It's Risky Business Without A Risk Register

by Pearl Moses

If you're not a Compliance Officer for Legal Practice (COLP), you might ask what a risk register is, and if you are a COLP, you should definitely have one.

What is a risk register?

A risk register is simply a tool (commonly used in business generally) in which all the potential risks to a firm are identified and assessed according to priority. They are monitored and assessed within a time frame in order to mitigate those key risks.

It is good practice to record your regulatory risks, or your most serious risks, in a risk register, as the SRA takes the view that firms demonstrating a responsible approach will be supported, making the need for enforcement action less likely.

Regulatory requirements

Risk registers are part of an existing knowledge base around the measurement and management of risk. From a regulatory perspective, risk registers became more prominent after the SRA introduced outcomes-focused regulation (OFR) with the SRA Handbook 2011. This risk-based approach emphasised the need for firms to manage their own risk, not through adherence to strict rules, but to general principles, outcomes and behaviours.

There is no strict obligation to have a risk register, but the SRA Code of Conduct, Chapter 7, Outcome 7.3, requires that:

"you identify, monitor and manage risks to compliance with all the Principles, rules and outcomes and other requirements of the Handbook, if applicable to you, and take steps to address issues identified."

To my mind, it would require several complex and connected documents to achieve the same desired outcome that a risk register would.

The advantages of a risk register

A risk register can be used as a tool to identify, assess and manage risk to acceptable levels. Actions can then be taken to reduce the probability and potential impact of specific risks.

Of all the areas of compliance that the SRA requires you to address, risk management is the least tangible. To avoid spending more time on it than you can afford, you need a well constructed register that can:

  • improve your internal risk management processes;
  • heighten risk awareness across the firm;
  • prioritise the identification of risks and the mitigation of them;
  • operate as a useful management tool for making any strategic decisions for the firm as a whole;
  • provide support for the COLP and COFA by ensuring systems are in place to meet the particular obligations of those roles;
  • reduce your PI insurance costs; and
  • meet the obligations of the SRA.

However, a risk register should not be a 'tick box' exercise. It's important that it's regarded both as a 'living' document in the firm's overall risk strategy and a proactive framework for continuously analysing and managing any shifting threats and challenges.

Monitoring the register

To meet the challenge of continuous monitoring and updating, the COLP should ensure that any changes feed into the firm's overall compliance plan and that there is buy-in from the strategic leadership within the organisation.

Useful tips for successful monitoring include:

  1. Ensure that you capture new and emerging risk by keeping up-to-date. The SRA's 'Risk Outlook' is a useful guide to identifying high risk issues.
  2. It is important that someone owns the risk register (usually the COLP) and co-ordinates all the key players in the organisation to feed into it.
  3. Make sure the risk register has profile within the firm—it should be on the agenda at management meetings and have the buy-in of the most senior people in the organisation.
  4. It pays to involve different departments as well as support staff in contributing to the register—different areas of the business will face different risks.
  5. Used properly, the risk register can be a tool not just for monitoring risk but also for revealing strategic opportunities for the firm that might not otherwise be apparent.

Priority risks

The challenge is to keep the register under review and to regularly capture any new and emerging risks. Any risks that do emerge need to be measured, and action plans should be reassessed on a regular basis to ensure that targets are met.

Some of the key risks on our radar for 2016/17 include the following:

  • Continuing threats from cybercrime
  • Upcoming changes to data protection law
  • Implications of the changes in anti-money laundering, including the new Money Laundering Regulations and the recent Criminal Finances Act 2017.
  • The challenges and uncertainty over Brexit
  • Forthcoming changes to the SRA Handbook

Benefits

A risk register template can provide a quick and easy framework that is simple to complete and ensures you include all the elements necessary to assess, treat and manage the risks facing your organisation. Risk registers make sense—and firms who manage their risk effectively are more likely to enjoy:

  • fewer complaints and claims;
  • a reputation for quality;
  • repeat business;
  • preferential PII premiums;
  • less management time spent dealing with the regulator; and
  • less risk of incurring regulatory sanctions.

This allows you to achieve a consistent level of quality over time.

Pearl Moses is Head of Risk & Compliance at the Law Society. To join the Service or for bespoke advice, email: riskandcompliance@lawsociety.org.uk.