The dashboard of the Risk Management System is the nerve center of the risk management process. It provides an overview of an organisation’s risk profile, important alerts, top risks and the latest risk news.
This risk epicenter is now even more powerful with the addition of filters for categories and org units.
This granular view of your risks and controls enables you to drill down into any category or org unit and identify potential risks and opportunities. When using the filter, all elements of the dashboard, including reports, charts, control procedures etc. are updated with the filter.
After a successful 2016 that saw 150,000 course completions, we are excited to present our tentative plan for 2017 online course schedule.
Over 22 leading firms joined Director of Best Practice Gary Yantin and SRA Policy Executive Richard Williams for the second continuing competence user group. This candid conversation between the firms and the regulator focused on how firms have been implementing continuing competence since the changes to CPD in November, and on sharing best practice.
Many firms currently implementing changes to CPD
Richard spoke about how many firms are still in the process of implementing continuing competence. He voiced the importance that the SRA places on the new approach and advised that there will be an annual declaration as part of a renewal exercise to make sure firms are meeting their regulatory obligations. Richard also made clear that the SRA will not be carrying out spot checks on firms, but will use the annual declaration in conjunction with other regulatory data to explore any concerns it may have about the competence or standard of service provided by a solicitor or firm.
The Fourth Anti-Money Laundering Directive will be implemented by the end of June 2017. Many pages have been written detailing all of the changes and minutiae. Below are the key changes that solicitors need to be aware of as part of their day-to-day work.
We will be updating our AML courses accordingly and launching a new version of our AML 360 course later in the year.
Here are the key updates:
Simplified CDD no longer automatic
Previously certain listed companies or public bodies would automatically qualify for simplified due diligence. This exemption is no longer automatic and any decision to undertake simplified CDD must be backed up with evidence and subject to a risk assessment.
Cash thresholds reduced
The limit for eligible cash transactions is reduced from €15,000 (£12,544) to €10,000 (£8,361) and is extended to receiving as well as making payments in cash.
Absolute turnover raised
The link to the VAT registration threshold of £64,000 is removed and the annual turnover limit is raised to £100,000 across all financial activities.
The risks of a hard Brexit
Regardless of what the UK does with GDPR after Brexit, the biggest threat to data protection is from an exit from the EU without any deal. This is the so-called hard Brexit and fallback to World Trade Organisation rules until a further agreement is reached, or not. It’s the kind of Brexit Theresa May and many inside the Conservative party and Leave camp have called for. As we have seen, the crucial component for the UK after Brexit is to be judged as offering an adequate level of protection by the European Commission.
A hard Brexit with no deal means no assessment of adequacy. Furthermore, the UK cannot apply to the European Commission for an assessment of adequacy, that determination can only be given by the Commission itself. If the negotiations turned sour and both parties decided to walk away with no deal, perhaps due to the estimated €60bn leaving bill, there might not be much goodwill left to speed up a UK adequacy determination for GDPR.
Changes to Data Protection Under GDPR
Data protection law in the UK is based on the 1998 Data Protection Act. However, with continued changes in technology, 20 years on, that law looks outdated and irrelevant to the data protection concerns we face today. In May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act and will impose many new responsibilities and sanctions on organisations. Despite all the noise around GDPR, the eight principles of data protection laid out in the 1998 Data Protection Act will remain relevant, with changes to some of the key principles. Below is an overview of the eight principles of data protection, with guidance on the changes and what they could mean for your business.
Editor’s note: the eight principles of data protection have now been amended to become the six principles of GDPR. You can read more about the six principles here.
The Eight Principles of Data Protection
1. Fair and lawful
Your organisation must have legitimate grounds for collecting the data and it must not have a negative effect on the person or be used in a way they wouldn’t expect. Organisations are required to provide full transparency about how they wish to use the data, as well as ensure their data is only used in ways customers would expect. Detailing precisely what a consumer’s information is being used for allows them to make an informed decision as to whether to share certain pieces of personal information.
