting insurance to cover you for the eventuality of that risk occurring.
You should focus on those areas that pose the highest risk first. Ideally, you would want to remove a risk; however, many risks cannot be removed and must be mitigated. For instance, an office fire may pose a risk to the running of your business. The probability of fire cannot be reduced to zero but it can be lowered by good alarm systems and the impact of such an event can be limited by contingency plans and mitigatory steps such as locating IT servers off-site.
One mechanism to mitigate risks to compliance is to put in place robust systems and processes to help ensure outcomes are achieved. For example, a system could be put in place to ensure that at the start of each matter a client receives a leaflet and a brief explanation about the complaints process. This will lower the probability of clients not being informed about the complaints process and thus the risk of the practice not meeting outcomes 1.9 and 1.10. Similarly, the risk posed by failing to meet undertakings to clients could be mitigated by systems to ensure that undertakings are properly recorded and the relevant people are alerted when an undertaking should be met.
It is important to appreciate that risks may change over time and therefore the issue of risk needs to be revisited periodically.
5.3 Systems and processes
As noted above, systems and processes can play an important role in enabling compliance. They can also improve efficiency and the quality of service offered by a practice. The SRA has suggested numerous systems and processes that a practice may wish to put in place.
5.3.1 What systems and processes are already in place and how effective are they?
Most practices will have some systems and processes in place for certain aspects of their work. You should re-consider the systems and processes your firm has in place, both formal and informal, on a periodic basis. You may wish to use existing information such as data on complaints and non-compliance issues to assess whether systems and processes are effective in ensuring efficiency of service and compliance.
5.3.2 What systems and processes are missing?
You may wish to consider the SRA's list of suggested systems and processes. These include:
- clearly defined governance arrangements providing a transparent framework for responsibilities within the firm
- appropriate accounting procedures
- a system for ensuring that only the appropriate people authorise payments from client accounts
- a system for ensuring that undertakings are given only when intended, and compliance with them is monitored and enforced
- appropriate checks on new staff or contractors
- a system for ensuring that basic regulatory deadlines are not missed, eg
  - submission of the firm's accountant's report
  - arranging indemnity cover
  - renewal of practising certificates and registrations
  - renewal of all lawyers' practising certificates and
  - provision of regulatory information
- a system for monitoring, reviewing and managing risks
- ensuring that issues of conduct are given appropriate weight in decisions the firm takes, whether on client matters or firm-based issues such as funding
- file reviews
- appropriate systems for supporting the development and training of staff
- obtaining the necessary approvals of managers, owners and COLP/COFA
- arrangements to ensure that any duties to clients and others are fully met, even when staff are absent.
Others you should consider putting in place are systems to identify conflicts of interest; systems for supervision of staff (and contractors or outsourcers where relevant) and systems for handling and monitoring complaints.
While not all of these will be relevant to every practice some may need to be implemented within your practice. You should consider the results of your risk assessment. This may highlight areas where risk needs to be mitigated, for which systems and processes may play an important part.
You should also consider putting in place an overarching compliance plan to ensure everything is captured. This may include:
1. For the areas where you believe your systems and processes are robust in ensuring compliance:
  - how you will monitor and review these systems to ensure their continued robustness
  - how other changes in the business might mean altering these systems and how you monitor the impact of change.
2. For the areas where you believe that there are risks of non-compliance:
  - how you will mitigate these risks and the timelines for doing so
  - how you will assess the effectiveness of the mitigation
The compliance plan should be informed by the results of your risk assessment.
5.3.3 Communicating changes in systems and processes
Systems and processes are of limited value if no one is aware of them. It is important to communicate changes to staff. Often new processes are written down and this can be helpful, particularly for new starters and temporary staff who will be unaware of how the practice operates. Written processes are of little value, however, if no one follows them. It is important to ensure staff are made aware of the processes and follow them, and if changes to current processes are substantive you may need to provide staff training.
It is also important to consider involving relevant staff in designing any new systems or processes to ensure that they are practical and functional.
Systems and processes will need to be updated periodically. You may wish to consider how you will ensure that staff are informed of changes and, where a process is documented, that only the most up-to-date version is in use. In a smaller office, changes might be highlighted at a staff meeting and by email. If any paper documents are kept, then the location of these should be noted, and they should be updated as necessary and previous versions archived or destroyed. The latest version of any electronic documents must be clearly identifiable, for example by using a numbering system.
5.3.4 Reviewing the effectiveness of systems and processes
You may consider reviewing the effectiveness of the systems and processes you have implemented. You can:
- ask for feedback from staff on how they are used and how they might be improved
- undertake audits to see if systems and processes are followed
- review data such as data on non-compliance and complaints.
Undertaking regular reviews will allow you to ensure continuous improvement.
5.4 Communicating regulatory changes
It is important that the relevant people within a practice are made aware of changes to the regulatory system and any changes you are making as a result. You should provide staff with additional education and training on the changes to regulation where necessary. This may include:
- additional training
- regular update meetings
- office manuals
- document control systems to ensure that only the most up to date versions are in use.
6 SRA's focus
The SRA will target areas which they believe put their regulatory objectives at risk. This means the focus will change over time. You may wish to consider checking the SRA's website on a regular basis to see how their focus is shifting. Each year the SRA publishes its Risk Outlook. Along with the new overarching interest in business and risk management, perennial areas of interest include:
- client engagement process
- financial stability of the firm
- misuse of client money
- the lack of a diverse and representative profession (equality and diversity).
7 More information
7.1 Law Society advice and training
7.1.1 Law Society practice notes:
7.1.2 Law Society publications
7.1.3 Law Society Practice Advice Service
The Law Society provides support for solicitors on a wide range of areas of practice. Practice Advice can be contacted on 020 7320 5675 from 09.00 to 17.00 on weekdays.
7.1.4 Law Society Consulting
If you require further support, Law Society Consulting can help. We offer expert and confidential support and guidance, including face-to-face consultancy on risk and compliance. Please contact us on 020 7316 5655, or email firstname.lastname@example.org.
7.1.5 Events and training