SRA Regulatory Risk Index

 

The Risk Index provides a catalogue of risks that could impact on us meeting the regulatory outcomes (set out in the Regulatory Risk Framework). This catalogue of risks is used by us in our role as a risk-based regulator. It is embedded within our reporting, and all regulatory activities are aligned to it.

The first Risk Index was published in December 2012. This document is an update which further improves the language and structure of the index.


Purpose

The Solicitors Regulation Authority (SRA) uses the risk management process to manage regulatory risk. This is set out in our Regulatory Risk Framework.

This document introduces the March 2014 update of the Risk Index. The Risk Index applies the identification stage of the risk management process.

The first Risk Index was published in December 2012. This document should be seen as an update to the original document, further improving the language and structure of the index. This further improvement will allow the Risk Index to be better used by us and the regulated community by considering the ways in which risks are related to one another.

This fits with our belief that the Risk Index is a living document, which adjusts to the changing dynamics of the regulatory environment.

Risk management process diagram

Introduction

The Risk Index provides a catalogue of risks that could impact on us meeting the regulatory outcomes (set out in the Regulatory Risk Framework).

This catalogue of risks is used by us in our role as a risk-based regulator. It is embedded within our reporting, and all regulatory activities are aligned to it.

In addition to clearly setting out the risks to the regulatory outcomes, the Risk Index helps create consistency in our regulatory decision making and drives transparency in our regulatory approach.

It forms a vital piece of the risk-management process. By having a universal index, we can ensure each risk is accurately identified in a consistent way.

Structure

The Regulatory Risk Index is composed of 38 risks: 28 firm and 10 market risks.

Risks arising diagram

Market risks

Risks arising from or affecting the operation of the legal services market.

Firm risks

Risks which arise through the activities of regulated firms, their employees and regulated individuals employed by non-regulated persons, businesses or organisations.

Market risks are not broken down further. They therefore occupy a risk category in themselves. Firm risks are broken down into three risk categories. This gives a total of four risk categories.

Market risks

Risk arising from or affecting the operation of the legal services market

Market risks can have a negative impact on us meeting the regulatory outcomes. They can have different impacts on different firms within the market.

For example:

A competitive constraint has an impact on the regulatory outcome of ensuring the market for legal services is competitive.

Firm risks

Impact risks

Risk that firm or individual undertakes an action or omits to take an action which impacts negatively on us meeting the regulatory outcomes

Impact risks can prevent us meeting the regulatory outcomes by having a negative effect on one or more of the following:

  • clients
  • consumers more widely
  • the public interest
  • market

This impact is facilitated through the firm and/or individual.

For example:

Money laundering has a significant impact on the public interest.

Operational risks

Risk arising from a firm’s internal processes, people and systems

Operational risks provide the necessary condition(s) that give rise to impact risks. Without an operational risk occurring, impact risks rarely occur.

For example:

Money laundering could be due to deliberate action (suggesting a lack of integrity or ethics) or due to a lack of awareness around suspicious transactions (suggesting a lack of competence).

Viability risks

Risks arising from the viability of the firm and the way it is structured

Viability risks may have a negative impact on the regulated firm. They do not directly impact on clients, consumers, or the market and therefore do not directly impact on us meeting the outcomes. They rarely impact on the public interest.

The SRA cares about viability risks due to the influence they can have on operational risks and impact risks.

For example:

Reliance on a particular outsourcer could create inflexibility in a firm and impact on its ability to achieve its objectives.

By introducing the four different risk categories in this way we can begin to understand how they interact.

Relationships

Here we set out four statements around how the risk categories interact with one another.

Diagram of market risks

Market risks can cause firm risks and vice versa

Market risks can cause firm risks to occur. This acknowledges that since firms are part of a market, changes to the market will affect firms within the market. By this logic firm risks can also cause market risks to occur.

As a regulator, it is important we manage risks in the market as a whole as well as risks relative to specific firms.

For example:

  • Technological changes in the market can increase the probability of supply chain risks for firms.
  • A very severe case of misleading or inappropriate publicity could cause competitive constraints in the market.
 

Viability risks can be caused by an operational risk or a market risk

A viability risk can be caused by an operational risk or by a market risk.

As a regulator, being aware of viability risks allows us to consider how they could contribute to impact risks.

For example:

Financial difficulty could be due to:

  • lack of financial competence (i.e. a firm is unable to competently manage cash flow)
  • PESTLE risk (i.e. the economic downturn has reduced consumer demand considerably)
 

Impact risks are always caused by an operational risk

An impact risk will normally be attributable to one or more of the operational risks.

As a regulator, it is important that we identify the operational risk that causes the impact risk. This allows us to manage the cause.

