Compliance Q&A: 'You are only as safe as your weakest link'
Helen Roche, Reports Content Manager at Ark, interviewed compliance expert Tracey Calvert, Director of Oakalls Consultancy Ltd (pictured), on legal compliance to get her views on the challenges currently facing compliance officers.
Can you explain your background and particular expertise when it comes to law firm compliance?
I am a lawyer myself and I have worked in both private practice and in an in-house role for a local authority. I have also worked for both The Law Society and the Solicitors Regulation Authority. I was a Senior Ethics Advisor for the SRA, and I was part of the team that drafted the SRA Handbook which created most of the compliance requirements. Now I run my own business, Oakalls Consultancy Ltd, providing compliance-related services to lawyers, law firms, and alternative business structures. I also write on the topic and, over the past 15 years or so, I have seen a lot of different types of law firms and have experienced a variety of compliance issues.
So what was it that specifically made you focus on compliance in your consultancy work?
Compliance is very much part and parcel of running a law firm these days. You have to have, at the very least, a compliance plan and, at best, a compliance culture within the organisation. This is for a whole variety of reasons: for mandatory reasons because you need to demonstrate compliance to stay regulated; plus, there are good management and business reasons because a good compliance culture ultimately means good client service.
From all of the work that you have done in this area, what do you see as the major challenges that law firms are facing in terms of risk and compliance at the moment?
I think the greatest challenge is creating a compliance culture within the business. We had the excitement of the new SRA Handbook and the designated compliance roles (the COLP and the COFA), and now we are in the phase where it is all bedding in and people might lose interest in the topic. I think that the challenge for managers of law firms, the senior people, and the compliance officers is keeping it real, and keeping it part of the agenda of the business. It is not going away and, if anything, the need for compliance and dealing with risk is getting more and more important as time goes on.
Is there anything in particular that you think law firms should be focusing on at the moment?
Well, we get our lead from the SRA and other external bodies. They focus very much on working out what the biggest risk priorities are, and these are the obvious things like money laundering and misuse of client money, and financial issues more generally. I think they are the priorities at the moment, but firms need to make sure they run alongside the more day-to-day compliance requirements such as making sure the client care response is right, or making sure people understand the basics about compliance (for example, the importance of confidentiality and not sending information to the wrong person). So, the day-to-day issues must not be forgotten while thinking of the headline issues.
Do you have any tips or suggestions for how a law firm can ensure that they have an audit trail for the SRA to prove that they are compliant?Are there any specific processes to follow?
What you want is to instil accountability in every employee and fee earner within the firm, and they need to take ownership of their own compliance matters. You want them to respond to systems and processes that create the crosscheck that the compliance officers in the firm can then use as the basis for having fuss-free conversations with the SRA. It is all about being able to create an audit trail – a paper trail in the firm that suits you so that the answers are recorded already, rather than having to go back to an issue and second guess why you did something.
Would you say that ‘tone-from-the-top’ is important in a law firm when it comes to compliance?
Yes. It is all to do with the compliance culture ethos. You need buy-in from the senior people because they will create the example from which others will follow. It is my experience that, in some law firms, if you do not get that buy-in people who listen to the messages of the compliance officers sometimes feel a little bit compromised in carrying out the compliance officer’s requirements because the senior people in their team are giving them a different message. So, you need everyone to be sharing the same message regarding compliance and processes within the firm. The discussions about the rights and wrongs of the systems and processes really should be behind the scenes.
Is there any specific approach that you think compliance officers can take to ensure they have that buy-in? Do they have to approach people in those top positions in a different way to the rest of the lawyers and other professionals within the firm?
I think they have to make sure that the senior people understand the risks of not complying, and the message compliance officers give to them is going to be different to the message to the fee earners for example. The message to the senior people will be about whether or not the law firm will still exist, with its reputation intact, if they do not have a compliance culture. Whereas, to the fee earners, the message should be more about their role in keeping the firm safe by following a particular system or compliance requirement.
That leads quite nicely onto another topic related to people within the firm being responsible for keeping it safe. Law firms in the UK are becoming increasing aware of the importance of ethics as something they need to pay particular attention to. What are your thoughts on the topic and how it relates to UK firms?
I think, increasingly, people are realising that ethics are a huge part of the legal profession. Our ethics creates a standard which makes law firms different from other businesses. There are extremely good values to sell to clients – and clients come to us expecting we will behave in a particular way. So ethics, and introducing an ethical culture to the business, should be at the very start of the compliance planning process in the firm. It is part of risk management and how we want to behave. It forms our guidelines and how we will ensure everyone complies with those guidelines.
I think sometimes ‘ethics’ is not centralised enough and it is seen as a separate issue to risk management, business development, systems and policies. But I think, increasingly, people see it as part of the very heart of all of those. If you do not have ethics and professional standards at the heart of all your compliance planning, then things are soon going to go awry.
That may answer my next question which was going to be about who needs to consider ethics within a law firm? Is it everyone?
Absolutely. If you think of entity-based regulation – which means that the SRA is looking at absolutely everyone within a law firm – you are only as safe as your weakest link, and your weakest link could be someone in a senior position, someone who has recently joined the firm with a different way of doing things, or someone in a support role. So ethics really matters and I think it is part of the function of the compliance team to make sure that everyone understands the behaviours that are expected – and why they are expected.
Moving on then, what are your top compliance tips for law firms?
I would say my top tip is to create that compliance culture and give everyone the message that mistakes are going to happen, and the worst thing you can do if you are responsible for a mistake is hide it or think you are operating in a blame and shame culture. What you want to develop is a culture of openness with accountability. You do that by keeping the communication channels open, by getting the senior people to endorse what the compliance function is doing, and simply by ensuring that everyone feels that they are playing their part in keeping the firm open, keeping the firm safe, and keeping its reputation intact.
Is there anything else that you think we have not covered that we should mention with regards to compliance? Or are there any other challenges to highlight?
No, we have covered the main things. Compliance has to come from within; it has to come from the firm itself. Yes, a firm can hire consultants to put the right questions to them and help them think of the right answers, and they can also help them to develop their processes, but if they do not live and breathe compliance themselves and it is not part of the internal workings of the firm then they are not going to be as successful as they could be otherwise.