We all trust our partners, colleagues, employees and advisers. But law firms are often hierarchical, so we can become too reliant on certain individuals. How can we avoid ‘key person risk’? Paul Bennett considers

A key risk in any law firm is from within. The legal press is littered with examples of things that have gone wrong involving trusted colleagues. When a firm contacts me for advice after the event, the questions are usually ‘What do we say to colleagues? Clients? What do we say to the regulator?’

Add to this the fact that law firms are often very hierarchical, with certain individuals seemingly above scrutiny, having unfettered access and/or very high profiles. This creates ‘key person risk’: when a firm becomes too reliant on that individual.

We all trust our partners, colleagues, employees and advisers. But ethically, is everyone on the same page? In order to manage this risk, you’ll need a delicate balance of trust, ethical thinking, and systems with safeguards. The Solicitors Regulation Authority (SRA) expects you to manage this risk, and ethical thinking is a good means of doing so.

The risk is real

The SRA Risk Outlook (Autumn 2018 update) noted: ‘Firms should carry out proper due diligence on potential employees. There have been two recent cases of fraudsters being employed by small firms and stealing client money.’ As part of their recruitment process, firms should check for staff who have a section 43 order against them. (Section 43 of the Solicitors Act 1974 permits the SRA to exclude non-solicitors from working in any firm regulated by the SRA.)

The Metropolitan Police’s booklet, The Little Book of Big Scams: Business Edition, identified that one in four businesses has been a victim of fraud within the last 12 months, and 56 per cent of the identified offenders were internal.

The insurer Travelers, in its ‘Guidance notes for legal practices’, states: ‘Theft, fraud and dishonesty are a risk for all businesses, but firms are doubly vulnerable. Not only do they often have significant amounts of money in their accounts, they are also at risk of being used to launder money… Sadly such [internal] fraud is sometimes perpetrated at the highest level in the firm and by senior and respected staff.’

To put it bluntly, your colleagues are a threat.

The role of ethics

When you have key personnel, solicitors or not, in positions of trust, irrespective of the compliance regime, you will find they have to exercise judgement at some stage. Influencing how individuals behave is key: a person’s own ethical awareness hinders misconduct more effectively than a regulator’s rulebook. An ethical culture empowers colleagues to say: ‘Let’s check this.’

In the legal sector, we have for many years focused on a compliance culture in firms, not an ethical one. Regulators have talked of a compliance and risk management approach. Compliance focuses on rules, systems and processes. By contrast, in an ethical culture, the focus is on behaviours, decision making and judgement. The changes to the SRA regime in 2019 elevate judgement and ethics – it’s a subtle rebalancing in favour of an ethical element.

How to reduce the risk

When was the last time you had ethics training? Never, perhaps, or only for a couple of hours on your legal practice course 20 years ago? Training helps because it impacts on culture – it empowers junior colleagues to say: ‘I’m probably worrying over nothing, but Dave appears to have paid the wrong person and was very upset when I tried to check this. I’m worried about it.’

Ethics training embeds ethical thinking. It also gives the senior management team and compliance officers the chance to raise issues with an ethical impact going forward.

Processes should also have embedded ethical and control checks. For instance, each payment should have two authorisers, and a checklist of questions should be run through with each payment, including the following.

  • Why are we making this payment? (Think about the SRA’s focus on treating payments to third parties as potentially provision of a banking facility – so what is the underlying legal transaction?)
  • Am I satisfied the purpose is legitimate and on instructions?
  • Are the recipient details correct, and do they match the file records?
  • Ethically, can I show the reasons for authorising this payment if I’m asked to in six to 12 months?

Conduct file audits to genuinely assess the ethical risks on each file.

Additionally, ethics being embedded means excuses such as ‘It’s in dictation,’ or ‘I’m working on it at home,’ should be met with ‘Please let me have it for audit now and you can then have it back within a few hours.’ There should be no hiding place.

Managing key person risk helps ensure everyone knows to ask: ‘Are we sure that’s ok?’