Compliance has become culture

Crispin Passmore • Sep 08, 2019

Culture, risk, regulation and building resilience in law firms 

During my last year at the Solicitors Regulation Authority (SRA) I took responsibility for its supervision and investigations functions. I had long talked about risk, regulation and what drove good and bad behaviour among lawyers, learning from academics such as Moorhead and Vaughan. I have come to the view that risk and culture need to go hand in hand. A firm can have the best risk processes in the world but if there is a culture of non-compliance or exceptionalism they will not be effective. Equally, there are areas outside traditional risk management, such as a hard-drinking culture within a team, that may raise greater issues than have been previously addressed.

Almost all law firms will manage compliance risk at a senior level but my sense is that there is a growing awareness of the fact that culture also impacts on risks. Whilst compliance risk can be dealt with by systems and processes, culture is more complex and is more difficult to measure and address.

Part of what drove me to think about this is my own experience. I have been a senior executive in four organisations over the last 20 years, ranging in size from around 30 staff up to 1200 spread over a dozen locations. I am also an experienced non-executive and currently chair Audit and Risk Committees at a UK-wide regulator and a housing association with 30,000 homes and corporate borrowing and investment plans that run into hundreds of millions. Additionally, I work closely with the leading regulatory solicitor, Iain Miller of Kingsley Napley, to offer firms help on these issues – both before and after problems arise. In all of this work the one thing that I have learned is that leadership is all about setting the tone and culture. It is about valuing behaviours and skills at least as much as knowledge; it matters for risk management as much as for performance or change programmes. If a firm’s risk management is focused on 16 or 20 box grids, with dry debates about likelihood and impact, it isn’t really risk management at all.

It is well recognised that the legal market is changing; more demanding corporate clients want a partnership on diversity, corporate social responsibility and sustainability on top of ever better value. Competition is increasingly dynamic with traditional law firms, the Big Four, managed legal services and tech providers all vying for a bigger share of the (admittedly growing) global corporate legal market. And the workforce of legal businesses is changing to meet these demands. A more diverse, dispersed and dynamic workforce cannot be managed as if it is the homogenous law firm of 20 or 30 years ago. You only get compliance (with regulatory obligations or business strategy) if you get the culture right; each individual has to be able to do the right thing when no one is looking. Compliance has become culture.

Any firm in the top 200, and probably any with a turnover over about £2m, should have a system of risk management that, as a minimum, seeks to emulate best practice. This should be based upon clear risk management governance, properly identified strategic risks, and the three lines of defence approach. You can read more about this model here. Strategic risks are not simply the biggest risks in each department or programme of activity. They should be the things that can damage or sink the business and be the product of a mix of bottom-up and top-down discussion that allows the Board to see the risks to its strategic objectives and ensure that they are managed. I use Board in this blog to cover the most senior people in any business overseeing the senior delivery team. It might be a Board that is recognisable to a quoted company, the public sector or an NGO, or it may be a Senior Partner and an executive partnership team. What is key is that there is clear leadership to identify the issues it wants the chief executive or managing partner to focus and report on. If culture is not an explicit theme across those strategic risks or a risk in itself then it is worth asking why not.

The SRA is launching its new Standards and Regulations (STARs) (available as a beta web tool here) on 25 November 2019. The clarity that comes from the Code of Conduct for Solicitors (and its parallel for regulated entities) provides a steer for law firm leaders. Firms have their own set of responsibilities, including their role in ensuring that the governance of the firm is effective and that the firm ensures that individuals comply with their obligations. These obligations need to be read in conjunction with the SRA Enforcement Strategy. That was launched in February 2019 and again puts culture at its heart: “The context in which professionals work, the culture of an organisation and pressure from peers and managers, is likely to have significant impact on their actions and decisions.” So when something goes wrong the SRA will be looking at the firm’s culture, how the leadership team and Board set that culture and how they have effective governance to monitor it.

So what might governance look like when managing risk and, specifically, culture? The three lines of defence model ensures that resources are properly focused. Getting the right mix of strong management or other internal controls, clear policies on risk and process with compliance teams, and independent assurance is a prerequisite, but it is not enough on its own.

