Posted by Brian Rogers, director of regulation and compliance services at Legal Futures Associate Riliance 
When law firms think about the new requirement to have risk registers and compliance plans in place, and for their COLP/COFAs to report breaches, most of them will tend to think that the only organisation that will take an interest in them if they don’t will be the Solicitors Regulation Authority (SRA). However, they would be mistaken, as professional indemnity insurers are also waiting in the wings.
Historically, firms have turned their minds to the renewal of their professional indemnity insurance between July and September, and once they have secured cover, have gone about their business as normal only returning to the issue at the next renewal or when they get a claim, or have to report a circumstance. But things may now need to change.
All firms are required to carry professional indemnity insurance and cannot trade without it, so insurers could wield enormous power if they chose to do so.
Like any other business, insurers need to risk-assess the business they are in and mitigate any threats that could impact on their operations, by refusing cover for firms that are considered to be poor risks, for example.
The majority of firms are familiar with the annual routine of completing multiple renewal forms that have been lengthened from the previous year to include questions that relate to new areas of risk that have been identified, so they know that insurers are constantly trying to obtain as much information as they can use to risk assess applicant firms. It should therefore come as no surprise that during this renewal season, insurers will want to see the new information that firms are now required to keep for the SRA.
A well-formulated compliance plan and ‘living’ risk register will indicate to the SRA that a firm is well managed and is capable of being left alone to serve its clients; the firm may make mistakes no matter how well it is run, so it may need to report breaches, but as long as it can show it takes matters seriously and improves, it will still allow the SRA to focus on the less well-run firms that are clearly seen as high risks to client protection.
It makes sense to think that if a firm has to produce evidence to show the SRA is it low risk, that the same evidence should be produced to insurers to do the same thing before they agree to provide indemnity cover.
Some firms may say that insurers are not entitled to see such information, but why shouldn’t they if they are potentially exposing themselves to the risks within these firms?
Others may say that the information is confidential to clients, but if client-specific information is recorded, it is likely a potential claim is lurking somewhere in the background, in which case firms have a duty to inform the client of such a fact so they can consider making a claim on the firm’s policy (Outcome (1.16) – “you inform current clients if you discover any act or omission which could give rise to a claim by them against you”).
So what are insurers likely to make of the various responses they might get from firms when requested to provide their risk register, compliance plan and breach reports at renewal?
Firm 1: What are those?
Outcome: Cover denied, firm has to close.
Firm 2: We have not got round to fully completing the compliance plan, our risk register is only partly completed, and what we have recorded has not been updated for six months; we have not reported anything to the SRA because we don’t want to put the firm on its radar.
Outcome: Cover denied and firm has to close, or premiums are so high that the firm is no longer viable and has to close, or premiums are so high that staff have to be made redundant and/or drawings have to be reduced to pay premiums in order for the firm to remain open.
Firm 3: Of course you can. Firm produces evidence that clearly shows it takes risk and compliance seriously and is well managed.
Outcome: Cover provided at a reasonable level of premium for the low risk posed.
It may take the SRA months to get to a point where it can take action against a firm that is clearly not engaging with the new risk and compliance requirements (see the recent announcement by the SRA in relation to the firms that have failed to nominate compliance officers), but it can take far less time for insurers to find a firm such an unacceptable risk that they refuse to cover it, leaving it with no alternative but to close.
The SRA and insurers do not want to see firms go out of business, but they both have responsibilities to stakeholders (clients, the profession, shareholders, etc) to ensure that the firms they regulate or insure are fit to be in business. It is therefore imperative that firms take steps to show they are low risk and of no threat to the public at large; firms that choose to take what they may see as the easy option, and do little or nothing, have only themselves to blame if the risk of closure becomes a reality.