Risk management: A bird’s-eye view

John Verry, who joined Charles Russell as a risk manager in January of this year, reflects a growing trend to recruit dedicated risk-management professionals who can apply their expertise and involve the entire firm in the risk-management process. In this article, he explains why firms, faced with a changing insurance regime, cannot afford to be laissez-faire when it comes to risk management.

Some three years have now elapsed since the demise of the solicitor’s indemnity fund (SIF) and the advent of the open-market insurance regime. It has been a profitable time for most of the profession and only now are premiums returning to the levels payable immediately prior to the SIF’s demise. Some firms have seen enormous savings in that period, while others have only seen modest reductions. The smart money, however, is on a 10-15 per cent increase in premiums again this year, which reflects the continuing upward trend.

In terms of underwriting the risk of the legal profession, the market is slowly finding its feet. As more claims data becomes available, and the more the market gets to know the legal profession, the more accurate the underwriters will become in rating the risks, and identifying those firms that present an acceptable level of risk and those that do not.

There have been a number of surprises for the market in terms of the relationship with the legal profession to date:

The incidence and value of claims, bearing in mind the profession as a whole emptied their cupboards of all claims (or at least should have done) by notifying the SIF prior to 31 August 2000;
The disorganised manner in which many firms appear to operate: leaving proposal forms to the last minute, poorly completed proposal forms, and failing to supply both relevant and important information requested within a reasonable time scale, if at all.

Probably the biggest surprise, however, has been the failure on the part of many members of the profession to understand what is meant by risk.

The whole concept of insurance is based on risk. The insurer transfers risk off the firm’s balance sheet and on to their balance sheet in return for a payment of a premium. Insurers are only prepared to do this, however, in a controlled manner. This means the insured taking all available steps to minimise their exposure to the risk of error, which in turn reduces the exposure of the underwriter.

Mistakes will happen, that is why there is insurance, but it is there to cover the exception, not the norm. At the claims analysis stage, the underwriter wants to see that the insured took all reasonable steps to avoid the error that led to the claim; in short, that some degree of risk management had been involved

Probably the biggest impact the commercial market has had on the legal profession has been to raise the profile of risk management to a stage where firms not only think about it, but also actually do something.

The legal profession is a long way behind other professions and indeed industry when it comes to managing risk inherent in its workplace. Corporate governance has developed through Cadbury, to Turnbull and now to Higgs. The construction industry has developed considerably, demonstrated by signs such as: “No hard boots, no hard hat, no job.” Can you imagine the equivalent: “No retainer letter, no Rule 15 letter, no job,” being the slogan in a legal office?

The reason for this is, of course, historical. For some 12 years the profession self-insured through the mutual fund, the SIF. That organisation was doomed to failure, as it did not have the power to decline a bad risk and impose good working practices on its members. No such hurdles face the open market – firms now have their choice of insurer, but the insurer also has its choice of firms. Claims against solicitors are long-tailed, that is, the mistakes made now will become the claims of next year or the year after that or several years into the future. As claims histories develop, then underwriters will become more selective.

Against such developments, and without wishing to sound dramatic, firms must address the problem of their risk exposure and manage it now. Firms must be able to show to underwriters that they are taking the appropriate steps to manage risk. It may be possible to convince an underwriter that a poor claims history is a thing of the past if you can prove that you have created and implemented a risk strategy that is understood and adhered to by all in the firm.

Its no good just having a risk strategy, it has got to work. Claims records drive underwriters. While nominal discounts may be given for certain quality standards, they will only be forthcoming if the claims history is one that lends itself to a discount. Rest assured, firms with a poor claims history will not obtain sizeable reductions in their premiums just because they have a quality standard.

So what does the oppressed managing partner do when told by the partners to do something about risk management and get the premium down? Again, at the risk of oversimplifying matters, there are two ways of proceeding, the internal and external way. This article concentrates on the former, although there are two points that I would like to touch upon when considering the external way of managing risk. Some firms appoint a consultant, probably with the objective of obtaining a quality standard, such as Investors in People, ISO or Lexcel. There are two points to consider here:

Why are we obtaining a quality standard?
How do we pick a consultant?

