Regulatory Risk Framework

Transcription

1 Regulatory Risk Framework

2 SRA Regulatory Risk Framework The Solicitors Regulation Authority (SRA) regulates individuals and organisations delivering legal services in line with the regulatory objectives outlined in the Legal Services Act (LSA). The SRA regulates in the public interest and in the interests of the consumers of legal services. The SRA is an outcomes-focused, risk-based regulator. Outcomes-focused regulation means that our goal is to ensure that those we regulate deliver the right outcomes for the public, in line with the intent of the regulatory objectives. Risk-based regulation means that risks to the nonachievement of regulatory objectives are assessed in terms of their likelihood and the impact of any harm they cause to desired outcomes, before action is taken. This approach ensures that regulatory activities and resources are prioritised and applied proportionately. The SRA s Regulatory Risk Framework outlines how we operate and oversee risk-based regulation through our risk management process, risk governance and the organisational culture required to embed a risk-based approach. Our Regulatory Risk Index sets out the risks that we manage under this framework. Risk management process overview Before acting, we We continually evaluate our We asses risks consistently and identify risks based on share these assessments across a central risk index the SRA to aid understanding NTIFY E ID effectiveness by monitoring changing outcomes EVALUATE AS SE AND A D APT We learn and adapt our tolerance, 2 ON TR RN M OL SS L EA IT O We monitor risk levels resourcing levels and approach against our tolerance to to controlling risks direct control activities R CO N We control unacceptable risk levels through regulatory tools

3 Contents 1. Our regulatory approach 4 2. The regulatory risk management process 7 3. Risk identification 8 4. Risk assessment 9 5. Monitoring Controls Evaluation Embedding risk management 13 Appendix 1 Regulatory Risk Index 14 Regulatory Risk Framework 3

4 1. Our regulatory approach The ultimate goal of our regulatory activity is to work towards the following objectives set out in the LSA1: RO1 protecting and promoting the public interest RO2 supporting the constitutional principle of the rule of law RO3 improving access to justice RO4 protecting and promoting the interests of consumers RO5 promoting competition in the provision of services RO6 encouraging an independent, strong, diverse and effective legal profession RO7 increasing public understanding of the citizen s legal rights and duties RO8 promoting and maintaining adherence to the professional principles We seek to do this in a manner that is transparent, accountable, proportionate, consistent and targeted at cases in which action is needed, in line with the principles of better regulation. In working towards these objectives, the SRA has adopted an outcomes-focused, risk-based approach to regulation. That is, we deliver outcomes-focused regulation through a risk-based approach. The diagram below shows at a high level how these concepts relate. ca us e ha rm f le o ib on ng si ta res p ex to Regulatory objectives Risks Outcomes Risk framework manage risk to achieve outcomes 4 1 See section 28 of the Legal Services Act 2007

5 Outcomes-focused regulation The outcomes-focused approach to regulation means that our goal is to ensure that legal services providers deliver positive outcomes for consumers of legal services and the public, in line with the intent of the LSA regulatory objectives. This is in contrast to our historical rules-based approach: we no longer focus on prescribing how those we regulate provide services, but instead focus on the outcomes for the public and consumers that result from their activities. The SRA defines desired regulatory outcomes by identifying what we expect to observe when the market operates in line with the intent of the regulatory objectives. This process provides us with a practical articulation of the characteristics or results that we should be seeking to achieve through our regulation. By adopting an outcomes-focused approach, we are able to encourage innovation within the market, regulating a broader range of business structures who bring new approaches to the provision of legal services, as well as providing greater freedom to those we already regulate. As an outcomes-focused regulator we evaluate the impact of our regulatory activity on firms, consumers of legal services and the public and adapt our approach to continuously improve our delivery. Risk-based regulation Day-to-day regulatory activities are guided by a riskbased approach to regulation, focusing attention and activity upon issues, firms and potential risks that pose the greatest threat to the objectives. In order to achieve this, we need: a clear view on what the risks are to the objectives and our exposure to them; to be able to demonstrate where our most significant risks lie, what mitigation activities we are taking to address them, and that these actions are both proportionate and effective; clear governance arrangements in place ensuring that risks are escalated as appropriate and that there is accountability for the effective management of risk. These requirements shape our approach to every area of regulatory activity, for example authorising individuals joining the profession, supervising firms, enforcement activities and the setting of policies and standards. Risk-based regulation enables us to consistently and proportionately direct resource by targeting resource at those areas which pose an unacceptable threat to the outcomes we have identified in relation to the regulatory objectives. Our regulatory risk appetite describes our attitude towards risk, including those which we tolerate or find acceptable and the level at which risks become unacceptable. Some areas that may historically have attracted attention under the SRA s prescriptive rules-based approach may now be within our appetite for regulatory risk, allowing us to divert resources to focus on more serious matters, and move from being reactive to being proactive in approach. We do not seek to eliminate risk completely, but to make the best use of our limited resources to proactively reduce the risks posed to an acceptable level. We also take an explicitly non-zero failure approach to regulation, meaning that we do not seek to prevent every harm from occurring, choosing instead to allow greater flexibility for the market to operate freely as far as risks remain within tolerable levels. In the course of letting the market operate freely, risks will crystallise that fall both within and outside our tolerance and we will respond accordingly. Regulatory activity consists of both proactive and reactive controls that can be applied according to the nature, severity and immediacy of the risk or issue posed. Our legal powers and regulatory tools include, but are not limited to: controls on how a firm or individual practises; issuing a warning about future conduct; closing a firm with immediate effect or imposing a disciplinary sanction, such as a fine; informing the market about undesirable trends and risks; adapting regulatory policy to minimise recurrence of an issue; setting qualification standards and ongoing competency requirements. Regulatory Risk Framework 5

