The speech below was delivered by Samantha Barrass, executive director of Supervision, Risk and Standards, at the annual Risk Management for Law Firms conference on 1 December 2010.
Good morning. It is a great pleasure to be invited to speak at the seventh annual risk management conference. Risk management is of course a rigorous discipline rooted in unsuperstitious scholarship, in science and statistics, but even so I hope that your seventh conference will be lucky for you.
We live now in a "risk society". Anthony Giddens has defined this as "a society increasingly preoccupied with the future (and also with safety), which generates the notion of risk". Unsurprisingly, the concept of risk has now become very much a part of regulation, across industries and across the world.
I realise that risk management is the subject matter of your conference and, probably against a background that one of the risks you will have in mind is regulatory risk, I'm going to focus on the SRA's transformation into delivering "outcomes-focused regulation", or as it is often known, "OFR".
You will know from documents already published by the SRA that a focus on outcomes is intended to be about what you achieve as firms, rather than how you achieve it, although of course ethical standards of behaviour remain essential. Yesterday we published an important new document on OFR providing more detail on our transformation progress.
Before addressing the nature of the change, I would like to remind you why a focus on outcomes is an important and necessary development for us.
Our former approach to regulation has a long history associated with it, not just in the SRA but in many regulators of many markets all over the world. The paradigm is a simple one: the regulator sets detailed rules with which firms either comply or don't comply.
If firms don't comply and get found out, they run the risk of enforcement action. If the firm isn't expelled and is brought back into compliance, the whole cycle starts again. As I say, this model of regulation has been quite common.
Unfortunately, this reactive approach based on detailed rules is not particularly efficient, especially where there is significant change underway in the regulated community.
In such cases, there is a risk that the rules will either fail to keep up with innovation leading to consumers and others being exposed to poor behaviour that has no sanction. Or, on the other hand, firms may find their ability to innovate held back by rules designed for a former world.
Outcomes-focused regulation is designed to create a more robust and efficient regulatory system. Instead of focusing on the failures that have occurred in firms, we will look instead at what we require firms to achieve by way of outcomes. This is a forward-looking approach.
Some firms have told us they are concerned about the loss of detail in our move to OFR. In registering this concern, they are effectively equating detail with certainty. There are three points to make about this.
First, I'm not at all convinced that our detailed rules have ever had quite the degree of certainty that is claimed for them. We seem to spend a great deal of our time in discussions with firms over what particular rules mean, leading to more detail, leading to more anxiety by firms if there is detail that doesn't directly apply, leading to more discussions, leading to more detail and so on and so forth. This is a fair characterisation of the SRA's current body of rules.
Second, a focus on detailed rules forces firms on occasion to do things because the rules require them to, rather than because they are necessary for consumer protection or the wider public interest.
And third, detailed rules run the risk of distorting our regulatory activity; increasing the extent to which we may spend our time supervising and enforcing things that don't really matter, at the expense of spending time on things that do.
Instead, we would like firms to attach weight to what the SRA intends to do as a risk-based regulator. In particular, that our decisions on how we use our limited resources will be driven by our analysis of what we view as the important risks to our objectives, such as consumer protection.
We will be explicit with firms, through specific publications such as the "Risk Outlook", but also in our discussions with them, about what we see as these risks.
I believe that the forward focus of both OFR and our risk-based approach will be a benefit to firms. Our openness in relation to risk should help firms by alerting them to our view of risks of serious breaches of the required outcomes.
Of course, some less well managed or badly intentioned firms will continue to not care sufficiently about compliance, and we will need to deal with these firms through enforcement. But the important point I want to stress to you today is that the changes to the SRA's regulatory approach are not intended to "catch firms out"...
This change of regulatory approach is significant inside the SRA, as well as outside of it. We have recently undertaken an interim management restructure to place our staff resources around the key regulatory functions of authorisation, supervision and enforcement.
In addition, we are putting all of our staff through an assessment centre, to ensure that their behavioural competencies will match what we will expect of them in our new regulatory approach and have begun work to devise technical competencies.
