SRA Regulatory Risk Framework
[Cover diagram: risk management cycle with the stages Identify, Assess, Monitor, Control, Evaluate, Learn and adapt]
The Solicitors Regulation Authority (SRA) regulates individuals and organisations delivering legal services in line with the regulatory objectives outlined in the Legal Services Act (LSA). The SRA regulates in the public interest and in the interests of the consumers of legal services.
The SRA is an outcomes-focused, risk-based regulator.
• Outcomes-focused regulation means that our goal is to ensure that those we regulate deliver the right outcomes for the public, in line with the intent of the regulatory objectives.
• Risk-based regulation means that risks to the non-achievement of regulatory objectives are assessed in terms of their likelihood and the impact of any harm they cause to desired outcomes, before action is taken. This approach ensures that regulatory activities and resources are prioritised and applied proportionately.
The SRA’s Regulatory Risk Framework outlines how we operate and oversee risk-based regulation through our risk management process, risk governance and the organisational culture required to embed a risk-based approach.
Our Regulatory Risk Index sets out the risks that we manage under this framework.
Risk management process overview
• Before acting, we identify risks based on a central risk index
• We assess risks consistently and share these assessments across the SRA to aid understanding
• We monitor risk levels against our tolerance to direct control activities
• We control unacceptable risk levels through regulatory tools
• We continually evaluate our effectiveness by monitoring changing outcomes
• We learn and adapt our tolerance, resourcing levels and approach to controlling risks
Contents
1. Our regulatory approach
2. The regulatory risk management process
3. Risk identification
4. Risk assessment
5. Monitoring
6. Controls
7. Evaluation
8. Embedding risk management
1. Our regulatory approach
The ultimate goal of our regulatory activity is to work towards the following objectives set out in the LSA:
RO1 protecting and promoting the public interest
RO2 supporting the constitutional principle of the rule of law
RO3 improving access to justice
RO4 protecting and promoting the interests of consumers
RO5 promoting competition in the provision of services
RO6 encouraging an independent, strong, diverse and effective legal profession
RO7 increasing public understanding of the citizen’s legal rights and duties
RO8 promoting and maintaining adherence to the professional principles
We seek to do this in a manner that is transparent, accountable, proportionate, consistent and targeted at cases in which action is needed, in line with the principles of better regulation.
In working towards these objectives, the SRA has adopted an outcomes-focused, risk-based approach to regulation. That is, we deliver outcomes-focused regulation through a risk-based approach.
The diagram below shows at a high level how these concepts relate.
[Diagram: Regulatory objectives, Risk framework, Risks, Outcomes: manage risk to achieve outcomes]
Outcomes-focused regulation
The outcomes-focused approach to regulation means that our goal is to ensure that legal services providers deliver positive outcomes for consumers of legal services and the public, in line with the intent of the LSA regulatory objectives. This is in contrast to our historical rules-based approach: we no longer focus on prescribing how those we regulate provide services, but instead focus on the outcomes for the public and consumers that result from their activities.
The SRA defines desired regulatory outcomes by identifying what we expect to observe when the market operates in line with the intent of the regulatory objectives. This process provides us with a practical articulation of the characteristics or results that we should be seeking to achieve through our regulation.
By adopting an outcomes-focused approach, we are able to encourage innovation within the market, regulating a broader range of business structures who bring new approaches to the provision of legal services, as well as providing greater freedom to those we already regulate.
As an outcomes-focused regulator we evaluate the impact of our regulatory activity on firms, consumers of legal services and the public and adapt our approach to continuously improve our delivery.
Risk-based regulation
Day-to-day regulatory activities are guided by a risk-based approach to regulation, focusing attention and activity upon issues, firms and potential risks that pose the greatest threat to the objectives. In order to achieve this, we need:
• a clear view on what the risks are to the objectives and our exposure to them;
• to be able to demonstrate where our most significant risks lie, what mitigation activities we are taking to address them, and that these actions are both proportionate and effective;
• clear governance arrangements in place ensuring that risks are escalated as appropriate and that there is accountability for the effective management of risk.
These requirements shape our approach to every area of regulatory activity, for example authorising individuals joining the profession, supervising firms, enforcement activities and the setting of policies and standards.
Risk-based regulation enables us to consistently and proportionately direct resource by targeting resource at those areas which pose an unacceptable threat to the outcomes we have identified in relation to the regulatory objectives.
