Risk Management

“Failure to close the photocopier lid is a disciplinary offence.” “No more than 1 person in the kitchen at any one time.” “The toilet roll is kept in the managing partners office and must be returned after use.”

This morning I was looking at a post on LinkedIn which generated a lot of comments and interest. The post is about a mobile phone policy which a content marketing business has felt it needed to implement, apparently written, according to the managing director, by the younger staff, and not by management.

Here is the policy.

Now, reading the comments, it’s suggested by some that this is a clever piece of content marketing to demonstrate the businesses ability to get engagement, but whether it is or not, I’ve seen that policy before, often, in law firms.

The policies in the opening paragraph of this blog are not made up for clickbait. They are policies which were in place in the first law firm I worked in. Now we’re talking 22 years ago, but just last year someone sent me a picture of a sign on the back of a bathroom door (which clients can use) which said in red capitals – DO NOT LEAVE THIS TOILET WITHOUT CHECKING IT HAS FLUSHED PROPERLY. IF NECESSARY, FLUSH AGAIN.

I find myself reflecting on what is happening in these businesses to motivate people to write such things, what are their frustrations, concerns, worries? Worries about productivity, wasted costs, cleanliness, and in respect of the mobile phone policy, possibly security. These are absolutely legitimate issues which need to be addressed, but I would suggest that sometimes the ways these policies are written is counterproductive.

Whilst the policy or notice itself may have the desired effect – we never left the photocopier lid up for example, what does this do for morale, and culture. Now this isn’t my area, I know people much better placed to talk about culture, but I do know about policies, and I would urge anyone writing them to think about the unintended consequences. Whenever we introduce controls, unless people properly understand the rationale, there is a risk they won’t comply. That they’ll dismiss it and will work around it.

Also consider how the policy might be interpreted. Avoid writing them when you’re frustrated! In one of the comments the MD of the company with the mobile policy was asked did it apply to him, and he said, he needed his mobile phone on the desk, and he could “restrain himself” from getting drawn into social interaction during the day.

I recently caught a Simon Sinek (who I love!) video about allowing our children access to mobile phones is damaging them and ultimately causing a problem for managers in the work place as people are addicted to them. I don’t disagree with him, but dismissing this as – they can’t restrain themselves, so I am going to threaten them with a ban – doesn’t seem to me to be the best way of tackling this.

Communication, explaining the impact, understanding why it is an issue, and arriving at a negotiated solution is going to be much better than issuing policies which can alienate people, breed resentment, and cause exactly the lack of productivity you were afraid of in the first place.

Be mindful when writing your policies, leave aside for a moment what your intention is, and put your self in the mind of the reader. Am I saying what I mean, will they understand why we need it to be this way, will they feel talked down to by the language? The more engaged the reader is, the more likely they are to comply.

[vc_row][vc_column][vc_single_image image=”372″ img_size=”full” alignment=”center”][vc_column_text]

A recent report produced by the National Cyber Security Centre (NCSC) highlights the need for even the smallest firms to undertake a cyber threat risk assessment and implement effective controls. The report cites a 2017 PricewaterhouseCoopers Law Firm survey, in which 60% of law firms reported an information security incident in the last year, up from 42% in 2014.  The report also cites SRA reports that over £11 million of client money was stolen due to cyber related crime in 2016.

The report ‘Cyber threat to the UK Legal Sector’ sets out, through case studies, the latest cyber security threats that are of particular relevance to the legal sector. The report also identifies practical steps firms can take to reduce the likelihood of them falling victim to such threats.

The report is the work of the NCSC and its sponsored Industry 100 scheme, with input from the Law Society, the SRA, Action Fraud and the National Crime Agency (NCA). The mission of the team is to increase the resilience of UK law firms who are particularly vulnerable to this type of threat as a result of the sensitive client information and significant funds they hold. These risks can disproportionately impact smaller firms who may have a small number of staff but may still be processing large volumes of data or handling significant client funds.

