Operational risks cover mainly the following:

• People
• Processes
• Systems
• External events

People

People are essential in any business entity. In a law practice, people comprise not only lawyers but also each and every employee who works at the practice.

Every employee must be competent, efficient, and professional in the tasks that he or she is engaged to perform. Staff must be supervised, be honest and ethical as the business of law is also a regulated profession.

Succession planning is also essential for business continuity, in the event key personnel of the practice leave or have to be replaced.

Processes

Many hands are involved in a client matter, including support staff, legal secretaries and even the client himself or herself.

Processes ensure efficient and professional delivery of legal services.

Work flow systems (case management) enable every stage of a client matter and any money received to be tracked from the time a client file is opened until the matter is closed.

Risks of human errors/omissions and complaints for non-compliance with professional practice and ethical rules made under the Legal Profession Act are also addressed.

Case management need not be complex. There is affordable generic software designed for case management for law practices of every size.

Finally, processes include business development strategies and insurance risks review by a practice. This makes good business sense.

• Are there new areas of practice /business opportunities?
• Does the practice’s work carry any increased risk?
• Is our professional indemnity insurance cover sufficient?
• Do we need Key Man insurance or public liability insurance?

Systems

Systems relate mainly to technology both hardware and software. Technology is used to store data and documents. Client matter related data and documents must be protected in view of obligations relating to client confidentiality and protection of personal data.

Technology is used in legal practice for filing requirements, as required by the Courts, government agencies and statutory boards, as well as for the deposit and withdrawal of conveyancing money.

Technology risks in a practice are varied. They can range from poor or weak password management to clicking on unknown e-mail attachments. They can also arise from using obsolete technology or outsourcing IT to a third party with poor management. Cyber-attacks and data breaches through the lack of security technology are a significant risk and well-publicised.

External events

Unexpected events external to a law practice can have a significant impact on the practice, such as a disease outbreak (e.g. the 2003 SARS outbreak in Singapore), cyber-attacks or the loss of key suppliers or vendors of the practice.
2. Who should address operational risks?

Operational risks are addressed by the proprietor, partners or directors of the practice, staff (whether HR, accounting, IT, paralegal or other support) and the other lawyers in the practice.

Where applicable, certain types of operational risks can also be addressed by the appropriate external vendors engaged by the practice.
3. How to address operational risks

Operational risks are identified and addressed by knowing what risks your practice faces, and anticipating and managing them with:

• strategies;
• policies;
• checklists; and
• template forms and documents.

The good news is that strategies, policies and documentation can be found in the Law Society’s Practice Management Guide (2017 edition) (the ‘Guide’). The Guide contains written templates of precedent checklists, strategies and policies to address operational risks such as business continuity, business development, and HR management covering recruitment policies, induction, training and appraisal.

The Guide also has comprehensive templates for client file management processes including checklists for file opening, on-going file management and file closing. A comprehensive compliance checklist for anti-money laundering and countering of terrorism financing is also published in the Guide.
4. What’s next?

Start to identify what the operational risks of your practice are.

Ask how severe and frequent the risks that you have identified in the following areas occur:

• People
• Processes
• Systems
• External events

Begin to implement your plans and processes to address the operational risks that you have identified. As you do, begin to ensure operational risk management becomes an important part of your practice.

Help and support are available to practices and lawyers under the Law Society’s risk management training programmes and resources.

As a business, law practices have to manage their finances properly.

As a profession, lawyers are duty bound to protect their clients’ money. The Legal Profession (Solicitors’ Accounts) Rules (‘SAR’) sets out a framework of rules for this purpose. The Conveyancing and Law of Property (Conveyancing) Rules sets out a separate framework to safeguard conveyancing money.

Finally, as law practices receive, hold and pay out moneys, there are obligations to meet in law and under practice rules to combat money laundering and terrorist financing activities.

Financial risks for a law practice therefore commonly arise from:

• Poor financial and internal controls;
• Ineffective compliance /oversight over client money and conveyancing money; and
• Lack of responsibility, diligence and monitoring to address and report money laundering and terrorist financing risks.