Some of you may know that the SRA is based across three sites in the Midlands. This creates operating difficulties and a mentality of working in silos, something which we are changing.
We are looking at options for a single site in the Midlands at which we would be able to accommodate the majority of our staff. Our London office will however remain, a London presence being essential to dealing with the concerns of our London area stakeholders, including London-based firms.
On 21 October this year, we published a second consultation paper on our new Handbook. The Handbook sets out our complete set of regulatory requirements, including the SRA's ten mandatory principles which apply to all.
Then, in a revised Code of Conduct, it sets out, in 12 chapters, a series of mandatory "outcomes" which describe what firms and individuals are expected to achieve in order to comply with the principles in the context of each individual chapter.
Your professional judgement will be needed to decide if any particular outcome is relevant to your practice and you will need to bear in mind that
- some of the outcomes do not apply to overseas practice; and
- outcomes may be different when applied to in-house practice and/or where services are provided only to your employer.
The outcomes are supplemented by "indicative behaviours". These specify, but do not constitute, an exhaustive list of the types of behaviours which may establish compliance with, or contravention of, the principles. These are not mandatory but they may help us to decide whether an outcome has been achieved in compliance with the principles.
Importantly, we recognise that there may be a number of ways of achieving the required outcomes. The key is that you must consider the principles and Code requirements in the context of your own business, your areas of practice and the clients to whom you deliver services.
You must establish appropriate processes and systems that will enable you to deliver the required outcomes and comply with the Code. This is a responsibility that lies squarely with firms and with the individual owners, managers and other regulated individuals.
I have already mentioned that, in earlier discussions on our move to OFR, some firms expressed concern about the move away from prescriptive rules. We have seen some of those underlying concerns emerging again in early responses to, and requests for clarification on, the latest consultation.
It appears to me that some of these concerns arise because there is a fear that whilst we are explicitly moving away from rules as a basis for our regulatory approach, we will continue, in the way in which we operate, to regulate the new outcomes in a "rules-based" way: seeking obsessively to identify "breaches" of the outcomes and applying simplistic enforcement sanctions to all such "breaches".
This will not be the case. The new approach requires a changed approach for firms and a change of approach by the SRA.
For example, we have a specific outcome that provides that, "you do not act where there is an own interest conflict" – that is a conflict of interest between the firm and the client. We might receive complaints about two separate firms that have failed to achieve this outcome in individual cases by acting in such a conflict situation.
In Firm A, we can see that the firm has taken its regulatory responsibilities seriously, has complied with other relevant outcomes, for example, that which requires a firm to have effective systems and controls in place to enable it to identify and assess potential conflicts of interest, and is actively managing risks around conflicts in the context of its own business and clients.
However, in Firm B, we can see that there is little or no attempt to comply. There are no effective systems, staff are not trained to identify conflict situations and there has been no consideration of the risks to the business or to compliance posed by conflicts.
In these circumstances, in the light of what would initially seem to be very similar issues, our regulatory response to the two firms will be very different. To me, the key issue is whether or not the individual or firm takes compliance seriously, has assessed its risks thoroughly and has then been competent in establishing effective systems and processes to achieve compliance and manage risk.
The theme of firms taking ownership and responsibility has also been apparent in our discussions on another of the requirements set out in the draft Handbook: the requirement we propose to place on traditionally structured law firms to appoint a Compliance Officer for Legal Practice (COLP) and a Compliance Officer for Finance and Administration (COFA).
These requirements mirror those placed on ABSs by the Legal Services Act 2007 to appoint Heads of Legal Practice and Heads of Finance and Administration (HOLPs and HOFAs). We are strongly of the view that having COLPs and COFAs who are responsible for implementing appropriate controls is in the interest of the public and all firms.
The responsibilities of COLPs and COFAs will remove none of the responsibilities of other individuals, be these principals of traditional law firms or directors of ABSs, to operate within those controls or from the governing body to oversee those controls. Our primary concern is with the implementation of effective controls by the firm as a whole.
The requirements surrounding the COLP and COFA roles, as set out in the Handbook, now include the opportunity for these roles to be undertaken by appropriate employees and not solely by managers.