6 The risk-based approach enables us to be flexible and adaptive to ongoing changes within the market. As new risks to objectives are identified, we learn more about them and adjust our priorities to direct resources where they are most needed. It should be noted that the SRA makes a distinction between operational and regulatory risk. Operational risks generated by the SRA s activities, including our activities to control regulatory risks, are identified and assessed separately to the regulatory risks caused by the market that we regulate and other external factors. This framework describes our approach to the latter, although the risk management approach and behaviours can also be applied to these operational risks. 6

7 2. The regulatory risk management process The SRA Regulatory Risk Framework focuses upon individual, firm and thematic risks to ensure that regulated individuals and organisations achieve the proper standards expected by consumers and the public. A risk is considered to be the combination of impact (the potential harm that could be caused) and probability (the likelihood of a particular event occurring). In the SRA context, impact and probability are combined to give a measure of the overall risk posed to regulatory objectives. This assessment is then used to prioritise and select our response. Risks are typically considered at an individual, firm or industry level. In some cases, risks may already have manifested, meaning that we actually assess and respond to the consequences of the issue rather than to potential harm posed by a risk. A key advantage to taking a risk-based approach to regulation is that it enables us to become much more proactive, identifying and tackling risks before adverse events occur, rather than acting retrospectively once harm has arisen. The following diagram gives an overview of the SRA s process for managing regulatory risk. Risk management process Before acting, we We asses risks consistently and We continually evaluate our identify risks based on share these assessments across effectiveness by monitoring a central risk index the SRA to aid understanding changing outcomes IDENTIFY EVALUATE ASSE S LEARN AND ADAPT MONITOR CONTROL We learn and adapt our tolerance, We monitor risk levels We control unacceptable resourcing levels and approach against our tolerance to risk levels through to controlling risks direct control activities regulatory tools The risk management process is dynamic, with a constant feedback loop in place ensuring that we learn and adapt our approach to improve our control of risks, delivering better outcomes. Regulatory Risk Framework 7

8 3. Risk identification Identification of risk is the starting point for any The Regulatory Risk Index groups risks into the regulatory activity, from triage of incoming reports following six categories: or determination of applications through to policy development or regulatory process design. Identifying Firm viability and structure risks to regulatory objectives involves drawing upon Risks arising from firm instability due to a wide range of sources, including reports we receive events relating to its financial viability and/or about those we regulate, intelligence-gathering while structural composition supervising firms, contacting consumers directly and Fraud and dishonesty monitoring markets and the economy. Risk that firm or individual becomes involved in fraud In order to ensure wider consistency in the way in which risks are identified, the SRA has identified a set of risks to the regulatory objectives which are contained in our Regulatory Risk Index. or dishonesty Firm operational risks Risk arising from the inadequacy of firm s policies, processes, people or systems The Regulatory Risk Index is fundamental to the risk management process. It provides a structure Competence, fitness and propriety that enables us to prioritise and organise incoming Risk that individuals lack skills, knowledge or information in a consistent manner, whilst building a behaviours, fitness or propriety comprehensive picture of our risk exposures across all areas of activity. The publication of our risk index Market risks makes transparent the areas of regulatory concern Risks arising from or affecting the operation of the and provides a common language to promote clear legal services market dialogue with those we regulate around risks. These risks cover potential harm caused by the activities of individuals and firms as well as external factors such as macro-economic changes or lack of External risks Risk arising from wider factors beyond the scope of the legal services market, such as economic, political or legal changes consumer awareness. The Risk Index is not designed to be exhaustive and will evolve as new risks emerge. 8 A copy of the Index can be found in Appendix 1.