2. Who are involved in addressing financial risks?

Certainly the leadership of a law practice, ie, the proprietor, partners or directors is in the frontline to address financial risks.

Lawyers who hold or receive office money and client money, have professional and compliance responsibilities.

Financial and accounting staff engaged by the practice for their knowledge and skills (such as accountants, financial managers and accounting support staff) play a critical role in managing financial risks. Last but not least, all staff ought to be aware as to who and how they are required to report on financial matters of the practice.

3. How to address financial risks?

Financial risks are mainly addressed by:

• Policies, systems and processes;
• Internal controls;
• Accurate financial records; and
• Compliance with relevant laws and rules.

Examples of common financial policies and systems are:

• A management structure to oversee and manage financial affairs of the practice;
• A reporting system for financial matters e.g. monthly, quarterly and annual reports for review by key personnel overseeing financial affairs;
• Cash management policy to control and manage cash flow to the practice e.g. establishing timely and accurate billing practices;
• Credit control policy e.g. having procedures to keep tap on bills sent and follow up for unpaid bills and
• An anti-money laundering policy and checklist for the practice.

Examples of common financial internal controls are:

• Budgetary controls;
• Separation of duties;
• Approval authority controls for payments;
• Password restricted access to financial records;
• Monthly reconciliation of moneys held against bank statements; and
• Trial balance – calculating daily or weekly trial balances.

Examples of common financial records are:

• Profit and Loss statements;
• Balance sheet; and
• Cashflow report.

Help is again available from the Law Society to address this risk. The Law Society’s Practice Management Guide 2017 (the ‘Practice Management Guide’) at Chapter 8 sets out the financial and internal control policies, systems, and processes for a law practice.

The Law Society’s Guide to Solicitors’ Accounts 2016 and the Practice Management Guide both explain how to comply with the SAR.

Continuing training programmes run annually by the Law Society on practice management and the SAR help lawyers and staff know and understand financial management.

The Practice Management Guide at chapter 9 sets out a comprehensive written compliance checklist and policy documentation that you can adopt to ensure that your practice is in compliance with the laws and practice rules to counter money laundering and terrorist financing.

The Ministry of Law’s ‘Safeguarding Conveyancing Money Guidebook for Lawyers’ explains the relevant rules and documentary processes law practices are to comply with when handling conveyancing money.

4. What’s next?

Begin to build in your practice a culture of financial management. As owners of a practice, make time to read and know the main financial records of your practice.

Create awareness amongst staff of the basic financial policies and internal controls of the practice. Highlight and explain the reporting lines in your practice as regards financial matters.

Finally, prioritise understanding amongst relevant employees of the rules in place to safeguard client money and conveyancing money, as well as those to prevent the practice from being used to launder criminal proceeds or move funds that support terrorist financing.

To identify quality risks, one must understand what the roles and responsibilities of lawyers and law practices are, as professionals and legal service providers.

Lawyers are Officers of the Court and members of an honorable profession.

As Officers of the Court, they must uphold the laws of Singapore and have a paramount duty to ensure the efficient and proper administration of justice and to uphold the standing and integrity of the Singapore legal system and profession. Lawyers as members of an honourable profession must be honest and avoid any compromise of their integrity and independence.

Lawyers are in a fiduciary relationship with their clients, which means that they have a duty to:

• act in the best interests of their clients;
• maintain the confidentiality of their clients’ affairs;
• avoid situations that create any conflict of interests with the clients that they represent;
• be honest, fair and courteous in dealings with their clients;
• be competent and have the required legal knowledge and skills to act for their clients;
• complete legal work entrusted in a diligent manner;
• account for moneys received and paid out on behalf of a client;
• charge fairly for work done;
• disclose and update information on legal fees or costs; and
• keep clients informed on the progress of their matters.

The Legal Profession (Professional Conduct) Rules 2015 (the ‘Rules’) set out the rules that govern the ethics and professional responsibility of legal practitioners practising in Singapore.

Quality in a law practice is measured from the viewpoint of professional service delivery. Lawyers or law practices that: (a) grossly delay client matters; (b) act in breach of their duty of confidentiality; or (c) overcharge or act in conflict of interests, may face civil claims from their clients and/or regulatory action when a complaint is made to the Law Society.

