Lexcel-accredited firms will be familiar with the concept of an overarching risk register but others might well be less clear about how they work. Fiona du Feu reviews the basics.
(Note that this article assumes that relevant practices already have a separate AML entity risk assessment, looking specifically at their money laundering risks.)
Do we really need one?
It’s true that the SRA’s Code of Conduct for Firms does not make having a risk register mandatory.
However, it does require at para 2.5 that “you identify, monitor and manage all material risks to your business”, and at 2.2 that “you keep and maintain records to demonstrate compliance with your obligations.” Having a risk register, then, is a convenient way of meeting those two requirements, but it can be beneficial in other ways as well.
Where do I start?
The Lexcel definition of a risk register won’t take you far down the drafting road (“a risk register is a record of the risks facing the practice”), but take heart. While there is no regulatory prescribed format for a risk register, it is generally good practice, once risks have been identified, to record who has responsibility for a particular risk and the measures taken by the practice to mitigate or reduce those risks.
What else goes into one?
It’s up to you, since every practice is unique, but work on the basis that a risk register should:
- be in writing and in a digital format for ease of manoeuvre
- state who is responsible for it
- be up to date - that means reviewed at least annually for Lexcel purposes but in reality much more often
- describe how the firm addresses each of the risks it has identified
- be communicated effectively
Can I adapt one rather than start from scratch?
Absolutely - there is no need to reinvent the wheel. Have a look at the excellent templates in the Law Society’s COLPs Toolkit and Assessing and Addressing Risk and Compliance in your Law Firm.
Note that a template is only the beginning of the drafting journey, so your finished risk register must be bespoke and unique to your firm to be of any operational help.
What does a good one look like?
A good risk register will generally do the following:
- List the strategic, regulatory and operational risks the practice faces, setting out how the firm reduces, removes or addresses each risk. There is no need to reproduce all your policies, procedures and plans here - simply provide an overview and add hyperlinks to the actual documents.
- Contain an assessment of the impact (indicating the relative significance for the practice) of failing to address the risks identified, so that resources are targeted appropriately. Using traffic light codes works well on screen.
- Be bespoke to the practice. An auditor can spot a cut and paste job, so use your own words—they are much more persuasive than stock phrases.
- Be continually updated (typically by regular input from the COLP/COFA) so it’s a living document that recognises and deals with current and emerging risks.
- Be comprehensive and reflect the firm’s size and work types.
- Have any changes to it communicated to staff, as there is no point in having a risk register which is secret.
Communicating risk changes to staff
Having clear procedures and expectations is crucial and it is useful to think about the ‘risk cycle’. There are three parts to this:
- upwards-reporting of risk—i.e. fee earners and support staff must have the means to alert the management team to any new or emerging risks
- discussion of the risk issue at high level—resulting in the identification of a mitigation strategy (the risk response)
- downwards dissemination of that risk response—it might be an update to a procedure by the management team to fee earners and support staff
Upwards-reporting will only flourish within a culture of openness and trust, so clear compliance expectations and risk management that is regarded as a normal part of your ethos are also key.
Think of the risk register as a living document - it should literally be ‘fed’ information, which will then generate active discussion, creating a risk response, which is then communicated back to the people who need to know.
It is this ‘cycle’ of risk management that demonstrates active monitoring for the purposes of para 2.5 of the SRA’s Code for Firms. Retaining successive versions of your risk register is a good idea should you need evidence of your pro-active approach to risk management.
How often should it be reviewed?
Reviews should take place at least quarterly and any other time that your risk antennae detect changes:
- to the external operating/business/market environment
- to government policy or legislation
- to the strategic direction of the practice (taking on new types of work)
- within the legal or business community
Consider what other data you can harvest to feed your risk register, for example:
- monthly reviews by the COLP/COFA of any breaches/queries
- quarterly assessments of file review results, complaints and claims
- supervision reports from supervisors and department heads to the COLP/Board
- having risk as a standing agenda item at team meetings (thereby encouraging open discussion and harvesting risk experiences at fee earner level) as well as at management board meetings
- the SRA Risk Outlook is sector-specific risk data on a plate, so be sure to check your risk register is aligned to the latest regulatory viewpoint
Tone and ethos
An appropriate ethos and culture of risk management should be made apparent within the practice’s plans, policies and procedures. But are they evident in practice?
Completing the cycle means there must be mechanisms for checking whether those same plans, policies and procedures (PPPs) are actually applied, and for acting swiftly if they are not. Don’t wait for an external audit to tell you where any gaps are—this is your ship—find any leaks and fix them now.
A well-nourished risk register is so much more than another piece of paper. Utilised fully it can have numerous benefits including:
- a regulatory audit trail, showing how you fully understand and track the risks you face as a business
- a map of the firm’s current and past risk profile, and its direction of travel for the future
- evidence of pro-active and responsible business planning (future-proofing)
- a rich seam of risk knowledge and a learning resource, capable of being used to mentor and grow the firm’s future managers and leaders
- a summary of the current focus of the management team, and therefore a ready-made agenda for business meetings, and
- a clear expression of, and commitment to, ethical and compliant leadership by the practice