Exposure Diagnostic

Find out where
your firm stands.

Ten sections. The output is a precise picture of your firm's governance posture across every relevant regulatory framework. No commitment. No login.

A B C D E F G H I J

Section A

Firm Identity & Regulatory Registration

Establishes your regulatory baseline. Every answer activates or deactivates specific governance engines in your REACH LAW configuration.

A1 *

Firm name and SRA authorisation number

A2 *

SRA-regulated entity type

Authorised Body (ABS)

Recognised Body (traditional partnership, LLP, or company)

Sole Practitioner

Registered European Lawyer or Foreign Lawyer

A3 *

Is the firm also FCA-authorised or FCA-registered?

Yes FCA-authorised

Yes FCA-registered (appointed representative)

Under review / pending

A4 *

ICO registration is the firm registered for data processing activities?

Yes current ICO registration held

No we believe an exemption applies

No we are not registered and are uncertain whether we should be

A5 *

Does the firm conduct AML-regulated work under MLR 2017?

Yes the firm is registered with HMRC as a supervised entity

Partial some practice areas are AML-regulated, others are not

Does the firm handle matters involving OFSI-sanctioned jurisdictions or sanctioned individuals?

Yes regularly

Occasionally

No / not applicable

A7 *

Approximate number of fee earners at the firm

1 to 5

6 to 15

16 to 30

31 to 50

Section 1 of 10

Section B

AI Tool Ecosystem

Builds the complete governed tool registry. Every tool named becomes a monitored node in your governance architecture.

B1 *

Which AI tools are currently in active use by fee earners at the firm?

Microsoft Copilot / Copilot for Microsoft 365

ChatGPT (OpenAI) consumer or API version

Claude (Anthropic)

Harvey AI or other legal-specific AI platform

Clio, LEAP, or other practice management AI features

Google Gemini or Google AI tools

Other AI tools (please specify below)

B2 *

Has the firm formally approved these tools for use, with written policy?

Yes written AI usage policy exists and is current

Partial informal guidance exists but no formal written policy

No tools are in use without formal approval or policy

B3 *

Are fee earners using personal (non-firm) AI accounts for firm work?

Yes this is known and occurring

Possibly it has not been formally assessed

No only firm-provisioned tools are used

Has the firm conducted a data protection impact assessment (DPIA) for any AI tool in use?

Yes DPIA completed for all AI tools in use

Partial DPIA completed for some tools

No DPIA has been conducted

Section 2 of 10

Section C

Communication & Document Volume

Establishes throughput requirements for the governance layer. Every answer calibrates processing capacity.

C1 *

Approximate volume of client-facing documents produced per month using AI tools

Fewer than 50

50 to 200

200 to 500

More than 500

Not currently tracked

Are AI tools used to draft or assist with client correspondence (emails, letters)?

Yes routinely

Yes occasionally

Are AI tools used for legal research or case analysis?

Yes regularly

Yes occasionally

Section 3 of 10

Section D

IT & Network Infrastructure

Determines deployment feasibility and integration architecture for your REACH LAW configuration.

D1 *

Primary IT infrastructure model

Cloud-first (Microsoft 365 / Google Workspace)

Hybrid (on-premise servers plus cloud services)

Primarily on-premise

Managed IT service provider (outsourced)

Does the firm have a dedicated IT function or person responsible for security?

Yes internal IT team or designated IT lead

External IT support provider only

No dedicated IT function

Section 4 of 10

Section E

Regulatory History & Governance State

Establishes your pre-deployment compliance baseline and urgency weighting.

E1 *

Has the firm been subject to an SRA inspection, visit, or investigation in the last three years?

Yes and findings were issued

Yes no findings issued

Has the firm received a formal SRA complaint or regulatory notice in the last three years?

Yes

Prefer not to say

E3 *

Does a written AI governance policy currently exist at the firm?

Yes formal written policy, reviewed in the last 12 months

Partial guidance exists but not formal policy

No written AI governance policy exists

E4 *

If the SRA requested a complete record of how AI-assisted compliance decisions were made in the last 12 months, could the firm produce it?

Yes complete and retrievable

Partially some records exist but not comprehensive

No this record does not exist

Section 5 of 10

Section F

Growth & Forward Projection

Ensures the specification is built to your 12-month projected capacity, not today's snapshot.

F1 *

Expected change in fee earner headcount over the next 12 months

Significant growth (more than 20%)

Moderate growth (up to 20%)

Stable no significant change expected

Reduction planned

Is the firm planning to expand its use of AI tools in the next 12 months?

Yes actively evaluating new tools

Possibly

No current toolset is fixed

Section 6 of 10

Section G

Shadow AI Discovery

Surfaces ungoverned AI activity through behavioural indicators. This is often the most significant exposure area.

G1 *

Has the firm formally assessed whether fee earners are using AI tools that have not been approved?

Yes formal shadow AI audit conducted

Informally through conversation, not audit

No assessment has been conducted

Are fee earners aware of their obligations regarding client data and AI tools?

Yes formal training delivered and recorded

Partial guidance given but not formally recorded

No formal training or guidance

Section 7 of 10

Section H

COFA Financial Governance

Configures the SRA Accounts Rules 2019 compliance layer for COFA-relevant firms.

H1 *

Does the firm hold client money?

Yes client account is held and active

No third-party managed client account only

No client money held

Are AI tools used in any part of the financial management or billing process?

Yes

Not currently but under consideration

Section 8 of 10

Section I

Continuity, Succession & Incident Response

Configures operational resilience and escalation protocols.

Does the firm have a named deputy or succession plan for the COLP role?

Yes formally documented

Informal arrangement exists

No succession plan in place

Does the firm have a documented AI incident response procedure?

Yes formal procedure documented and tested

No formal procedure

Section 9 of 10

Section J

COLP Declaration

By completing this declaration you confirm you are the named COLP and that the information provided is accurate to the best of your knowledge.

J1 *

Your full name (as the named COLP)

J2 *

Your email address

How did you hear about REACH LAW?

Referred by a colleague

SRA or professional body communication

Web search

Other

Declaration

By submitting this diagnostic, I confirm that I am the named Compliance Officer for Legal Practice (COLP) at the firm identified in Section A, that I understand my personal liability for the firm's regulatory compliance including AI governance, and that the information provided throughout this diagnostic is accurate to the best of my knowledge and belief.

I confirm the above declaration

Section 10 of 10

Diagnostic complete

Your firm's governance posture

Exposure

Your firm has material governance gaps that create direct personal liability exposure for you as the named COLP. These are addressable. The first step is a conversation.

A Firm Identity & Regulatory Registration

Baseline established

B AI Tool Ecosystem

Governance gap

C Communication & Document Volume

Review required

D IT & Network Infrastructure

Adequate

E Regulatory History & Governance State

Critical gap

F Growth & Forward Projection

Capacity risk

G Shadow AI Discovery

Unassessed exposure

H COFA Financial Governance

Low risk

I Continuity & Incident Response

Review required

J COLP Declaration

Complete

The next step is a conversation.

Your diagnostic output has been noted. A REACH LAW deployment specification can be built from these answers. No obligation to proceed.

Talk to REACH LAW How it works

Reach Law
Governance Infrastructure
reach-law.co.uk

Product

How It Works
For COLPs
COLP Dashboard

Legal

This diagnostic does not constitute legal advice. SRA-regulated UK law firms only.

Find out whereyour firm stands.