Our regulatory risk appetite describes our attitude towards risk, including those which we tolerate or find acceptable and the level at which risks become unacceptable. Some areas that may historically have attracted attention under the SRA’s prescriptive rules-based approach may now be within our appetite for regulatory risk, allowing us to divert resources to focus on more serious matters, and move from being reactive to being proactive in approach.
We do not seek to eliminate risk completely, but to make the best use of our limited resources to proactively reduce the risks posed to an acceptable level. We also take an explicitly non-zero failure approach to regulation, meaning that we do not seek to prevent every harm from occurring, choosing instead to allow greater flexibility for the market to operate freely as far as risks remain within tolerable levels. In the course of letting the market operate freely, risks will crystallise that fall both within and outside our tolerance and we will respond accordingly.
Regulatory activity consists of both proactive and reactive controls that can be applied according to the nature, severity and immediacy of the risk or issue posed. Our legal powers and regulatory tools include, but are not limited to:
• controls on how a firm or individual practises;
• issuing a warning about future conduct;
• closing a firm with immediate effect or imposing a disciplinary sanction, such as a fine;
• informing the market about undesirable trends and risks;
• adapting regulatory policy to minimise recurrence of an issue;
• setting qualification standards and ongoing competency requirements.
The risk-based approach enables us to be flexible and adaptive to ongoing changes within the market. As new risks to objectives are identified, we learn more about them and adjust our priorities to direct resources where they are most needed.
It should be noted that the SRA makes a distinction between operational and regulatory risk. Operational risks generated by the SRA’s activities, including our activities to control regulatory risks, are identified and assessed separately to the regulatory risks caused by the market that we regulate and other external factors. This framework describes our approach to the latter, although the risk management approach and behaviours can also be applied to these operational risks.
2. The regulatory risk management process
The SRA Regulatory Risk Framework focuses upon individual, firm and thematic risks to ensure that regulated individuals and organisations achieve the proper standards expected by consumers and the public.
A risk is considered to be the combination of impact (the potential harm that could be caused) and probability (the likelihood of a particular event occurring).
In the SRA context, impact and probability are combined to give a measure of the overall risk posed to regulatory objectives. This assessment is then used to prioritise and select our response.
Risks are typically considered at an individual, firm or industry level. In some cases, risks may already have manifested, meaning that we actually assess and respond to the consequences of the issue rather than to potential harm posed by a risk.
A key advantage to taking a risk-based approach to regulation is that it enables us to become much more proactive, identifying and tackling risks before adverse events occur, rather than acting retrospectively once harm has arisen.
The following diagram gives an overview of the SRA’s process for managing regulatory risk.
Risk management process
• Before acting, we identify risks based on a central risk index
• We assess risks consistently and share these assessments across the SRA to aid understanding
• We monitor risk levels against our tolerance to direct control activities
• We control unacceptable risk levels through regulatory tools
• We continually evaluate our effectiveness by monitoring changing outcomes
• We learn and adapt our tolerance, resourcing levels and approach to controlling risks
The risk management process is dynamic, with a constant feedback loop in place ensuring that we learn and adapt our approach to improve our control of risks, delivering better outcomes.
3. Risk identification
Identification of risk is the starting point for any regulatory activity, from triage of incoming reports or determination of applications through to policy development or regulatory process design. Identifying risks to regulatory objectives involves drawing upon a wide range of sources, including reports we receive about those we regulate, intelligence-gathering while supervising firms, contacting consumers directly and monitoring markets and the economy.
In order to ensure wider consistency in the way in which risks are identified, the SRA has identified a set of risks to the regulatory objectives which are contained in our Regulatory Risk Index.
The Regulatory Risk Index is fundamental to the risk management process. It provides a structure that enables us to prioritise and organise incoming information in a consistent manner, whilst building a comprehensive picture of our risk exposures across all areas of activity. The publication of our risk index makes transparent the areas of regulatory concern and provides a common language to promote clear dialogue with those we regulate around risks.
These risks cover potential harm caused by the activities of individuals and firms as well as external factors such as macro-economic changes or lack of consumer awareness. The Risk Index is not designed to be exhaustive and will evolve as new risks emerge.
The Regulatory Risk Index groups risks into the following six categories:
• Firm viability and structure: Risks arising from firm instability due to events relating to its financial viability and/or structural composition
• Fraud and dishonesty: Risk that firm or individual becomes involved in fraud or dishonesty
• Firm operational risks: Risk arising from the inadequacy of firm’s policies, processes, people or systems
• Competence, fitness and propriety: Risk that individuals lack skills, knowledge or behaviours, fitness or propriety
• Market risks: Risks arising from or affecting the operation of the legal services market
• External risks: Risk arising from wider factors beyond the scope of the legal services market, such as economic, political or legal changes
A copy of the Index can be found in Appendix 1.
