 Finance and risk management in the legal profession

Feature

posted 28 Oct 2009 in Volume 4 Issue 1

Law firms learn to love risk management

 

Deborah Chrimes explains how the legal sector has changed its attitude to risk in recent years.

Ask any risk management specialist which areas are relevant to law firms and they will come up with an endless list. Specific areas would include strategic risk, corporate governance, financial, business continuity, reputational, environmental, fraud, regulatory, IT and operational risk.

So where do you start? More importantly, how do you demonstrate that the procedures, planning and ever-increasing administrative burdens being placed on lawyers will eventually have a positive effect on the bottom line?

Over the past eight years, I’ve grappled with these issues myself, and followed first hand the way in which the legal sector has come to understand and even embrace risk management.

Cynics claim lawyers have been resistant to regulation and complacent about risk because they have managed to avoid the disasters suffered by their colleagues in accountancy and banking, such as the collapse of the world’s largest accountancy firm Andersen in 2002, which resulted in tighter regulations for auditors.

Certainly, the recent troubles affecting the world of finance have gone some way in bringing home the message that a lack of alarm bells to identify the signs of trouble could be catastrophic.

These days, it is probably fair to say that risk management is discussed at board level and becoming more and more embedded in law firms’ strategies and management practice standards.

We have travelled a long way since 2001, when I first entered the world of risk management while working for law firm Hammonds. Having spent four years in the recruitment department, I moved to the newly-formed quality team, which had been set up to focus on regulatory compliance, or, more specifically, compliance with the Data Protection Act 1998.

The team’s role soon changed to focus on introducing the concept of risk management and developing a quality management system (QMS) to carry out remote, electronic process auditing, department or business unit manual paper audits and key client audits. Our work was primarily focused on the firm’s UK offices and aimed to mitigate the risks associated with the regulatory aspects, service delivery and overall management of client relationships.

At that time, the firm was probably at the leading edge of quality and risk, especially in terms of its QMS. However, as the regulatory and compliance requirements on law firms increased, both clients and professional indemnity insurers wanted to be sure that firms had good risk management procedures in place. On top of that, the new Solicitors’ Code of Conduct in 2007 required all firms to have in place procedures that could be demonstrated and were applied in practice. As a result, firms had to quickly catch up.

We continued to build our expertise in risk management and, as further aspects of risk were identified and we developed a greater understanding of how best to manage them, our ‘quality’ team was renamed the ‘quality and risk’ team.

As team leader, I was delighted to see our hard work win public recognition when our team won the ‘best management of risk’ award in the Managing Partner’s Forum European Practice Management Standards Awards 2008.

Shortly afterwards, I left for a new challenge and joined DWF, a firm that again had been a leader in this area, as head of risk and compliance. DWF has had a compliance and risk management committee (CRMC) in place for just over five years and attained firm-wide ISO 9001:2000 accreditation four years ago.

The CRMC is a sub-committee of the board and takes responsibility for the management of risk and also supporting the QMS. Each of the support teams at DWF works alongside the CRMC, focusing on the identification and management of its own risks. However, over the past 12 months, increased competition, the economic downturn and tighter regulations have prompted the board to take it to the next level.

Following my appointment, it was agreed that a firm-wide risk assessment should take place to identify and evaluate the full range of potential business risks and the level of controls in place to manage them. The aim was to interpret the concept of risk, in a broad sense, and identify and control legal market risks and operational hazards, as well as reputational, political and technological risks.

We gathered feedback from senior partners, heads and directors from the support teams, and analysed audit outcomes, claims and complaints files, exit interviews and the media. We felt that only then could we identify and prioritise risks, by looking at the potential cost to the firm multiplied by the likelihood of the event occurring.

One of the lessons we have learned from the banks is that no matter how many procedures are written, they have to focus on the right things. The process we used aimed to ensure that this was the case.

As part of the assessment, we took the opportunity to look at the main barriers that might be encountered when implementing the risk management policy. Of course, old habits die hard, and some of the ‘old faithfuls’ were apparent, such as the desire to ‘please the client’ and complacency. However, we also identified a major benefit – we had buy-in from the board and a number of senior partners and team leaders who agreed that this was the right thing to do and an important piece of work.

The risk register we produced has enabled the board to have a more centrally managed and systematic view of risk. It has also helped to prioritise the work of the risk and compliance team, who ensure the register is constantly reviewed and updated. The board understands that to deliver increased benefits, tough objectives will be needed, which, in turn, will mean greater risk. The risk that remains will depend on the level of controls the firm has in place.

This journey has not just been about increasing the number of controls within the firm, but also about designing and introducing better controls which the risk and compliance team, alongside the CRMC, have successfully delivered.

The CRMC reports monthly to the board on the management of ‘prioritised’ risks, as well as identifying any new and emerging risks. This allows the board to cascade communication on its risk management efforts and how this might impact on the firm’s culture both now and in the future.

One positive outcome we have seen following the assessment has been the development of a more robust and clear business continuity plan. This has significantly improved the way the firm is viewed by clients and prospects alike. Meanwhile, professional indemnity brokers and insurers have welcomed our ability to clearly identify where the risks lie and, perhaps more importantly, show the controls we have put in place.

Of course, past claims records are critical in determining professional indemnity premiums, but if a firm can demonstrate a commitment to standards – with an understanding that one size does not fit all – then eventually the error rate will begin to fall and quality of service will start to shine through.

The future of risk is just as important as past claims or failures. The risk profile of any firm will continue to change, due to strategy decisions, new clients, changes to regulations and, of course, the unknown and unmanageable external factors, the economic downturn being a prime example.

Maintaining risk management standards requires a level of commitment from the top that is driven down throughout the firm and embedded to such an extent it becomes second nature. Firms with boards or leaders who most actively demonstrate their support for risk management are likely to see benefits to the bottom line at an earlier stage.

Robust systems, processes and education will drive forward the quality of the end product. Any risk managed well will increase confidence both internally and externally in the firm. Staying focused on that goal is our aim.

 

Deborah Chrimes is the head of risk and compliance at DWF. She can be contacted at deborah.chrimes@dwf.co.uk