Getting an effective risk committee is as important as the systems. If risk is overseen by the same people as run the business and set the strategic direction then there is a possibility of groupthink because of the lack of external challenge. In my experience law firms, by their nature, have issues around creating cultures where people challenge upwards, so independent approaches to risk are crucial for the Board to have any proper grip on risk and culture. My top tips for a risk committee might be:

          - Get the structure right and empower the risk committee.
          - Have independent members on the risk committee.
          - Ensure there is an adequate budget for internal audit.
          - Use an external provider of internal audit services.
          - Tell the risk committee you want a focus on culture.


I am sure that most law firms recognise that they cannot stop bad things happening so they have systems and processes ready for when they do. Most likely these will be things like disaster recovery plans for major IT failures or premises lockdowns. More and more the best risk committees focus on building resilience as much as trying to avoid risks materialising. That applies to cultural failure as well. Firms need to work on building the right culture but they also need the equivalent of an IT disaster recovery plan for cultural failings. Many cultural failings lead to regulatory and compliance problems. How many law firm leaders are currently wishing that they or their predecessors had better focused on culture now that they are dealing with the fallout from #metoo?

So how should Boards measure culture? Boards and non-executives, including those on the risk committee, should follow the mantra of ‘noses in, fingers out’. But that doesn’t mean hold your nose – it means having the right culture at Board level, and in particular through the risk committee, to ask about culture and challenge the executive for evidence in line with the three lines of defence model.

It is wrong to be formulaic about measuring culture. Firms have different cultures for good reason – they are each trying to deliver their own strategy with different risks and varying risk appetites. And that means that measuring culture needs to be tailored. But some pointers might include:
 
          - Delve into the staff survey and don’t accept summaries. Ask for cross-tabs by protected characteristic or department, for example. Look at variations beneath the organisational summary.
          - Use regular pulse surveys to check more frequently on areas you want to see improved. You wouldn’t accept an annual report on turnover or profits, so don’t on culture.
          - Develop a proper approach to 360 feedback for partners and other senior staff. If you think this doesn’t help because your lawyers don’t speak truth to power in 360 surveys, or you don’t think partners will act on the feedback, or that you have nothing to learn from your team then you almost certainly have a cultural problem.
          - Look at trends in whistleblowing, allegations of bullying, harassment, and use of NDAs. See what lies beneath sickness patterns and people leaving. Listen and don’t assume.
          - Look at Glassdoor and try to understand the messages rather than explain them.
          - Ask questions of senior staff rather than tell them what to do. Listen to their answers and agree priorities. 
          - Measure change on all of these but do not go overboard – remember it is fingers out and noses in.

If you want to get the culture of a law firm right then the leaders of that business need to get the culture of the Board and partnership right. Everyone has to ‘walk the walk’ – what you do as a leader matters much more than what you say. The Board needs to be brave on hard issues and make sure that it challenges those that it tasks with delivery. It must not be driven or corralled by agendas set by the executive – the Board should go where it needs to. The Board Chair or Senior Partner needs to ensure that everyone knows that diversity matters. A more diverse Board with wide experience beyond the firm and the legal market will help the Board ask itself and the executive the right questions. The Chair or Senior Partner needs to lead a culture in the Board and beyond that embraces challenge and awkward questions so that tough issues are never ducked.

Even with all this in place things will still happen. But there is a world of difference between a rogue partner going off-piste and a culture that made the firm’s lawyers think that standards are not important. A case of sexual harassment by a partner is bad enough for a firm. Evidence of a hard-drinking culture, and a pattern of staff surveys and exit interviews suggesting problems, all against a male-dominated leadership and unclear routes for work allocation or promotion that appear to favour men, might all suggest that the firm allowed it to happen or even facilitated it through poor culture. Good risk management and a focus on culture can reduce the chances of a problem arising and mitigate the consequences when it does.

A firm that does all of this is well placed for several reasons. It is focusing on the right risks. It is looking at culture as a driver across those risks. And it is reducing the chance of the firm and its staff doing things they should not, while building resilience for when something does happen that everyone knows should not have. At that stage, dust off the regulatory and compliance disaster recovery plan and be well placed for helping the firm minimise or even avoid SRA enforcement action.
