What are YOU doing to stop human trafficking?

18 Oct

Warning – if you’re of a sensitive disposition, or can’t tolerate women with strong opinions, look away now.

Today is Anti-Slavery Day. Slavery is still very much with us, and closer than you might think. Unless you’ve had your head in the sand it would be hard to have missed recent news stories such as this one about a 10 year old girl trafficked into the UK to be used as a servant, and then exploited in every way imaginable.

And let’s not pretend that this only happens in cities. It’s happening in my home town in South Wales, and in villages.

So, have you been turning a blind eye?

It doesn’t often happen that my professional and personal interests come together. Yes I find legal compliance fascinating, and am bloody good at it. But I’m also passionate about human rights, specifically human trafficking. Not being one to beat around the bush – I care VERY deeply about preventing the trafficking of women, children and adult males for sexual exploitation. So there. It’s out. I’m a feminist who wants to see an end to slavery. Who wants to see those people who traffic vulnerable people put behind bars. And don’t get me started on those who exploit the victims whilst they’re caught in the system. Yep – if for instance you’re a punter and you’re using a prostitute who you suspect has been trafficked and is working against her will, you’re guilty too.

Anyway, back to the story. Yesterday afternoon I was fortunate enough to attend the Finance Against Trafficking conference. It was one of those rare occasions where my personal and professional passions met, where you knew you were surrounded by like-minded people, and where the things you’re interested in aren’t considered taboo subjects. Oh the relief! I’m going to be writing a few blog posts about the areas covered during the conference over the next few weeks, but one thing I will say now is that as a business, you ought to start thinking about human trafficking. Whether you’re a sole trader or huge corporation, it’s not something you can ignore any longer. And yes that includes law firms. If you think that it doesn’t apply to your firm, think again. I know for a fact that traffickers try to legitimise illegal trafficking arrangements by using solicitors to draft contracts with trafficking victims for instance. And that that will be just the tip of the iceberg. Much more on the role of law firms in future posts though.

In the meantime, please do take a look at the Finance Against Trafficking website. They’re doing a sterling job, and are lovely people to boot.



30 Sep

I’ve just finished reading ‘Quiet’ by Susan Cain. If like me you’re someone who needs their own space to wind down or think, read it. If you’re not someone who needs their own space to wind down or think, read it anyway so that you can learn about us more sensitive souls. We’re out to reclaim the word ‘introvert’. No more negative connotations. Shy? Not necessarily. Calm, measured and thoughtful? Absolutely.

It makes me want to cry inside when I see quieter people forced to work in open-plan environments because the managing partner’s wife is studying feng-shui and apparently this set up will be good for business. As a manager, it is your responsibility to ensure that your employees work in an environment which is conducive to productivity. If you’re less gobby and sit behind a partner who shrieks and yells at every email that comes her way, then you’re not going to be as productive as you could be in your own space where you can work undisturbed.

Open-plan set ups will never stop some people from spending too long looking at the website or instant messaging friends on Facebook, so it’s a myth that they give you more control over your work force. And if you want that much control anyway, you should probably move into politics. If you have effective supervision procedures in place then you don’t need to herd workers together like battery hens. And effective supervision procedures do not mean that you should read everyone’s emails. That’s just silly. And an invasion of privacy.

Yes extroverts likely prefer open plan set ups, but let them have the choice as to when they want to be around people. Have lots of nooks and crannies where quiet people can escape to if you insist on sitting them largely in one big room. If louder people want to sit near others all the time then let them have the choice. But don’t force quiet people to be like them and do the same, because (and trust me on this) eventually they’ll leave.

If you’ve read business books that tell you that quieter workers should be brought out of their shells and forced to work and behave in a certain way, give them to charity and start again. Yes quieter people can learn to behave in extrovert ways – I’m not backwards in coming forwards for instance, but if you try and force us to speak for the sake of speaking, or work a room by talking about bollocks, then you’re not likely to get far. I’m Welsh goddammit. You’re lucky if we grunt at each other when we meet in the street!

So has this got anything to do with risk, or am I just letting off steam? Yes and yes. If you have too few quiet people in your business then you’re likely to be taking more risks, in every arena. We quiet people (usually) think before we speak, and definitely before we act. We survey the horizon. This is not to say that we don’t take risks. Far from it. But the ones we take are calculated and measured. We’d try our damnedest not to put people’s livelihoods at risk if we were managing pension funds for instance, and certainly wouldn’t pay several times more than a company is worth if we worked in M&A, just for the thrill of the chase.

So what if we don’t know lots of dirty jokes, or can’t work a whole room in 5 minutes? I can swear in Welsh and Icelandic and that’s good enough for me. We’re not anti-social or boring. I like to walk up big mountains for a hobby and love being around people. When I attend networking events I can usually come away with a new friend, rather than just a series of hellos and a selection of business cards. We ‘quiets’ just need more time to ‘be’. By recruiting only ‘louds’ you’re likely setting yourself up for a fall. It’s all about getting the balance right.

Life as a COLP. A poem.

20 Sep

“You won’t have to do much” Bob had said after I’d drawn the very short straw

“I’m sure we’ve a Staff Handbook that could easily be tweaked,

And there’ll no doubt be guidance galore”


I tried not to cry when the handbook arrived and I spotted the date last amended

1984 was a great year for Wham

But this is not what the SRA intended


“I need your help” I’d whispered to Pam, my erstwhile and noble PA

“Bob thinks that this is a short term job

But the Ethics helpline have said absolutely no way”


With a plan set in motion, and the goals held in mind, we ploughed through the OFR tome

Trying not to freak out at behaviours and outcomes

That would render our colleagues disowned


After I’d had to explain what laundering meant, to Pete our MLRO

We’d devoured the Practice Note and through blood, sweat and tears

Birthed a manual that would impress Fluck and Co


“Bob won’t come out” Pam announced at the fire alarm evac roll-call

“I asked him to leave 3 times” she sighed

But Man U are playing against Millwall


“We need a new Complaints Partner” said I to Bob over coffee and much needed cake

Telling a client that they “can just piss off”

Is not something Sam Barrass will take


“I was desperate” sobbed Jim as he tried to explain why his laptop was not where it should be

I thought I’d be quick and that the files would be safe

But those train toilet cubicles confound me


“But the cat sitter’s booked and I’ve bought a new club!” said John from Dispute Resolution

On hearing the news that long jollies to Cannes

Were now banned under bribes and corruption


My hair has gone grey, my shoulders have hunched and my eyes are all sort of sunken

But I’ve covered all bases and am happy that now

We’re as compliant as Townsend and Phippen


By Hayley Crawshaw

Social media for Solicitors. Count to ten…

5 Sep

Before hitting tweet, post, send or return. Don’t post any pictures where you can see your knickers, and/or where you’re extremely drunk. And if you are extremely drunk, step away from your communication device and go sleep.

Law Society Practice Notes

Read this one and this one. Once your reputation has been tarnished, it can be extremely difficult to repair. Whether malicious or accidental, the ‘wrong’ tweet or Facebook post could bring you no end of grief. This is not to say that your firm shouldn’t be tweeting or Facebooking – I absolutely think that you should be, but tread carefully. Take precautions. Be mindful. Implement a policy.

Social Media Policy

Make sure that you cover all forms of social media. Be it blogs, Instagram or LinkedIn – your policy should apply regardless. Using your personal device at home and posting under your own name? It doesn’t matter. If it breaches the policy then you can still ask employees to remove offending posts.

Privacy settings

Information published on the internet can stick around for a very, very long time. Think that your information is private? Think again. When did you last check your privacy settings? Restrict the number of people who can post publicity material in the firm’s name, and make sure that all who have personal accounts have made it clear that “The views expressed are my own and don’t reflect those of my employer”.

Permitted use

Acknowledge the importance of the internet and social media in helping to shape the way that your firm is thought of, both by the public and the industry as a whole, but make it clear that employees have to accept responsibility for making sensible decisions about what is and isn’t acceptable. It is not acceptable for instance to breach client confidentiality, to have arguments online, or to post naughty pictures. Ever.

You may want to restrict use of non-work related social media to outside core working hours, and, even on the work-related sites, make it clear that posts should be about industry developments or regulatory issues. Not Miley Cyrus.

Related policies

Make it clear that employees should also familiarise themselves with your Information Security, Data Protection, Client Confidentiality, Whistleblowing and Equality and Diversity policies. Posts should never be abusive, obscene, discriminatory or derogatory. Do not harass, gossip or share confidential information. If you do, your behaviour WILL come back to bite you on the bum.

Made a mistake? Correct it. Now. If the discussion becomes heated, try to be conciliatory rather than wading in. Are you feeling angry or upset? Go make a cuppa rather than sounding off online. And never, ever talk politics or religion on a public forum. You will annoy someone somewhere.

Cyber bullying

If a member of your staff has been harassed or bullied online, do something about it, and quickly. Make sure that everyone knows to come to your COLP (Compliance Officer for Legal Practice) if they need guidance or reassurance about what they’ve seen or want to post. And don’t forget to take screenshots straight away, before the evidence disappears.


Forewarn staff that use of the internet and social media websites may be monitored, and disciplinary action taken if they’ve acted like eejits. If they commit a criminal offence then they can also expect a ride in a police car. Your COLP should have the right to demand that certain material be withdrawn immediately. Make it clear if you also use internet searches to conduct due diligence on job candidates.

Conclusion – use the internet responsibly

Would you tell your mum what you are about to post? Are you being nice? Is your boss likely to have a hernia when they see it? Act professionally, even when posting in a personal capacity – you will be associated with whatever you publish, even if you were on a stag or hen do, or a mean friend used your hand held device to post on your behalf something which seemed hilarious at the time. This is why pin codes were invented. Use them.

Social media can be a fabulous marketing tool if used properly. You just need to set certain boundaries. Use it. Don’t abuse it.

Taking Risks – How Far Would You Go?

28 Aug

Do you think like an explorer, or do you prefer to have complete control over a situation? I recently read a National Geographic article on The Mystery of Risk (June 2013) which asked why some people are prepared to take risks, whilst others will always walk the line.

As a Risk and Compliance Consultant for Law Firms you may well think that I’m risk averse. That I’m the party pooper always saying no to the exciting and interesting things, like clients in foreign jurisdictions, or unusual transactions. I’m not. I believe in taking calculated, methodical risks. For me the important factor is not that you avoid risk altogether, but that you think about what you’re doing, at all times, and that you trust that old crumpet – gut instinct.

By all means take on clients from far off places, just make sure that they’re not on any sanctions lists and that you’ve conducted appropriate due diligence checks. If a transaction is unusual – ask pertinent questions and really get to Know Your Client and their business. If it makes financial and business sense, then dive in and enjoy. If it doesn’t, then move on. Life is too short not to try new things (that aren’t dodgy), and similarly too short to take stupid risks. Your gut will always tell you if you’re being a twit so learn to trust your ‘second brain’.

Dopamine is a neurotransmitter that helps control motor skills, and it is the dopamine system that provides the oomph. The drive. The desire to take risks to accomplish something. And yep you’ve guessed it. Dopamine is produced not only in our brains but in our guts. If I’m asked a question and my stomach flips, I know not only to give my trademark ‘are you taking the mick?’ look, but to sit down and analyse the situation properly. You don’t have to spend hours conducting a risk assessment, but you do need to be able to demonstrate that you’ve put some thought into your decision, and that there’s an audit trail, should it all go pear shaped and the SRA (Solicitors Regulation Authority) come a’knocking.

Think of your risk register, assessments and reviews as the adrenaline kicking in to counteract the release of the dopamine. Whilst the dopamine is telling you to get on the Pepsi Max Big One (Google it), the adrenaline will be reminding you that actually that’s not such a good idea having just eaten a supersized portion of fish and chips.

On a personal note I enjoy trekking, wild swimming, kayaking, and travelling to off the beaten track places. I’ve been described as both loopy and brave for doing such things. I’m neither. I just assess situations and never dive straight in. If I want to walk up a mountain in winter, then I assess the avalanche risk and take the necessary equipment. If I want to go swimming in a lake, I go with friends and we take precautions. If I want to post things about issues that mean a great deal to me on Twitter, then I accept that I may lose followers who aren’t passionate about such causes or who can’t accept that ’orrible things are happening in the world. All are calculated risks, and ones worth taking for the rewards.

If you’re fortunate enough to have a Risk Manager for your firm as well as a COLP (Compliance Officer for Legal Practice) then that person will be well versed in building, developing and maintaining risk registers. The Compliance Plan will have been founded on gut instinct as well as blood, sweat and tears; and they’ll face new compliance challenges head on.

If you haven’t been able to afford to employ such a person then panic not, as here comes the selly sell bit 🙂 Freelance Risk and Compliance Consultants are value for money, and having taken additional risks in going freelance so that they could spread the love, may, dare I say it, have even more to offer than an employee. Not least because they won’t be bound by office politics, and so can be forthright.

So if you don’t yet have a lovely new set of compliance policies and procedures in place; your staff have never received training in anti-money laundering or anti-bribery and corruption; or you fear that you may well be facing a visit from the regulator in the near future, take a risk, and speak to a consultant. Most of them don’t bite.

What does collaboration have to do with compliance?

10 Jul

Absolutely everything! I’m not talking about collaborative partnerships in terms of a legal relationship, or the use of collaborative lawyers to resolve family disputes. I’m talking about teamwork.


In a nutshell, if the workplace culture is one where there’s a lack of trust, whether that be in senior management or even colleagues, then it’s going to be extremely difficult to ensure that the firm complies with all of its professional, statutory and regulatory obligations. Compliance cannot be the responsibility solely of the COLP (Compliance Officer for Legal Practice), COFA (Compliance Officer for Finance and Administration) and Risk and Compliance Manager. It has to be something all employees believe in, and which is encouraged from the top down.

What’s the point?

If you’re at the stage where you don’t see the point of compliance, but are yourself a member of the senior management team, then it might be time to take a step back and reassess your perspective. What is your problem with compliance? No seriously, that’s not me being provocative. I genuinely want to know. From my perspective, compliance is all about doing things right, getting everything in order, spring cleaning your business, and ensuring that as a senior manager you’re in the know – that there aren’t any nasty surprises lurking in the shadows. If you disagree, might there be things happening behind the scenes that you’re perhaps too afraid to address?


Yes compliance can be expensive if you opt for all of the bells and whistles, and yes it can be time consuming unless those given responsibility for it are prepared to learn quickly, or turn to those in the know for guidance. But as with everything in life there are always options. If you can’t afford to employ a full time Risk and Compliance Manager, then go for a part-time one or Risk and Compliance Consultant. If you can’t afford online verification systems then don’t buy them – they’re not essential. If you don’t know where to start, then just start anywhere. Seriously, there’s no need to get bogged down.

Building trust

Lead by example. Even if in the past you’ve said something along the lines of “I don’t do compliance”, it’s never too late to change your mind. You, as one of the firm’s leaders, are responsible for inspiring your employees to adopt ideal working behaviours. You have to accept responsibility, do what you say you will and support your staff, otherwise credibility flies out of the window. Without confidence and trust in the firm and its leaders, you will not achieve the outcomes you may have set in your grand 3 year strategic plan. And remember that trust can easily be lost.


Live the rhetoric. Be honest about all of the issues that need addressing – those which are glaringly obvious even before your COLP has sat down to create/review your compliance plan and risk register. If you can start addressing these issues immediately then do so, identifying stakeholders and allocating roles as you go. Now you’ve set the groundwork for two-way communication. By acting with integrity and honesty you will do the right things. Reliability and credibility go hand in hand. Without them it will be nigh impossible to have employees meet agreed standards. Yes they might talk the talk, but unless you and they can see the wood for the trees, and acknowledge that compliance can be of great benefit to the firm as a whole, then they won’t be walking the walk.

Building blocks

In a workplace culture which fosters consideration and support of others, having effective compliance policies and procedures in place can improve both internal and external business relationships. An environment in which compliance is respected rather than scorned can lead to ambitions being achieved and challenges overcome. When you truly embrace collaborative working relationships people will want to be a part of what you have going on, whether that be as an employee or client. Once such a powerful culture has been experienced, there’s no going back.

Information Security – moving beyond the DPA and Law Society Practice Note

28 May

Cyber security – own the risk

E-crime and hack attacks only happen to the big guys, right? Wrong. Yes, the media only report the high-profile security breaches, but that’s because they have to sell newspapers. Unfortunately, attempts to steal intellectual property and personal data are on the increase in all industries, including professional services. Sadly it may sometimes be the case that the person who steals the information did it simply because they could, and picked the target at random. So please don’t become complacent and think ‘oh it’ll never happen to us’. Given the nature of my work I’m naturally cautious, so when my bank account was emptied by some fraudsters last year it came as something of a shock. Fortunately I was alerted quickly, took action, and was given the money back by the bank, but the bank had to take the hit, and in my conversations with them they said that this sort of thing was now a regular occurrence. The e-criminals are one step ahead. Is changing your passwords regularly enough? Don’t just assume that your IT department has considered all of your digital network’s vulnerabilities. Make sure that cyber security is on the managing board’s agenda.

The risk-based approach

The Law Society Practice Note suggests that, in order to comply with the Data Protection Act 1998 (DPA), the Regulation of Investigatory Powers Act 2000 (RIPA) and the Computer Misuse Act 1990 (CMA), you carry out a risk assessment of your information security requirements so that you can identify:

  • Your firm’s information assets
  • Threats to these assets, and their likelihood and impact
  • Ways to reduce, avoid or transfer risk
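As an added example (not from the post or the Practice Note), here is a small Python risk register that carries the three steps above through: each information asset is paired with a threat, scored for likelihood and impact, and mapped to reduce, avoid or transfer. The 1 to 5 scale, the rating cut-offs, the extra ‘accept’ outcome for low scores and the sample rows are all assumptions made for the example.

```python
from dataclasses import dataclass

# Scores use a 1..5 scale for likelihood and impact (an assumption; the
# Practice Note prescribes no particular scale).

@dataclass(frozen=True)
class Risk:
    asset: str        # the information asset (step 1)
    threat: str       # a threat to it (step 2)
    likelihood: int   # 1 = rare .. 5 = almost certain
    impact: int       # 1 = negligible .. 5 = severe

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Band a score; the 8 and 15 cut-offs are this example's choice."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def treatment(risk: Risk) -> str:
    """Step 3: reduce, avoid or transfer (plus 'accept' for low residual risk)."""
    if risk.score >= 20:                              # near-certain and severe
        return "avoid"
    if risk.impact >= 4 and risk.likelihood <= 2:     # rare but severe: insure it
        return "transfer"
    if risk.score >= 8:                               # worth controls, then re-score
        return "reduce"
    return "accept"


def build_register(risks):
    """Return the register as rows, highest score first."""
    rows = [{"asset": r.asset, "threat": r.threat, "score": r.score,
             "rating": rating(r.score), "treatment": treatment(r)} for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register for a small firm.
SAMPLE_RISKS = [
    Risk("client files on fee-earner laptops", "laptop left on a train", 4, 4),
    Risk("practice management server", "ransomware via e-mail attachment", 3, 5),
    Risk("paper deeds in the strong room", "office fire", 1, 5),
    Risk("personal data on staff USB sticks", "unencrypted stick lost", 5, 5),
    Risk("staff mailboxes", "spam e-mail opened", 5, 2),
    Risk("reception screen", "visitor glimpses a client name", 3, 1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['score']:>2} {row['rating']:<6} {row['treatment']:<8} "
              f"{row['asset']}: {row['threat']}")
```

The point of the ordering is the audit trail the post asks for later: the register shows why the unencrypted USB stick was banned rather than insured, and why the office fire was insured rather than engineered away.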

Confused already? I’d suggest calling in the experts rather than trying to conduct the risk assessment yourself, as you’ll be the only person you can kick if summat does get missed. Do you know what malware is? Would you know straight away if any of your data had been copied without your permission? How exactly is your cyberspace protected? Please don’t wait until the horse has bolted to give cyber security the attention it deserves. It needn’t be expensive to have someone who knows what they’re doing review your existing systems, point out the holes, and make suggestions. And believe you me, it’ll be money well spent.


What harm could an information security breach cause?

  • Fake credit card and other financial transactions;
  • Putting the personal details of witnesses at risk of physical harm or intimidation;
  • As above, for offenders;
  • As above, for employees;
  • Causing embarrassment or inconvenience to individuals;
  • Identity fraud;
  • Other types of fraud;
  • Irretrievable loss of data;
  • Corruption of data;
  • Other misuse of data;
  • Serious damage to your firm’s reputation and prosperity;

Shall I go on?

Security controls

The DPA requires you to go beyond thinking solely about the way information is stored or transmitted. Under the 7th Principle you have to consider the security of every aspect of your processing of all personal data. This means that you must ensure that:

  • Only authorised people can access, alter, disclose or destroy it;
  • That these people only act within the scope of their authority;
  • If personal data is accidentally lost, altered or destroyed, that it can be recovered to prevent any damage or distress to the individuals concerned.

You’re not expected to turn your server room into Fort Knox, but you are expected to have ‘appropriate’ security measures in place. How you define appropriate is up to you, but I’d say it’s when you reach a stage where you stop waking up at night worrying about it.

Network security

The Information Commissioner’s Office (ICO) guide to information security lists some of the more obvious management, organisational and physical security (lock cupboards and doors!) measures you should consider taking so I won’t repeat them here, but there follows some suggestions as to how you can protect your networks. You could also apply a recognised information security management standard from the ISO 27000 series.

  • Install a firewall and virus-checking system;
  • Ensure that your operating system is set up to receive automatic updates;
  • Ensure that the latest patches or security updates are downloaded;
  • Only allow your staff access to information that they really need to know in order to do their jobs;
  • Don’t let staff share passwords;
  • Encrypt personal data;
  • Protect all portable devices with encryption software, so that if they are left on a train, the information stays safe;
  • Don’t allow staff to use their own removable media, or connect their personal device to the firm’s infrastructure;
  • Back-up information regularly, and store securely off-site;
  • Destroy the hard disk when disposing of old computers;
  • Install anti-spyware;
  • Password protect or encrypt the content of sensitive emails;
  • Encourage staff to use the blind carbon copy (bcc) option rather than (cc) so that recipients cannot see the email addresses of other recipients;
  • Encourage staff to use strong passwords which are at least 7 characters long, consist of a combination of upper and lower case characters and numbers, and prompt them to change them at least every 3 months;
  • Ask staff not to open spam emails.
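The password bullet above is the one item in this list that can be checked mechanically. The following Python, added here and not the author’s, validates a candidate password against exactly that rule (at least 7 characters, upper and lower case letters plus a digit) and lists staff whose last change is more than 90 days old. The 90-day reading of ‘every 3 months’, the staff names and the dates are constructed for the example.

```python
import re
from datetime import date

MIN_LENGTH = 7
MAX_AGE_DAYS = 90   # the post's "at least every 3 months", read as 90 days (assumption)

# Each rule is (message, pattern that must match somewhere in the password).
CHARACTER_RULES = [
    ("no upper-case letter", re.compile(r"[A-Z]")),
    ("no lower-case letter", re.compile(r"[a-z]")),
    ("no digit", re.compile(r"[0-9]")),
]


def password_problems(candidate: str) -> list:
    """Check a password at the moment it is set; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    problems.extend(msg for msg, rx in CHARACTER_RULES if not rx.search(candidate))
    return problems


def days_since_change(last_changed: date, today: date) -> int:
    return (today - last_changed).days


def overdue_users(last_changed_by_user: dict, today: date) -> dict:
    """Users whose password is older than MAX_AGE_DAYS, with the age in days."""
    return {user: days_since_change(changed, today)
            for user, changed in last_changed_by_user.items()
            if days_since_change(changed, today) > MAX_AGE_DAYS}


# Constructed sample data: candidate passwords and last-change dates.
SAMPLE_CANDIDATES = ["Wham1984", "password", "Pam1", "ABCDEFG1"]
TODAY = date(2013, 5, 28)
SAMPLE_LAST_CHANGED = {
    "pam": date(2013, 4, 1),    # 57 days: fine
    "jim": date(2013, 1, 2),    # 146 days: prompt for a change
    "bob": date(2013, 2, 27),   # exactly 90 days: not yet over the limit
}

if __name__ == "__main__":
    for pw in SAMPLE_CANDIDATES:
        print(f"{pw!r}: {password_problems(pw) or 'ok'}")
    print("due for change:", overdue_users(SAMPLE_LAST_CHANGED, TODAY))
```

The complexity check runs only on a password as it is being set, never on stored passwords, which should exist only as salted hashes; the expiry check needs nothing but the last-change date. One caveat for anyone applying the bullet today: later guidance from the NCSC and NIST SP 800-63B advises against forcing periodic changes and favours changing a password when there is reason to think it has been compromised, so treat the 3-month prompt as the post’s 2013 advice rather than current best practice.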

This all sounds a bit Matrix

Actually, it’s more like WarGames (1983). Poor network design may be seen as an invitation to those who don’t have scruples, and it’s up to us to prevent their attacks. Don’t forget that, sadly, the threat can also be internal. Sensitive information can be leaked by disgruntled staff, and websites defaced by those in the know. For this reason, consider segregating critical business information assets, whilst simultaneously using intrusion monitoring tools and regularly auditing the activity logs. Ensure however that there is very limited access to the audit system and activity logs. Don’t allow internal IP addresses to be exposed to external networks, but do employ someone to try and hack into your systems! Simulated cyber attack exercises can not only be very exciting, but also extremely useful.
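As an added Python example that is neither the post’s nor the ICO’s code, the block below ties two of the points above together: the 7th Principle’s requirement that people act only within the scope of their authority (a role-based check that records every attempt, allowed or denied) and this section’s advice to audit the activity logs regularly (a review that flags users with repeated denials, any access outside office hours, and log lines that do not look like anything the system wrote). The roles, staff names, log format and office-hours window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed policy: what each role may do with a client file.
PERMISSIONS = {
    "secretary":  {"access"},
    "fee_earner": {"access", "alter"},
    "partner":    {"access", "alter", "disclose", "destroy"},
}
STAFF = {"pam": "secretary", "jim": "fee_earner", "bob": "partner"}


def authorise(user, action, client_file, when, log):
    """Allow only actions inside the user's role, and record every attempt."""
    role = STAFF.get(user)
    allowed = role is not None and action in PERMISSIONS[role]
    log.append(f"{when.isoformat(timespec='seconds')} user={user} role={role} "
               f"action={action} file={client_file} result={'ALLOW' if allowed else 'DENY'}")
    return allowed


LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=\S+ action=(?P<action>\S+) "
                  r"file=(?P<file>\S+) result=(?P<result>ALLOW|DENY)$")


def review(log, deny_threshold=3, office_hours=(7, 19)):
    """Audit pass over the activity log: repeated denials, out-of-hours use, junk lines."""
    denies = defaultdict(int)
    out_of_hours = []
    unparsed = 0
    for line in log:
        m = LINE.match(line)
        if not m:
            unparsed += 1          # a line the system did not write: tampering or corruption
            continue
        if m["result"] == "DENY":
            denies[m["user"]] += 1
        hour = datetime.fromisoformat(m["ts"]).hour
        if not office_hours[0] <= hour < office_hours[1]:
            out_of_hours.append((m["user"], m["action"], m["file"], m["ts"]))
    return {
        "denied": dict(denies),
        "repeat_offenders": sorted(u for u, n in denies.items() if n >= deny_threshold),
        "out_of_hours": out_of_hours,
        "unparsed": unparsed,
    }


def sample_log():
    """Constructed day of activity: a fee-earner repeatedly trying to destroy files,
    a secretary working at 23:40, an unknown account, and one corrupted line."""
    log = []
    t = datetime(2013, 5, 28, 9, 0, 0)
    attempts = [
        ("pam", "access", "CLIENT-0042", t),
        ("jim", "alter", "CLIENT-0042", t.replace(hour=10)),
        ("jim", "destroy", "CLIENT-0042", t.replace(hour=10, minute=5)),
        ("jim", "destroy", "CLIENT-0043", t.replace(hour=10, minute=6)),
        ("jim", "disclose", "CLIENT-0043", t.replace(hour=10, minute=7)),
        ("bob", "disclose", "CLIENT-0043", t.replace(hour=11)),
        ("pam", "access", "CLIENT-0099", t.replace(hour=23, minute=40)),
        ("mallory", "access", "CLIENT-0042", t.replace(hour=12)),
    ]
    for user, action, client_file, when in attempts:
        authorise(user, action, client_file, when, log)
    log.append("garbage line not written by authorise()")
    return log


if __name__ == "__main__":
    for key, value in review(sample_log()).items():
        print(f"{key}: {value}")
```

Two design points follow the post’s own advice: the log records denied attempts as well as allowed ones, because a run of denials is the signal that someone is probing beyond their authority, and the review runs read-only over the log so the people doing the auditing need no write access to it.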

Education and awareness

Train, train and train some more. Make all staff aware of their personal security responsibilities. There are plenty of e-learning packages available which can help you create a firm wide security conscious culture. Put clear policies in place, along with an effective system for reporting incidents and breaches quickly so that they can be contained, or the damage limited. And even if the horse has bolted, ensure that you always investigate the causes of any breach or any incident, and update your procedures accordingly. Users are the weakest link in any security chain, and by default the primary target. To quote David Lightman in WarGames, “I don’t believe that any system is totally secure”.

