
Web of protection

Managing risk in an upside-down world



Assessing and addressing risk and compliance in your law firm is increasingly important – but where to start? Rebecca Atkinson swings into action

If you have the pleasurable task of assessing and addressing risk in your law firm, you might be wondering where to begin. You might be a member of your firm’s risk-and-compliance team, or you may be a practitioner in a totally unrelated area and have been asked (or told!) that risk in the firm is now yours – all yours – to own.

So, what do you need to do? Where do you start? Let’s demystify it all. A very good place to start is to conduct a gap analysis in your firm. This will help inform your plan for the future. There are many areas of risk and compliance to be considered in law firms, and the trick is to spot those that are deemed to be missing, or need work, and to draw up a good plan of action. (More on that plan below.)

The Dragon’s Challenge

To help you conduct your gap analysis, here are some ideas for you:

  1. Review what you have by way of processes, policies and guidance. What is missing or lacking? You may want to focus on just three or four areas of compliance, as this might be a large task.
  2. Speak to colleagues and ask pertinent questions. If your policy says ‘fee earners must do X’, do they? Do they know they need to? Do they feel they understand the regulatory requirements of them?
  3. How does your firm put policies and processes into practice? How are they communicated? How is compliance checked?
  4. What is the firm’s compliance training like? Is it up to date? Is it fit for purpose? Are staff really learning from it? Are staff members completing it or ignoring it?
  5. Speak to brokers and insurers – what do they consider your firm’s weaknesses to be? Trust me – they will be pleased to be asked. Do they offer a gap analysis service? Do they offer risk-management input? If so, take it up.
  6. Has the firm had any regulatory feedback? What was that feedback – and does anything need to change because of it?
  7. Does the firm have any committees in the risk-and-compliance space? Are they working, made up of the right people, and do they meet at appropriate times?
  8. What do the complaints and claims against the firm tell you, if anything?

Into the Spider-Verse

In order to understand where your firm’s gaps in risk and compliance might be, the reviewer and the firm need to understand what risks there might be. This can feel a little daunting but, by breaking it down into core areas of risk and compliance, the task can be tackled with relative ease. Below are some key areas to consider.

Complaints and insurance
Does the firm have a good independent complaints procedure that is working? Are notifications to insurers up to date and being made correctly? Does the firm have a healthy notification culture?

Do people in the firm know who to report complaints or claims to? Are claims being handled correctly? Does the firm limit its liability, and is it at the right level? Is there a process for increasing that limitation?

Data protection and cyber security
Does the firm have a data-protection policy that people understand? Does the firm have a data-protection officer, and do people know who that is? Do people know what to do if they accidentally send an email to the incorrect recipient?

Does the firm have a process for handling data-erasure requests or data-subject-access requests, and is it fit for purpose? Does everyone in the firm understand cyber-risk and how to avoid falling victim?

Does the firm have a mechanism for reporting cyber-attacks? Does the firm have a person with responsibility over cyber and information security?

Anti-money-laundering
Does the firm have all relevant procedures, controls and policies in place that are needed to adequately tackle money-laundering? Are people trained regularly, and is that training working?

Does the firm conduct all aspects of client due diligence that it should (ID, verification of ID, client and matter risk assessments, PEP/sanction/adverse-media checks and ongoing monitoring)? Does the firm have a high-risk register?

Are the appropriate people appointed to important roles in the firm to report suspicions to the relevant authority and ensure compliance?

Statutory compliance
Does the firm comply with all statutory requirements? These could be in the areas of anti-bribery and corruption, modern slavery, whistleblowing, and so on. You might also wish to consider health-and-safety and employment legislation.

Regulatory compliance
Does the firm and its people comply with the relevant codes of conduct? Are people adequately trained to understand and handle ethical scenarios? Is the firm’s letterhead/advertising compliant with regulatory requirements? Does appropriate training happen, and is it up to date?

Risk management
Does the firm have appropriate risk registers? Does the firm have a procurement process that covers off any regulatory obligations? Does the firm have a process where contracts it enters into are reviewed to ensure they do not interfere with the firm’s regulatory obligations?

Does the firm have a destruction policy, and is it adhered to? Are new joiners inducted properly, and do they understand the firm’s risk and compliance policies and culture? Is the disclaimer at the end of your emails sufficient and compliant?

Does the firm have an appropriate business continuity plan (which will have undoubtedly changed since COVID-19), and is it up to date? Does the firm have a policy around how and when to provide client bank-account details? Does the firm have appropriate engagement letter templates, and are they being used?

Other matters to consider
There are some aspects of firm life that often come under the risk-and-compliance umbrella because they don’t seem to fit anywhere else. You need to consider these, too.

These might be accreditation schemes, responding to audit letters from a client’s accountant (as it may be risky to confirm too much information and create an expectation of reliance on the letter content), membership to lender panels, and so on.

The extent of the possible risks, as outlined above, might feel like overkill (but are not, in fact, all that there could be), particularly if your firm is a small one. That is okay. What is important is not to tick off as many areas as you can in a tick-box exercise, but rather to pick key areas to tackle, and concentrate on them methodically.

Homecoming

Once you have considered the risks that there might be and conducted a gap analysis, it is time to draw up a plan of action.

Do not underestimate the power of a good plan. It not only gets things done, but is a tangible document that insurers like to see and, rather than it highlighting the firm’s issues to your detriment, it shows how serious you are about this subject.

Your action plan should set out the following:

  1. What the compliance requirement or risk-mitigation area is;
  2. Where the firm is currently, in terms of compliance or risk mitigation;
  3. What needs to be done to bring the firm up to the required level of compliance, or to mitigate the risk;
  4. Who will undertake that work;
  5. Who the liaison person should be in relation to the task (that is, business-service areas, or partners, and so on);
  6. What the target date is for completion; and
  7. Details of when the task was completed.

You could also put your training schedule in this plan. Your plan could cover tasks to be undertaken over the next year or years. However, I would recommend carving tasks up, one year at a time, and being realistic about what can be achieved in that time.

For example, AML compliance could be the main task for a whole year, with a few ancillary tasks (such as training) through the year, and some cyber-awareness notices/guidance and articles.

Some areas are naturally much larger than others and, once you have brought the firm up to the right level of compliance or risk awareness, you are then in a state of maintenance, audit/checking/reviewing compliance, awareness and training.

Save for those risk-registers/risk-analysis documents that may be required under regulations, the firm may decide to have a firm-wide risk assessment. This is not compulsory, but it can be a good way of analysing the risks faced at the firm, and how they will be mitigated.

However, try not to make the risk assessment so large that it will be a serious task just to keep it up to date. The document needs to be useful rather than ‘simply pretty’ and never used after being created.

Endgame

If your firm does not have a risk-and-compliance team, conducting the steps outlined above may lead you to concluding that additional or dedicated personnel are needed to tackle risk and compliance in your firm.

It is true to say that law firms are more regulated now than they have ever been, and there is often a need for a dedicated team – just as there is for HR, IT, or business development/marketing.

If your firm is considering creating or expanding the risk-and-compliance team, it can help to understand what other law firms’ risk-and-compliance teams look like. To that end, personnel tasked with risk-and-compliance activities in their firm would do very well to liaise and network with risk people in other firms.

Rebecca Atkinson is director of risk and compliance for Howard Kennedy LLP, London. She is the author of Assessing and Addressing Risk and Compliance in Your Law Firm (2020, bookshop.lawsociety.org.uk)