SRA Risk Framework

The Solicitors Regulation Authority (SRA) regulates individuals and organisations delivering legal services in line with the regulatory objectives outlined in the Legal Services Act (LSA). The SRA regulates in the public interest and in the interests of the consumers of legal services.

The SRA is an outcomes-focused, risk-based regulator.

  • Outcomes-focused regulation means that our goal is to ensure that those we regulate deliver the right outcomes for the public, in line with the intent of the regulatory objectives.
  • Risk-based regulation means that risks to us acting compatibly with the regulatory objectives are assessed in terms of their probability and the impact of any harm they cause to desired outcomes, before action is taken. This approach ensures that regulatory activities and resources are prioritised and applied proportionately.

The SRA's Regulatory Risk Framework outlines how we operate and oversee risk-based regulation through our risk management process, risk governance and the organisational culture required to embed a risk-based approach.

Our Regulatory Risk Index sets out the risks that we manage under this framework.

View the regulatory risk index.

[Figure: Risk management process overview]

Our regulatory approach

The ultimate goal of our regulatory activity is to work compatibly with the following objectives set out in the LSA [1]:

  • RO1 protecting and promoting the public interest
  • RO2 supporting the constitutional principle of the rule of law
  • RO3 improving access to justice
  • RO4 protecting and promoting the interests of consumers
  • RO5 promoting competition in the provision of services
  • RO6 encouraging an independent, strong, diverse and effective legal profession
  • RO7 increasing public understanding of the citizen's legal rights and duties
  • RO8 promoting and maintaining adherence to the professional principles

We seek to do this in a manner that is transparent, accountable, proportionate, consistent and targeted at cases in which action is needed, in line with the principles of better regulation.

In working compatibly with these objectives, the SRA takes a risk-based outcomes-focused approach to regulation. This means we have defined the desired regulatory outcomes we would expect to achieve if we are delivering against the objectives.

Outcome 1: The public interest is protected by ensuring that legal services are delivered ethically and the public have confidence in the legal system.

Outcome 2: The market for legal services is competitive and diverse, and operates in the interests of consumers.

Outcome 3: Consumers can access the services they need, receive a proper service and are treated fairly.

Outcome 4: Regulation is effective, efficient and meets the principles of better regulation.

We have also identified the risks that could prevent us from meeting these regulatory outcomes.

The diagram below shows at a high level how these concepts relate.

[Figure: Regulatory Objectives]

[1] See section 28 of the Legal Services Act 2007.

Outcomes-focused regulation

The outcomes-focused approach to regulation means that our goal is to ensure that legal services providers deliver positive outcomes for consumers of legal services and the public, in line with the intent of the LSA regulatory objectives. This is in contrast to our historical rules-based approach: we no longer focus on prescribing how those we regulate provide services, but instead focus on the outcomes for the public and consumers that result from their activities.

The SRA regulatory outcomes identify what we expect to observe when the market operates in line with the intent of the regulatory objectives. This process provides us with a practical articulation of the characteristics or results that we should be seeking to achieve through our regulation.

By adopting an outcomes-focused approach, we are able to encourage innovation within the market, regulating a broader range of business structures who bring new approaches to the provision of legal services, as well as providing greater freedom to those we already regulate.

As an outcomes-focused regulator we evaluate the impact of our regulatory activity on firms, consumers of legal services and the public and adapt our approach to continuously improve our delivery.

Risk-based regulation

Day-to-day regulatory activities are guided by a risk-based approach to regulation, focusing attention and activity upon issues, firms and potential risks that pose the greatest threat to our regulatory outcomes. In order to achieve this, we need:

  • A clear view on what the risks are to these regulatory outcomes and our exposure to them.
  • To be able to demonstrate where our most significant risks lie, what regulatory controls we are applying to address them, and that these actions are both proportionate and effective.
  • Clear governance arrangements in place ensuring that risks are escalated as appropriate and that there is accountability for the effective management of risk.

These requirements shape our approach to every area of regulatory activity, for example authorising individuals joining the profession, supervising firms, enforcement activities and the setting of policies and standards.

