Feature
posted 28 Nov 2008 in Volume 3 Issue 2
Undertaking an effective file audit as part of a risk-management framework
Risk management is often seen by lawyers as pejorative – something to do with business prevention and disaster recovery. In reality, it is just good management, and as the introduction to the new British Standard Risk management – Code of practice (BS 31100) states: “Risk management is as much about exploiting potential opportunities as preventing problems.”
The legal industry has been slow to embrace risk management. However, things are changing, propelled by the obligation in rule 5 of the Solicitors’ Code of Conduct 2007 for firms to make arrangements for the effective management of risk.
Most large and medium-size firms now employ people dedicated to risk management and are developing structured risk-management frameworks. The risk-management framework itself is beyond the scope of this article; however, the basic principles are set out in the British Standard, which is required reading.
The risk management framework is a continuum which starts with senior management buy-in and a proper understanding of the risk appetite of the business. This informs development of strategy, policies and procedures, risk profiling, and the formal recognition of roles and responsibilities. This toolkit is then implemented, communicated and embedded in day-to-day business practice.
At this point in the cycle, the risk framework has the maturity to warrant monitoring and review; this, and specifically file audit, is the subject of this article.
Risk review solutions
A risk review process will only work as part of a risk-management framework and must be designed to fit the culture, organisation and environment of the business concerned. Effective risk review is a cyclical process of risk identification, assessment, responding to findings and reporting, all of which feed back into, and provide information for, the subsequent reviews and the ongoing maintenance and improvement of the risk-management framework.
The available risk review methodologies include file audit, electronic checks, self assurance and certification, peer review and targeted review. Whichever is chosen should be:
- Independent – wherever possible undertaken by someone without involvement in the matter under review;
- Consistent – ensuring that the output has been obtained in a structured manner;
- Measurable – using common key metrics for recording and reporting results;
- Results owned by the business – ensuring buy-in and commitment to act on the findings; and,
- Action orientated – the output must feed back into the ongoing development of the business.
The method chosen by a firm will depend on the perceived risks and the commitment of the business.
What is a risk review for?
First, to assist the senior management team in discharging its responsibilities for the effective governance of the firm through: assurance of defined client and matter related policies and processes; the identification of problems – actual or emerging; the identification of good practice; and, driving improvements in policy, procedure and training.
Second, to identify and mitigate risk. All firms will have different risk strategies, appetites for risk and risk profiles. There is no blueprint, although some risks are common to most firms, and the following have been reported as the ten most common causes of professional indemnity claims (Legal Business magazine – March 2008):
- Failure to identify the client;
- Inadvertently advising third parties;
- Failure to define scope or ‘creep’;
- Failure to distinguish the lawyer’s role from that of other professionals;
- Failure to fully record instructions, advice in attendance notes, and so on;
- Acting outside of professional expertise;
- Missing time limits and deadlines;
- Lack of supervision;
- Time pressure; and,
- Failure to manage conflicts of interest properly.
Most firms will address these through policy and procedure (i.e. addressing strategy, tolerance, authority and reporting) and through the design of their infrastructure (i.e. addressing people, operations, data and technology). These will drive the objectives which firms set for their risk review programme.
File audit
Of the available methodologies, independent file audit is the most effective, but also the most costly in terms of time and resource. This approach should be subjected to cost/benefit analysis and chosen, in preference to the other available risk review solutions, only where a cost benefit is clearly identified. The following are essential prerequisites to making a file audit effective:
- It must have senior management support and commitment, this being communicated down through the business;
- The goals and objectives of the programme must be communicated and understood by all participants;
- It must reflect the risk strategy, appetite and profile of the firm and measure these consistently;
- It must be evidence based;
- It must be independent (the audit team and reporting lines);
- It must be systematic;
- Wherever possible, output from the process should be quantitative;
- The output must be reported; and,
- The approach and output should be focused on delivering actions.
Having decided that file audit is the right solution for your business, the approach must be planned. There is no right or wrong approach but there are some common steps:
- Selection of the audit targets;
- Development of the file audit template;
- Selection of the audit team;
- Selection of the file sample;
- Analysis and reporting of results; and,
- Responding to actions.
Selection of the audit targets
The audit targets, tailored to the risk profile of each firm, may include:
- Client and matter vetting: conflicts of interest; client identification (anti-money laundering compliance); client authority to instruct; and reputation issues, profitability/commerciality, resourcing and creditworthiness;
- Client engagement – client care and costs information, terms of business and acknowledgement by the client;
- Use of the firm’s brand and sign-off;
- Client and matter supervision;
- Legal opinions;
- Information barriers and confidentiality;
- Disengagement with clients;
- Limitations of liability and scope;
- Cross-border working;
- Bespoke client terms;
- Financial management of files; and,
- Record keeping – quality of the file, records management and archiving.
