Risk Management Policy (Dec25)

Introduction

We, as a firm, are committed to providing a reliable, effective, and expert service to all clients.

All policies and procedures adopted by us are intended to avoid, reduce, or mitigate against potential risk to the firm or our ability to provide services to clients to the standard we have set for ourselves and to the standards expected by regulators.

We use Access Legal Compliance to manage various aspects of risk management and the system should be used as laid down in our policies and procedures.

Purpose

This policy governs all of our risk management activities. It explains how we manage risk and what is expected of us all.

The key message of our risk management strategy is that prevention is better than cure.

Scope

This policy applies to all employees, including managers, consultants and any third party to whom it has been communicated.

Responsibility

We accept that the firm cannot operate ‘risk-free.’ However, it is important for us to take all reasonable steps to minimise identified risks, and this must involve all of us.

Timothy Halliday (COLP) is also the firm’s Risk Manager. He is responsible for this policy and the management of our risk profile. These risk management duties include:

  • Keeping our policies and systems for managing risk under review.
  • Monitoring risks to which we are subject, including receiving and recording risk notices and monitoring risks that could develop.
  • Taking appropriate action to address risks identified.
  • Promptly reporting to the SRA, as appropriate, any facts or matters that he reasonably believes could amount to a serious breach.
  • Negotiating and liaising with our professional indemnity insurers; and
  • Arranging risk management training when training needs are identified.

It is the responsibility of us all to adhere to our policies and procedures and to report without delay anything that could result in a claim for compensation, a complaint, or a breach of our professional rules. Failure to do so may result in disciplinary action.

Reports should be made to Timothy Halliday (COLP) or, in his absence, to Nicola Robinson.

What is risk?

The term ‘risk’ refers to the probability of direct or indirect loss or harm, resulting from inadequate or failed internal processes, people and systems or external events.

Loss or harm includes any interference which stops or reduces our ability to achieve our objectives, namely continuing to provide a high standard of service to our clients and to make a sustainable profit.

Why is risk management important?

Effective risk management contributes to the success of the firm and will contribute to good client service, a good reputation, profitability, compliance with our regulatory obligations and effective working procedures for us all.

Our approach is customised to fit the specific needs of our practice, ensuring that our strategies are effective whether we are a small practice or a larger organisation. This tailored approach helps us better manage risks and maintain high standards of service.

The cost of our professional indemnity insurance is a considerable overhead and largely linked to our risk profile. Our risk profile is largely judged on our claims history, although insurers are increasingly looking at the systems and procedures that we have in place to manage and reduce our (and their) exposure to risk.

It is important to realise that poor risk management is not limited to direct financial loss but can also result in loss of clients, loss of our good reputation and loss of fee earning time in dealing with incidents and breaches of our regulatory requirements. As such, risk management is integrated and embedded into our organisational processes. It is factored into business planning, performance management, audit and assurance, business continuity management and project management.

Our approach

We manage risk by:

  • Identifying risk.
  • Assessing the likelihood of that risk occurring.
  • Considering the impact that the risk could have on us if it occurred.
  • Taking steps to eliminate or mitigate identified risk.
  • Reviewing identified risk and mitigation steps periodically.

This approach is a never-ending cycle as risk changes and develops constantly.

Types of risk

There are three broad types of risk that we must consider:

  1. Strategic risk – means the risks that arise from the business decisions that we make. For example, losses that might arise if our business plan is not successful or if our business model does not remain effective in the legal market.
  2. Regulatory risk – means risks that arise from failing to comply with our regulatory obligations i.e. compliance with the SRA Standards and Regulations.
  3. Operational risk – means the risks that arise from the way we do things, i.e. the systems and procedures that we have (or do not have) in place. For example, missing a key date on a client’s file or giving an inappropriate undertaking that we cannot honour.

In practice, the three types of risk overlap, with many risks falling into more than one risk type.

Systems for managing risk

We use a variety of systems to manage identified risk. Our key systems are outlined below:

Policies and procedures

All our policies and procedures have been developed to manage a form of risk. Policies and procedures are designed to ensure that we all work in a consistent way; therefore, we should all know what to expect of each other.

It is particularly important that you familiarise yourself with our policies and procedures and adhere to them in order to help us manage risk.

Our risk reporting arrangements reflect the two-way nature of risk management:

  1. We require all risks identified by file handlers on files to be reported appropriately to supervisors and managers for guidance and monitoring.
  2. Supervisors and managers are, in turn, required to identify management and monitoring strategies and ensure these are communicated back down to file handlers.

