Authors: Vicky Ling
Last updated: 2023-09-18
Assessing and managing risk
Marc Bloomfield
In these uncertain times, it is important to refresh your risk assessment.
The risks faced by each practice depend on its size and the complexity of its operations. Managing those risks effectively means that you will still be there to serve your clients for many years to come. Adopting a compliance plan and risk register, allocating roles and responsibilities, and ensuring everyone in the practice is aware of current risks, are the key features of an effective risk management policy.
Lexcel requires you to document the risks associated with the objectives in your business plan [1]. You probably didn’t adopt Brexit as one of your smart objectives, but it would be a good idea to work through possible implications. The impacts on organisations offering immigration law are pretty obvious, but there are bound to be more subtle effects across all disciplines. It may seem too unpredictable and vast to prepare for, but getting people together to brainstorm the issues would be time well spent.
Although, in general, legal aid work is seen as low-risk, you should conduct a formal assessment of the risks associated with the different types of work you offer. Your professional indemnity insurers are usually happy to advise and there is useful information available from the Solicitors Regulation Authority (SRA) and the Legal Ombudsman on how to identify and reduce risk.
Your business continuity plan needs to be tested and reviewed so that it will be effective in a real-life situation. It is easy to think that a desktop exercise will be an adequate test, but if you can bear to do a real-life ‘walk-through’, as you would with a fire drill, you are more likely to spot the weaknesses in your plan. One practitioner told me that it was only when all staff had left the office that they realised no one had picked up the contact details of the emergency office they were supposed to go to …
Lexcel [2] provides a good list of the risk assessment data you need to consider on an annual basis:
any indemnity insurance claims;
an analysis of complaints;
data generated by file reviews;
any matters notified to the COLP (compliance officer for legal practice) or COFA (compliance officer for finance and administration);
any material breaches notified to the SRA (and any non-material breaches recorded);
situations where the practice acted where a conflict existed;
the identification of remedial action; and
any risk of non-compliance with current policy to manage personal data.
In relation to SRA compliance, you would include the systems and procedures you use for monitoring compliance with the SRA Accounts Rules (eg, monthly reconciliations of client account, annual accountant’s report, etc), undertakings (eg, giving and discharge of undertakings, review of an undertakings register), checks on staff and contractors, meeting regulatory deadlines (eg, renewing authorisation, practising certificates, etc), file reviews, monitoring and acting on trends.
The SRA publishes a risk outlook every year that is very helpful when working through your own risk assessment. Current risk areas are:
access to legal services;
cyber security;
information security;
integrity and ethics;
investment schemes;
managing claims;
money laundering;
protecting client money; and
standards of service.
As an organisation with a legal aid contract, it also makes sense to review your performance against contract requirements and your relationship with the Legal Aid Agency. Controlled work (legal help, family help lower, and controlled legal representation) remains vulnerable to audit as the process is still paper-based and so it is easy for human error to creep in. The main issues are:
poor form completion;
lack of evidence of means or invalid evidence of means; and
lack of valid evidence of domestic abuse.
You can keep on top of these potential problems by ensuring these areas are regularly checked through supervisory file reviews.
You should also be considering ‘provider activity reports’ [3], which include information on claim rejects and reconciliation statistics for standard and variable monthly payments. The person at your designated primary contact email address should be receiving them on a quarterly basis. The idea is to give you the opportunity to review and monitor changes in performance using the same information as your contract manager so that you can be proactive and take early steps to resolve any problems.
[1] Lexcel England and Wales v6.1 standard for legal practices, Law Society, March 2018, 1.2f.
[2] Ibid – 5.18.
[3] See Provider activity report guidance, LAA, August 2017; updated October 2017.