9 4. Risk assessment Consistent assessment throughout the organisation, and across the broad spectrum of risks that we handle, is essential to ensure that action is targeted proportionately at controlling the risks that pose most threat. Assessment takes into account both risks that have crystallised as issues and those that pose potential harm. SRA risk assessments take into account a broad range of information and are performed at several different levels: incoming reports or notification from the regulated community, consumers and other agencies individuals or firms market-wide or sector-specific risks Regulatory reports and notifications The SRA has dedicated teams who manage the receipt and assessment of reports made to the organisation in relation to regulated individuals and firms. These reports can, for example, relate to such things as escalations from other regulatory agencies or reports from consumers and others who have concerns about legal service providers. All incoming reports are risk-assessed to inform prioritisation and action. This assessment takes into account the number of consumers affected, vulnerability, financial impact and public confidence as well as factors relating to the credibility of the source, strength of evidence and severity of the risk itself. We also receive notifications such as changes to firm management or roles held by individuals. All relevant information gathered by the SRA is recorded and available to inform further assessments at individual, firm, sector and market level. firms and individuals Risk assessment will be used to inform decisions about individuals, for example their entry to the profession or the nomination as role holders such as compliance officers, and in response to conduct issues. Firms may be assessed according to: their regulatory footprint or potential to impact upon objectives the severity of a particular risk if it were to manifest the likelihood of a particular risk arising in that firm For example, a firm s footprint takes into account attributes such as firm turnover, client money held, number of fee earners and type of work undertaken. These attributes have been identified as being relevant to the firm s potential to impact upon the regulatory objectives. Indicators used to gauge the likelihood of risks arising within a particular firm might make use of attributes such as geographical location, ratios of partners to supervised staff, past regulatory findings against individuals now working in the firm, or applications for waivers from particular regulatory requirements. Risk indicators are drawn from a range of information and are identified and weighted with the use of statistical analysis. The SRA s risk analysis also makes use of qualitative information which provides us with a fuller picture across the spectrum of regulatory risk and provides important context for the interpretation and application of statistical results. These assessments are used to inform our monitoring and control activities, including the supervisory approach taken. Regulatory Risk Framework 9

10 Market-wide and sector-specific risks Changes to the risk assessment model The SRA uses a process of risk aggregation to combine regulatory reports and information received The SRA s risk assessment model has been across the organisation with firm and individual assessments, to gauge our overall exposure to specific regulatory risks. Market risks provide a view on the Regulatory Risk constructed to be very flexible. The model contains parameters that can be set by senior management to reflect their risk appetite and tolerances, as well as new or emerging risks. we would consider at market level include financial difficulties, insufficient diversity within the profession and risks arising from technological developments. The accuracy of risk assessment within the model is dependent upon the quality and adequacy of available regulatory information. We recognise the time and cost associated with the provision of data to the SRA and therefore regularly assess the relevance of our regulatory information to ensure that we are being proportionate in imposing information requirements Market-wide and sector-specific risks are regularly reviewed within the SRA s internal governance and are used to prioritise regulatory activity, direct resource and develop policy. on those we regulate, whilst securing sufficient data to inform accurate and timely risk assessment. Ultimately information gathered allows us to focus regulatory attention and activities where they are most needed. Market-wide and sector-specific risks, often referred to as thematic risks are also used to inform the market about the SRA s areas of concern through a Risk Outlook (see section 7). The SRA s Risk Centre undertakes an annual exercise to review and adjust the model to ensure its ongoing integrity and completeness, but will make adjustments in between these periods on an exceptional basis. Index from a market level, whilst sector-specific risks assess risk within particular market sectors such as conveyancing or will-writing. Examples of risks that 5. Monitoring Risk monitoring takes place across the SRA to ensure that risks are constantly reassessed in line with tolerance and escalated as appropriate. Monitoring is done through regular reviews at individual, firm and thematic risk levels, in line with the governance outlined in section 7. Risk tolerances provide limits against which risks can be compared to understand whether they remain acceptable. Tolerances provide thresholds against which action can be taken consistently across the SRA. 10

