Managing compliance in law firms

Legal/Regulatory environment

The government, in every country, frames its legal system and regulates business according to its defined priorities. The laws which are passed by the government for business operations are considered as the legal environment. The role of government, regulators and other supervisory authorities is to preserve order and protect the interests of consumers and other relevant stakeholders.

Compliance with the regulatory requirements of the business is adhering to the obligations relevant to the business sector in which it operates (GACP – CISA). ‘Compliance obligations’ are the requirements that an organisation has to comply with (‘compliance requirements’) and chooses to comply with (‘compliance commitments’). This includes applicable requirements set out in statutory, regulatory and supervisory requirements, as well as relevant industry and general codes, requirements and best practice guidelines (collectively), that an organisation subscribes to or follows.

In South Africa, the compliance function is both statutory and self-regulated. Legislation mainly applies to the financial services industry. In legal practice, the Legal Practice Council (LPC) is the regulator of legal practitioners and the Office of the Legal Services Ombud (OSLO) oversees the regulation of the legal profession. Compliance risk is the most important threat facing an organisation. The most obvious reason to comply is often the law and the risk of penalties, sanctions as prescribed by the legislation, and other potential consequences for failing to comply, e.g. litigation and reputational damage, is high. Complying with the requirements provides additional benefits to an organisation, such as:

• Good business practices;
• Reputational risk;
• How your business should operate; and
• Client satisfaction;

Compliance function

The structure of the compliance function should be appropriate to the organisation’s business. A small organisation does not require a full-time compliance officer and the management will have to assume responsibility for several different functions. Compliance and risk management work together. The focus of the compliance functions is to act independently in the oversight of compliance (De Rebus ‘A culture of compliance; How to build and maintain a compliance framework’ – September 2021, DR 20). The responsibility of the compliance function provides a clear mandate to manage and report on the compliance risk of the practice.

The role of the compliance function is to identify, assess and monitor the compliance risks faced by the organisation and advice and report to senior management about these risks. An organisation is usually in a state of being in accordance with the compliance obligations or in the process of becoming so. Compliance risk is different to legal risk. Compliance refers to adherence to the law as it is written down in the legislation. Legal risk considers a wider view of legal principles and considers other types of legal risks arising from transaction errors, contract breaches, litigation, etcetera. Compliance risk occurs when procedures implemented by the organisation are not adhered to and/or are inefficient and ineffective.

Meeting regulatory requirements is a complex challenge posed by the inherent difficulty in the interpretation of the various regulatory requirements, and industry-specific regulations that organisations are obliged or expected to comply with (De Rebus ‘Risky business: Managing risk to innovate, change and develop’ March 2022 DR 12). Organisations have a strong incentive to internalize the enforcement function by instituting procedures to guard against compliance risks. The development of a fully effective compliance function, however structured, can take some time before the value of the function is realised (De Rebus – September 2021(op cit)). The compliance function is a platform to institutionalise a compliance process and is underpinned by the development, approval and implementation of a compliance policy, charter and manual.

Compliance policy/charter

The management should establish a compliance policy that is appropriate to the purpose of the organisation. The policy is an outward statement that seeks to determine compliance with the spirit of the law. It goes beyond a policy, and is functional, defining operations – anything operational is included in the charter. The compliance policy should articulate the scope of the compliance management system and should be available as documented information and regularly updated.

Training

Education and training of the employees should be tailored to the obligations and compliance risks related to the roles and responsibilities of the employee, assessed for effectiveness, recorded and retained. An effective compliance program will include adequate training and communications so that employees understand their compliance obligations. Training should address what to do when an employee thinks an activity is potentially unlawful.

Leadership

Tone at the top refers to steps taken by management to require and incentivize lawful behaviour and participation in compliance training. The management should demonstrate leadership and commitment concerning the compliance management system. The management and the compliance function should ensure that they are effectively informed on the performance of the organisation’s compliance management system and its continuing adequacy, including all relevant non-compliance in a timely manner, and actively promote the principle that the organisation encourages and supports. The tone and culture set by the management more often than not dictate the compliance behaviour of lower-level employees.

Culture of compliance

Active monitoring to evaluate all efforts, and regular training on compliance obligations is essential in building a culture of compliance into operations of the organisation, from C-suite to the post room (De Rebus – September 2021(op cit)). If senior management does not actively support and cultivate a culture of compliance, a company will have a paper compliance program, not an effective one. An efficient compliance program will promote an organisational culture that encourages ethical conduct and commitment to compliance with the law. For a compliance program to be effective, those with the responsibility for the program must have sufficient authority, and seniority within the organisation’s governance structure, as well as adequate resources for training, monitoring, auditing and periodic evaluation of the program.

Compliance and risk management framework

Rule 54.14.7.1 of the LPC Rules made under the Legal Practice Act 28 of 2014 (LPA), requires the legal practitioner to implement and design internal controls to provide reasonable assurance of reliable financial reporting and to ensure that they operate effectively, and are monitored regularly throughout the reporting period. The monitoring of the implementation and design of internal controls is the responsibility of the legal practitioner. The internal control systems must be followed in everyday management or actual operations of the practice.