The requirements are deliberately designed to be sufficiently flexible for firms to put in place arrangements appropriate to their own business in the context of the structure of that business, the areas of practice and their particular clients. This is consistent with our overall approach.
So, a sole practitioner may, themselves, undertake the COLP and COFA roles. In a larger and more complex firm these roles will undoubtedly be undertaken by dedicated individuals, probably individuals already leading compliance and finance teams.
We have already been asked for additional detail, advice and formal guidance on these roles, their specific responsibilities, the structures and systems we might consider compliant, etc.
Whilst we will consider all responses to the consultation, I believe that it is unlikely that we will seek to prescribe the duties more specifically, or to produce job descriptions for these roles in great detail.
Again, this is because we believe that firms have to take responsibility for putting in place arrangements appropriate to their own business. Many firms already have in place excellent structures to manage their businesses in a way that properly identifies and manages risk.
The COLP and COFA requirements do not require firms to tear up those arrangements and rebuild systems from scratch, rather they are an opportunity to review those arrangements in the light of the new requirements and make suitable, evolutionary adjustments to identify who, in that structure, should assume the COLP and COFA roles and ensure that they have the necessary authority and support from managers to fulfil them effectively.
I turn now to a little more detail on the SRA's approach to risk. I have already mentioned that the risk that concerns us is the risk that we might be unable to achieve our regulatory objectives. There are three separate types of risk that might have this effect.
First, there are the risks arising from individual firms themselves. We need to identify the higher risk firms in order that we may give them sufficient regulatory attention.
There is an important point here. Where we classify a firm as "high risk", we do not necessarily mean that we have concern about the firm's viability or its behaviour. A "high risk" rating may simply reflect the fact that the firm is an important firm in the market for legal services, such that if something were to go wrong it might cause serious difficulties, perhaps because it could cause consumers to lose confidence in legal services providers as a whole.
So "high risk" doesn't necessarily mean "bad", it could just as equally mean "complex and important".
The second type of risk is what we call "thematic risk". Thematic risks arise from the wider environment or from the activities of firms acting in similar ways – where we have concerns that the outcomes of such actions may be harmful in some way to the achievement of our objectives.
So, for example, we may spot a new method of approaching clients in a particular sector of providers. This may even be geographical, where firms in one particular area are copying one of their peers to match their competitive advantage. If we are concerned that the methods being used are inconsistent with, say, consumer protection, we may register the matter as a "thematic risk".
This is a different type of risk from firm-based risks. We will want to understand the nature and scale of the issue and we may need to undertake some research in order to do so. We may need to visit a selection of firms that might be engaging in the activity.
The third type of risk is "operational risk", that is, risks arising from failures in SRA staff or internal systems and controls.
It is necessary to recognise these three different types of risk because the implications of each of them are different. The risk rating of individual firms is important to assigning an appropriate regulatory style to each, so that, for example, higher risk firms receive an enhanced form of supervision compared to lower-risk firms.
Thematic risks on the other hand can only really be tackled through forming a special project team designed specifically to understand the particular nature of the risk in question. Such teams may have a mixture of internal SRA specialists, supervisors and perhaps external consultants. Our operational risks will be tackled internally by inwardly focused teams of relevant specialists.
Implicit in what I have just said is that understanding the risks to the regulatory objectives brings with it decisions around which risks we do something about and which we don't.
We are very unlikely to have sufficient resource to be able to tackle all of the risks that we identify. Therefore we need to make decisions to tackle our higher risks, whilst simultaneously deciding not to tackle some of the risks lower down the list.
This is a significant change of approach for the SRA. All regulators have limited resources. The difference is our decision to become a more focused, efficient and effective regulator through the systematic targeting of those resources to the greatest areas of risk.
And at this juncture, it should begin to become obvious that spending time in a well-run firm on a "fishing expedition" for breaches is not a good use of our resources.
In speaking about risks I have thus far had in mind our work in supervision.
However, this risk focus is not restricted to supervision, although most firms will have their main experience of us through their relationship with our supervisors.