4. Risk assessment
Consistent assessment throughout the organisation, and across the broad spectrum of risks that we handle, is essential to ensure that action is targeted proportionately at controlling the risks that pose most threat. Assessment takes into account both risks that have crystallised as issues and those that pose potential harm.
SRA risk assessments take into account a broad range of information and are performed at several different levels:
• incoming reports or notification from the regulated community, consumers and other agencies
• individuals or firms
• market-wide or sector-specific risks
Regulatory reports and notifications
The SRA has dedicated teams who manage the receipt and assessment of reports made to the organisation in relation to regulated individuals and firms. These reports can, for example, relate to such things as escalations from other regulatory agencies or reports from consumers and others who have concerns about legal service providers.
All incoming reports are risk-assessed to inform prioritisation and action. This assessment takes into account the number of consumers affected, vulnerability, financial impact and public confidence as well as factors relating to the credibility of the source, strength of evidence and severity of the risk itself.
We also receive notifications such as changes to firm management or roles held by individuals.
All relevant information gathered by the SRA is recorded and available to inform further assessments
Firms and individuals
Risk assessment will be used to inform decisions about individuals, for example their entry to the profession or the nomination as role holders such as compliance officers, and in response to conduct issues.
Firms may be assessed according to:
• their regulatory footprint or potential to impact upon objectives
• the severity of a particular risk if it were to manifest
• the likelihood of a particular risk arising in that firm
For example, a firm’s footprint takes into account attributes such as firm turnover, client money held, number of fee earners and type of work undertaken. These attributes have been identified as being relevant to the firm’s potential to impact upon the regulatory objectives. Indicators used to gauge the likelihood of risks arising within a particular firm might make use of attributes such as geographical location, ratios of partners to supervised staff, past regulatory findings against individuals now working in the firm, or applications for waivers from particular regulatory requirements.
Risk indicators are drawn from a range of information and are identified and weighted with the use of statistical analysis. The SRA’s risk analysis also makes use of qualitative information which provides us with a fuller picture across the spectrum of regulatory risk and provides important context for the interpretation and application of statistical results.
These assessments are used to inform our monitoring and control activities, including the supervisory
Market-wide and sector-specific risks
The SRA uses a process of risk aggregation to combine regulatory reports and information received across the organisation with firm and individual assessments, to gauge our overall exposure to specific regulatory risks.
Market risks provide a view on the Regulatory Risk Index from a market level, whilst sector-specific risks assess risk within particular market sectors such as conveyancing or will-writing. Examples of risks that we would consider at market level include financial difficulties, insufficient diversity within the profession and risks arising from technological developments. Market-wide and sector-specific risks are regularly reviewed within the SRA’s internal governance and are used to prioritise regulatory activity, direct resource and develop policy.
Market-wide and sector-specific risks, often referred to as ‘thematic risks’, are also used to inform the market about the SRA’s areas of concern through a Risk Outlook (see section 7).
Changes to the risk assessment model
The SRA’s risk assessment model has been constructed to be very flexible. The model contains parameters that can be set by senior management to reflect their risk appetite and tolerances, as well as new or emerging risks.
The accuracy of risk assessment within the model is dependent upon the quality and adequacy of available regulatory information. We recognise the time and cost associated with the provision of data to the SRA and therefore regularly assess the relevance of our regulatory information to ensure that we are being proportionate in imposing information requirements on those we regulate, whilst securing sufficient data to inform accurate and timely risk assessment. Ultimately information gathered allows us to focus regulatory attention and activities where they are most needed.
The SRA’s Risk Centre undertakes an annual exercise to review and adjust the model to ensure its ongoing integrity and completeness, but will make adjustments in between these periods on an exceptional basis.
5. Monitoring
Risk monitoring takes place across the SRA to ensure that risks are constantly reassessed in line with tolerance and escalated as appropriate. Monitoring is done through regular reviews at individual, firm and thematic risk levels, in line with the governance outlined in section 7.
Risk tolerances provide limits against which risks can be compared to understand whether they remain acceptable. Tolerances provide thresholds against which action can be taken consistently across the SRA.
6. Controls
Risk identification and assessment provides the basis on which the SRA can mitigate those risks that pose greatest harm to regulatory objectives. Risk control is the process by which regulatory tools and interventions are applied to manage issues, reduce risks or exploit opportunities.
