A different focus – Round Table

The fourth Legal Business/Marsh round table brought together a group of risk managers to discuss the changing regulatory landscape and how they manage their risk functions

It is perhaps not surprising that the fourth risk round table hosted by Legal Business and Marsh was dominated by one subject. The Solicitors Regulation Authority’s new Code of Conduct, as a part of the move to outcomes-focused regulation (OFR) due in the Autumn, is weighing heavily on the minds of most risk professionals in the largest firms. The prospect of following indicative behaviours, managing relations with the SRA and appointing a compliance officer for legal practice (COLP) were all raised in the course of the discussion.

In late March we brought together a range of risk managers from some of the UK’s largest firms. From the predominantly UK-based firms we invited Juliet Tainui-Hernandez, director of risk and compliance at Addleshaw Goddard, Hazel Ryan, risk director at Eversheds, Bill Richards, head of risk and compliance at LG, and Tom Arrowsmith, head of risk and compliance at Olswang. Katherine Foran, senior risk manager at Salans, added the perspective of a firm headquartered outside of the UK while Tony Cherry, head of practice governance and risk at Beachcroft, spoke for those practices with both a volume-driven and advisory business. Andrew Clark, general counsel at Allen & Overy, and Julia Graham, chief risk officer at DLA Piper, were on hand to provide the global firm perspective. From Marsh, Sandra Neilson-Moore, European practice leader for solicitors’ professional indemnity, and Andrew Carpenter, who leads the day-to-day lawyers team at the company, were there to explain how the situation looked from their side of the table. Although the meeting took place shortly before the publication of the SRA’s draft handbook in early April, there was still much to discuss.

‘You have to show that you are adding value. You cannot just keep asking for extra people, extra resources and new systems.’
Tom Arrowsmith, Olswang

The world of risk is clearly changing but some messages still need to get through. ‘We spend a lot of time saying, we exist to enable not disable the business – it’s much more worthwhile to say yes than no if we can do things appropriately and safely,’ DLA Piper’s Graham comments. ‘It took me a long time to stop being called the business prevention unit!’

Betting on the outcome

At a time when the SRA is under pressure to provide a clear and organised transition from the old system to OFR, those at the round table give cautious support to the regulator. ‘I think there is a great will from the SRA to make this work,’ says Andrew Clark. ‘Its difficulty is being faced with a very tight timetable, which has been, in a sense, forced on it by the alternative business structures legislation. For the City firms, I am not sure the changes are that great when you look at the detail. We trust the SRA to deliver on what it is telling us, which is that it will be a proportionate regulator and focus risk on where it lies.’

Juliet Tainui-Hernandez is also positive. ‘I am feeling cautiously optimistic,’ she says. ‘We have had our first relationship management visit and I was actually encouraged by their more sensible approach.’ For DLA Piper’s Julia Graham there’s no need to worry as long as a firm’s procedures are up to scratch. ‘If you are already trading with appropriate controls in place and an understanding of what you are doing, there is nothing to be afraid of. Will large firms’ procedures be sufficient? They should be if you have done a good job.’

The long debated issue of distinguishing between the largest firms and High Street practices continues to trouble some around the table. ‘The biggest problem for the SRA is the diversity of the profession in terms of its goals, its use of the Code and the way it should be regulated,’ Neilson-Moore insists. ‘I still have not heard very much more about how the differences between regulating big commercial City firms and small, regional and High Street firms will be managed. Somehow that seems to have been lost in the mix.’

At the time of the discussion a number of the attendees had already been visited by the SRA, either in the form of a relationship management visit or benchmarking visit. The latter focused on a firm’s governance and management structure as well as how it manages its top risks.

‘If you are to be responsible for ensuring compliance in a large business, you need the power to be able to implement and enforce it.’
Juliet Tainui-Hernandez, Addleshaw Goddard

Despite the SRA’s pro-active approach, Katherine Foran of Salans sums up the reticence of many in the market. ‘We are a little nervous at this stage – and perhaps it is because this is the outset – as to how our regulator is going to deal with it. We are all a little concerned that these indicative behaviours may turn out to be treated as a new rulebook, that they apply in a tick-box-fashion,’ she continues. ‘If our regulator starts treating indicative behaviours as though they were rules and finding a breach if one of the indicative behaviours is missing, we are going to struggle and lose the flexibility that this regime is supposed to give us.’

Following on, Andrew Carpenter says: ‘It is likely that there will be a change in how firms manage partner and senior qualified lawyers.’

‘It depends on whether you want to systematise these things or not,’ responds Clark. ‘To me it is about raising awareness. I see the risk manager’s job as informing on risk tolerance. It is not deal prevention; it is assessing risk tolerance.’