We will apply a risk focus also to authorisation. Authorisation processes at the SRA, similar to many other regulators, have historically been given insufficient attention, and offer a major opportunity to reduce unacceptable risk from the outset.
We are working at the moment to develop a system where applications can be ranked by risk factors. This will entail distinctions between applications based on their level of risk and complexity.
Low risk applications may have a largely automated system for approval based on the applicant's information submitted online. Medium risk applications may require an additional set of enquiries including direct contact with the applicant. Complex applications could raise the need for face-to-face meetings to seek further information, to validate data that has been submitted and explore in greater detail the implication for the SRA of the application.
Our Authorisation team will be our front line, not least in dealing with the licensing of ABSs – the SRA will authorise such structures from 6 October 2011, subject of course to our approval as a Licensing Authority earlier in 2011.
The introduction of ABSs will present one of the most significant changes to the legal landscape for many years. We have created a separate ABS team to liaise with and assist firms that are interested in creating ABSs.
The ABS team is our point of contact for all enquiries relating to ABSs and we invite prospective ABSs to speak with us in advance about the structures they are intending to submit for licensing.
We are currently looking at the information that we will need from prospective applicants in order to be able to authorise them as ABS's. We will begin to provide more information about these requirements during the first quarter of 2011.
We will need the right amount and type of information in order to be able to license ABS's safely. In addition, the information will enable us to "risk rate" the firms themselves as they move from authorisation to ongoing supervision.
To conclude
The SRA's transformation of its regulatory approach is fundamental. We have limited resources and we need to make sure that we use those resources effectively: in the interests of consumers, the rule of law and the wider public interest.
Our transformation recognises that in the past we have not always made the best use of those resources. We have been too heavily focused on administrative application of rules and procedures and reactively searching for breaches of those rules, rather than making risk-based judgements on the best use of our resources.
And I understand that it is that experience of the SRA that drives a desire, on the part of at least some of you, for regulatory detail and caveats around personal responsibility.
The regulatory Handbook in these circumstances becomes the tool around which you manage your regulatory risk. It is not a question of whether firms such as those represented in the audience today are able to deliver the outcomes we have set out in the draft Handbook, it is about whether the Handbook provides a protective barrier against the actions of a regulator whose approach and response to particular circumstances has not in the past always been trusted.
I want to tell you today that we can be trusted. We will not unreasonably enforce against firms or individuals. Firms and individuals looking to do a good job, even in difficult circumstances, can look forward to constructive engagement with us.
This is not, frankly, even about being nice, it's about determining the best way to use our resources. It doesn't make sense for us to enforce against or micro-regulate firms capable of putting things right themselves. It's a waste of our resources and a distraction from identifying and dealing with firms and individuals who don't want to, or can't, deliver safe legal services.
Our journey to being a proportionate, modern, professional, risk-based regulator is well underway. We might not be at the top of the mountain yet but we're about half way to 6 October 2011 and the SRA's over halfway up that mountain.
I've run through some of our changes today and would make the point that you don't put all your staff through assessment centres if you're not serious about changing your regulatory approach!
Other things I haven't mentioned include the new enforcement strategy of constructive engagement and credible deterrence. This was well received when we consulted in April. It is now finalised and was published yesterday.
Basics, such as resource allocation across the key functions of authorisation, supervision and enforcement will be announced early in the new year, heralding a significant reallocation of SRA resources to risk-based authorisation and constructive supervisory engagement
So, to repeat, you don't do this as a regulator if you're not serious about reform. I understand why some of you may see that adjusting your response to us might be a leap of faith. But we've spent all year demonstrating that we're serious about this. We'll spend all of next year demonstrating that we're serious about this.
I know that almost all firms see the benefit of the new approach, particularly in terms of capacity to compete in the new legal services marketplace brought about by the Legal Services Act. If firms take an overly conservative approach to compliance, some of these benefits may not be realised.
So I do hope that even if some require further convincing, others of you will see that our preparatory actions this year mean that a basis for trusting us is more substantial than a leap of faith.