Coronavirus

In this Blog dealing with questions received from our clients through our Ask Teal Service, we look at what we see as the biggest risk and compliance issue that will arise as a result of Coronavirus and the impact it has on law firms.

What do you think the biggest risk and compliance issue will be?

Mistakes, undoubtedly. Staff are going to be feeling under pressure, feeling scared about quite a lot of things; illness, suffering possible bereavements, any financial disruption and the impact on their job that that might have. This could lead to a lack of concentration and staff suffering from mental health issues.

From a risk manager’s point of view, this creates situations where we see things happening such as staff missing deadlines and key dates, then realising that they have done something wrong and not wanting to tell anyone for fear of getting into trouble – this may then lead to further problems such as backdating of documents and similar things. So there is clearly the potential for things to go wrong and for claims to be made against your firm’s professional indemnity insurance.

We think that these issues will likely arise as a result of isolation being experienced by staff and a lack of support from others, a lack of good regular communication with staff members, and from the usual files reviews and supervision dropping away – these are all things that will lead to negligence claims.

One of the challenges that we have in the legal market is that we are already in a hardening market for professional indemnity insurance. It is likely that underwriters will be looking to see what measures law firms have put in place now to combat claims arising from the disruption likely to be caused by Coronavirus to enable them to continue good risk management. This will allow firms to put forward their best case to insurers at the time of renewal.

In this next blog in our series looking at some of the many queries received from our clients through our Ask Teal Service, we consider the client confidentiality issues that may arise when staff work from home.

What are the likely client confidentiality issues when staff work from home?

You’ll need to ensure that your firm continues to comply with rule 6.3 of the Code of Conduct for Firms (which of course applies equally to solicitors), obliging it to keep the affairs of both current and former clients confidential unless disclosure is required or permitted by law or where the client consents.

You’ll also need to consider data protection issues, including the security of the information held at home.You may already have considered this as part of your work in connection with the GDPR.

You should consider how work will be undertaken by staff based at home. For example, where staff have families and may not have access to childcare, they will need to fit in their work alongside other important commitments. With schools closed, it may be difficult to prevent children from interrupting staff whilst working. Staff may need to give some thought as to how they can communicate with clients in a confidential and professional way.

You may recall the famous case at a London law firm where a Partner revealed confidential client information to his wife’s best friend, who then revealed that J K Rowling had written a detective novel under a pseudonym – and he was subsequently disciplined by the SRA.

You should provide guidance to your staff on how to deal with client information when it is kept out of the office. Ensure laptops contain appropriate and current security features and that staff continue to follow your security protocol.If staff use their own equipment, you should check that their virus software is up-to-date and robust.

Remember: criminals will be aware that many eyes may be taken off balls in these highly unpredictable times so it is important that staff are aware of the risks of working at home, in these difficult times, and take steps to mitigate them.

What about dealing with confidential waste?

After scanning documents, you will need to ensure that confidential waste is securely disposed of.

This includes scanned documents and any work produced at home, including draft documents. Consider providing staff with shredding bags to use at home if they don’t have access to a shredder. These can then be returned to the office for secure disposal when staff are next in the office.

Photo by Emma Matthews Digital Content Production on Unsplash

One of the interesting features of the current lockdown is how it seems to be enabling people to open up their minds on thinking about their businesses. Maybe it has something to do with our seeing how the Powers That Be are restructuring themselves away from the traditional confrontational model that has evolved over the history of modern democracy and adopting a more collegiate approach.

Part of that greater visibility is very much in evidence at the moment with Mr Johnson finding himself battling with the more severe manifestation of COVID-19. Apart from some minority extreme views – including a town mayor who has been sacked by her party for saying that Mr J’s suffering in ITU was completely deserved – expressed by media trolls, there has been some welcome and very human support unfettered by political issues. Mr J’s plight has also brought into very sharp focus how the Government is dealing with his absence. The answer is in a largely seamless temporary transition of responsibilities for maintaining momentum and direction. Business goes on and the fight against the virus continues.

So how is this reflected in the running of our own businesses? Key and core compliance standards state very clearly that we should all have an effective and implementable Business Continuity Plan in place. This is not just a Disaster Recovery Plan, which deals with how we get back on our feet after being stopped in our tracks. The key word is “Continuity”, implying that although we may feel pain from a traumatic event, business goes on with both momentum and direction.

A key element of this is in our succession planning. This doesn’t just involve who’s going to take on the role of Senior or Managing Partner, MD or CEO or indeed who is next going to be elevated to an equity position. We are looking at a whole range of situations where team leaders or individuals with key roles in fee earning teams (and including key admin/management roles such as COLP, COFA, MLRO, DPO) need to be backed up by someone capable of filling those roles without internal or external customers being able to see any perceptible join.

Of course, in smaller firms it may be that there simply isn’t the internal resource to fill the void. In these circumstances you may have to look to external help from another like-minded firm, or other outsourced resourcing, for example in compliance or parts of the necessary financial management.

This is all an important part of the duties to clients set out in the Principles.

