How the SRA uses the Risk Framework to deliver risk-based outcomes-focused regulation

In this webinar, presented on 15 May 2013, we introduce the SRA's Regulatory Risk Framework, the mechanism through which we deliver risk-based outcomes-focused regulation. In particular, we examine the Risk Index, our catalogue of risks to the achievement of regulatory outcomes in the Legal Services Act 2007, and discuss the risk management process for identifying, assessing and managing these risks within the SRA.

Webinar recording

Questions and answers

During the webinar, participants submitted more questions than we were able to answer. For that reason, we have reproduced below many of the questions that were asked—along with our answers. We hope you find this useful.

Q1. How do Level 1 risks compare with other 'levels'?

A. When we put the Risk Index together with colleagues across the SRA, we identified over 600 types of risks. Originally, we classified these in different levels - Level 1 being similar to those 43 risks which are in the published version of the Risk Index, and Level 2 which were more specific representations of these risks, for example different types of fraud. In publishing the Risk Index, and in using it both in the SRA and sharing it with the regulated community, we felt that a simpler and clearer list of risks would be more appropriate and so removed the detailed Level 2 risks. We have provided some examples of what these risks might be in more detail in the published Risk Index.

Q2. Is this Risk Index standard for all types and size of law firm?

A. The Risk Index is applicable to all firms and types of law. Based on extensive discussions with colleagues at the SRA, we believe that the Risk Index reflects all of the main risk areas. However, we recognise that new risks may arise or change, and so we regularly review the Risk Index and will publish updates should they be made.

Q3. Do you share or publish your firm risk assessments?

A. At the moment, we do not have plans to tell firms what their risk assessments are. This is a fairly standard practice for regulators. In isolation, risk scores will not be informative - they only make sense when taken in the context of the full firm population, and we are not currently in a position to make this information available to all firms, particularly as scores change on a regular basis. Similarly, there are no plans at the moment to share our probability indicators. These are based on regulatory and firm structural data collected by the SRA which, largely, firms can do nothing about.

It should be remembered that, for both events and firm assessments, the assessment does not reflect the final decision about whether to supervise or engage with a firm - for example, a firm's probability profile is just part of the information that is used to decide about how a firm is engaged with. In the coming months, we will publish a paper outlining the evolution of our approach to risk assessment, and this will include reference to how we hope that more information can be shared with firms in the future.

Q4. Do you share risk profiles with insurance companies?

A. Just as we do not share risk profiles with firms, we do not share them with insurance companies or any other third parties. They are a regulatory tool for use in the SRA only.

Q5. Do you publish the event assessment classifications?

A. The event classifications are available. Please see our information on incoming reports assessment for more details, and to find out how to obtain a full list of the classifications.

Q6. Do firms who have a high footprint know who they are?

A. Generally speaking, firms who are categorised with a high firm footprint will know who they are. This is because they will have a relationship manager. Non-relationship managed firms may have named supervisors, who may be allocated to medium and low footprint firms.

Q7. What is the severity score and how does the survey fit in?

A. Severity will be a new component in our risk assessment methodologies and will help us to refine our quantitative analysis. At present, the risks in the index are not weighted or prioritised, which means that, if we apply the same footprint and probability scores to the risk of money laundering, it would be the same as the risk of misleading or inappropriate publicity. The severity scores will reflect the fact that some risks have more potential than others to harm the regulatory objectives without considering footprint and probability. This will allow us to place risks relative to, and in context with, other risks in the Index.

We asked for members of the Compliance Officer community to help establish severity scores by completing a severity survey which closed in late May. We will be using the responses from this survey in conjunction with responses from staff at the SRA who also filled the survey in. This range of views should give us an accurate picture of the seriousness of the risks we face and a set of severity scores, taking account of SRA and professional opinions. We'll be publishing an analysis of the responses to the survey in the coming months.

Q8. Do you risk assess individuals?

A. No, at the moment we do not risk profile individuals. However, we are looking at ways that we could do this using a more generalised methodology. We are interested in people who move from one firm to another and create problems at each - any potential individual profiling would have this at the centre.

Q9. Do you use risk assessment when Authorising firms?