Law practices which can be targeted to launder proceeds of crime, must also comply with the laws and professional rules to combat money laundering (Anti Money Laundering (‘AML’)) and terrorist financing (Countering Terrorist Financing (‘CTF’)).

2. Who are Involved in Addressing Quality Risks?

Lawyers who own and manage a practice have a critical role to lead and oversee their practice’s commitment to client service and professional values.

Their leadership sets the example for executives, paralegals and support staff in turn to honour and commit to professionalism in their work.

“A legal practitioner in the management of a law practice must make a reasonable effort to provide a working environment which prioritises competence, professionalism and ethical consciousness on the part of every individual working in the law practice” (see Rule 35(1)(a) of the Rules).

Every lawyer plays a role in addressing quality risks by his commitment to the guiding general ethical principles for practitioners described in Rule 4 of the Rules.

3. How to Address Quality Risks?

Quality risks are addressed by:

• training;
• policies;
• processes;
• systems;
• controls;
• checklists; and
• template forms and documents.Tell-tale signs that a practice is facing quality risks are negative feedback or complaints from clients on service and threats of professional liability claims.Help is available by way of undergoing training courses run by the Law Society.The Society’s Practice Management Guide (2017) provides written policies and systems relating to:
  • client care;
  • conflict of interests;
  • client money;
  • client confidentiality; and
  • prevention of money laundering and financing of terrorism.

  The Guide contains a comprehensive standard letter of engagement and compliance checklist template forms for client due diligence.

4. What’s Next?

Start to build a culture where work policies, systems, processes and procedures bring everyone in the practice together instead of the law practice merely comprising lawyers and employees who operate separately.

Build a practice philosophy, mission and values.

Be a training and skills development focused practice.

Recognise and reward competence, professionalism and ethical consciousness.

Lawyers own and run a business.

Lawyers are also professionals held to high standards of ethical and professional behaviour towards their clients, third parties, fellow professionals and as Officers of the Court.

When it comes to regulatory matters, law practices and the legal profession have to meet duties and responsibilities set out by external regulators such as:

• ACRA – The Accounting and Corporate Regulatory Authority enacts laws relating to the setting up and carrying out of a business or a corporation which includes law practices.
• IRAS – The Inland Revenue Authority of Singapore enacts laws relating to filings and payments of Personal and Corporate Income Tax and the Goods and Services Tax.
• PDPC – The Personal Data Protection Commission enacts laws relating to protection of personal data collected and used about individuals.
• MOM – The Ministry of Manpower enacts employment laws relating to basic terms and working conditions of all types of employees with some exceptions.
• CPF – The Central Provident Fund governs provident fund contributions and other payments when hiring employees.

Additional regulatory duties and responsibilities are imposed by internal regulators, namely bodies that are tasked specifically to only oversee the legal profession namely:

• Supreme Court – The Registrar of the Supreme Court regulates the issuance, refusal, cancellation or suspension of practising certificates of Singapore legal practitioners.
• The Legal Services Regulatory Authority (‘LSRA’) – LSRA approves names, registers and sets business and license conditions for various law practice entities, including Singapore law and group practices.

LSRA has the power, on account of non-compliance or in the public interest, to suspend or revoke a law practice’s licence, order the practice to pay a penalty not exceeding $100,000 or administer a warning.

Finally, LSRA registers all foreign qualified lawyers who practise Singapore or foreign law in Singapore.

• The Law Society of Singapore (the ‘Society’) – The Council of the Society oversees compliance with rules pertaining to professional conduct, professional indemnity, keeping of accounts/handling of clients’ money, submission of accountant’s reports and qualification to practise as a proprietor, partner or director of a Singapore law practice. It also has the power on specific grounds to intervene into a law practice to protect the public or clients’ interests or client money.

Regulatory risks arise from either non-compliance or poor compliance with the laws, regulations and rules that govern the operation of a law practice or the professional conduct of lawyers or both.

The consequences of non-compliance with regulatory obligations for a practice and/or a lawyer include criminal sanctions and financial penalties.

