Risk in the time of Covid-19: business as usual in unusual circumstances
by Pete Riddleston, learning & quality director, LawNet
Originally published in Solicitors Journal, March 2021
The move to remote working by most law firms during the pandemic has given rise to new operational challenges which demand strategic solutions. While maintaining business as usual, we need a quantum shift in approach, and this is certainly the case if we are to secure compliance with regulatory requirements and manage the high levels of risk we face now and in future.
Effective risk management stems from highly effective, firm-wide leadership and a common cultural perspective, where the emphasis is on continuous improvement. Firms must be aware of the key risk issues and target the root causes, with robust training and review processes. From my vantage point, working with our network member firms and the experts who deliver on our quality management, compliance and professional indemnity insurance, there are three topics that should feature at the top of every compliance professional’s checklist in the coming months: supervision, financial crime and risk culture.
Remote working and supervision
Supervision during remote working has been a major theme for our network members in recent months. We saw firms learning and evolving as they responded to the need for supervision structures fit for purpose.
Before the pandemic, supervision may have been less formal. Colleagues would constantly share ideas and information, whether in team meetings, supervision meetings or at the watercooler, so supervisors were well informed, as they could hear and see what was happening across the team. When people are working remotely, we need to adapt, formalising where necessary, and actively think about how supervision will be achieved and documented.
Online discussions via Zoom or Microsoft Teams may provide a viable alternative, but all supervisors must be attuned to asking questions and making themselves available in more structured ways than they may have done previously.
This is an issue that will not go away as the sector shifts towards hybrid working in the longer term, as we cannot rely on everyone being together in the office at the same time. Informal requests for input will be less feasible and the learning / risk management interface needs to be more strategic, with systems reviewed regularly.
As individual solicitors are personally responsible for work done under their supervision, firms need to ensure they provide the infrastructure to support that responsibility, with effective processes and everyone aware of how those work. This is crucial in demonstrating to the SRA that the business has made a successful shift to online working while complying with the requirements of the Code of Conduct.
Tracey Calvert of Oakalls Consultancy, who acts as a compliance consultant for our LawNet members, says the approach is very much one of business as usual, as the SRA will not accept anything less, and processes must be adapted to reflect the current, unusual circumstances. She suggests firms look at how to ensure people work together as teams rather than as individuals, adapting anything that would normally be done in the office to suit remote working.
It’s also important that supervision arrangements cover the whole team and not just junior lawyers, trainees and paralegals. Supervision and accountability for more senior lawyers is equally important.
In one of our recent online roundtables, bringing together those responsible for compliance and risk within the LawNet network, we discussed issues around documenting all the online meetings now being held, from senior management and department level to team meetings and one-to-ones. While senior management meetings may be minuted, others may be less structured, shorter and more frequent, and it can be harder to maintain consistency in documenting them. But these can be vital in demonstrating that supervision is taking place, particularly for junior members of staff, so a solution must be found. Attendance notes justifying and explaining decisions remain as important as ever and supervisors should be checking for these.
Finally, supervisors should bear in mind the pandemic’s effect on mental wellbeing. This has been a hot topic in our network leadership forum as staff try to balance work, home schooling and the pressure of living under lockdown. Supervisors and leaders can demonstrate the right behaviours, saying they are heading out for a run or a walk, and giving others permission to do the same, or discouraging late night emails to relieve pressure on staff, who may otherwise feel they need to respond. Checking in regularly and watching out for danger signals is harder during remote working, but more important than ever.
Strategies for supervision during remote working:
- Ask supervisors what support they need from management and compliance
- Keep calendars up to date so people can see when they can call their supervisor
- Encourage people to seek help and avoid becoming too self-reliant
- Watch out for staff showing signs of pressure, and lead by example by moving away from always-on culture
- Document, document, document – vital to demonstrate effective supervision
Squaring up to financial crime
There is an obvious link between staff supervision and managing the risk of financial crime, particularly as we adapt to our changing work structures. Less supervision or oversight brings more risk that staff will unwittingly enable fraudsters to break through, using socially-engineered situations, such as duping staff into handing over information, or cyber penetration, such as malware designed to bring down a firm’s operations.
Most compliance officers will be aware of a rise in professional indemnity insurance claims due to financial crime and we have seen reports of attempted fraud steadily increasing across our network.