There are other aspects of Continuity Planning that are often overlooked that are significant in securing stability in a crisis:

When did you last check your non-PII insurances?

Are your

KeyPerson Insurances,Health Insurances, and(if the worst comes to the worst) Life Insurance Policies

maintaining an appropriate level of cover? Providing effective continuity through locum cover can be an expensive business, especially when you’re still paying a high-level salary to the affected person.

And fee-earning will inevitably see a drop in the early stages of cover.

It’s also vital that when planning you ensure that you have the right person in the role of back-up.

Remember that: –

It’s emphatically not a paper title – the nominated person must know what’s involved and be committed to take on the task. There should be consensus in the Management Team that you have the right people in the right posts. The rest of your colleagues at all levels should also be fully aware that you have a plan in place and who will be doing what. Are the deputies properly trained in what they’re supposed to be covering? If not, urgent steps need to be taken for the right level of training to be delivered, whether sourced internally or externally. The regulatory bodies will need to see audit trails both of the decision-making process and the training plan and schedule.

So once again it turns out that “bare” compliance issues in the COVID-19 crisis have much more flesh on them than you would first expect and are closer to the heart of how we manage and lead our firms than we might have anticipated. Nobody could have foreseen the cataclysmic effects of Coronavirus four months ago when the issues uppermost in our minds were the Election and Brexit. But that doesn’t mean we should feel that we’re too late to get to the party of making our SOP’s and Compliance Policies really relevant and fit for purpose. And without relishing the thought of ending on a pessimistic note, if there does turn out to be a second wave, wouldn’t we prefer to be prepared?

Photo by Mati Flo on Unsplash

So how do you go about this supervision thing when you’re all isolated?

There’s much that’s written elsewhere on the Teal Compliance website about the ways in which you can effectively implement a robust supervision system when we’re all working in different locations.

But there are wider implications just in the general good governance sphere of running a business in a thoroughly business-like way. Supervision isn’t just the lynchpin of SRA Principle-Centric, well-delivered legal advice. Other regulatory standards, particularly AML, Lexcel and GDPR/DPA, set it at the heart of effective compliance delivery. And looking at it from a purely common-sense point of view, why wouldn’t you have very clear definitions of roles and their ceilings and reporting and escalation lines right through to COLP, COFA, and DPO level?

It’s something of a truism, but actually having the right people in the right roles is crucial to being able to demonstrate effective Governance. It’s not just a question of seniority or experience – although these are obviously factors to consider.

We will also need to bring into the mix: –

how potential supervisors manage their own workloads; andwhether they have the capacity to take on additional responsibilities;what their style is like – are they empathetic and constructive with their supervisees?;their capability to act as a catalyst to encourage more junior colleagues to identify, address and sort their own problems;whether they are they good teachers;how they are able to interact with their own supervisors.

These are complex areas to identify but they are all crucial in getting the right person in the right role.

The best forum for identifying them is in the firm’s Personal Development Review system.

Does your firm’s system cover these areas effectively and is it fit for purpose?

Really important meetings in this context are very difficult to deal with remotely as it is easy to miss the nuances that can come through (for example in body language) in a real world one to one.

However, as we get used to dealing with matters in a virtual world then it may be an aspect that will become more commonplace. Preparation work in the completion and consideration of questionnaires and answers certainly can be carried out. Interim follow up/catch up/ periodic or weekly one to ones could also be developed to operate virtually.

All the above is likely to beg the question of relevance when we’re all in crisis-handling mode and trying to ensure financial survival. But surely we owe it to our firms to broaden the scope of what survival means as soon as we possibly can?

Things aren’t likely to return to the status quo ante and we need to plan to what changes we are likely to have to adapt and how we can deliver effectively. A well-structured and organised firm is far more likely to survive viably to enable it to move forward when things eventually return to normality. We need to look behind the bare text of what the Regulations say and look at what it seeks to achieve and harness this so that it forms a useful and integral part of our firms’ core strategies. Compliance doesn’t have to be an enemy!

Given that in the immediate future we are likely to have more time on our hands due to the drop in new matters coming on stream, where could we start? Try breaking down the task into manageable chunks; involve your team in the thinking process; review how effectively the supervision structures and procedures are working in your firm.

Some of the tasks will be:

Defining the scope of the roles;Defining the person qualities;Identifying potential candidates;Defining the firm’s structure graphically and developing it into an organogram.

Effective structures are pointers to a well-organised entity that has a strong belief in good governance principles. They’re usually aware of how they work best – and it’s a short step from there to a well-maintained bottom line with the capability to grow when some semblance of normality returns.

There’s a real opportunity here – but we’ll be either broke or too busy fee-earning to seize it when we’re the other side of the COVID-19 crisis – so grab hold of it now!

Sadly, in these challenging times, there are firms that, for one reason or another, are finding themselves in unexpected commercial difficulties that make their longer term viability questionable.

Radical reconstruction by consolidation through merger may be the only alternative to closing doors for good, with all the unsavoury knock-on consequences that this entails.

