The documentation disaster: partial records, missing systems, and the risk to law firms

The SRA examined 25 firms and found that:

41% maintained only partial breach records.

In many cases, these records lacked:

• The circumstances of the breach
• The rationale behind decisions
• Details of remedial action
• Any assessment of risk or seriousness

This isn’t just poor administration.
It means firms are unable to justify their decisions if challenged by the regulator.

Documentation is not a box‑ticking exercise. It underpins:

• Regulatory defence
• Risk management
• Accountability
• Transparency

Without full records, firms cannot:

• Demonstrate compliance
• Show reasoning behind decisions
• Identify trends or patterns
• Learn from past mistakes

In short: no records = no protection.

The SRA also found structural failures in how firms store and manage compliance data:

• 11% of firms had no system at all for storing reports
• 17% had no internal reporting policy
• Some relied on scattered emails or inconsistent folders

This raises a fundamental question:

What is the point of documenting breaches… if you can’t retrieve or evidence them?

In today’s environment, where technology is widely available, this is not just surprising - it’s avoidable.

One of the most dangerous findings is what Brian calls the “verification vacuum.”

• 11% of firms had no process to check staff compliance with policies
• Yet 94% of firms had office manuals in place

The result?

Policies exist - but nobody checks whether they are followed.

Many firms rely heavily on trust.

But as experience shows, trust without verification creates risk.

Without proper controls:

• Errors go undetected
• Misconduct can develop
• Breaches can become systemic

In extreme cases, unchecked trust can lead to serious financial misconduct.

File reviews are one of the most effective tools for monitoring compliance.

The SRA found:

• 83% of firms conduct file reviews
• But many are ad hoc and inconsistent, not systematic

This creates a missed opportunity.

Done properly, file reviews can:

• Identify emerging risks
• Highlight training needs
• Detect compliance breaches early
• Improve supervision

But when treated as a tick‑box exercise, their value is lost.

Another critical issue is under‑utilisation of existing systems.

Many firms have:

• Case management systems
• AML fields and workflows
• Digital compliance tools

Yet in practice:

• Fields are incomplete
• Processes are bypassed
• Systems are used only partially

This creates a false sense of security.

Having a system is not enough.

Compliance depends on how well systems are used, not whether they exist.

The documentation problem extends into training and competence:

• 19% of COLPs had no learning and development records
• Only 44% could evidence compliance training in the past year
• 25% had no compliance training at all in 12 months 

This raises a critical issue:

How can firms demonstrate competence without documented training?

The SRA expects evidence - not assumptions.

And without records, firms cannot:

• Prove ongoing competence
• Support practising certificate declarations

Evidence compliance with training requirements

Poor documentation has real consequences.

When records are incomplete or inconsistent, firms risk:

• Failing SRA audits
• Inability to justify decisions
• Increased likelihood of enforcement action
• Professional indemnity exposure
• Reputational damage

As Brian summarises:

This isn’t compliance - it’s a paper trail of negligence waiting to be discovered.

Interestingly, the issue is not limited to firms.

The review also highlights a gap at regulatory level:

• The SRA identified 1,377 internal reports across firms
• Only 9 were reported externally
• But the regulator does not maintain centralised records of breaches

This raises questions about:

• How trends are identified
• How intelligence is used
• Whether systemic risks are fully understood

Episode 5 reveals a core truth:

Compliance without documentation is not compliance.

Across the series so far, we’ve seen:

• A role nobody wants
• A lack of knowledge
• A lack of time
• A mental health crisis
• And now, a failure to evidence compliance itself

This is not a series of isolated gaps.

It is a system under strain.

Documentation is often seen as administrative.
In reality, it is the foundation of compliance.

Without it, firms are exposed.

Because when the SRA asks:

• What happened?
• Why did it happen?
• What did you do about it?

The only acceptable answer is not:

“It’s in someone’s head.”

It’s:

“Here is the evidence.”