Changes under GDPR
Under GDPR, conducting criminal record checks on employees must be justified by law. For example, a school is far more likely to be permitted to carry out such checks on their teachers than a restaurant hiring kitchen staff.
Around 50% of FTSE 100 companies have a financial year ending on 31st March
When Should My Organisation Publish its Modern Slavery and Human Trafficking Statement?
The 2015 UK Modern Slavery Act stipulates that all companies with an annual turnover of over £36 million must publish a Slavery and Human Trafficking Statement for 2016. The government guidelines recommend that a company’s Slavery and Human Trafficking Statement should be published prominently on its website within six months of the end of its financial year. Here are the relevant dates for companies to produce their statement:
| Financial Year End | Recommended Start Date | Statement Due Date |
|---|---|---|
| 31st March 2016 | 1st April 2016 | September 30th 2016 |
| 31st June 2016 | 1st July 2016 | December 30th 2016 |
| 31st September 2016 | 1st October 2016 | March 30th 2017 |
| 31st December 2016 | 1st January 2017 | June 30th 2017 |
Here is a practical checklist with the steps you need to take to ensure your statement is published on time.
Our research shows that around 50% of companies have a financial year end of 31st March. This means that over half of the companies with a turnover of over £36 million should have already published a Slavery and Human Trafficking Statement. As organisations get to grips with the new regulations under the Act, it is clear that not all of them are performing well.
The findings of a recent report by the Business and Human Rights Resource Centre show that most organisations are still far from meeting the minimum requirements and from demonstrating that they take the Act seriously. The report analyses the FTSE 100 companies that have a statement due date of 30th September or that have already published a statement. Its findings show that:
- Only 56% of the Slavery and Human Trafficking statements met the minimum requirements of the Modern Slavery Act
- In the Structure, Business & Supply Chains category, the average score out of 5 was 1.8
- The Risk Assessment & Management category had an average score of 2.2
- Only M&S provided Key Performance Indicators in their statement, with the Effectiveness category scoring an average of 1 out of 5
- The highest scoring category was Due Diligence Processes. Nonetheless, it achieved an average score of only 2.3%
Twelve Months Prior to Publication – Understand Supply Chains and KPIs
- Develop measurable KPIs for your anti-slavery programme
- Review and update your company’s supply chain risk assessment
- Review and update due diligence measures
The Oxfam story must be a warning sign to risk managers
As Oxfam finds itself engulfed in crisis due to the actions of its employees, we take a closer look at the consequences of reputational damage. Following sexual misconduct claims against the charity’s staff dating back to 2011 in Haiti, Oxfam is scrambling to contain the crisis, with the UK government threatening to cut its funding of over £30m. The charity must now demonstrate to the government that they have “moral leadership” to stand any chance of retaining any of the funding.
Introducing VinciWorks’ new AML 360° course for accountants
VinciWorks has just released a new course on anti-money laundering aimed at accountants. The course will focus on money laundering challenges that accountants in particular are faced with. This includes information on the EU Fourth Directive that comes into effect on 26 June 2017, as well as identifying potential red flags specific to accountants.
Our course is tailored for accountants who have already undergone training on anti-money laundering; users will be provided with in-depth knowledge to help keep them up to date with anti-money laundering laws. Real-world, industry-specific scenarios will help guide participants through money laundering questions that face accountants today.
How well do you really know data protection rules?
With the new General Data Protection Regulation (GDPR) coming into force in 2018, organisations are working hard to ensure they meet the new regulations. Companies processing over 5000 personal records per year or employing over 250 staff are now required to appoint a data protection officer, or DPO. Marketing teams will need to ensure they have consent from those they are marketing to, and genetic and biometric information is now also considered sensitive data under GDPR.
Play the GDPR data protection game
Our game puts you in the manager’s seat of a company and provides feedback on the decisions you make.