How to be an effective COLP

Transcript

Systemise your compliance management
Peter Scott Consulting
www.peterscottconsult.co.uk
Why manage compliance risks?
“The pursuit of excellence, with the aim of doing things better for the clients”
Director of Risk of a ‘top ten’ UK law firm
“If you cannot demonstrate compliance we may take regulatory action”
SRA – OFR at a glance
The scope and volume of compliance requires a different approach
For example, under Chapter 7 of the SRA Code the Outcomes provide that firms must:
- have appropriate systems and controls in place to achieve and comply with all Principles, rules and outcomes and other requirements of the Handbook
- identify, monitor and manage risks to the achievement of all outcomes, rules, Principles and other requirements in the Handbook if applicable, and take steps to address issues identified
Do you already have appropriate systems and controls in place to comply?
Your challenge is not merely to ensure your firm is compliant but to be able to DEMONSTRATE to the SRA that your firm and everyone in the firm is compliant on an on-going basis
How will you be able to do this?
Outcomes focused regulation is about managing processes
How can these processes be systemised to provide a cost effective method to manage your compliance?
Do you know your compliance risks?
• What are your compliance risks?
• Where does the knowledge of your compliance risk reside?
• Can you access it?
• Do you have systems to monitor, review and upgrade your knowledge?
A Risk Management / KM integrated approach
• Approach risk from a KM viewpoint and vice versa
• Need to manage the risks relating to knowledge in any event
• Managing the risks
– Quality assurance
– Greater competitiveness
Failure to manage your knowledge will involve serious risk
[Diagram: Compliance / Risk Management linked with Knowledge Management]
Establishing the resources you will need to effectively manage your compliance
For example:
• Internal or external?
• Part time partners or professionals?
• Paper records or use of IT?
• If IT is used, bespoke or ‘off the peg’ systems?
Planning your resources
Carry out a cost / benefit analysis to establish the most resource effective method for you to manage your compliance risks
Where to start?
A systematic approach is needed
• Needs to be management driven, with top level buy-in
• Zero tolerance is required – no exceptions – just do it!
• Managing compliance risk needs to be seen as ‘everyone’s job’ – a mind set change is needed
• Need a ‘no blame’ culture to encourage disclosure
• Training and education programmes to build awareness and change mindsets
• Continuous and systematic monitoring and reporting
Otherwise everyone is at risk
A systematic approach is required
• Put in place a formal compliance risk management process to identify and manage every area of compliance risk for the SRA Handbook and Code
• Establish a comprehensive database covering all compliance risk areas
• Standards such as Lexcel and ISO 9000 are likely to help
Implementing a compliance risk management strategy
• DIAGNOSIS: identification and assessment
• MITIGATION: control, transfer and avoidance
• MONITORING: auditing, tracking and reporting
When a risk crystallises:
• LIMITATION: minimising the effect of crystallised risks
Use of risk management tools?
Use an integrated risk management system to quantify, assess and control risk by:
– streamlining diagnosis, mitigation and monitoring
– embedding common risk management procedures
– providing information access to all who need it
– creating and maintaining one central, up to date risk database
Identifying and assessing your compliance risks
Compliance Risk Mapping (impact against incidence matrix)
                   Low incidence                  High incidence
High impact        High impact / low incidence    High impact / high incidence
Low impact         Low impact / low incidence     Low impact / high incidence
Compliance risk identification and assessment
• Incidence = probability
• Impact = severity
Some examples of compliance risks
• Lack of management commitment to best practice and compliance risk management
• Lack of knowledge by management
• Lack of supervision
• High risk work
• Lack of client vetting / fraud
• Lack of client care / matter care
• Lack of resource capability
• Lack of knowledge / expertise / experience
• Precedents / multiple use of advice
• International work / overseas offices
• Mergers
Using ‘brainstorming’ as a method of identifying and assessing compliance risks
• ‘Top down – bottom up’ brainstorming sessions in each group in your firm to identify every compliance risk area:
- are we achieving every Outcome under the new Code?
- are we compliant in every area?
- do we have gaps?
- what will be required to fully comply?
- to what standards should we comply?
- how should we prioritise our efforts?
Assessment of compliance risks
Consider the impact of, inter alia:
• Disciplinary action
• Bad publicity and loss of reputation
• Lost clients
• Complaints and claims
• Increased P.I. premiums
Risk Diagnosis (flow diagram) with the stages: set criteria for assessing risks; identify high level risks; identify detailed risks; assess severity of high-level risks; assess severity of detailed risks; leading to a risk map and a risk summary.
Compliance risk mitigation
Designed to:
• Ensure effective compliance
• Avoid / reduce non compliance
• Avoid / reduce incidence of risks
• Transfer some risks
Risk mitigation (flow diagram): inputs are the risk map and risk summary; consider the impact / probability correlation and the available mitigation techniques; outputs are a residual risk summary, contingency plan requirements, an insurance requirements summary and a required controls summary.
Compliance risk monitoring involves…
• Auditing, tracking and reporting
• Comparing actual outcomes to pre-set indicators
• Confirming effectiveness of your risk responses
• Reporting compliance and exceptions
• Establishing [annual / periodical] compliance risk management reports
Risk monitoring (flow diagram): inputs are the required controls summary, contingency plan requirements and insurance requirements summary; set risk indicators and methods to monitor them; output is the Annual Risk Management Report.
Risk limitation involves
• Risk crystallisation scenarios
• Contingency plans
• Limitation procedures
• Post event assessment
Advantages of a formal compliance risk management process for the new SRA Code?
• Structured approach focuses on key compliance risk areas
• Can demonstrate how a firm is complying and the effectiveness of compliance / outcomes
• Continuous monitoring ensures management of compliance and risk is “lived” day to day
• Universal application to all compliance and risk areas
• Comfort / assurance to PI insurers [and SRA?]
Effective use of IT systems for compliance risk management?
Use an integrated compliance risk management system to cost effectively manage compliance risk areas by:
– creating and maintaining one central, up to date compliance and risk database
– providing information access to all who need it in relation to exposure to risk
– embedding compliance and risk management procedures, e.g. client inception procedures
– streamlining identification, assessment, mitigation and monitoring of compliance risks
Outcomes focused regulation is about processes
Using IT systems is likely to be the most cost effective and compliant method to manage these processes.
Any questions?