Risk-based regulation enables us to direct resources consistently and proportionately, targeting them at those areas which pose an unacceptable threat to the regulatory outcomes.

Our regulatory risk appetite describes our attitude towards risk, including the risks which we tolerate or find acceptable and the level at which risks become unacceptable. Some areas that may historically have attracted attention under the SRA's prescriptive rules-based approach may now be within our appetite for regulatory risk, allowing us to divert resources to focus on more serious matters, and move from being reactive to being proactive in approach.

We do not seek to eliminate risk completely, but to make the best use of our limited resources to proactively reduce the risks posed to an acceptable level. We also take an explicitly non-zero failure approach to regulation, meaning that we do not seek to prevent every harm from occurring, choosing instead to allow greater flexibility for the market to operate freely as far as risks remain within tolerable levels. In the course of letting the market operate freely, risks will crystallise that fall both within and outside our tolerance and we will respond accordingly.

Regulatory activity consists of both proactive and reactive controls that can be applied according to the nature, severity and immediacy of the risk or issue posed. Our legal powers and regulatory tools include, but are not limited to:

  • controls on how a firm or individual practises;
  • issuing a warning about future conduct;
  • closing a firm with immediate effect or imposing a disciplinary sanction, such as a fine;
  • informing the market about undesirable trends and risks;
  • adapting regulatory policy to minimise recurrence of an issue;
  • setting qualification standards and ongoing competency requirements.

The risk-based approach enables us to be flexible and adaptive to ongoing changes within the market. As new risks to the regulatory outcomes are identified, we learn more about them and adjust our priorities to direct resources where they are most needed.

It should be noted that the SRA makes a distinction between operational and regulatory risk. Operational risks generated by the SRA's activities, including our activities to control regulatory risks, are identified and assessed separately to the regulatory risks. This framework describes our approach to the latter, although the risk management approach and behaviours can also be applied to these operational risks.

The regulatory risk management process

The SRA Regulatory Risk Framework focuses upon individual, firm and market risks to ensure that regulated individuals and organisations can achieve the proper standards expected by consumers and the public.

A risk is considered to be the combination of impact (the potential harm that could be caused) and probability (the likelihood of a particular risk occurring).

In the SRA context, impact and probability are combined to give a measure of the overall risk posed to the regulatory outcomes. This assessment is then used to prioritise and select our response.

Risks are typically considered at an individual, firm, thematic or market level. In some cases, risks may already have occurred, meaning that we actually assess and respond to the consequences of the issue rather than to potential harm posed by a risk.

A key advantage to taking a risk-based approach to regulation is that it enables us to become much more proactive, identifying and tackling risks before they occur, rather than acting retrospectively once harm has arisen.

The following diagram gives an overview of the SRA's process for managing regulatory risk.

[Figure: Risk management process]

The risk management process is dynamic, with a constant feedback loop in place ensuring that we learn and adapt our approach to improve our management of risks, delivering better outcomes.

Risk identification

Identification of risk is the starting point for any regulatory activity, from triage of incoming reports or determination of applications through to policy development or regulatory process design. Identifying risks to regulatory outcomes involves drawing upon a wide range of sources, including reports we receive about those we regulate, intelligence-gathering while supervising firms, contacting consumers directly and monitoring markets and the economy.

In order to ensure wider consistency in the way in which risks are identified, the SRA has identified a set of risks to the regulatory outcomes which are contained in our Regulatory Risk Index.

The Regulatory Risk Index is fundamental to the risk management process. It provides a structure that enables us to prioritise and organise incoming information in a consistent manner, whilst building a comprehensive picture of our risk exposures across all areas of activity. The publication of our Risk Index makes transparent the areas of regulatory concern and provides a common language to promote clear dialogue with those we regulate around risks.

These risks cover potential harm caused by the activities of individuals and firms as well as external factors such as macro-economic changes or lack of consumer awareness. The Risk Index is not designed to be exhaustive and will evolve as new risks emerge.

The Regulatory Risk Index groups risks into the following four categories:

Firm viability risks

Risks arising from the viability of the firm and the way it is structured.

Firm operational risks

Risks arising from a firm's internal processes, people and systems.