With regard to the first point, if it is simply to obtain a reduction in the firm’s premium you are most likely wasting your time and money. The objectives of these standards run deeper than that. It is invariably about improving service delivery to the client, which is an integral part of risk management. Quality standards are not cure alls. You have to work hard to obtain them, to keep them and ensure they work.

Another side effect of the open market and the rising profile of risk management is the explosion in the numbers of expert consultants available to give advice and assistance to firms. Personal recommendations are probably the best way of checking a consultant’s credentials. In any event, you should ask searching questions. What is the consultant’s particular area of expertise and what experience do they have of the legal profession? Ask for references, or talk to firms that have previously utilised their services.

Internal risk management

This has been the preferred route of a small but growing number of forward-thinking firms, including my firm, Charles Russell. This requires the appointment of a dedicated risk manager. It may be an internal or external appointment but it should be borne in mind that the appointment leaves no time for fee earning. For such an appointment to succeed:

There must be a clearly defined role for the risk manager. Prepare a job description. It is likely that the individual concerned will be responsible for a number of other roles such as compliance issues (data protection, money laundering, financial services and, last but by no means least, professional-conduct compliance);
There must be consensus and commitment to the appointment by all the partners. This applies not only to the appointment but also to the creation and implementation of the strategy; otherwise you may as well save your time and money. Unless everybody is committed, any risk-management strategy is bound to fail;
There must be an effective structure in place to manage risk. The SIF risk audit (now available from Law Society Publishing) has a very good template for such a structure.

One of the main advantages of creating a risk strategy internally is that it will be tailor-made to fit the needs and requirements of the firm. Quality standards serve a purpose, and there is a lot of good-quality information in them. One size, however, does not fit all. For some firms, a quality standard mark may well be the best way forward, for others, this will not necessarily be the case.

A real danger is that the firm spends time and money managing risks that are of little or no consequence to the firm. There is a very fine line between over and under-regulation. An internal appointment will help to strike the right balance.

Each department within a firm has a different risk exposure. What may be a major risk in one department (such as time limits in litigation) may not be in another (say commercial, where the major risk is communication and ensuring that the final document reflects the client’s instructions). The risk manager will need to identify the risks facing the firm then analyse them and finally take steps to manage those risks.

There will be core risks that affect the whole firm, but to varying degrees, depending upon the departments concerned, there will be specific risks, which will need to be addressed. The first step is identifying those risks. Suggested ways of doing this include:

Speaking to the departmental staff at all levels: support staff, paralegals and fee earners (including partners). Ask them to identify the risks that concern them. Do not confine these questions to just operational-risk areas (that is, risks associated with carrying out the client’s work), but include strategic and disaster-risk areas;
Including other administrative departments in this process: human resources, facilities, information services, IT and, most importantly, accounts. They will be able to see how each other works at close hand and will invariably have constructive comments to make as to what new procedures should be introduced and how existing procedures may be improved upon;
Undertaking a file audit: check to see how various departments manage their files. The audit will concentrate on administrative matters, as this is where most solicitors make mistakes – they do not get the law wrong, the failings occur in the service delivery to the client. Two further points with regard to audits are:

What to look for;
Which files to check.

Look out for evidence of delay and failure to use the diary system with regard to critical dates. Has the client been kept up to date on developments? How good was the supervision of the file and, where applicable, if the file has been delegated to a fee earner, how structured was the delegation? Has the firm’s procedure been followed with regard to undertakings and have office procedures, for example, post supervision been followed? What about compliance issues? Has the Rule 15 letter been sent and the client-care and costs-information code complied with? This list is not exhaustive but is indicative of the points that need to be addressed.

The real skill, as any auditor will tell you, lies in identifying the right files to audit. The audit will not normally review the standard of legal advice, it is more administrative driven. The objective is to go straight to the file that the fee earner does not want you to choose. A good way of doing this is to liaise with the accounts department. Use the management information that is generated for the partners to identify problem files. How long has the file been open? Check time recording, look at the client ledgers and identify where there has been little or no movement. Large amounts of work in progress may also indicate potential problems. Find out what management information reports are generated, or can be generated and then decide how that information may be utilised to identify potential problem files.

