Date post: 21-Apr-2018
SRA Regulatory Risk Framework March 2014

The Solicitors Regulation Authority (SRA) regulates individuals and organisations delivering legal services in line with the regulatory objectives outlined in the Legal Services Act (LSA). The SRA regulates in the public interest and in the interests of the consumers of legal services.

The SRA is an outcomes-focused, risk-based regulator.

• Outcomes-focused regulation means that our goal is to ensure that those we regulate deliver the right outcomes for the public, in line with the intent of the regulatory objectives.

• Risk-based regulation means that risks to us acting compatibly with the regulatory objectives are assessed in terms of their probability and the impact of any harm they cause to desired outcomes, before action is taken. This approach ensures that regulatory activities and resources are prioritised and applied proportionately.

The SRA’s Regulatory Risk Framework outlines how we operate and oversee risk-based regulation through our risk management process, risk governance and the organisational culture required to embed a risk-based approach.

Our Regulatory Risk Index sets out the risks that we manage under this framework.

You can view the Risk Index here.

Risk management process overview

• Before acting, we identify risks based on a central risk index

• We assess risks consistently and share these assessments across the SRA to aid understanding

• We monitor risk levels against our tolerance to direct control activities

• We control unacceptable risk levels through regulatory tools

• We continually evaluate our effectiveness by monitoring changing outcomes

• We learn and adapt our tolerance, resourcing levels and approach to controlling risks


Contents

1. Our regulatory approach
2. The regulatory risk management process
3. Risk identification
4. Risk assessment
5. Monitoring
6. Controls
7. Evaluation, learn and adapt
8. Embedding risk management


1. Our regulatory approach

The ultimate goal of our regulatory activity is to work compatibly with the following objectives set out in the LSA¹:

RO1 protecting and promoting the public interest

RO2 supporting the constitutional principle of the rule of law

RO3 improving access to justice

RO4 protecting and promoting the interests of consumers

RO5 promoting competition in the provision of services

RO6 encouraging an independent, strong, diverse and effective legal profession

RO7 increasing public understanding of the citizen’s legal rights and duties

RO8 promoting and maintaining adherence to the professional principles

We seek to do this in a manner that is transparent, accountable, proportionate, consistent and targeted at cases in which action is needed, in line with the principles of better regulation.

In working compatibly with these objectives, the SRA takes a risk-based outcomes-focused approach to regulation. This means we have defined the desired regulatory outcomes we would expect to achieve if we are delivering against the objectives.

Outcome 1: The public interest is protected by ensuring that legal services are delivered ethically and the public have confidence in the legal system.

Outcome 2: The market for legal services is competitive and diverse, and operates in the interests of consumers.

Outcome 3: Consumers can access the services they need, receive a proper service and are treated fairly.

Outcome 4: Regulation is effective, efficient and meets the principles of better regulation.

We have also identified the risks that could prevent us from meeting these regulatory outcomes.

The diagram below shows at a high level how these concepts relate.

[Diagram: Regulatory objectives, Risk Framework, Risks and Outcomes; manage risk to achieve outcomes]

1 See section 28 of the Legal Services Act 2007

Outcomes-focused regulation

The outcomes-focused approach to regulation means that our goal is to ensure that legal services providers deliver positive outcomes for consumers of legal services and the public, in line with the intent of the LSA regulatory objectives. This is in contrast to our historical rules-based approach: we no longer focus on prescribing how those we regulate provide services, but instead focus on the outcomes for the public and consumers that result from their activities.

The SRA regulatory outcomes identify what we expect to observe when the market operates in line with the intent of the regulatory objectives. This process provides us with a practical articulation of the characteristics or results that we should be seeking to achieve through our regulation.

By adopting an outcomes-focused approach, we are able to encourage innovation within the market, regulating a broader range of business structures who bring new approaches to the provision of legal services, as well as providing greater freedom to those we already regulate.

As an outcomes-focused regulator we evaluate the impact of our regulatory activity on firms, consumers of legal services and the public and adapt our approach to continuously improve our delivery.

Risk-based regulation

Day-to-day regulatory activities are guided by a risk-based approach to regulation, focusing attention and activity upon issues, firms and potential risks that pose the greatest threat to our regulatory outcomes. In order to achieve this, we need:

• A clear view on what the risks are to these regulatory outcomes and our exposure to them.

• To be able to demonstrate where our most significant risks lie, what regulatory controls we are applying to address them, and that these actions are both proportionate and effective.

