Operational Risk and Compliance – Common Failings

Everything we do should be underpinned by a strategy or plan for the future rather dwelling on the past and/or the here and now.

Few provide a clear and well thought-out plan for the future – probably because it is difficult to do so in a climate of uncertainty.  Nevertheless, a clear and well-presented plan for managing strategic risk will make it easier to manage risk at an operational level. 


A significant change is taking place this year regarding the SRA’s CPD requirements.  The focus remains on outcomes but in this article we focus on the issue of competence. 

Outcome 7.6 of the Code of Conduct makes it clear that competence applies to everyone in the firm not just the solicitors.  This is a weak area in those firms who see “learning and development” as an expense rather than an investment in their business and the people within it.

The new framework provides greater flexibility but with that comes the responsibility to ensure that everyone in the business is competent to carry out their role on a technical, supervisory and management level as appropriate. 

The new CPD cycle [Reflect – Plan – Act – Evaluate] that forms part of the “Competence Framework” should be examined closely.  The weak areas could well be the “Reflection and Evaluation” sections of the cycle. 

Reflection & Evaluation requires an investment of time and some honesty when analysing one’s performance.  This is not a tick box exercise. This should not be about whether we have our 16 CPD hours on the clock. 

Risk Assessment

Solicitors assess risks every day in their professional lives and there are several references to risk within the listed Outcomes & Indicative Behaviours in the code of conduct.

Many risk management policies include a relatively short list of operational risks. Generally, this is another weak area and may be because managers and technicians have not engaged with the formalisation of risk assessment until they have had a complaint or claim.  

Of course, prevention is better than cure so we should consider any risk attached to a client and their instructions before we decide whether to take them on and if we do, decide how best to deal with the matter, taking into account the competence and capacity demands of doing so.

It is relatively easy to put in place a documented risk assessment process that considers the types of risks attached to particular clients, circumstances and work.   It is more difficult to ensure consistency of understanding and practice and therefore compliance with a policy, particularly in larger and/or multi office operations. 

How can you, as a manager of risk, be confident that your fee earners are competent in the area of risk assessment?  The risk message needs to be communicated on an on-going basis not as a one-off. 

“Client Care” letters & Terms of Business.

Generally, the first documents sent to clients upon receipt of their initial instructions are client unfriendly.  They are long and contain technical, sometimes irrelevant, information.   Nevertheless, important information must be communicated to the client at the outset of the relationship with them not least to ensure the achievement of Chapter 1 Outcomes!

However, these documents should go beyond compliance and provide an opportunity to set the tone of the client-solicitor relationship and instil confidence in that relationship.

Many may say “but the client doesn’t read them anyway” but regardless they should be drafted and presented as if every client is going to read them.

Again, generally, this is a weak area in practice because these documents have been drafted with compliance in mind to cover the backs of the firm and fee earners in the firm.   Unfortunately, many fall short of even compliance as they do not cover Chapter 1 Outcomes and/or contain out-of-date references and information. 

So, who checks them?   When a client complaint arises and/or the Legal Ombudsman becomes involved, the first point of reference will be the client care letter and terms of business.  Can you be confident that these will help you out of a sticky situation?

Summary & Disclaimer

The points made in this article are very general and some or all may not apply to you.  No liability is accepted for any consequences arising out of this article.  Hopefully though, upon reading this you will reflect on your practices with a view to compliance and possibly making improvements.

Complacency can be very dangerous and risk management is not a static concept and should be subject to regular review.  What works today might not work tomorrow and a low risk today might be a high risk tomorrow!