Access Legal Compliance

We, as a firm, have made a strategic decision to use Access Legal Compliance to manage our risk and other compliance areas centrally; it also allows us to maintain an audit trail of our risk and compliance activities so we can produce relevant evidence should we ever be asked to do so by regulators, indemnity insurers, auditors, etc.

Access Legal Compliance has been recognised by professional indemnity insurers as an effective way of managing risk and compliance and is quoted on their proposal forms under the risk management section.

Access Legal Compliance must be used as defined in our various policies and procedures; failure to comply with required usage could lead to disciplinary action being taken.

Compliance officers

Timothy Halliday has been appointed as our Compliance Officer for Legal Practice (COLP) and his responsibilities are:

  • Take all reasonable steps to ensure that we are compliant with:
    • The terms and conditions under which the firm is authorised by the SRA to provide legal services.
    • The SRA Standards and Regulations.
    • Any other statutory or regulatory obligations applicable to us.
  • Maintain a record of breaches that allows him to:
    • Monitor our overall compliance with our statutory and regulatory obligations.
    • Assess the effectiveness of our systems and controls.
    • Identify at an early stage breaches that are serious either in their own right or because they form a pattern that is indicative of a systematic failure to achieve compliance.
  • Review the breaches register at regular intervals to determine whether any action is required.
  • Promptly report to the SRA or other approved regulator any facts or matters that he reasonably believes are capable of amounting to a serious breach, or any matters which he reasonably believes should be brought to the SRA/other approved regulator’s attention in order that they may investigate whether a serious breach has occurred or otherwise exercise their regulatory powers.
  • Ensure that effective compliance systems are in place to undertake the following:
    • Non-standard undertakings are given appropriately, monitored, and complied with.
    • Appropriate checks are conducted on new employees or contractors.
    • Regulatory deadlines are complied with, for example arranging professional indemnity insurance cover, renewal of practising certificates and registrations and the provision of regulatory information.
    • Risks are appropriately monitored, reviewed, and managed.
    • Issues of conduct are given appropriate weight in decisions the firm takes, whether on client matters or practice-based issues such as funding.
    • File reviews are conducted as set out in the File Review Policy.
    • Employees are developed and trained as necessary to carry out their role.
    • Necessary approvals of managers and the COLP/COFA are obtained.
    • Arrangements are in place to deal with planned/unplanned employee absences; and
    • Compliance with data protection legislation.
  • Prepare and maintain our compliance plan.

Nicola Robinson has been appointed as the Compliance Officer for Finance and Administration (COFA) and her responsibilities are:

  • Take all reasonable steps to ensure our compliance with the SRA Accounts Rules.

  • Maintain a record of breaches that allows her to:
    • Monitor our overall compliance with the SRA Accounts Rules.
    • Assess the effectiveness of our systems and controls; and
    • Identify at an early stage breaches of the Accounts Rules which are serious, either in their own right or because they form a pattern that is indicative of a systematic failure to achieve compliance.
  • Review the breach log at regular intervals to determine whether any action is required.
  • Promptly report to the SRA or other approved regulator any facts or matters that she reasonably believes are capable of amounting to a serious breach of the Accounts Rules, or any facts or matters which she reasonably believes should be brought to the SRA/other approved regulator’s attention in order that they may investigate whether a serious breach has occurred or otherwise exercise their regulatory powers.
  • Assist the COLP in preparing and maintaining our compliance plan.
  • Ensure that effective compliance systems are in place to undertake the following:
    • Only appropriate people authorise payments from the client account.
    • Risks are monitored, reviewed, and managed.
    • Non-standard financial undertakings are given appropriately, monitored, and complied with.
    • Issues of conduct are given appropriate weight in decisions the firm takes, whether on client matters or practice-based issues such as funding.
    • The necessary approvals are obtained from managers and the COLP/COFA; and
    • Duties to clients and others are met even when employees are absent.

Compliance plan

We have a firm-wide Compliance Plan which sets out how we manage our compliance with the requirements of the SRA Standards and Regulations. Planning how compliance is to be achieved reduces the risk of us breaching our regulatory obligations.

The COLP has overall responsibility for the compliance plan. You can access a copy of the compliance plan by speaking with our COLP and he will be happy to discuss any aspects of it with you.

Risk register

We have identified the main risks to the firm and recorded them in the firm’s Risk Register.

Each identified risk has been categorised according to the risk type and given an overall risk rating which considers the likelihood of the risk occurring and the impact that the risk would have on the firm if it did occur.