• Clear governance arrangements in place ensuring that risks are escalated as appropriate and that there is accountability for the effective management of risk.

These requirements shape our approach to every area of regulatory activity, for example authorising individuals joining the profession, supervising firms, enforcement activities and the setting of policies and standards.

Risk-based regulation enables us to consistently and proportionately direct resource by targeting resource at those areas which pose an unacceptable threat to the regulatory outcomes.

Our regulatory risk appetite describes our attitude towards risk, including those which we tolerate or find acceptable and the level at which risks become unacceptable. Some areas that may historically have attracted attention under the SRA’s prescriptive rules-based approach may now be within our appetite for regulatory risk, allowing us to divert resources to focus on more serious matters, and move from being reactive to being proactive in approach.

We do not seek to eliminate risk completely, but to make the best use of our limited resources to proactively reduce the risks posed to an acceptable level. We also take an explicitly non-zero failure approach to regulation, meaning that we do not seek to prevent every harm from occurring, choosing instead to allow greater flexibility for the market to operate freely as far as risks remain within tolerable levels. In the course of letting the market operate freely, risks will crystallise that fall both within and outside our tolerance and we will respond accordingly.


Regulatory activity consists of both proactive and reactive controls that can be applied according to the nature, severity and immediacy of the risk or issue posed. Our legal powers and regulatory tools include, but are not limited to:

• controls on how a firm or individual practises

• issuing a warning about future conduct

• closing a firm with immediate effect or imposing a disciplinary sanction, such as a fine

• informing the market about undesirable trends and risks

• adapting regulatory policy to minimise recurrence of an issue

• setting qualification standards and ongoing competency requirements

The risk-based approach enables us to be flexible and adaptive to ongoing changes within the market. As new risks to the regulatory outcomes are identified, we learn more about them and adjust our priorities to direct resources where they are most needed.

It should be noted that the SRA makes a distinction between operational and regulatory risk. Operational risks generated by the SRA’s activities, including our activities to control regulatory risks, are identified and assessed separately to the regulatory risks. This framework describes our approach to the latter, although the risk management approach and behaviours can also be applied to these operational risks.


2. The regulatory risk management process

The SRA Regulatory Risk Framework focuses upon individual, firm and market risks to ensure that regulated individuals and organisations can achieve the proper standards expected by consumers and the public.

A risk is considered to be the combination of impact (the potential harm that could be caused) and probability (the likelihood of a particular risk occurring).

In the SRA context, impact and probability are combined to give a measure of the overall risk posed to the regulatory outcomes. This assessment is then used to prioritise and select our response.

Risks are typically considered at an individual, firm, thematic or market level. In some cases, risks may already have occurred, meaning that we actually assess and respond to the consequences of the issue rather than to potential harm posed by a risk.

A key advantage to taking a risk-based approach to regulation is that it enables us to become much more proactive, identifying and tackling risks before they occur, rather than acting retrospectively once harm has arisen.

The following diagram gives an overview of the SRA’s process for managing regulatory risk.

Risk management process

• Before acting, we identify risks based on a central risk index

• We assess risks consistently and share these assessments across the SRA to aid understanding

• We monitor risk levels against our tolerance to direct control activities

• We control unacceptable risk levels through regulatory tools

• We continually evaluate our effectiveness by monitoring changing outcomes

• We learn and adapt our tolerance, resourcing levels and approach to controlling risks

The risk management process is dynamic, with a constant feedback loop in place ensuring that we learn and adapt our approach to improve our management of risks, delivering better outcomes.


3. Risk identification

Identification of risk is the starting point for any regulatory activity, from triage of incoming reports or determination of applications through to policy development or regulatory process design. Identifying risks to regulatory outcomes involves drawing upon a wide range of sources, including reports we receive about those we regulate, intelligence-gathering while supervising firms, contacting consumers directly and monitoring markets and the economy.

In order to ensure wider consistency in the way in which risks are identified, the SRA has identified a set of risks to the regulatory outcomes which are contained in our Regulatory Risk Index.

The Regulatory Risk Index is fundamental to the risk management process. It provides a structure that enables us to prioritise and organise incoming information in a consistent manner, whilst building a comprehensive picture of our risk exposures across all areas of activity. The publication of our Risk Index makes transparent the areas of regulatory concern and provides a common language to promote clear dialogue with those we regulate around risks.