For example:

A breach of confidentiality could be due to:

  • ineffective systems and controls (i.e. sensitive data was not adequately encrypted)
  • lack of management competence (i.e. staff were not given appropriate data security training)
  • lack of integrity and ethics (i.e. a member of staff deliberately breached confidentiality)
 

Firm risks are inter-related

Firm risks are inter-related with one another.

As a regulator, we should appreciate the ways in which risks inter-relate. This ensures we see the full picture.

For example:

A geographical/jurisdictional conflict could result in a firm falling into financial difficulty if they have a large reliance on work generated from that area.

These statements allow us to better understand the causes which lead to a negative impact on the regulatory outcomes, in addition to the risks which are impacting on the firm. Where appropriate, we can manage these to eliminate undesirable action at the earliest opportunity.

Risk characteristics

Each firm risk in the Regulatory Risk Index has a set of fundamental characteristics. These characteristics play an important role throughout the risk management process and we explain each in turn below. By including them in this document, we can ensure consistency in their use. These characteristics are:

  • Whether it relates just to a firm or can also apply to individuals.
  • The relative severity of the risk.
  • Whether the risk is typically associated with a regulatory breach.

Market risks do not have these characteristics.

Firm/individual

Some risks in the Regulatory Risk Index can only occur through a regulated firm. This is because they are risks specifically regarding elements of an organisational entity.

For example:

Irregular firm structure refers specifically to the structure of a regulated firm. It cannot apply to individuals.

Other risks in the Regulatory Risk Index can occur through a regulated firm, its employees and regulated individuals employed by non-regulated persons, businesses or organisations.

For example:

A specific individual can act outside regulatory permissions by practising without a valid practising certificate. A firm can act outside regulatory permissions by offering legal services without valid professional indemnity insurance.

Differentiating between these is crucial. As a regulator, we have varied controls and procedures for managing the risk in each scenario.

Severity score

Severity scores capture the amount of harm that each risk can cause relative to the worst-case scenario that could materialise at a regulated firm. This relativity is expressed through a percentage score between zero percent and one-hundred percent.

The severity scores are combined with the footprint score (see note 1) for each firm in order to provide an impact score for each risk in each firm. This impact score is then combined with a probability score to give the size of a particular risk in a particular firm. The severity scores are also used more widely in our regulatory activities.

They were formulated through a survey completed by compliance officers in 2013. This survey asked participants to select the risks which had the potential to cause the most and least amounts of harm to the regulatory objectives. The responses were combined with responses from subject matter experts in the SRA and used to produce a set of severity scores.

These severity scores will be refreshed intermittently to ensure they remain relevant.

Regulatory breach

A regulatory breach refers to an action or inaction, by a regulated firm, its employees or a regulated individual employed by a non-regulated person, business or organisation, which breaches the SRA Principles, the SRA Code of Conduct or the rules and obligations set out in the SRA Handbook (see note 2).

  • All impact risks are typically related to a regulatory breach.
  • All operational risks are typically related to a regulatory breach.
  • Viability risks are typically not related to a regulatory breach.

Generally, formal controls imposed by the SRA require a regulatory breach to be present. Therefore, it is important, when identifying a particular risk, to identify the relevant regulatory breaches.

The Risk Index (summary)

Market risks

  • Changing regulatory landscape
  • Competitive constraints
  • Failure to meet consumer demand
  • Lack of consumer awareness of rights and duties
  • Lack of adequate training provision
  • Lack of diverse & representative profession
  • Lack of public interest provision
  • PESTLE risk
  • Poor perception of legal services
  • Public emergencies

Firm risks

Viability risks

  • Financial difficulty
  • Group contagion
  • Geographical/jurisdictional conflicts
  • Irregular firm structure
  • Lack of independence
  • Structural instability
  • Supply chain risks

Operational risks

  • Failure to act with integrity or ethics
  • Ineffective systems and controls
  • Lack of financial competence
  • Lack of legal competence
  • Lack of management competence

Impact risks

  • Acting outside regulatory permissions
  • Bogus firm or individual*
  • Breach of confidentiality
  • Bribery & corruption
  • Conflict of interests
  • Criminal association
  • Discrimination
  • Disorderly closure
  • Failure to co-operate or comply
  • Failure to meet duties to 3rd parties or the court
  • Inadequate complaints handling
  • Misleading a party
  • Misleading or inappropriate publicity
  • Misuse of money or assets
  • Money laundering
  • Failure to provide a proper standard of service

* Note that this risk relates to unregulated person(s) and not the regulated firm or individual.