Key indicators

With OFR moving the profession away from a prescriptive tick-boxing mindset to an approach based on indicative behaviours, there’s a fair amount of discussion on the risks that the new regime poses. For instance, what is the position of a firm that clearly follows the indicative behaviours as laid out in the new code but is then found to be in breach of the rules? As A&O’s Andrew Clark summarises: ‘I suppose we all worry what will happen if an outcome is not what was expected and you have not for good reasons followed indicative behaviours,’ he says, adding, ‘Will the regulator look back with the benefit of hindsight and say that you did not do something you should have?’

‘It might be difficult trying to explain to colleagues the outcome he or she should be trying to achieve, when it is quite vague and the “indicative behaviours” do not help,’ comments Eversheds’ Ryan. ‘I am positive about the move to OFR, but it will extend the internal debates you get into with your colleagues about what are the right and wrong things to do.’

‘What we have not done and will have to do now is to introduce an element of review of legal technical content.’
Tony Cherry, Beachcroft

Foran points out that the regulator has stressed that it will take a pragmatic stance: ‘The SRA has indicated that what it is focusing on is wilful disregard of what is sensible and careful business practice and consideration for your client.’ She explains: ‘If you have observed all the rules and indicative behaviours but, nevertheless, something has unfortunately gone wrong despite your best efforts, it would be unreasonable for the SRA to take severe action, and we have had fair indication that it would not.’

There is, however, a sense within the group that getting it right is in large part down to firms’ own internal processes. ‘If you have systematic errors that you do not deal with, you deserve to be hit,’ says Graham. ‘If, however, you have a one-off event and then react, that would be looked at sympathetically.’ She stresses the importance of having a paper trail that clearly explains the actions that a firm has taken. ‘It is something you need to instil in your lawyers that they should always be recording things and putting them on file,’ she adds.

‘The risk manager’s job is informing on risk tolerance. It is not deal prevention; it is assessing risk tolerance.’
Andrew Clark, Allen & Overy

If a mistake is made it may well be easy to claim that a firm followed an indicative behaviour, however its processes would be heavily scrutinised by the regulators and, if litigation arose, by the other side’s lawyers. It’s a point that Neilson-Moore is particularly keen to stress. ‘Even if one is not worried about the SRA and the regulators, you still have to worry about the 20/20 hindsight event, where someone else litigating on behalf of your dissatisfied client will be crawling all over the file trying to poke holes in your adherence to the indicative behaviours,’ she says. There is no doubt that while these indicative behaviours provide an element of comfort the experts are cautioning to treat them like rules.

The new regime also introduces the position of COLP. Bill Richards of LG explains the role and the amount of work it is expected to entail. He said that there is a requirement on them to record any breach of the obligations of their firm to comply with its authorisation and statutory obligations concerning its authorised activities, which is very wide ranging in its scope. This led on to a discussion on why it has been stipulated that the COLP must be a lawyer. ‘Is it not odd to expect your COLP to be a lawyer at a time when most substantial firms are looking at passing a lot of this responsibility over to professional management, so that lawyers can get on with the lawyering?’ Foran asks.

‘We exist to enable not disable the business. It took me a long time to stop being called the business prevention unit!’
Julia Graham, DLA Piper

Juliet Tainui-Hernandez highlights another potential issue. ‘If you are to be responsible for ensuring compliance in a very large business, you need the power to be able to implement and enforce it. The COLP must be a powerful and respected figure,’ she says. ‘That is one of the reasons why people were suggesting that the managing partner ought to take the role,’ she adds. To Graham the main issue is not about who fills the role but how it is organised. ‘I have no problem with someone like the managing partner (CEO) being in the role, as long as you have an appropriate governance structure,’ she comments. Foran then questions whether a managing partner taking on the role would create a conflict in their responsibilities. ‘A managing partner’s duty is to act in the interests of the partnership, develop the firm and all the associated responsibilities, is there not a conflict of interest between that and reporting these breaches?’ she asks. Both Graham and Tanui-Hernandez feel that this doesn’t throw up a potential conflict and that a managing partner, supported by a firm’s risk team, is ultimately well placed to report any breaches.

Cost management

With the changes in regulation combined with the cost pressures on firms in the economic downturn, there has never been a greater onus on risk teams to prove their productivity and value to their firms.

Richards is quick to raise the spectre of one change causing a significant drain on resources: ‘OFR is probably going to bring in one thing that the PI market has been demanding for years but has never really achieved, and that is proper file reviews across the firms.’ But as Clark points out: ‘That is a very resource-intensive process, which many firms have shied away from.’