Development of the file audit templates
Having decided what is to be audited, the next step is to develop the audit template. A template and the use of a structured checklist are essential to achieving consistency, the aggregation of results and the construction of meaningful reports. Figure one shows the checklist used by DLA Piper. While the template can be supplemented to address specific risk ‘hot spots’, the core content should be consistent to enable the identification of trends over time.
Selection of the audit team
Having decided ‘what’ and ‘how’, it is necessary to consider ‘who’ will undertake the audit. The team must possess the competence to undertake the work and be credible. Two approaches are common: peer review – where one partner or fee-earner audits the files of another; or, specialist review – the formation of a central audit team. Whichever approach is taken, consideration should be given to:
- The qualifications of the team – do you need someone with legal training?;
- Whether local or practice area knowledge is required;
- Variations in the audit complexity;
- What training must be given to the team;
- Independence; and,
- Report writing and communication skills.
In multi-jurisdictional firms, language barriers, different cultural attitudes to risk and different rules on confidentiality must be addressed. These may affect the composition of the audit team.
The extent to which files can be accessed electronically may also influence the composition of the team and the way the work is tackled. Many law firms are still driven by paper, so physical files will have to be inspected; others use soft copy files, thereby reducing the need for site visits.
Selection of the file sample
Generally speaking, the larger the sample size the better. This will, however, be influenced by resource constraints, the amount of time available and the extent to which the firm already has comfort from other risk review methodologies. The sample size will also depend on the objective of the audit. For audits addressing a particular issue you may choose to inspect all affected files. For a general audit, files from a cross section of all fee-earners, work streams, locations and/or departments may be chosen.
Whatever the sample, it should be statistically significant and relevant. It may also be necessary to expand the sample in response to the findings during an inspection, for example where an unexpected issue has been found to recur throughout the chosen sample.
Consideration must also be given as to how unavailable or missing files will be handled. These should not be allowed to force a change to the sample, but they must be managed and reported.
Analysis and reporting of results
Having completed the audit work, the results must be analysed and reported. The output can be both quantitative and qualitative. There is no right or wrong way to report findings; each firm will develop its own approach. Whatever measures are used, they should be simple and realistic. Here are some characteristics of reports produced within DLA Piper:
- Quantitative:
  - Consistent performance measures are established and applied;
  - Tolerances are set according to the risk profile of the issue;
  - Measures are in a form which facilitates aggregation and the application of consistent metrics; and,
  - Measures are translated into blocks of performance and presented as traffic light reports which are easy to compare and contrast (see figure two).
- Qualitative – comments are recorded by the audit team and communicated in narrative reports accompanying the quantitative analysis. This includes:
  - Commonly identified issues and one-off exceptions;
  - Explanation of commonly encountered omissions or errors;
  - Good practice identified that can be fed back into development of the framework; and
  - Recommendations for future action.
It is important that only similar metrics are aggregated, and when making comparisons with the output from previous audit reports, care must be taken to allow for significant policy or procedural changes which have taken place in the interim.
Responding to actions
File audits are pointless unless issues identified are communicated and action taken. It is vital to retain the confidence of everyone involved in the process and to obtain buy-in to its goals and objectives. This is achieved by ensuring that:
- All reports, including actions, are validated and agreed with all of the stakeholders;
- Care is taken with communication to maintain confidentiality and avoid inappropriate disclosure; and
- All actions are owned by the relevant stakeholder and followed through to an agreed timescale.
Actions, development of policy and procedure, and other resulting activity should be tracked. Progress should be reported to senior management at appropriate intervals. The results of the audit should also inform other firm-wide activities such as the training and development curriculum.
In summary
The key to successful file audit and embedding it within the business is to use it to deliver business improvement, not as a policing exercise. This ensures that the risk-management framework is kept up to date and remains relevant to the ‘real’ business.
File audits should not be a one-off or stand-alone exercise, but part of an ongoing programme through which the development of the risk framework can be measured. The approach must adapt to reflect change in the firm, take advantage of opportunities presented by developments in IT, and respond to developments in the firm’s policies and procedures and the regulatory environment.
Finally, whatever the risk review methodology adopted by a given firm, it must reflect the nature, complexity and business model of the firm, have senior management sponsorship and, above all, be conducted to the highest professional standards.
Further reading
British Standard 31100:2008: Risk management – Code of practice.
Mike Pretty is executive risk manager – legal and regulatory, Europe and Asia at DLA Piper UK LLP. He can be contacted at mike.pretty@dlapiper.com