The choice and application of regulatory tool is dependent upon the risks posed. Efficient, proportionate and effective management of risks relies upon a clear understanding of the risks themselves, and a consistent approach to application and evaluation of controls. The SRA’s operations all use the same Regulatory Risk Index in developing and overseeing their processes to ensure that controls consistently identify, assess and manage risks and over time we can learn from the effectiveness of particular control approaches on different risks.
Our regulatory response in any given situation is tailored to deliver particular outcomes by targeting unacceptable risks. The SRA has a broad range of regulatory tools and powers at its disposal in order to manage these risks. These include setting standards, issuing warnings, formal decisions to fine or reprimand, applying conditions to an individual’s practising certificate or indirect controls, such as influencing market practice and consumer awareness through the use of education or communications to a broad target audience.
Objective decision-making and governance
As a recognised regulator, the SRA has formal decision-making governance arrangements that set out the decisions that can be made, by whom and in what situations. The decision-making process and supporting governance ensure a proportionate approach and appropriate oversight in evaluating and managing risks.
In some cases, formal decisions require referral to an adjudicator, ensuring objectivity in approach.
7. Evaluation
The SRA continually evaluates the effectiveness of the risk framework and how well it is operating in practice to ensure desired outcomes are achieved and to identify potential improvements.
Responsibilities for risk need to be clear, with effective risk governance forums providing assurance to internal and external stakeholders.
There is an established non-executive Regulatory Risk Committee which advises the SRA Board on the delivery of risk-based and outcomes-focused regulation in authorisation, supervision and enforcement activity, as well as advising the Board on firm-based regulatory activity and the management of regulatory risks.
There are also executive risk governance groups with strategic and tactical oversight roles who provide assurance.
Tailored risk reporting is provided to each of these groups to facilitate their decision-making and oversight of risk activities.
Risk reporting helps governance forums to ensure that there is a proportionate response to any new or emerging risks, understand any risk exposures outside tolerance and adjust tolerance levels in line with changing priorities and outcomes observed.
Risk reporting provides governance forums with a view of:
• current risk exposures against tolerance
• escalated risks or events which are outside tolerance
• controls (regulatory activity) currently in place against each risk
• trends and forecasts of risk events or risk levels
• effectiveness of control activity in reducing risk levels over time
• insight into the achievement of outcomes
We also publish risk information externally to provide those we regulate and other stakeholders with information on risk exposures and the effectiveness of risk management activities. This includes our Risk Outlook, which is an annual publication that sets out the SRA’s assessment of the most significant risks to regulatory objectives in the legal services market. The document also provides an overview of the economic and environmental conditions that we believe regulated firms and consumers are currently operating in. This will be made publicly available for the benefit of those we regulate and other external stakeholders.
8. Embedding risk management
The SRA has developed a model that sets out the key steps and capabilities that it is developing on the path to full OFR implementation. This model is used to assess the current level of OFR capability, identify realistic targets for improvement, and produce action plans for developing or enhancing our embedding process.
[Figure: OFR Maturity Model. Vertical axis: OFR maturity. Horizontal axis: timeline (Pre-2012, 2012, 2013, 2014). Development drivers: capability and capacity, IT enhancement, embedding.]
The OFR Maturity Model identifies five levels of organisational maturity, described in terms of the following attributes:
• risk awareness
• risk oversight and governance
• risk appetite and tolerances
• risk analysis, reporting and outlook
• regulatory controls
• decision-making
• information governance
This model is designed to be a simple means of targeting development activity and charting progress towards greater OFR maturity, rather than being prescriptive or constraining. It provides a clear internal view of the organisation’s current approach to OFR, as well as a definition of the intended destination.
As well as taking steps to understand the organisation’s progression towards outcomes-focused maturity, the SRA […] behaviours that will serve to embed the effective operation of the risk framework within its internal operations. When enacted, these behaviours will ensure good risk awareness and a positive risk culture.
The SRA’s Risk Centre works with other functional areas within the SRA to embed risk behaviours through a programme of internal communications and engagement.
Appendix 1.
Regulatory Risk Index
December 2012
The following table provides a catalogue of risks to the achievement of regulatory objectives in the Legal Services Act 2007, identified by the SRA.
The Index is intended to be a living document which provides a common language and structure for risk information that will flex to incorporate new risks as they are identified. These risks are embedded within our reporting and all regulatory activities are aligned to this central index.