As well as becoming more frequent, financial crime is continually evolving, so we recently updated our ISO9001 LawNet Quality Standard to help firms develop robust risk controls to tackle the changing face of financial crime.
To support this, QBE, the underwriter of our professional indemnity insurance scheme, has prepared guidance and templates, designed to help firms understand and review the risk controls that need to be in place. This covers three prevalent types of financial crime: property fraud by imposter sellers, third party push-payment fraud and insider fraud by rogue employees.
Identity verification is a key topic, particularly when clients may not be seen face-to-face. Identity checks are essential to satisfy money laundering requirements and to be sure of who you are dealing with, and even where a client is long-standing, due diligence compliance demands regular checks to ensure identity information is up to date.
With face-to-face client meetings less common due to lockdown, we have seen a speeding up in the shift away from wholly paper-based checks towards electronic verification, or a combination of the two. Many of the firms in our network are using sophisticated electronic verification systems using facial recognition software and the ability for clients to upload short videos to assist with verification. Feedback suggests that clients have found these products straightforward to use, which is key to successful implementation.
Sharing experiences of attempted fraud or loss suffered is an important opportunity to learn, which can help strengthen defences for the future. We encourage our member firms to share across the LawNet network and see the value of this approach in the new processes and training initiatives developed.
Tips to take on the fraudsters:
- Ensure strong operational controls, with systems and supervision working together
- Build consideration of financial crime risk into all matter-based risk assessments and file reviews
- Ensure that all staff are trained on the risk controls and issues relevant to their work
- Check what is working, by undertaking regular penetration testing with people, processes, and technical systems
- Improve awareness and share experiences to keep staff up to date and focused on best practice
Embedding a risk culture
At the heart of tackling financial crime is across-the-board awareness and recognition of the importance of risk management by all staff. This demands a firm-wide culture engendered by strong leadership and open communication. It’s an approach which moves beyond the assessment, check-box model to become part of the fabric of how the firm operates by creating a risk culture.
Not surprisingly, it is something that insurers look for and encourage in firms wishing to improve their risk profile. Our network insurers QBE have developed a tool on their QRisk platform which enables our members to assess where they are on the journey towards this approach to risk management. As Deborah O’Riordan, practice leader at QBE explains: “I would challenge those practices that haven’t yet looked at risk culture to do so.”
The challenges of remote working provide further impetus towards this. A number of our conversations with risk and compliance professionals have concentrated on how to maintain that firm-wide focus on risk management, particularly when remote working is likely to continue for most of us well into 2021.
Our members are tackling this by ensuring that it is business as usual in terms of carrying out file reviews, making corrective actions, reviewing matter risk assessments, looking at costs and time recorded, and checking timescales and deadlines. The aim is to ensure lawyers think about risk each time they pick up the file, rather than simply moving on to the next thing for the client.
Having a strong risk culture can also make it easier to effect behavioural shifts. Remote working may create security concerns if paper files are taken out of the office, whereas electronic files are less vulnerable to data breaches and make it easier to conduct file reviews remotely. There will be a learning curve when teams move from paper to electronic files, particularly during lockdown and working away from the office, but it can make all the difference when staff are committed to making the change because they understand ‘why’ and have risk at the heart of their everyday.
Creating a culture that counts:
- Engage in clear, regular messaging and training to explain new and updated procedures
- Make expectations explicit by building risk management into every stage and level of staff recruitment and development
- Enable a speak-up ‘no blame’ culture and lead by example by talking openly about concerns and failings
- Learn, act, repeat … Avoid check-box approaches to training with regular shared experience learning opportunities
- Make risk a hot topic in team discussions: highlight new frauds or new SRA requirements, and invite ideas on how to tackle them
The strength of a firm’s risk management reaches into every aspect of its legal practice, not just to keep down professional indemnity insurance premiums or avoid compliance breaches, but to maintain professional reputation, staff morale and beyond.
As we manage the ongoing constraints of the pandemic, the SRA expects us to maintain compliance standards. Our clients expect our legal work to be of the same high standard, wherever we may be working, and that our client service and risk management on their behalf be as professional as ever.
Making sure people are truly engaged and embracing risk management as part of the everyday can make a firm more agile and able to deal with these challenges, and any new threats that may arise.