The risk register also identifies steps that we can take to mitigate the risks identified where possible.

The COLP/risk manager reviews the risk register regularly as part of our risk management approach.

The COLP and the risk manager are responsible for managing the risk register and would be happy to discuss any queries with you.

Practice area risk assessments

We have also conducted a risk assessment for each practice area to identify and mitigate the key risks posed by each work type.

It is important that you familiarise yourself with the risks identified in your practice area.

You can access a copy of the practice area risk assessments from your head of department.

If you have any concerns about areas of risk posed by your practice area, please speak to your head of department.

File risk assessments

The level of risk presented by every file needs to be considered by the file handler. Risk is an issue before, during and after action is taken in every matter. It is quite clear that the proactive management of risk issues will reduce the incidence of claims and complaints.

All file handlers must conduct a risk assessment before conducting work on a matter and upon concluding a matter. Risk assessment forms are available on the firm’s case management system and their use will be monitored as part of ongoing file reviews.

Matters must also be monitored as they progress and any change in risk profile must be brought to the attention of your supervisor or manager, who will decide upon a management and monitoring strategy before communicating this back to the file handler.

Please refer to our File and Case Management Procedures Manual for further details on file risk assessments.

Staff supervision

Our policy and procedures for staff supervision are set out in a separate policy document but it is important to note their existence and the importance that they have in relation to risk management.

Our supervision procedures cover the following areas:

  • Allocating named supervisors to each practice area.
  • Allocating a supervisor to each matter.
  • File progress and inactivity checks.
  • File reviews.

Please refer to the Supervision Procedures and the File Review Policy for more details about our supervision procedures.

File and case management

We also have a separate manual governing file and case management. Again, this has been developed to manage risks that may arise in accepting a case and managing a file.

For example, our File and Case Management Procedures Manual covers, among other things:

  • File opening and closing procedures.
  • Costs information.
  • File maintenance.
  • Confidentiality.
  • Key dates; and
  • Undertakings.

Please refer to our File and Case Management Procedures Manual for further information. Our procedures for managing risks associated with conflicts of interest are covered in our Conflicts Policy.

Monitoring how we do business with third parties

We must ensure that we only do business with reputable third parties and that the quality of their work meets our high standards. If we fail to properly monitor our business relationships with third parties, then we could face reputational harm, loss of clients, financial loss, or regulatory implications.

We have, therefore, also developed a policy governing third-party services. If you are involved with our third-party business relationships, please ensure that you are familiar with and adhere to our Outsourcing Procedures.

Business continuity

We have developed a business continuity plan to address some of the major events that could occur and that would cause significant disruption to our operation if they did occur.

This plan aims to limit the impact of such events (where possible) and to provide practical guidelines to those responsible for using the plan in an emergency, as to what action might be necessary and who should take that action.

The type of events covered by the plan include:

  • Fire.
  • Flooding.
  • Loss of electrical power.
  • Loss of ICT and telecoms facilities; and
  • Limited access to our premises for any reason.

The plan is subject to continuing review and is tested periodically.

Remote/hybrid working

We are very aware that whilst a remote/hybrid working arrangement brings with it a number of tangible benefits, employees working in this way also pose an increased risk to the firm across various key areas, such as supervision, confidentiality, data protection and wellbeing. For this reason, we have put in place various processes and procedures as safeguards against such risks, which all employees with this type of working arrangement must follow. Please see the Flexible, Remote and Hybrid Working Policy for further information.

Communicating risk management information

Risk management information is predominantly communicated in the following ways:

  • Developing policies and procedures detailing risk management requirements and expectations.
  • Training on key compliance and risk management topics.
  • Creating a culture of risk management awareness; and
  • Ensuring that we have an ‘open door’ approach to risk management.

If you have any questions or concerns about risk management in the firm, please contact the COLP or the risk manager who will be happy to discuss matters with you.

Risk management system review

The COLP and the risk manager will undertake a review of the operation of our risk management system at least annually. This will comprise a review of:

  • Professional indemnity insurance claims and circumstances reported.
  • File review data.
  • Client complaints.
  • Client feedback.
  • Matters reported to the COLP/risk manager/COFA/MLRO.
  • Serious breaches reported to the SRA.
  • Less serious breaches recorded.
  • Data protection issues (subject access requests, breaches, complaints).
  • Any situations where we acted despite there being a conflict or a high risk of a conflict; and
  • Any identified remedial action.

Review of this policy

This policy will be reviewed at least annually by the COLP/risk manager.

Dec 2025