To see the most up to date version of the SRA’s risk index, please visit www.sra.org.uk.
Risk level 1 risks, grouped by risk category:
Risk category: Firm viability and structure
• Financial difficulty: Risk that a firm experiences difficulty in meeting ongoing financial liabilities.
• Group contagion: Risk that liabilities, losses or events affecting one part of a group (involving a corporate structure or common branding) affect a regulated legal firm within the group.
• Geographical/jurisdictional conflicts: Risks posed by territories within which firm operates or is linked.
• Inappropriate firm structure: Risk that a firm is structured in a fashion that is non-compliant with regulatory or statutory requirements.
• Lack of independence: Risk that a firm’s decision making is influenced by structural or commercial concerns.
• Structural instability: Risk that a firm's structure is destabilised by events or contains fundamental weaknesses.
Risk category: Fraud and dishonesty
• Bogus firm or individual: Risk that an unregulated person(s) (unrelated to an authorised firm) hold themselves out as an authorised firm or individual.
• Bribery and corruption: Risk that firm or individual commits, facilitates or is otherwise involved in bribery or other corrupt practices.
• Criminal association: Risk that firm or individual is involved with criminal organisation/group.
• Dishonest misuse of client money or assets: Risk that firm or individual dishonestly misuses money from one client’s account for the benefit of another account or dishonestly misappropriates client money or assets.
• Dishonest misuse of non-client money or assets: Risk that firm or individual dishonestly misuses the office account or misappropriates non-client money or assets for their own or another’s benefit.
• Intentional misleading: Risk that firm or individual acts in a way that is intentionally deceptive.
• Money laundering
Risk category: Firm operational risks
• Acting outside regulatory permissions: Risk that firm or individual fails to obtain or acts outside appropriate regulatory permissions.
• Breach of confidentiality: Risk that firm fails to properly protect information in their possession.
• Conflict of interests: Risk that a firm acts in a conflict of interests.
• Disorderly closure: Risk that a firm fails to close in a proper and orderly manner.
• Failure to co-operate or comply with notification and information requirements: Risk that firm or individual fails to co-operate or comply with the notification and information requirements of relevant regulators or ombudsmen.
• Failure to meet duties to 3rd parties or the court: Risk that firm fails to comply with duties owed to third parties or to the Courts.
• Inadequate complaints handling: Risk that firm fails to properly deal with consumer complaints.
• Inadequate systems and controls: Risk that firm’s systems and controls are inadequate.
• Misleading or inappropriate publicity: Risk that firm is publicised in a way which is inappropriate or misleading.
• Poor standard of service: Risk that firm fails to provide a proper standard of service to consumers.
• Supply chain risks: Risk that firm is critically dependent on the actions of a third party supplier or provider.
Risk category: Competence, fitness and propriety
• Discrimination: Risk that firm or individual discriminates on a prohibited ground against consumers or employees.
• Failure to act with integrity or ethics: Risk that firm or individual acts in a way that demonstrates a lack of integrity or ethics.
• Lack of legal competence: Risk that firm or individual lacks necessary legal competence.
• Lack of financial competence: Risk that firm or individual lacks necessary competence in financial matters.
• Lack of management competence: Risk that firm or individual lacks the competence needed for management of the firm or of staff.
Risk category: Market risks
• Changing regulatory landscape: Risks arising from the development of the regulatory framework for legal service providers.
• Competitive constraints: Risk that market is not operating freely.
• Failure to meet consumer demand: Risk that the legal services market does not or cannot meet consumer demand.
• Lack of consumer awareness of rights and duties: Risk that consumers are not sufficiently aware of their legal rights and duties.
• Lack of adequate training provision: Risks arising from a lack of adequate legal services training provision.
• Lack of diverse and representative profession: Risks arising from failure to reflect diversity of consumers within legal services providers.
• Lack of public interest provision: Risk that firms become profit-driven to the detriment of the wider public interest.
Risk category: External risks
• Economic risk: Risk that economic changes impact on the legal market or legal service providers.
• Legal risk: Risk that legal or regulatory changes impact adversely on the legal market or legal services providers.
• Political risk: Risk that changes in the political landscape locally, nationally or internationally impact adversely on the legal market or legal service providers.
• Poor perception of legal services: Risk that public perception of legal services is adversely affected.
• Public emergencies: Risk that the provision of legal services by firms or the market as a whole is impacted by external public emergencies.
• Social / cultural risk: Risk that social / cultural changes impact adversely on the legal market or legal service providers.
• Technological risk