While firms may have taken action to secure personal information as a result of the General Data Protection Regulation (GDPR), this report identifies cyber security as a wider issue impacting commercially sensitive information, supply chain risks and financial controls that could make firms vulnerable to fraud and bribery. The 4 key current risks identified in the report are:

• Phishing attacks where attackers influence users into disclosing information or clicking a bad link which compromises the payment of invoices and money transfers;

• Accidental and deliberate data breaches as a result of insiders such as disgruntled employees looking to gain financially or ‘get back at a firm’ for perceived grievances;

• Ransomware – a type of malware that prevents firms from accessing files or data on their computer or network until a ransom has been paid to fraudsters.

• Third party suppliers failing to adequately secure their systems that hold your firm’s sensitive data or money transfer arrangements leading to loss of data or money. State actors can also target a law firm in order to gain access to corporate clients and their information.

The report also raises concerns that future increased use of online delivery methods; outsourcing of services; blockchain and Artificial Intelligence will increase the risks going forward. As Christina Blacklaws, President, The Law Society states;

“As data controllers, law firms handle significant volumes of confidential and sensitive information and client monies as part of their daily work. In the post-GDPR world and as the sector delivers and transacts more online, it’s vital that we get a common view and understanding of cyber threats and their impact.”

As well as understanding and assessing the risks, firms need to consider the adequacy of their existing controls and then strengthen them where necessary. The report identifies a number of simple key controls for firms to consider including:

• Implementing processes to verify (via independent means) invoices and account details for money transfers;

• Using ‘cooling off’ periods for changing account details for high value transactions;

• Encouraging a culture where suspicious transactions are queried;

• Educating clients about your firm’s invoice and money transfer processes to help them avoid falling victim to a phishing attack;

• Monitoring user access of systems;

• Keeping software, and especially operating system (OS), up to date;

• Control what software and applications you choose to allow into your firm; and

• Verify that third party suppliers, particularly those that hold their sensitive data, have basic cyber security controls in place.

All of the above controls are relatively cost effective for any firm but other controls may be disproportionate for smaller firms. To this end the NCSC’s ‘Small Business Guide’ offers simple practical technical tips for smaller firms. The NCSC also points firms to the government-backed ‘Cyber Essentials’ scheme. As well as providing simple but effective controls, certification under the scheme demonstrates a firm’s commitment to cyber security which can provide a competitive advantage.

UK-based law firms can also access cyber security expertise by signing up to the Cyber Security Information Sharing Partnership (CiSP), a joint industry and government initiative. There is a private CiSP group tailored to law firms which is free to join. Full details on the membership benefits and joining instructions can be found here: https://www.ncsc.gov.uk/cisp. The NCSC or the Law Society can sponsor your organisation, as appropriate.

The NCSC report also recommends the NCSC ‘10 Steps to Cyber Security’, a guide to help board members and auditors ask the right questions about cyber security.

As with most frauds these losses occur not because of the absence of controls but rather that the controls in place are not applied consistently.  According to the latest KPMG ‘Global Profile of a Fraudster’ report, weak internal controls were a factor in 61% of frauds.

A firm’s assessment should therefore also consider at a high level how likely it is that controls are adequately performed in each business area. Control systems should be reviewed at regular intervals to ensure that these remain current, relevant and appropriate to the needs of your firm. Risk models have to be regularly revisited and reconsidered in order to have assurance that the risk profile continues to be valid and in particular after:

• restructuring,

• downsizing,

• changes in business processes,

• when major new policies are being developed, changed or implemented differently,

• following identification of weaknesses,

• the introduction of new computer systems, and

• after an incident of fraud.

Firms wishing to obtain further information about conducting a risk assessment, raising awareness amongst staff or auditing the adequacy of their existing controls can contact us at hello@tealcompliance.com to find out more.  An initial call is always free.

[vc_row][vc_column][vc_single_image image=”424″ img_size=”full” alignment=”center”][vc_column_text]

At the recent Teal Annual Conference, I spoke to the delegates about Technology in Compliance. I’d like to pose some of the questions we talked about during the session. How would your firm answer?