These risks cover potential harm caused by the activities of individuals and firms as well as external factors such as macro-economic changes or lack of consumer awareness. The Risk Index is not designed to be exhaustive and will evolve as new risks emerge. You can view the Risk Index here.

The Regulatory Risk Index groups risks into the following four categories:

Firm viability risks
Risks arising from the viability of the firm and the way it is structured

Firm operational risks
Risk arising from a firm’s internal processes, people and systems

Firm impact risks
Risk that firm or individual undertakes an action or omits to take action which impacts negatively on us meeting the regulatory outcomes

Market risks
Risks arising from or affecting the operation of the legal services market


4. Risk assessment

Consistent assessment throughout the organisation, and across the broad spectrum of risks that we handle, is essential to ensure that action is targeted proportionately at controlling the risks that we do not tolerate. Assessment takes into account both risks that have occurred as issues and those that could potentially occur.

SRA risk assessments take into account a broad range of information and are performed at several different levels:

• regulatory reports and notifications

• firms and individuals

• thematic

• market-wide

Regulatory reports and notifications

The SRA has dedicated teams who manage the receipt and assessment of reports made to the organisation in relation to regulated individuals and firms. These reports can, for example, relate to such things as escalations from other regulatory agencies or reports from consumers and others who have concerns about legal service providers.

All incoming reports are risk assessed to inform prioritisation and action. This assessment takes into account the number of consumers affected, vulnerability, financial impact and public confidence as well as factors relating to the credibility of the source, strength of evidence and severity of the risk itself.

We also receive notifications such as changes to firm management or roles held by individuals.

All relevant information gathered by the SRA is recorded and available to inform further assessments at individual, firm, thematic and market level.

Firms and individuals

Risk assessment will be used to inform decisions about individuals, for example their entry to the profession or the nomination as role holders such as compliance officers, and in response to conduct issues.

Firms will be assessed according to:

• their regulatory footprint or potential to impact upon objectives

• the severity of a particular risk if it were to occur

• the probability of a particular risk arising in that firm

For example, a firm’s footprint takes into account attributes such as firm turnover, client money held, number of fee earners and type of work undertaken. These attributes have been identified as being relevant to the firm’s potential to impact upon the regulatory objectives. Indicators used to gauge the probability of risks arising within a particular firm might make use of attributes such as ratios of partners to supervised staff, past regulatory findings against individuals now working in the firm, or applications for waivers from particular regulatory requirements.

Risk indicators are drawn from a range of information and are identified and weighted with the use of statistical analysis. The SRA’s risk analysis also makes use of qualitative information which provides us with a fuller picture across the spectrum of regulatory risk and provides important context for the interpretation and application of statistical results.

These assessments are used to inform our monitoring and control activities, including the supervisory approach taken.


Thematic

The SRA uses a process of risk aggregation to combine firm and individual assessments. If they are aggregated according to a particular theme then we call this a thematic risk. Thematic risks help us to gauge our exposure to specific regulatory risks across specific themes. An example could be financial difficulties in the personal injury sector.

Likewise, market risks can also be considered across a theme. An example could be competitive constraints in south west England.

Thematic risks are regularly reviewed within the SRA’s internal governance and are used to prioritise regulatory activity, direct resource and develop policy. They are also used to inform the market about the SRA’s areas of concern through a Risk Outlook (see section 7).

Market-wide

Market risks allow us to gauge our exposure to specific regulatory risks across the entire market.

Changes to the risk assessment model

The SRA’s risk assessment model has been constructed to be very flexible. The model contains parameters that can be set by senior management to reflect their risk appetite and tolerances, as well as new or emerging risks.

The accuracy of risk assessment within the model is dependent upon the quality and adequacy of available regulatory information. We recognise the time and cost associated with the provision of data to the SRA and therefore regularly assess the relevance of our regulatory information to ensure that we are being proportionate in imposing information requirements on those we regulate, whilst securing sufficient data to inform accurate and timely risk assessment. Ultimately information gathered allows us to focus regulatory attention and activities where they are most needed.

The SRA’s Risk Centre undertakes a regular exercise to review and adjust the model to ensure its ongoing integrity and completeness.

5. Monitoring

Risk monitoring takes place across the SRA to ensure that risks are constantly reassessed in line with tolerance and escalated as appropriate. Monitoring is done through regular reviews at individual, firm, thematic and market levels, in line with the governance outlined in section 7.

Risk tolerances provide limits against which risks can be compared to understand whether they remain acceptable. Tolerances provide thresholds against which action can be taken consistently across the SRA.