 

The Risk Index (full)

| Category | Risk | Description | Severity |
|---|---|---|---|
| Market risks | Changing regulatory landscape | Risks arising from the development of the regulatory arrangements for legal services providers | - |
| Market risks | Competitive constraints | Risk that market is not operating freely | - |
| Market risks | Failure to meet consumer demand | Risk that the legal services market does not or cannot meet consumer demand | - |
| Market risks | Lack of consumer awareness of rights and duties | Risk that consumers are not sufficiently aware of their legal rights and duties | - |
| Market risks | Lack of adequate training provision | Risks arising from a lack of adequate legal services training provision | - |
| Market risks | Lack of diverse & representative profession | Risks arising from failure to reflect diversity of consumers within legal services providers | - |
| Market risks | Lack of public interest provision | Risk that market factors reduce the provision of legal services for the wider public interest | - |
| Market risks | Political, Economic, Social, Technological, Legal and Ethical risk (PESTLE) | Risk arising from political, economic, social, technological, legal and ethical changes in the market | - |
| Market risks | Poor perception of legal services | Risk that public perception of legal services is adversely affected | - |
| Market risks | Public emergencies | Risk that the provision of legal services by firms or the market as a whole is impacted by external public emergencies | - |
| Viability risks | Financial difficulty | Risk that a firm experiences difficulty in meeting ongoing financial liabilities | 60% |
| Viability risks | Group contagion | Risk that liabilities, losses or events affecting one part of a group (involving a corporate common branding) affect a regulated legal firm within the group | 31% |
| Viability risks | Geographical/jurisdictional conflicts | Risks posed by territories within which firm operates or is linked | 4% |
| Viability risks | Irregular firm structure | Risk that a firm is structured in a fashion that causes regulatory concern | 30% |
| Viability risks | Lack of independence | Risk that a firm’s decision making is influenced by structural or commercial concerns | 35% |
| Viability risks | Structural instability | Risk that a firm’s structure is destabilised by events | 44% |
| Viability risks | Supply chain risks | Risk arising from a firm’s third party supplier(s) or provider(s) | 26% |
| Operational risks | Failure to act with integrity or ethics | Risk that firm or individual acts in a way that demonstrates a lack of integrity or ethics | 60% |
| Operational risks | Ineffective systems and controls | Risk that firm’s systems and controls are ineffective | 36% |
| Operational risks | Lack of financial competence | Risk that firm or individual lacks necessary competence in financial matters | 47% |
| Operational risks | Lack of legal competence | Risk that firm or individual lacks necessary legal competence | 51% |
| Operational risks | Lack of management competence | Risk that firm or individual lacks the competence needed for management of the firm or of staff | 42% |
| Impact risks | Acting outside regulatory permissions | Risk that firm or individual fails to obtain or acts outside appropriate regulatory permissions | 38% |
| Impact risks | Bogus firm or individual* | Risk that an unregulated person(s) (unrelated to an authorised firm) hold themselves out as an authorised firm or individual | 62% |
| Impact risks | Breach of confidentiality | Risk that unauthorised parties access information in a firm’s possession | 38% |
| Impact risks | Bribery & corruption | Risk that firm or individual commits, facilitates or is otherwise involved in bribery or other corrupt practices | 67% |
| Impact risks | Conflict of interests | Risk that a firm acts in a conflict of interests | 28% |
| Impact risks | Criminal association | Risk that firm or individual is involved with criminal organisation/group | 77% |
| Impact risks | Discrimination | Risk that firm or individual discriminates on a prohibited ground against consumers or employees | 33% |
| Impact risks | Disorderly closure | Risk that a firm fails to close in a proper and orderly manner | 47% |
| Impact risks | Failure to co-operate or comply | Risk that firm or individual fails to co-operate or comply with relevant regulators or ombudsmen | 30% |
| Impact risks | Failure to meet duties to 3rd parties or the court | Risk that firm fails to comply with duties owed to third parties or to the Courts | 31% |
| Impact risks | Inadequate complaints handling | Risk that firm fails to properly deal with consumer complaints | 10% |
| Impact risks | Misleading a party | Risk that firm or individual acts in a way which is misleading | 65% |
| Impact risks | Misleading or inappropriate publicity | Risk that firm is publicised in a way which is inappropriate or misleading | 11% |
| Impact risks | Misuse of money or assets | Risk that firm or individual misuses money or assets | 96% |
| Impact risks | Money laundering | Risk that firm or individual commits, facilitates, or is otherwise involved in money laundering | 73% |
| Impact risks | Failure to provide a proper standard of service | Risk that firm or individual fails to provide a proper standard of client care and/or quality of work to clients | 31% |

Notes

1. The footprint score captures the regulatory footprint left behind by a regulated firm in the event of a disorderly closure.

2. SRA Handbook version 8