Once the file audit has been completed, feed back results to the head of the department;
A very useful exercise is to go through the firm’s claims history for the preceding five years (or longer if you so wish). See if there are any patterns to the claims, particularly if they emanate from a particular individual or department. Perhaps there is a common theme to the claims, such as missed time limits. Speak to the fee earners concerned to find out what actually happened, and how, with the benefit of hindsight, a repetition may be avoided. The firm should always learn from not only its mistakes, but also its near misses.

Once the reviews and interviews have taken place, the various risk areas should become apparent. Consider how best to manage those risks departmentally. Always work in conjunction with the head of department. Seek advice where appropriate. There will be ready access to experienced lawyers – use that experience to your advantage. While the risk manager should ultimately have the power to impose a procedure on the firm, he or she must be able to justify such a course of action, and this should only be as a last resort. It is far more preferable to work in conjunction with the partners, and introduce systems and procedures with their co-operation.

Remember that this will take time. It is asking a lot of people to change the way that they have worked, for what in some cases may be 40 years. Changing the culture of a firm will not be achieved overnight but it will be easier to do if the partners and staff understand what is being done and why.

Training also has a very important role to play. It is important that all staff are kept advised of what is being done and why. There is likely to be more acceptance and less resistance if staff members are involved in what is happening and explanations are given. The problem as always is getting people to attend such courses, so it may be wise to introduce an element of compulsion.

Having identified the risks, the next step is to create the system or procedure to manage them. There are risks that are common across the firm, irrespective of the field of law involved. The difference is likely to be the degree of risk to which each department is exposed. In some cases, there will be no difference in areas such as client-vetting procedures, including inter alia, conflict and money-laundering checks, the client’s ability to fund the retainer, etc. There will be a need to record the firm’s risk-management procedures in writing.

The danger here is creating a large unwieldy document that no-one is going to read. The answer is to break it down. There should be a central risk-management document that deals briefly with the firm-wide risks, for example, in relation to the use of diaries. The central manual will impose an obligation on all staff to use a diary system, and to research, record and react to dates on every file. The central manual is backed up by the departmental manual, which may or may not go into the specific risk in more detail and impose more rigorous procedures. For example, the litigation department’s risk manual will have a considerably more detailed section on time limits than the commercial department. Fee earners should be judged against their departmental manual.

These manuals will also serve as reference points. No fee earner is expected to know the manuals off by heart. They need to be able to refer to a document when in doubt. The skill is not necessarily knowing the answer, but knowing where to find it.

Risk management is a form of compliance and, as with all compliance issues, there have to be “teeth” to enforcement. Again, it is a fine line that has to be walked. You do not want staff consumed by fear that they may be in breach of a risk-management procedure. This will impact on their work. The fee earners will end up checking procedures and not getting any work done. If there is persistent breach, however, or flagrant non-observance, remedial action will be necessary. This may take the form of additional training or more supervision, to more draconian punishment, such as financial penalties or disciplinary proceedings.

The greater the exposure to risk management, the more familiar staff will become with it. Risk management is an integral part of the way clients’ work is done. It should not be regarded as an additional task to be undertaken or an administrative chore. A good definition of risk management is doing the client’s work as quickly and efficiently as possible, with minimum exposure to the risk of a claim. If this objective is achieved then everyone will be happy - the client will have a job well done, the fee earner will have a satisfied client and fees paid, and the underwriter’s exposure will be kept to an absolute minimum.

Now is the time for firms to take active steps towards risk management – underwriters and clients will expect nothing less. Firms no longer have the right to insurance. That went with the demise of the SIF.

Up until now, no-one has made money out of insuring solicitors over an extended period of time and it would be a misplaced belief that insurance may always be obtained “at a price”. There comes a time when an underwriter will view a risk as unacceptable, whatever the potential premium. There is also the danger that underwriters may simply walk away from a particular type of risk in search of more profitable fields.

The legal profession must take steps to prevent problems in the future After all, if firms cannot be bothered, then why should underwriters?

John Verry is a risk manager at Charles Russell. He can be contacted on: 020 7203 5350 or at: johnv@cr-law.co.uk.