1. How do your current systems and processes work for you?

2. As a firm, are you all working on the same system or is it a mix?

3. Are you confident that all your employees are using the same versions of documents such as your Client care letters and Terms of Business?

4. How often do you review your systems and processes?

The answers to the above questions are fairly self explanatory when it comes to assessing how effectively a firm is using technology to support their compliance function.

There are common themes for the majority of firms I meet. Firstly, there are still many firms that do not have a case management system (actually there are a lot) and who operate with a “S – Drive” where everyone can access and save documents. Secondly, there are those that have a mixture of different systems, and different levels of take up of those systems depending on the department.  There are of course some firms that use their CMS to the best of their advantage. This takes a significant amount of work, but the firms that make the effort, reap the rewards. Personally, I would like to see compliance embedded into the IT systems and processes within all firms.

By investing in people, processes and systems it allows compliance to become second nature, providing an additional layer to internal risk management, and an audit trail if something were to happen.

In addition, it can also help increase profitability – so what is there not to like?

With so many different systems on the market, if you do not have a system, or are looking to change, how do you choose the right one for your firm? Here are some pointers:

1. Select the project team in-house – have a mix of staff covering support staff, fee earners, IT, management. You need to have a complete overview from all perspectives. Also ensure you include different disciplines, as each will have their own requirements.

2. Scope the list of features you must have, should have and would like to have. A project cannot always be completed in one hit, and taking a phased implementation approach is often more successful.

3. Do your research into providers or bring in an independent consultant who can assist. It is not a case of one size fits all.

4. Know your budget – there is a vast difference between “out the box” and custom built.

5. Shortlist the systems that you consider will assist you in your business and arrange a beauty parade.

6. Have a selection of staff at demonstrations.

7. Take your time to work through the pros and cons.

8. Consider the change management that will be needed within the firm to implement the new system.

As a starter for ten, here are some of the features which you should consider embedding into your systems:

I am strongly of the view that we can effectively use technology within our compliance systems to minimise the risks involved of running a law firm.  Why make things more difficult for yourselves, your firm, your staff, and your clients than they need to be!

Teal Compliance regularly advises law firms with reviews of their IT system requirements.  If we can help your firm, we are always happy to have a free initial chat.  Contact us at hello@tealcompliance.com

[vc_row][vc_column][vc_single_image image=”471″ img_size=”full” alignment=”center”][vc_column_text]

At the start of 2018 most us will have sat down and set personal new year resolutions.     There are two questions I would ask:

1. How many of those resolutions are you maintaining?

2. Out of those resolutions, were any of them business focused?

Whether you are the decision maker in the firm or an employee it is always good to have goals to focus on.  Compliance underpins both the individual and firm wide goals, without it you are almost certainly not going to succeed.

At the very least whilst you may think you are succeeding without compliance, it will only take one complaint that leads to a negligence action or a rogue fee earner that will bring the walls tumbling down.  The foundation of any law firm is Compliance – how good would it be to achieve all your goals and sleep at night without the worry of “what if”?

Even in the most compliant firms partners will still at one time or another have that feeling of something going wrong, usually in the middle of the night.  At Teal we are here to make sure that those 3.00am wake up calls are few and far between.

Prevention is better than cure and sometimes the not knowing how to deal with something is far worse than the issue itself.

If you were building a house or a block of flats, you would not do so without the appropriate planning permission or foundations.  Building a block of flats on the same foundations as a single or double story house is a risk that we can all see.

You may not be able to see the risks in your own firm, which is where Teal can assist.  We know what to look for, how to deal with the warning signs and put systems in place.  We will set goals for you which we know you will be able to achieve.

Compliance is not about setting people up to fail, it’s about being realistic in training your staff, so they know what to look out for and question.  It’s about being preventative and having the knowledge of what is truly happening in your firm.  Not turning a blind eye because that fee earner bills a higher amount.  It’s about the culture and fit of the employees within your firm.  It’s your integrity, ethics and your reputation.

So, if we were to look at your goals – what would they be?