Risk framework: Questions and answers

5 May 2011

Risk-based regulation

What is a risk-based approach to regulation?

A risk-based approach means that we seek to identify the risks to us meeting our regulatory objectives, and targeting our limited resources to the areas of greatest risk. The SRA's objectives will flow from the regulatory objectives set out in section 1 of the Legal Services Act 2007.

What areas of risk is the SRA concerned about?

The SRA risk framework will bring together the assessment of

• the risks inherent in an individual firm,
• the thematic risks that affect groups of firms or sectors of the legal services market,
• the risk presented by events reported to the SRA, and
• the risks the SRA's own operations present.

In each of these areas, the risks we assess will be the risks to us meeting our regulatory objectives.

Risk in this context can be assessed as the impact of an event on our objectives, taking account of the probability of that event occurring.

Is this different from how the SRA currently sees risk?

The focus of the SRA's risk assessment processes has been on a reactive assessment of events that have been reported to us. These processes are carried out by our Risk Assessment and Designation Centre (RADC), and are explained elsewhere on our website (see Risk-based regulation). The introduction of the RADC has brought significant benefits in the more proportionate use of our resources to investigate these reports, but the move to our new risk framework is about more proactive and comprehensive assessment of risk.

How will the new SRA structure accommodate this change?

Our assessment of risk in all its aspects will be informed by work undertaken by our new Risk Centre. The centre is now developing the approach and the processes through which risk will be measured and prioritised throughout our regulatory functions. The purpose of this development work is to ensure that we have the capacity and capability to assess the potential "impact" and "probability" of risks at all levels. This will be a gradual process, and the risk centre will develop the range and sophistication of its work over time.

Firm-based risks

Why is the SRA interested in the risks posed by individual firms?

By assessing the risks inherent in any particular firm, we can decide what level of resource needs to be allocated to supervising it. As a risk-based regulator, our allocation of supervisory resource should be proportionate to the risk that a firm presents to us achieving our objectives.

How will you assess firm risk?

As we have seen, the assessment of risk will have two elements: the impact of a significant failure in a firm and the probability of that failure occurring. As a regulator with limited resources, we cannot actively supervise every firm in the same way, so we will be allocating an approach to supervision based on measures of potential impact a firm may have on our objectives. We will use measures representing

• the size of a firm,
• the potential vulnerability of its clients,
• and the amount of client money it may hold.

After a firm has been allocated to a particular approach to supervision, an assessment of the probability of failures occurring across key risk groups such as financial stability, fraud and operational risks will take place. We will use a range of indicators that are currently being tested to produce a risk profile. This will allow supervisors to assess where particular risks may be in a firm, and will allow targeted supervisory activity. This is in recognition that a one-size-fits-all approach to supervision is not appropriate to the range of firms delivering legal services to consumers.

What does it mean if a firm is high impact or high risk?

The assessment of impact and/or risk is about the approach we need to take to supervision of a firm, and not a measure of the quality of the firm. Successful, innovative firms delivering high-quality legal services can be assessed as high impact, effecting a need for us to supervise actively the firm's delivery of a business model, the failure of which has the potential to impact on our achievement of the regulatory objectives.

Will there be a credit for our risk management activities?

Although we are still developing the detail of our risk assessments, our intention is that firms who actively manage risk by achieving relevant accreditation or by demonstrating effective risk management will experience a less intrusive relationship with us than would otherwise be the case. Given the limited amount of information we have gathered from firms in the past, we will need to develop this area further as the move to risk-based regulation progresses.

Will firms be told what their risk score is?

At the moment, there are no plans to tell firms what their risk score or risk rating is. The "risk score" will, of course, fluctuate, and in isolation will not be informative, but a firm will know the level of supervision we believe is proportionate to the risks presented by them based on our assessment.

Will this mean the SRA will be increasing the information firms must provide?

In time, yes. But, in recognition of the pace of change, we have taken the decision that, in 2011, the additional information firms will need to provide will be limited to information on complaints made to firms.

Why are you collecting information on complaints?

Section 112(1) of the Legal Services Act requires us to ensure that those we regulate have an effective complaints-handling procedure for consumers. The Act also requires us to make provision for the enforcement of those requirements.

We also need to take into account published Legal Services Board requirements on the regulation of complaints handling by firms.

To meet these requirements, we need a clear picture of how firms are performing in relation to complaints handling. The information you provide will help us to do this. Second-tier complaint information from the Legal Ombudsman and consumer-client research will further add to our understanding of firms' complaints handling.

Thematic risk

What is thematic risk?

Thematic risks are

• risks caused by the behaviour of groups of individuals and/or firms,
• risks arising from a particular category of service, or
• emerging external risks.

For example, we may notice that certain firms in a particular sector of the legal services market are engaging in an activity that is leading to poor outcomes for consumers—a new kind of fraud, for instance. Firms involved in our thematic activity are likely to be from across the spectrum of low, medium and high risk/impact. The defining characteristic will be that the activity of a number of them may reveal a problem that we need to address.

SRA operational risk

Why is it important that the risk framework includes SRA operational risk?

The way we operate our own internal functions can also present a risk to us achieving our objectives, and it is important that we do not overlook these risks.

Events

Will the SRA continue to risk assess reports or complaints about events that have already happened?

Our forward-looking risk analysis and assessment will be complemented by ongoing assessment of actual events and developments. For example, a complaint, series of complaints, or information from the police may identify that there is an issue that needs to be addressed immediately. If this is the case, we will apply the resources necessary to address the situation and take effective action in accordance with our overall policies and proportionate to the issue that has arisen.

Please use www.sra.org.uk/risk to link to this page.

Search