Risk….what should everyone be looking for?

The essential risk list is as follows:

The Solicitors Regulation Authority (SRA) monitoring and enforcing of the Solicitors’ Code of Conduct 2007 (Code of Conduct);
The Legal Services Act 2007 and the risks it presents;
Compliance with the Money Laundering Regulations 2007 – a year after their implementation on 15 December 2007 – the Third Directive;
Responsibility at senior management level;
A framework for managing risk across the business;
Accountability in practice areas and
support functions;
A risk-evaluation process;
Business-continuity planning;
Credit crunch risks;
People and culture issues;
Client engagement;
Finance;
Protecting partner assets;
File auditing;
Managing your insurance;
Office systems;
Location and premises issues;
Professional indemnity insurance;
Health and safety;
Fire;
Employment legislation;
Retaining talent;
Reputation;
Data protection;
And more…

This seemingly endless list is not for the faint hearted, and when presented ad hoc in this way it can be daunting. None of it is productive, in the sense that income is not directly obtained from any of these activities. All of it cannot be covered in one article such as this; therefore only some of the areas will be discussed. The objective, however, is to try to demonstrate some of the areas of difficulty in law firms that prevent them from managing and managing risk better; and then getting everybody on board and singing from the same hymn sheet so that what lies above falls into place more easily.

In a law firm, the risk involving everyone can be broadly divided into operational management, strategic risk and regulatory risk. There is no magic in this as such risks are applicable to most businesses. Indeed, similar headings will be found in the Lexcel quality standard that accredited firms have to maintain and to demonstrate their competency in.

The burden of compliance and legislation, although great, is not necessarily higher than in other industries – food being one example, and financial services another. So you are not alone!

Law firms, by their very nature, are arguably three times more difficult to manage than other businesses. The reason is that their structures are not, on the whole, in the corporate style (which makes line management issues easier). The matrix form of structures (different reporting and authority for different things) means that communications and decision-making is often fragmented and inconsistent. This evolves from partnerships within which there is often a great desire for autonomy on the part of individuals. When I first joined a law firm, the senior partner said to me: “You’ll get used to it eventually, but you’ll have to find out and get to know who to go to to agree a decision.” The lawyers who manage law firms, however, are rarely trained in management and mostly come to the business of law from an entirely different motivation than that of their commercial brethren.

The training now required by the Solicitors' Code of Conduct 2007 (the Code) is still minimal and in many cases, to be frank, is received as an irrelevant but necessary evil. The link with good management and risk does not seem to be as readily apparent or highly regarded in the profession as it should be. Many of the support managers in law firms, if you have them, are not treated as equals and have to fight for grudging respect. It is this group, however, who can be fostered and whose loyalty will see that strategy and policy will be implemented. Ignore them at your peril. They can be the underestimated, unseen force behind making or breaking success. They are the ones who will ensure that risk is successfully managed across the firm, if they are fostered as they should be, in a ‘no blame’ culture. They are the ones who are behind the implementation of procedures, for example, within case management systems or file audits.

The responsibility of managing risk is not often top-of-the-pile when it comes to partners’ priorities. Sometimes it is seen as onerous and, on occasion, delegated to subordinates for whom the responsibility is really too great. Alternatively, the responsibility is passed to a partner with the least line of resistance and whose interest in the subject is secondary. The risk in this alone is enough to make your hair curl as it is a matter of not knowing what has been missed. Ignorance is bliss – until the axe falls.

Again, in the extreme, the cases that have been run for corporate manslaughter in industry undoubtedly arise from a failure to control delegated risk management – but the buck stops with the executive. This is probably not very likely in a law firm, but I am waiting to see the first case come before a disciplinary hearing for failure to comply with rule 5. I didn’t miss it already, did I? All of that is if the firms in question recognise they must have a risk manager.

That said, it is possible to minimise the possibility of failure. The consequences of failure are often more dire financially, or to reputation, than any other for the whole business. Weighing the balance of the expense of minimising risk, if the firm decides on the side of saving money by ignoring it, that is, in itself, a risk. You can choose to take that risk. But managing risk well can make the business more profitable. Getting everybody on board will pay dividends.

The solution? This can best be described as building the bricks that make risk management part of the culture of the firm. It means that the firm should not be a slave to risk, but that every part of the firm’s activities is the product of thoughtful and careful procedure, common to all, whatever their level. In other words, any member of the firm will say: ‘This is the way we do things around here’. Looking at the list above, this may well create problems for smaller firms that lack the resources to manage it effectively. The onset of the Legal Services Act 2007 may add to the pile of concerns, but looked at positively, this will be an opportunity to obtain buy-in from the skilled managers taking equity, who, until now, have not had sufficient reward from joining the senior management of law firms. This, however, may be the final straw for small firms, unless they practice niche areas of law. Even the mid-sized firms are more likely to think that joining forces with another firm will create the desirable critical mass to afford buying in the right skills, let alone competing effectively.