Firm impact risks

Risks that a firm or individual undertakes an action, or omits to take action, which impacts negatively on us meeting the regulatory outcomes.

Market risks

Risks arising from or affecting the operation of the legal services market.

Risk assessment

Consistent assessment throughout the organisation, and across the broad spectrum of risks that we handle, is essential to ensure that action is targeted proportionately at controlling the risks that we do not tolerate. Assessment takes into account both risks that have occurred as issues and those that could potentially occur.

SRA risk assessments take into account a broad range of information and are performed at several different levels:

  • regulatory reports and notifications
  • firms and individuals
  • thematic
  • market wide.

Regulatory reports and notifications

The SRA has dedicated teams who manage the receipt and assessment of reports made to the organisation in relation to regulated individuals and firms. These reports can, for example, relate to such things as escalations from other regulatory agencies or reports from consumers and others who have concerns about legal service providers.

All incoming reports are risk assessed to inform prioritisation and action. This assessment takes into account the number of consumers affected, vulnerability, financial impact and public confidence as well as factors relating to the credibility of the source, strength of evidence and severity of the risk itself.

We also receive notifications such as changes to firm management or roles held by individuals.

All relevant information gathered by the SRA is recorded and available to inform further assessments at individual, firm, thematic and market level.

Firms and individuals

Risk assessment will be used to inform decisions about individuals, for example their entry to the profession or the nomination as role holders such as compliance officers, and in response to conduct issues.

Firms will be assessed according to:

  • their regulatory footprint or potential to impact upon objectives
  • the severity of a particular risk if it were to occur
  • the probability of a particular risk arising in that firm

For example, a firm's footprint takes into account attributes such as firm turnover, client money held, number of fee earners and type of work undertaken. These attributes have been identified as being relevant to the firm's potential to impact upon the regulatory objectives. Indicators used to gauge the probability of risks arising within a particular firm might make use of attributes such as ratios of partners to supervised staff, past regulatory findings against individuals now working in the firm, or applications for waivers from particular regulatory requirements.

Risk indicators are drawn from a range of information and are identified and weighted with the use of statistical analysis. The SRA's risk analysis also makes use of qualitative information which provides us with a fuller picture across the spectrum of regulatory risk and provides important context for the interpretation and application of statistical results.

These assessments are used to inform our monitoring and control activities, including the supervisory approach taken.


Thematic

The SRA uses a process of risk aggregation to combine firm and individual assessments. If they are aggregated according to a particular theme then we call this a thematic risk. Thematic risks help us to gauge our exposure to specific regulatory risks across specific themes. An example could be financial difficulties in the personal injury sector.

Likewise, market risks can also be considered across a theme. An example could be competitive constraints in south-west England.

Thematic risks are regularly reviewed within the SRA's internal governance and are used to prioritise regulatory activity, direct resource and develop policy. They are also used to inform the market about the SRA's areas of concern through a Risk Outlook (see section 7).


Market wide

Market risks allow us to gauge our exposure to specific regulatory risks across the entire market.

Changes to the risk assessment model

The SRA's risk assessment model has been constructed to be very flexible. The model contains parameters that can be set by senior management to reflect their risk appetite and tolerances, as well as new or emerging risks.

The accuracy of risk assessment within the model is dependent upon the quality and adequacy of available regulatory information. We recognise the time and cost associated with the provision of data to the SRA and therefore regularly assess the relevance of our regulatory information to ensure that we are being proportionate in imposing information requirements on those we regulate, whilst securing sufficient data to inform accurate and timely risk assessment. Ultimately information gathered allows us to focus regulatory attention and activities where they are most needed.

The SRA's Risk Centre undertakes a regular exercise to review and adjust the model to ensure its ongoing integrity and completeness.


Risk monitoring

Risk monitoring takes place across the SRA to ensure that risks are constantly reassessed in line with tolerance and escalated as appropriate. Monitoring is done through regular reviews at individual, firm, thematic and market levels, in line with the governance outlined in section 7.

Risk tolerances provide limits against which risks can be compared to understand whether they remain acceptable. Tolerances provide thresholds against which action can be taken consistently across the SRA.