2. Who are Involved in Addressing Regulatory Risks?

Lawyers who own and manage a practice, whether as proprietors, equity partners or directors, have responsibility for regulatory oversight. As owners of the practice they must run their practice both as a legal business and as a professional practice.

Each lawyer receives relevant practice training and must meet and keep up to date with the professional obligations set out in the legal profession’s rules and regulations.

Staff who are delegated duties impacted by regulatory compliance, such as business development, management, financial, accounting and paralegal staff, must be trained to understand what is expected of them whilst they perform their functions.

3. How to Address Regulatory:

• knowledge based training;
• skills training;
• work policies;
• work processes;
• work systems;
• controls;
• checklists; and
• template forms and documents.

Relevant information, knowledge and guides (such as the Society’s Practice Management Guide) are available from public websites of both the external and internal regulators.

Regular talks and training are offered by regulators. Both lawyers and their staff can attend certain training seminars organised by the Society.

4. What’s Next?

With changing expectations of consumers of legal services, developments in technology and new and emerging risks, law practices can expect a continuous increase in regulations made by both external and internal regulators.

Change is constant; don’t let it be a cause of concern but instead see it as an opportunity to improve your practice.

Build in your practice a culture of open and clear communication that enables lawyers and staff to know, understand, question and clarify how they are expected to meet compliance and regulatory standards.

Reputation is defined as having a place of esteem, respect or being recognised or held to regard by others.

Reputation is based on how others perceive us and this also true for law firms.

A law practice’s reputation impacts:

• retention of its existing clients;
• attraction of new clients;
• how third parties deal with the practice;
• whether other law practices/ lawyers will refer work to it;
• recruitment and retention of quality lawyers and staff; and
• staff morale.

This category of risk is often cited as an overarching or all-embracing risk as it arises from other risks, namely, operational, financial, quality and regulatory risks as set out in the other parts of the risk management framework.

In particular, sources of reputational risks include the following:

• Clients – Dissatisfied clients can easily and quickly share and spread negative opinions especially via online platforms. Clients pose a reputational risk when they use a law practice to misuse the legal process e.g. to evade taxes, to misuse the law or to conceal the proceeds of a crime;
• Behaviour – Unethical, criminal or civil misconduct by the practice, its lawyers and/or staff seriously hurt the standing of a practice. A negative work place culture/environment affects opinions that others have about the practice.
• Regulations – Poor or non–compliance with regulations can result in investigations/inspections by regulators and sanctions for violations. Publicity of such regulatory action can reduce the practice’s overall standing;
• Operations – Ineffective/absence of systems, policies and processes in a practice can result in mistakes, lapses and high staff turnover that in turn reduce performance and productivity; and
• Cyber – With computers and other technologies pervading the work place, cyber-attacks are real and cause the loss of data and client confidential information.

2. Who are Involved in Addressing Reputational Risks?

Reputational risks can occur at all levels of a law practice. Everyone who works in a law practice has a role to play in maintaining and protecting its reputation:

• proprietors, partners or directors set the tone and lead by example;
• heads of departments;
• lawyers and paralegals;
• executive staff in finance, accounting and IT; and
• other team leaders.

3. How to Address Reputational Risks?

There are several ways to address reputational risks, for example:

• adopting a firm-wide approach to manage or mitigate reputational risks;
• ensuring coordination and communication between different departments or teams handling different types of risk (e.g. operational risk, financial risk, etc.);
• monitoring and reviewing the online reputation of your law practice; and
• incorporating reputational risk into your business continuity plans.

4. What’s Next?

Reputational risk is inherent when running a law practice.

Use the following checklist and ask – is your practice:

• organised;
• reliable (including your IT systems);
• demonstrably efficient;
• attracting quality people;
• a positive work place;
• compliant with regulatory/ethical standards;
• client focused; and
• open to criticism and feedback.

Examine areas in your practice that can expose your practice to reputational damage. Work on the area(s) that you see the highest risk to your reputation and address what you need to do before you move on to the next area.

‘Reputation – Your Firm’s Most Prized Asset’, Singapore Law Gazette (January 2018)