‘The challenge is to find a proportionate way to do that and monitor it,’ Tainui-Hernandez insists. ‘But it would be a brave firm that does not invest in a sensible and proper risk management function.’

‘The biggest problem for the SRA is the diversity of the profession in terms of its goals, use of the Code and the way it should be regulated.’
Sandra Neilson-Moore, Marsh

At DLA Piper, Graham and her team have already introduced a thorough review system. ‘We do systematic file reviews in every jurisdiction and office in which we operate – it’s labour intensive, but we’re going to continue to do this, taking a risk-based approach,’ she says, ‘and we always come away from these learning something new and making improvements.’ Tony Cherry feels that the shift would result in a slight change of approach at Beachcroft. ‘What we have not done systematically and will have to do now is to introduce an element of review of legal technical content,’ he reveals.

All of this potentially adds up to growing the size of risk teams. However, Olswang’s Tom Arrowsmith stresses how important it is for a risk team to show their input into the business. ‘You have to try to show that you are adding value to some extent,’ he comments. ‘You have to appreciate that you cannot just keep asking for extra people, extra resources and new systems. In the last few years it has been virtually impossible to just say “there are new regulations coming and so we need lots more people”.’

‘If our regulator starts treating indicative behaviours as though they were rules, we are going to struggle.’
Katherine Foran, Salans

Buy-in from a firm’s management is also a vital element. ‘We are lucky because our management is very supportive of us,’ Tainui-Hernandez says. ‘We are the only team in the business services part of our firm that has grown during the recession. It would be difficult to be in a firm without adequate resources in risk management, but we are still conscious to ensure we’re always adding value: we push our team to be helpful and commercial, as far as possible.’

Julia Graham explains how DLA Piper would ultimately solve the problem. ‘We use the “total cost of risk” as a key performance indicator, which measures the cost of risk (insurance, uninsured loss, the risk team and other risk-related overheads etc) against the turnover of the firm,’ she says. ‘I’m not sure that this would work for all firms but it is accepted good practice in many other sectors and it has proven to be an effective indicator for us.’

Clark sums up the resource dilemma most succinctly. ‘You will never have enough resources, because there is always more that you could be doing,’ he claims. ‘It is a question of ensuring that you are using them in the best and most efficient way, and measuring the effectiveness of those resources.’

‘OFR is probably going to bring in one thing that the PI market has been demanding for years: proper file reviews across the firms.’
Bill Richards, LG

For a number of the representatives, their wide international network presents potential issues for the risk team. Co-ordinating jurisdictions’ different regulatory approaches is an obvious challenge but those around the table point out that differences could in part be managed by minimum standards. Basic internal standards are also increasingly important to global firms.

‘On the one hand, the fact that we are moving to OFR has to help because, when you talk to lawyers from around the world, there are a number of basic principles that are consistent across the board. We do tend to find that the devil is in the detail, so removing detailed rules will help,’ Foran comments. ‘The downside is that, particularly in jurisdictions that have codified law, lawyers appreciate being able to point at a specific rule.’

For a firm like DLA Piper, which has a significant US presence as well as an extensive network throughout Europe, Asia and now Australia, the firm’s risk management runs along to two different strands. Talking about policy and practice, Graham explains ‘in some risk management and compliance practice areas, for example, anti money laundering, we have a minimum international benchmark below which we will not go, and then we top up that benchmark depending on the legal, regulatory and business practice in some jurisdictions. This is practice and labour intensive but matches our wide jurisdictional reach and business culture and evidence of how seriously we take these issues.’

‘I am positive about the move to OFR, but it will extend the internal debates about what are the right and wrong things to do.’
Hazel Ryan, Eversheds

‘There are some basic principles,’ Foran agrees. ‘We say, “We are a law firm, there are certain principles that should be inherent in everything we do, and these are applied consistently.”’ As one of the most active lateral hirers in the world, DLA faces the challenge of integrating swathes of new joiners into its global system. ‘In effect, we have our own version of the Code, in which we educate our lawyers,’ Graham outlines. ‘We immerse people in the way we do things when they join us from other firms as while they may have done things in a certain way before when they were at X, they now do it our way – “the DLA Piper Way” (the name of our online risk management and compliance toolkit). It’s a challenge but sometimes we also learn and end up changing our practice.’

Although the changes in regulation give rise to some anxiety from those around the table, the principles on which they’re based are broadly welcomed. Whether the SRA will be able to pull off the transition to a more flexible, less prescriptive approach is less clear. As Neilson-Moore sums up: ‘Risk management is just good business sense. It is when you start to make prescriptive rules with tick boxes that people will start to resent it.’ LB