Risk control

Risk control is the process by which regulatory tools and interventions are applied to manage issues, reduce risks or exploit opportunities.

The choice and application of a regulatory tool depend upon the risks posed. Efficient, proportionate and effective management of risks relies upon a clear understanding of the risks themselves, and a consistent approach to application and evaluation of controls. The SRA's operations all use the same Regulatory Risk Index in developing and overseeing their processes to ensure we can learn from the effectiveness of particular control approaches on different risks.

Our regulatory response in any given situation is tailored to deliver particular outcomes by targeting unacceptable risks. The SRA has a broad range of regulatory tools and powers at its disposal in order to manage these risks. These include setting standards, issuing warnings, formal decisions to fine or reprimand, applying conditions to an individual's practising certificate, and influencing market practice and consumer awareness through the use of education or communications to a broad target audience.

Objective decision-making and governance

As a recognised regulator, the SRA has formal decision-making governance arrangements that set out the decisions that can be made, by whom and in what situations. The decision-making process and supporting governance ensure a proportionate approach and appropriate oversight in evaluating and managing risks.

In some cases, formal decisions require referral to an adjudicator, ensuring objectivity in approach.

Evaluate, learn and adapt

The SRA continually evaluates the effectiveness of the Risk Framework and how well it is operating in practice to ensure desired outcomes are achieved and to identify potential improvements. There are five key elements to our approach:

  • governance and oversight,
  • regulatory priorities and risk appetite,
  • reporting,
  • assurance,
  • organisational learning and continuous improvement.

Governance and oversight ensure that there is a proportionate response to any new or emerging risks and that risk exposure outside tolerance is understood, and enable us to adjust strategy in line with changing priorities and observed outcomes.

There is an established non-executive Regulatory Risk Committee that advises the SRA Board on the delivery of risk-based and outcomes-focused regulation.

The SRA ensures that responsibility for all risk-based outcomes-focused activities is clearly defined and cascaded through internal governance and individual responsibilities as well as policies and procedures.

Strategic priorities are regularly reviewed to ensure that delivery of outcomes remains in line with regulatory intent and the principles of better regulation. Our risk appetite and tolerances are used to direct regulatory activity in line with strategic priorities at firm, individual, thematic and market levels.

There are also executive risk governance groups with strategic and tactical oversight roles who provide assurance.

Risk and outcome reporting provides a view of:

  • delivery of outcomes,
  • aggregate risk exposures,
  • material issues or events,
  • outlook, including trends and forecasts of risk events or risk levels,
  • effectiveness of controls in reducing risk levels over time.

The SRA publishes risk and outcome-focused information to inform key stakeholders about performance and areas of concern. The SRA's Risk Outlook sets out our assessment of the most significant risks to the regulatory outcomes.

On the basis of our evaluation, we learn and adapt our regulatory approach, resourcing levels and tolerances to direct regulatory activities accordingly.

Embedding risk management

The SRA has developed a model that sets out the key steps and capabilities that it is developing on the path to full implementation of outcomes-focused regulation (OFR). This model is used to assess the current level of OFR capability, identify realistic targets for improvement, and produce action plans.

[Figure: OFR maturity model]

The OFR Maturity Model identifies five levels of organisational maturity, described in terms of the following attributes:

  • risk awareness,
  • risk oversight and governance,
  • risk appetite and tolerances,
  • risk analysis, reporting and outlook,
  • regulatory controls,
  • decision making,
  • information governance,
  • organisational performance.

This model is designed to be a simple means of targeting development activity and charting progress towards greater OFR maturity, rather than being prescriptive or constraining. It provides a clear internal view of the organisation's current approach to OFR, as well as a definition of the intended destination.

As well as taking steps to understand the organisation's progression towards outcomes-focused maturity, the SRA has identified a number of key behaviours that will serve to embed the effective operation of the risk framework within its internal operations. When enacted, these behaviours will ensure good risk awareness and a positive risk culture.

The SRA's Risk Centre works with other functional areas within the SRA to embed risk behaviours through a programme of internal communications and engagement.