11 6. Controls Risk identification and assessment provides the basis on which the SRA can mitigate those risks that pose greatest harm to regulatory objectives. Risk control is the process by which regulatory tools and interventions are applied to manage issues, reduce risks or exploit opportunities. The choice and application of regulatory tool is dependent upon the risks posed. Efficient, proportionate and effective management of risks relies upon a clear understanding of the risks themselves, and a consistent approach to application and evaluation of controls. The SRA s operations all use the same Regulatory Risk Index in developing and overseeing their processes to ensure that controls consistently identify, assess and manage risks and over time we can learn from the effectiveness of particular control approaches on different risks. Our regulatory response in any given situation is tailored to deliver particular outcomes by targeting unacceptable risks. The SRA has a broad range of regulatory tools and powers at its disposal in order to manage these risks. These include setting standards, issuing warnings, formal decisions to fine or reprimand, applying conditions to an individual s practising certificate or indirect controls, such as influencing market practice and consumer awareness through the use of education or communications to a broad target audience. Objective decision-making and governance As a recognised regulator, the SRA has formal decision-making governance arrangements that set out the decisions that can be made, by whom and in what situations. The decision-making process and supporting governance ensure a proportionate approach and appropriate oversight in evaluating and managing risks. In some cases, formal decisions require referral to an adjudicator, ensuring objectivity in approach. Regulatory Risk Framework 11

12 7. Evaluation The SRA continually evaluates the effectiveness of the Risk reporting provides governance forums with a risk framework and how well it is operating in practice to ensure desired outcomes are achieved and to identify potential improvements. view of: Responsibilities for risk need to be clear, with effective risk governance forums providing assurance to internal and external stakeholders. There is an established non-executive Regulatory Risk Committee which advises the SRA Board on the delivery of risk-based and outcomes-focused regulation in authorisation, supervision and enforcement activity, as well as advising the Board on firm-based regulatory activity and the management of current risk exposures against tolerance escalated risks or events which are outside tolerance controls (regulatory activity) currently in place against each risk trends and forecasts of risk events or risk levels effectiveness of control activity in reducing risk levels over time regulatory risks. insight into the achievement of outcomes There are also executive risk governance groups with We also publish risk information externally to provide strategic and tactical oversight roles who provide assurance. those we regulate and other stakeholders with Tailored risk reporting is provided to each of these groups to facilitate their decision-making and oversight of risk activities. Risk reporting helps governance forums to ensure that there is a proportionate response to any new or emerging risks, understand any risk exposures outside tolerance and adjust tolerance levels in line with changing priorities and outcomes observed. 12 information on risk exposures and the effectiveness of risk management activities. This includes our Risk Outlook, which is an annual publication that sets out the SRA s assessment of the most significant risks to regulatory objectives in the legal services market. The document also provides an overview of the economic and environmental conditions that we believe regulated firms and consumers are currently operating in. This will be made publicly available for the benefit of those we regulate and other external stakeholders.

13 8. Embedding risk management The SRA has developed a model that sets out the key steps and capabilities that it is developing on the path to full OFR implementation. This model is used to assess the current level of OFR capability, identify realistic targets for improvement, and produce action plans for developing or enhancing our embedding process. OFR maturity Development drivers: Capability and capacity IT enhancement Embedding Individual/ Silo Focus Process Focus End-to-end Monitor/ Measure General awareness Building consensus established fragmented awareness emerging Functional risk framework foundation Risk tools available implemented but not embedded Shifts in focus Ad-hoc Awareness of risk viewed implementation OFR objectives positively Limited awareness Developing risk Key risk behaviours of risk and outcomes awareness embedded Risk averse Risk perceived General awareness as process of risks & outcomes Anticipate Responsive Dynamic Fully Integrated intuitive Optimised Risk and outcomes drive all activity Focus on continuos All stakeholders improvement recognise, System facilities understand and risk versus outcome support approach analysis and including firms response Organisation wide Regulatory delivery understanding of is assured risk tolerance and treatment Key risk behaviours evidenced within market Pre Timeline The OFR Maturity Model identifies This model is designed to be behaviours that will serve to five levels of organisational a simple means of targeting embed the effective operation maturity, described in terms development activity and charting of the risk framework within its of the following attributes: progress towards greater OFR internal operations. When enacted, maturity, rather than being these behaviours will ensure good risk awareness prescriptive or constraining. It risk awareness and a positive risk oversight and governance provides a clear internal view risk culture. risk appetite and tolerances of the organisation s current approach to OFR, as well as The SRA s Risk Centre works with risk analysis, reporting a definition of the intended other functional areas within the and outlook destination. SRA to embed risk behaviours through a programme of internal regulatory controls As well as taking steps to communications and engagement. decision-making understand the organisation s information governance progression towards outcomesfocused maturity, the SRA organisational performance has identified a number of key Regulatory Risk Framework 13

