Authors: Vicky Ling
Last updated: 2023-09-18
Using Lexcel in risk management
The Lexcel practice quality mark provides a useful framework for meeting regulatory requirements on managing risk.
The Solicitors Regulation Authority (SRA) takes a risk-based approach to regulation and, on an annual basis, identifies risks to the regulatory objectives set out in Part 1 of the Legal Services Act 2007. The SRA’s outlook includes issues that can be described as strategic, compliance and operational.
Legal practices need to review and assess the risks they face. Managing risk effectively is an important part of ensuring that each practice will be able to continue serving its clients. The risks faced by each practice depend on its size and the complexity of its operations, and so planning and risk management are intimately connected.
Business plan
Lexcel v6 requires you to evaluate the risks associated with the objectives in your business plan (1.2f) and report on performance against the plan (1.2g). You should conduct a formal assessment of the risks associated with different types of work to ensure the practice has both the expertise and the personnel to deliver the services it offers. Valuable information can be obtained from your professional indemnity insurers, representative bodies and regulators, particularly the SRA and the Legal Ombudsman, in relation to those areas that tend to be high-risk, especially regarding complaints.
You need to think about the risks associated with failing to meet the objectives in your business plan; but it is also worth thinking about the implications of meeting them or exceeding them: would you need additional staff, and, if so, could you afford to pay for them without causing a cash-flow problem?
Business continuity
Your business continuity plan needs to be tested and reviewed annually so it will be effective in ensuring your practice can manage operational threats (1.3d). It is worth noting that assessors regularly find that the tests are overlooked. You can use real events that have happened or you can run scenarios such as the sudden incapacity of a key person. As the adage has it: if so and so fell under a bus, would our systems and procedures still work?
Current risk areas include information security, so you could work through a data security breach and think about the damage to reputation and how you would deal with that as well as the technical issues. There is guidance on the GOV.UK
The importance of communication
Lexcel states (5.1) that your risk management policy must include: a compliance plan; a risk register; defined risk management roles and responsibilities; and arrangements for communicating risk information.
Cybercrime and bogus law firms are areas of concern. It is important to remember that unless people within a practice are regularly updated about current risks, technical approaches to avoiding scams and cybercrime are vulnerable – and fraudsters know this. A bogus law firm, often with a similar or identical name to a real one, is one of the recent ways that fraudsters have been gaining access to client account money, so firms need to be particularly vigilant about that (but this could, of course, change in future). This means training for personnel on information security (3.1i) and arrangements for communicating risk information (5.1d) need to run alongside technical security arrangements.
The compliance plan
People often ask what they should put into a compliance plan. It should cover the milestones and reporting obligations in relation to SRA compliance, health and safety, anti-money laundering, anti-bribery as well as data protection. For example, in relation to SRA compliance you would include the systems and procedures you use for monitoring compliance with the SRA Accounts Rules (eg monthly reconciliations of client accounts, annual accountant’s report, etc), undertakings (eg giving and discharge of undertakings, review of an undertakings register), checks on staff and contractors, meeting regulatory deadlines (eg renewing authorisation, practising certificates, etc), file reviews, and monitoring and acting on trends.
Risk reviews
You also need to carry out an annual review of risk (5.16). Lexcel v6 ties this closely to SRA requirements, so you should include:
any matters notified to the compliance officer for legal practice or for finance and administration;
any material breaches notified to the SRA;
any non-material breaches recorded; and
any situations where the practice acted where a conflict existed.
Even if you have nothing to note against the headings, it is important to say so, as it shows that you have considered all relevant issues.