A. In authorisation of firms, the SRA uses the Risk Index and impact and probability concepts to help identify and prioritise risks. The approach to footprint is the same as that mentioned already, whilst probability assessment relies more on the information provided in application forms and other dialogue with applicants.

Q10. Why have you asked for more client money information?

A. Unlike some other regulated sectors, 82 percent of our regulated firms hold client money, presenting an obvious potential risk to consumers' assets and the regulatory objective to protect the interests of consumers. Client money is an important component of the Footprint methodology, but we are aware that there is a lot more to client money than data that simply states whether a firm does or does not hold any. Our generalised approach to using client money at the moment does not allow us to differentiate between firms that hold small amounts of money and those holding large amounts. This more detailed client money data will allow us to have a more comprehensive picture of where client money balances are held. For example, we are aware of firms that are small in terms of personnel holding large amounts of client money and vice versa, and it is important that we factor this into our calculations.

Q11. Will you be asking for more information in the future?

A. In time, yes. But we recognise the time and cost associated with the provision of data to the SRA, and therefore we assess the relevance of our regulatory information to ensure that we are being proportionate in imposing information requirements on those we regulate, whilst securing sufficient data to inform accurate and timely risk assessment.

Q12. Are firm accreditations used in your risk profiling?

A. At the moment we do not use information about accreditations in our risk profiling. However, we are looking at how we can use this in the future as our risk assessment methodologies evolve.

Q13. What external data do you use in your risk assessments - for example credit information?

A. At present we use regulatory data that is held by the SRA and information about firm characteristics that we also hold. We do not currently use other third party data directly in our risk assessments, although we would like to make use of information from various sources such as Companies House, the Legal Services Commission, the Legal Ombudsman, and other sources in the future.

Q14. Does attendance on OFR and other risk-related training also get monitored by the SRA and fed into the footprint data?

A. No, we do not currently use this information in our footprint calculations. The characteristics that we use to calculate footprint methodologies relate to a firm's size, whether they hold client money, and whether they work with vulnerable clients or clients in a position of informational asymmetry.

Q15. Should firms use the same risk index in their own risk assessment systems?

A. Firms should make use of the risks outlined in the Risk Index, but should remember that the risks we've established are those that we feel may arise in firms and which could affect the SRA's ability to achieve the regulatory objectives. Firms have their own objectives and they may have additional risks that are not included in our regulatory Risk Index.

Q16. How does the SRA determine tolerances to different risks? Will these tolerances be shared with law firms?

A. Tolerances are set by different groups depending on the issues in question. Our three governance groups perform this function, as outlined in the webinar. Tolerances can change over time and as new information comes to light. There are no plans to share our tolerances as a matter of course with law firms; however, sometimes our tolerances are obvious from SRA communications, such as in the recent Financial Stability project or event classification.

Q17. Is there a policy on the destruction of data held on individuals by the SRA in connection with risk assessment?

A. The SRA has a records disposal schedule which sets out how we comply with legislation such as the Data Protection Act 1998, our Freedom of Information Code of Practice, as well as adherence to best practice standards.

Q18. Can firms contact the Risk Centre at the SRA on an ongoing basis for guidance and advice?

A. Although the Risk Centre is not in a position to offer one-to-one guidance, we are publishing documents in the coming months that firms should find useful for their own risk management. In particular we have a Risk Outlook due to be published in the coming months, and a Firm Risk Assessment Methodology document also due to be released soon. You will find other documents such as the Risk Framework and Risk Index at www.sra.org.uk/risk.

Q19. How can firms raise concerns with the SRA about risks that may be going on in other firms?

A. There is a reporting procedure that firms, members of the public, other law enforcement agencies and other entities can use when they have concerns about regulatory breaches. To make such a report, please complete our report form or email us at report@sra.org.uk. Reports that are received via this route are assessed using the Event assessment methodology as outlined in the webinar.

Q20. Could risk profiles have an effect on practising certificate costs?

A. There are no plans at present for risk profile information to be used to directly affect practising certificate costs. We acknowledge that whilst our assessments do help to identify areas of enquiry for colleagues in the SRA to investigate, it is only through direct liaison with a firm that the true levels of risk can be identified. Therefore, risk assessments on their own are not accurate enough to be used to determine whether firms are of higher or lower risk in a way that may potentially influence practising certificate costs.