Is it time to outsource compliance?

Posted by Jonathon Bray, who runs Legal Futures Associate Jonathan Bray Legal Services

Bray: not many firms take a systemised approach

Nobody enjoys regulatory compliance. Those who say they do are lying.

It’s an unglamorous job. Nobody will thank you for getting in the way of practising law, or for being the ‘tail wagging the dog’. Overcoming internal inertia can be a real headache, and so the role is usually reduced to box-ticking and paper trails.

Which, of course, is not what outcomes-focused regulation (or whatever OFR’s successor is being called) is all about.

We have been saying for a long time that we need to move away from the language of ‘compliance’, focusing more on risk management, professional standards and legal ethics. From that point of view, the journey away from prescriptive rules is probably positive.

But that does not make it fun, or solve the issues of internal barriers and resistance. Added to that, many firms are still nervous about the inherent uncertainty built into OFR.

As a result, we have seen a trend towards compliance outsourcing. The market is still in its relative infancy, but the model looks something like this: smaller firms engage a risk and compliance consultancy to help the COLP and COFA manage risk, draft policies, train staff and deal with the regulatory stuff.

The model works well for small firms, and by small I mean small enough to not have employed dedicated compliance staff, but big enough to be concerned about staying off the SRA’s radar.

The compliance officers save a load of time, and get the peace of mind they wanted. The cost generally works out at about half a legal secretary’s salary. Everyone’s happy. It’s a bit of a no-brainer.

But what about the bigger firms? In truth, it is difficult for an external consultancy to be of much practical help. There are so many balls in the air that risk and compliance can be a full-time role. All we can do is give high-level advice, which is fine as far as it goes, but the onus is on the firm to implement.

I can’t help but think there is an opportunity for law firms to come together to do this better.

Let’s say 10 firms combined their resources and created a separate service company, specifically to manage risk and compliance. Their very own firm that knows their businesses, people and processes inside out, and has the skills and resources to give expert and best practice assistance on a daily basis.

Of course, similar models of collaboration have been common in financial services for ages. There’s no reason it wouldn’t work in law. Most law firms outsource some functions, so why not risk and compliance?

Over the years, we have refined our own five-step process (‘COLP-help’) and it works well time after time. It looks like this:

Honest assessment

Do an honest assessment of what the firm is doing, and compare it with regulatory rules, best practice and professional standards. It’s useful to start out simply asking what you are good at, and what you are weak at. You need to identify your key risk areas (data protection, client account, referrals, etc), which will be different for every firm. Produce a simple report to management and get support for the next steps.

Remedial action

Take action on the priority gaps, risks and breaches you identified in your report. This might well involve drafting or updating documents (for example, implementing policies, a compliance plan, registers, etc.), but don’t fall into the trap of thinking everything can be solved by drafting a shiny new office manual. That entirely misses the point of OFR.

Risk management systems, workflows, training, engaging with the regulator – these are the types of things that will be important.

Regular on-going monitoring

We find that having a regular, diarised focus on compliance yields the best results. We advocate monthly risk management meetings to identify and deal with emerging risks. You should also make sure that there is a compliance timetable, so that you know for example when file reviews should take place, when retainer documents are reviewed, when outsourcing agreements are reviewed etc. Systemising things in this way means that much of the job can also be delegated.

Audit trail

No matter how effective a firm’s systems are, we have learnt that if it isn’t recorded, then it didn’t happen. So, we always advise keeping central compliance registers, meeting minutes, reports and other core documents together. If the regulator or insurer ever needs evidence of a firm’s compliance systems, they will always be on hand, and the COLP and COFA can evidence that they have discharged their duties.

Get expert support

It always helps to have someone at the end of the line to talk through issues as they emerge. From conflicts issues to money laundering concerns, an external pair of eyes can very often relieve anxiety. You can, of course, use the SRA’s free ethics helpline. They are often very helpful, although sometimes they have a habit of quoting rules back at you.

None of this is rocket science – but not many firms take such a systemised approach. This is a shame, because it is proven to help embed risk management, professional standards and legal ethics into a firm’s culture. That is what OFR is all about, and outsourcing could help get you there.