The legal practitioner is responsible for supervising the practice concerning the design and efficacy of the internal risk management and control systems, risks inherent in the practice’s activities and compliance with laws, regulations and internal rules from the compliance management plan perspective. The firm’s internal control system is important to monitor and manage risk. The control environment is the ‘tone’ of the organisation and is the foundation for all other controls. One of the factors influencing the control environment in an organisation is the “tone at the top”, which defines management’s leadership and commitment towards openness, honesty, integrity, and ethical behaviour.

Each practice should design, develop, implement and maintain a compliance risk management program (CRMP) – a compliance framework that will be appropriate to the business (De Rebus – September 2021(op cit)). The organisation’s control framework/procedures should have the necessary compliance requirements embedded therein. The compliance management system and the effectiveness thereof should be monitored to ensure compliance performance is achieved. The compliance risks should be re-assessed periodically. A well-designed corporate compliance program is designed to detect the particular types of risks most likely to occur in a particular operation’s line of business.

When developing risk management plans, and proactively planning for designing controls etcetera, one of the key points to consider, is simply ‘to know the business’ (De Rebus – March 2022 (op cit)).  ‘To know the business’ can be achieved by implementing the recommendations contained in King III and King IV Codes, which make it clear that it is fundamental to understand and appreciate the context within which risk management should be performed.

Ownership structure

Legal practice takes the form of a sole proprietorship, partnership or private company. The only form of a commercial juristic entity that is permitted to operate a legal practice is a private company (s 34(7) of the LPA). Only a private company comprising exclusively of legal practitioners may conduct a legal practice. Thus, ownership in law firms is concentrated in the practitioners who are the controlling owners. In legal practice, the client represents the investor and the practitioner the management of the firm. In a concentrated ownership structure, a conflict of interests exists between the controlling shareholders (managers) and the minority shareholders (investors) since the minority shareholders are excluded from controlling and managing the resources of the firm.

Corporate governance

Corporate governance is how companies are managed and controlled (Cadbury Report, 1992). It regulates the exercise of power, i.e. authority, direction and control, within an organisation. The separation between management and diverse and remote shareholders has led to the need for limits to be imposed on the exercise of power within the organisation. Corporate governance is concerned with the resolution of collective action problems amongst dispersed investors and the reconciliation of conflicts of interest between various corporate claimholders (Marco Becht et al. ‘Corporate Law and Governance’ (www.academia.edu, accessed 14 – 09 – 2022)). The alternative mechanisms that may mitigate it are: (i) partial concentration of ownership and control (in the hands of one or a few large investors); (ii) voting rights, which concentrate ownership and/or voting power temporarily when needed; (iii) delegation and concentration of control in the board of directors; (iv) alignment of managerial interests with investors; and (v) defined fiduciary duties for management.

Corporate governance is a dynamic process in which corporate governance practices are revised and enhanced contingent on new corporate realities (Philip Brown et al. ‘Corporate governance, accounting and finance: a review‘(www.academia.edu, accessed 14 – 09 – 2022))). Internal characteristics are those that result from decisions and actions of the shareholders and the governing body, and external characteristics include monitoring by outside parties, e.g. external auditors. External governance characteristics are beyond the control of the shareholders and management. They complement internal governance characteristics.

Corporate governance structures

The board structure tends to reflect the firm’s industry and the need for monitoring of activities (Philip Brown et al.  (op cit)). The structures, processes and practices that the management uses to direct and manage the operations of an organisation determine how authority is exercised, how decisions are taken, how stakeholders have their say, and how decision-makers are held to account. Corporate governance structures assign power, determine roles, responsibilities and leadership, govern communication with stakeholders, and ensure accountability, from which legitimacy is derived.

The entrenchment effect of the controlling owner is mitigated by the alignment effect and decreases with the increase in the level of ownership stake beyond the minimum level needed for effective control, and can be achieved through alternative mechanisms (Marco Becht et al. (op cit)). Employing a mechanism to align the interests of the management with those of the investor, e.g. equity payment, will reduce the entrenchment effect of the controlling owner. Fidelity guarantee and increased professional indemnity insurance cover can be used as an alternative mechanism for increasing the level of an ownership stake in legal practice, thus aligning the interest of the practitioners and the clients. Foreign ownership has a better monitoring ability and complements organisations as external governance agents by providing incentives for shareholders to monitor managerial performance.

In legal practice, increasing the voting rights of the minority shareholders (investors) can be achieved through the legal/regulatory framework for effective enforcement of their property rights by heightening the regulations. The external mechanism of corporate governance of appointing outside directors to the governing body can be achieved through the appointment of a Compliance Risk Officer (CRO). Outside directors play a positive role in the board’s monitoring and control function. External governance affects the intensity of the managerial discipline.

The resultant alternative corporate governance structure constitutes a supervisory board that is responsible for monitoring managerial performance and balancing the competing interests in law firms. The supervisory board will ensure that the practice is compliant with applicable laws, rules, codes of conduct and good practices.

Management is about running the business and governance is about ensuring that the business is run properly. Compliance is operational and provides advice rooted in the law/integrity. Adhering to the compliance obligations relevant to the business sector in which it operates is imperative for an organisation to succeed. Compliance promotes high standards of corporate governance and ethical behaviour. It makes good business sense to comply with the relevant compliance obligations.