6. Controls

Risk control is the process by which regulatory tools and interventions are applied to manage issues, reduce risks or exploit opportunities.

The choice and application of regulatory tool is dependent upon the risks posed. Efficient, proportionate and effective management of risks relies upon a clear understanding of the risks themselves, and a consistent approach to application and evaluation of controls. The SRA’s operations all use the same Regulatory Risk Index in developing and overseeing their processes to ensure we can learn from the effectiveness of particular control approaches on different risks.

Our regulatory response in any given situation is tailored to deliver particular outcomes by targeting unacceptable risks. The SRA has a broad range of regulatory tools and powers at its disposal in order to manage these risks. These include setting standards, issuing warnings, formal decisions to fine or reprimand, applying conditions to an individual’s practising certificate, influencing market practice and consumer awareness through the use of education or communications to a broad target audience.

Objective decision-making and governance

As a recognised regulator, the SRA has formal decision-making governance arrangements that set out the decisions that can be made, by whom and in what situations. The decision-making process and supporting governance ensure a proportionate approach and appropriate oversight in evaluating and managing risks.

In some cases, formal decisions require referral to an adjudicator, ensuring objectivity in approach.


7. Evaluate, learn and adapt

The SRA continually evaluates the effectiveness of the Risk Framework and how well it is operating in practice to ensure desired outcomes are achieved and to identify potential improvements. There are five key elements to our approach:

• governance and oversight

• regulatory priorities and risk appetite

• reporting

• assurance

• organisational learning and continuous improvement

Governance and oversight ensures that there is a proportionate response to any new or emerging risks, that risk exposure outside tolerance is understood and enables us to adjust strategy in line with changing priorities and observed outcomes.

There is an established non-executive Regulatory Risk Committee that advises the SRA Board on the delivery of risk-based and outcomes-focused regulation.

The SRA ensures that responsibility for all risk-based outcomes-focused activities is clearly defined and cascaded through internal governance and individual responsibilities as well as policies and procedures.

Strategic priorities are regularly reviewed to ensure that delivery of outcomes remains in line with regulatory intent and the principles of better regulation. Our risk appetite and tolerances are used to direct regulatory activity in line with strategic priorities at firm, individual, thematic and market levels.

There are also executive risk governance groups with strategic and tactical oversight roles who provide assurance.

Risk and outcome reporting provides a view of:

• delivery of outcomes

• aggregate risk exposures

• material issues or events

• outlook, including trends and forecasts of risk events or risk levels

• effectiveness of controls in reducing risk levels over time

The SRA publishes risk and outcome-focused information to inform key stakeholders about performance and areas of concern. The SRA’s Risk Outlook sets out our assessment of the most significant risks to the regulatory outcomes.

On the basis of our evaluation, we learn and adapt our regulatory approach, resourcing levels and tolerances to direct regulatory activities accordingly.


8. Embedding risk management

The SRA has developed a model that sets out the key steps and capabilities that it is developing on the path to full OFR implementation. This model is used to assess the current level of OFR capability, identify realistic targets for improvement, and produce action plans for developing or enhancing

[Figure: OFR maturity model. Axes: OFR maturity against timeline (Pre-2012, 2012, 2013, 2014). Development drivers: capability and capacity, IT enhancement, embedding. Labels on the chart include Foundation, Emerging, Established, Dynamic and Optimised.]

The OFR Maturity Model identifies five levels of organisational maturity, described in terms of the following attributes:

• risk awareness

• risk oversight and governance

• risk appetite and tolerances

• risk analysis, reporting and outlook

• regulatory controls

• decision-making

• information governance

• organisational performance

This model is designed to be a simple means of targeting development activity and charting progress towards greater OFR maturity, rather than being prescriptive or constraining. It provides a clear internal view of the organisation’s current approach to OFR, as well as a definition of the intended destination.

As well as taking steps to understand the organisation’s progression towards outcomes-focused maturity, the SRA has identified a number of key behaviours that will serve to embed the effective operation of the risk framework within its internal operations. When enacted, these behaviours will ensure good risk awareness and a positive risk culture.

The SRA’s Risk Centre works with other functional areas within the SRA to embed risk behaviours through a programme of internal communications and engagement.


www.sra.org.uk

The Regulatory Risk Framework is available in alternative formats. To contact us, please visit www.sra.org.uk/contact-us.

March 2014