So now – more than ever – there are likely to be opportunities for merger to the potential benefit of both parties.

In any potential merger situation it is becoming increasingly clear that compliance needs to be at the top of the priority list. Overall, it is a great indicator as to the management style of the merger target as, on a broader scale, the major regulatory standards are placing an increasing significance on the wider principles of good governance as an underpinning ethos to the compliance that they foster.

So… if you’re an acquiree what do you need to do to prepare the firm for marketing, and as an acquirer what do you need to look for?

They are actually two sides of the same coin. If you are the firm looking for help through merger, it’s similar to a job interview – prepare, prepare, prepare, and then prepare. This applies to training all levels of staff in what we are doing and why. Make sure that everyone is on board as their future employment may depend on it.

As an acquirer, the due diligence cannot be too thorough, especially in the current climate when many personnel are likely to be dispersed.

The overarching standard is of course the SAR Principles, revised and reduced from 10 to 7 in November 2019. They are as follows and should be thoroughly interrogated: –

“You act:

in a way that upholds the constitutional principle of the rule of law, and the proper

administration of justice.

in a way that upholds public trust and confidence in the solicitors’ profession and in legal

services provided by authorised persons.

with independence.

with honesty.

with integrity.

in a way that encourages equality, diversity and inclusion.

in the best interests of each client.”

In support of these Principles the firm needs to have a COLP and COFA and you should check that the roles are filled by someone who is appropriately qualified and trained – and takes the role seriously.

You are seeking to adduce evidence that the firm not only talks a good talk but actually delivers on those verbal assurances. There will usually be two aspects to the proof needed that there is such delivery.

You will need to check that there are SOP’s that are encapsulated in a systematised written format. These will, or should, form recognisable parts of the firm’s Operations Manual. It maybe that there are a number of different manuals though e.g. the Data Protection or Lexcel Manuals. If the Manuals are stored electronically the fact that they’re all in the same “Compliance” area is indicative of how orderly the firm’s management processes are. Hopefully the Manuals will all be assembled ready for inspection – a well organised firm should have sufficient confidence in its systems to know what a merging firm will be looking for.

You will need empirical evidence. This will take the form of findings from interviews, both formal and informal, and from written records relating to inductions, training and Personal Development Reviews or Appraisals.

There will be clues as to the effectiveness of the firms’ governance with such items as structural organograms and procedures for escalating responses for incident handling. Minutes from meetings of all types, and policy review schedules can also be very helpful

Aside from broader good governance you should check for clear documentation of the firm’s supervisory structures. There is increasing emphasis being placed on this in the SRA principles as well as the GDPR/DPA legislation.

How do you find it?

1. The paper (or electronic equivalent) trail is self-explanatory – time consuming but worthwhile.

2. Gathering empirical evidence is more challenging but probably more revealing. The firm’s COLP and COFA will always be interviewed. Further interviews should be carried out with a good cross-section of all staff and include front and back office staff at all levels. Remember that conversations solely with partners/senior management will give a slanted perspective.

3. Insurances

Appropriate levels of PII insurance will be checked together with the firm’s Complaints and Claims registers in support of this.How these are administered is a good indicator of the general management style of the firm and attitude towards compliance.

Appropriate cover in other areas to complement the firm’s Business Continuity Planning will also be checked.

Supervision

From the point of view of supervision checks you should speak to both supervisors and supervisees on whether issues are dealt with on a one-to-one basis or in teams; whether training needs are formally identified and how the training is delivered and monitored.

File Reviews.

These are another rich source of data and are a vital part of delivering the quality required by the SAR. Check how often they are carried out and by whom and what happens to the results of the reviews.

Training Schedules and Attendance Records

These are very revealing about the firm’s overall attitude towards compliance and its effective implementation especially when read in conjunction with staff interviews for cross-referencing

The firm’s approach towards conflicts avoidance should be carefully monitored.

The firm’s management of its central Key Dates diary should be similarly examined.

How do you evaluate it?

1. It is advisable not to rely on just one opinion and to apply some sort of consistent level of scoring on how compliance is being managed.

2. Results from interviews are likely to be more subjective so a structured series of open questions contained in a questionnaire will help towards achieving consistency

What is it telling you?

Working on a “RAG” (Red, Amber, Green) method of assessing levels of compliance it would be highly unusual and deeply suspect to come up with a full pack of Greens. It is a useful indicator but not the whole story. What you are really looking for is the overall style of approach to the whole portfolio of regulatory compliance. Every firm will have setbacks or issues occurring that expose actual or potential weaknesses in a firm’s breach prevention armoury. These are of themselves not necessarily the most important thing. What really matters is: –

how the firm approaches dealing with the actual or potential issues andthe overall compliance-embracing culture of the firm andhow the firm works to embed and keep embedded this culture at all levels

If you are in any doubt about carrying out this sort of exercise then you shouldn’t hesitate to ask for outside help. A third pair of eyes can in any event add an element of objectivity that may be difficult to maintain internally when people are either enthusiastically – or unenthusiastically – polarised about a merger project.

Good Luck!