14 appendix 1. Regulatory Risk Index December 2012 Services Act 2007, identified by the SRA. they are identified. These risks are embedded within our reporting and all regulatory activities are aligned to this central index. The Index is intended to be a living document which provides a common language and structure for risk To see the most up to date version of the SRA s risk index, please visit The following table provides a catalogue of risks to the achievement of regulatory objectives in the Legal information that will flex to incorporate new risks as Risk category Risk level 1 Financial difficulty Risk that a firm experiences difficulty in meeting ongoing financial liabilities. Group contagion Risk that liabilities, losses or events affecting one part of a group (involving a corporate structure or common branding) affect a regulated legal firm within the group. Firm viability and structure Geographical/jurisdictional conflicts Risks posed by territories within which firm operates or is linked. Inappropriate firm structure Risk that a firm is structured in a fashion that is non-compliant with regulatory or statutory requirements. Lack of independence Risk that a firm s decision making is influenced by structural or commercial concerns. Structural instability Risk that a firm's structure is destabilised by events or contains fundamental weaknesses. Bogus firm or individual Risk that an unregulated person(s) (unrelated to an authorised firm) hold themselves out as an authorised firm or individual. Bribery and corruption Risk that firm or individual commits, facilitates or is otherwise involved in bribery or other corrupt practices. Criminal association Risk that firm or individual is involved with criminal organisation/group. Fraud and dishonesty Dishonest misuse of client money or assets Risk that firm or individual dishonestly misuses money from one client s account for the benefit of another account or dishonestly misappropriates client money or assets. Dishonest misuse of non-client money or assets Risk that firm or individual dishonestly misuses the office account or misappropriates non-client money or assets for their own or another s benefit. Intentional misleading Risk that firm or individual acts in a way that is intentionally deceptive. Money laundering Risk that firm or individual commits, facilitates, or is otherwise involved in money laundering. 14

15 Risk category Risk level 1 Firm operational risks Competence, fitness and propriety Market risks External risks Acting outside regulatory permissions Risk that firm or individual fails to obtain or acts outside appropriate regulatory permissions. Breach of confidentiality Risk that firm fails to properly protect information in their possession. Conflict of interests Risk that a firm acts in a conflict of interests. Disorderly closure Risk that a firm fails to close in a proper and orderly manner. Failure to co-operate or comply with notification and information requirements Risk that firm or individual fails to co-operate or comply with the notification and information requirements of relevant regulators or ombudsmen. Failure to meet duties to 3rd parties or the court Risk that firm fails to comply with duties owed to third parties or to the Courts. Inadequate complaints handling Risk that firm fails to properly deal with consumer complaints. Inadequate systems and controls Risk that firm s systems and controls are inadequate. Misleading or inappropriate publicity Risk that firm is publicised in a way which is inappropriate or misleading. Poor standard of service Risk that firm fails to provide a proper standard of service to consumers. Supply chain risks Risk that firm is critically dependent on the actions of a third party supplier or provider. Discrimination Risk that firm or individual discriminates on a prohibited ground against consumers or employees. Failure to act with integrity or ethics Risk that firm or individual acts in a way that demonstrates a lack of integrity or ethics. Lack of legal competence Risk that firm or individual lacks necessary legal competence. Lack of financial competence Risk that firm or individual lacks necessary competence in financial matters. Lack of management competence Risk that firm or individual lacks the competence needed for management of the firm or of staff. Changing regulatory landscape Risks arising from the development of the regulatory framework for legal service providers. Competitive constraints Risk that market is not operating freely. Failure to meet consumer demand Risk that the legal services market does not or cannot meet consumer demand. Lack of consumer awareness of rights and duties Risk that consumers are not sufficiently aware of their legal rights and duties. Lack of adequate training provision Risks arising from a lack of adequate legal services training provision. Lack of diverse and representative profession Risks arising from failure to reflect diversity of consumers within legal services providers. Lack of public interest provision Risk that firms become profit-driven to the detriment of the wider public interest. Economic risk Risk that economic changes impact on the legal market or legal service providers. Legal risk Risk that legal or regulatory changes impact adversely on the legal market or legal services providers. Political risk Risk that changes in the political landscape locally, nationally or internationally impact adversely on the legal market or legal service providers. Poor perception of legal services Risk that public perception of legal services is adversely affected. Public emergencies Risk that the provision of legal services by firms or the market as a whole is impacted by external public emergencies. Social / cultural risk Risk that social / cultural changes impact adversely on the legal market or legal service providers. Technological risk Risk that technology impacts adversely on the legal market or legal service providers. Regulatory Risk Framework 15

16 The Regulatory Risk Framework is available in alternative formats. Please contact December 2012