There is a good analogy with financial services. The progression of the Financial Services Authority under the direction of the Financial Services and Markets Act 2000 has meant that there are hardly any small or ‘one-man-band’ businesses left. This is because they couldn’t cope with the cost and implementation of compliance.

Whatever conclusions you are reaching so far, it has to be said that risk is not often regarded as a strategic issue that should be part of any firm’s business plan. In the corporate world, organisations are moving beyond regulatory and corporate compliance to protect their brand and reputation. The legal profession must do the same and has some catching up to do.

Having considered the macro view, what about the operational side of things? This is mostly about consistent systems and procedure. It is, in fact, the area where money can be saved. For a start, good risk management leads to fewer claims (obviously, the fewer the better or none) and directly affects the bottom line and the partners’ pockets. Who can now ignore the emphasis insurers are putting on good risk management? You can be assured that they will become more and more discerning, and now the banks are getting interested too. All staff should know and be trained about how they can influence risk. They need regular updates in their areas of expertise and generic updates where risk affects everybody, such as anti money-laundering procedures, health and safety. They must be guided by the same consistent procedures.

A well-managed firm will have a clearly defined business structure. This is best demonstrated by a flow chart available to everybody, with everybody on it, so that they can identify where they are, where they stand, who reports to whom and who does what. What has this got to do with risk? The answer is accountability. There is no hiding place or ambiguity about the role of each person within the organisation. It identifies duplication issues or the reverse, missing functions required to manage. In the smaller firms, such a flow chart can look very strange because the individuals will fulfil several responsibilities. Many may want to opt out, thinking that such an activity is surely unnecessary. But it is surprising how many people in a relatively small operation don’t know what others actually do. This may go some way to explain why cross-selling in law firms is generally poor and why law firms are at risk of losing business to competitors. If everybody knows, surely business opportunities will not be lost as easily.

The foregoing fits nicely in with communications. Good communications is probably the hardest part of management. It is essential to keep people informed, to ensure feedback, to involve others to obtain buy-in to decisions. Communications are, however, full of pitfalls. Whether written or spoken, there are always those who misinterpret, so it is necessary to be clear about the forums used to apply consistency of information. This makes it very obvious where the risks are. Misunderstanding can escalate throughout an organisation very easily. Having noted the care required, however, having no information is far worse. People can spot that something is going on and will draw conclusions that are probably wrong.

I am not unknown for my enthusiasm for good practice management systems (PMSs) that use IT to the fullest extent possible. This creates the opportunity for common procedures at all levels. But the idea has to be embraced at partner or board level; otherwise the culture will not filter through to all.

It is entirely possible to acquire fully-integrated PMSs. This should help to keep you safe from the vagaries of the Solicitors’ Accounts Rules to compliance with the Code. But it isn’t perfect. The Law Society’s Software Solutions panel works hard to encourage suppliers to ensure that their systems can be relied on. Choosing an IT supplier from the annual guide is probably a safer bet. However, many lawyers in firms say that they prefer to manage the systems themselves rather than be managed by the system. In terms of risk management, although understandable, this is susceptible to inconsistency. At the very least the risk elements of case management can be automated by alerts to avoid missing them. Examples include the terms of business, anti-money laundering ID checks, limitation dates and so on.

Such systems should now also enable you to run cash flow forecasts and budget variance analysis recently included in the code of conduct. They should enable you to manage finances, but you do need to grasp the important key performance indicators (KPIs) and not burden people with reports they don’t understand. Understanding financial management is essential, as is ensuring that there are partners within the business who do. The opportunities for finance directors post-Legal Services Act 2007 must be boundless. But when you meet, as I do, partners who do not know the difference between cash and profit, I find it very worrying.So take heed, not just from me but from your accountants and banks, as there will be more emphasis on this, especially in a recession. How to apply the learning across the business is one of the major factors. Once again, I am afraid to tell you, in law firms there is not a culture of good financial management generally. It commonly comes to my attention that just before pay day, or when there is no money in the office account and the firm is bumping up against the overdraft limit, the accounts manager is rushing round telling people to get their bills out or chase payment. So where is the cash management and what is the risk, especially when business is tight?

To ensure that a culture of good financial management exists across the board, partners must lead by example and hold the collective line. The rest will follow as night follows day. But there must be no exceptions and no passengers. Poorly performing partners and senior people are usually cloned by their support staff. Poor financial management is a high-risk area. Insolvency practitioners will tell you that more businesses fail through bad cash management than anything else. To ensure that this is understood (not beating them across the head) across the whole firm at all levels is the best risk-management activity you can undertake in a recession.

You can be the best lawyers in the world, but this won’t save you unless everybody gets their bills out and paid.

Mike Gorrick is a partner at the consultancy SSG Legal. He can be contacted at mike.gorick@ssglegal.com