Feature
posted 27 Jul 2004 in Volume 7 Issue 3
No man is an island
Using risk management to overcome uncertainty
As law firms have grown, they have taken on many of the characteristics of corporate entities, with sophisticated structures and business and financial controls. And, just as corporates have had to confront risk-management strategy like never before, so law firms have had to accept the importance of placing a risk strategy at the heart of their business. In part one of a two-part article, Julia Graham, director of risk at DLA, assesses the emergence of risk management as an essential discipline in the legal world.
Half of Europe’s top-100 companies now have a dedicated risk manager and, as risk management comes of age as a profession, many companies choose to manage their risk actively rather than concentrating primarily on insurance buying and administration. The last Aon European risk management and insurance survey [1] noted that differences in risk-management practice remain across Europe, a finding consistent with the varying levels of government intervention in areas such as corporate governance. Greater consistency in risk-management practice can nonetheless be expected to emerge.
The Centre for the Study of Financial Innovation’s annual Banana Skins 2003 report [2] focuses on the world of banking, but includes risks that should feature on every agenda, such as the rising tide of governance and regulation. These risks feature in the Aon survey for the first time, and are prominent not only because of repeated corporate failures but also because of a fear of regulatory overkill. Neither survey is new, but both serve as established and useful benchmarks and barometers for risk managers setting their risk agendas. Three features common to both surveys are:
- A perceptible escalation of intangible risks in the league tables at the expense of the more tangible, quantifiable and transferable risks;
- Continuing concern over risks that are difficult to predict and consequently to plan for;
- Aggregation and domino effects in a more global business world.
The Banana Skins report reminds us that all businesses and industries are interconnected and, while one might argue that a major banking failure is unlikely, the failure of any major industry or industrial giant could create a fallout that would hit us all. We are reminded that: “No man is an island, entire of itself, every man is a piece of the continent, a part of the main. If a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friend’s or of thine own were: any man’s death diminishes me, because I am involved in mankind, and therefore never send to know for whom the bell tolls, it tolls for thee.” (John Donne)
It’s risk Jim, but not as we’ve known it
Whether the goal is growth for shareholder benefit or partner profitability, all business entities exist to provide stakeholder value. In an environment of intensifying competition, as markets and businesses mature internationally, there is added pressure on growth and profitability across firms. In parallel, the severity and breadth of risks have also increased, disturbing the balance of risk and reward.
The role of management is to create an environment that facilitates the identification and tight control of negative risks while recognising and converting business opportunities. The challenge is to determine how much risk the business is prepared to accept. Effective risk management, embedded in the entity’s strategic and operational processes, provides the framework for overcoming uncertainty and helps management determine and agree an acceptable level of risk and opportunity.
It consequently shouldn’t come as a surprise to see a new generation of risk managers tasked with creating risk-management frameworks that address the full spectrum of risks, from operational practice to boardroom-level strategic issues. Firm-wide risk management isn’t a new concept, but it is a poorly defined and articulated one. The goals for firms are to:
- Enhance the opportunity to grow value and capability;
- Align risk appetite or tolerance to strategy;
- Link growth and risk with return;
- Enhance risk-response decisions;
- Minimise operational surprises and losses;
- Provide an integrated management approach and response to multiple risks across the enterprise.
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) defines enterprise risk management as: “A process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding achievement of entity objectives” [3]. The components of the COSO framework are:
- Internal environment – management philosophy and attitude to risk;
- Objective setting – connection of risk to objectives;
- Event identification – determination of what risks an entity faces;
- Risk assessment – severity (impact/probability) estimates of inherent and residual risk;
- Risk response – actions to reduce exposure;
- Control activities – measures to ensure responses are carried out;
- Information and communication – sharing of risk information across the entity.
Enterprise risk management is consequently entwined with corporate governance in providing information to the board on the most significant risks and how they are being managed.
To apply enterprise risk management successfully, an entity must consider the entire scope of its activities at every level: strategic (top down), functional units or business streams (bottom up – otherwise known as ‘bidet management’) and significant or ‘material’ change (planned or unexpected). Further, risk management should interrelate with performance management, by providing risk-adjusted measures, and with internal control, as an integral aspect of management.
But, of all of these goals, the most fundamental is the alignment of risk management with the vision and mission of an entity and its strategic-planning objectives; in other words, risk managing what is at stake.
Where has this concept come from? There are a number of roads, all leading to a similar destination:
- In The John Liner Review [4], John Schaefer recognises the COSO model, but discusses the evolution of risk from its roots in insurance. He argues that recent increases in the cost of risk (primarily insurance) have raised awareness of the concept of risk management. While he acknowledges the relatively undeveloped terminology, tools and techniques, he urges risk managers to “be active in shaping the future” and brokers and insurers to be “ready to react to imminent change”;
- In the UK, the Association of Insurance and Risk Managers (AIRMIC), the Institute of Risk Management (IRM) and ALARM, the National Forum for Risk Management in the Public Sector, have collaborated in producing a risk-management standard [5]. Drawing on a wide body of risk-interested opinion formers, it recognises the rapidly developing nature of the risk-management discipline while accepting that some form of standard, with supporting terminology, is desirable. The standard recognises “risk management as a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities, with the goal of achieving sustained benefit within each activity and across the portfolio of all activities”. With its roots among those who manage insurable risk, the standard travels beyond the insurable-risk agenda, promoting risk management as “a continuous process, which runs throughout the organisation’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organisation’s activities past, present and in particular future”;
- Work coming out of Australia and New Zealand [6] originates in health and public-sector risk management, with more than a flavour of engineering process. These standards actively promote the concept that risk management is an iterative process consisting of well-defined steps that, if taken in sequence, support better decision taking by contributing greater insight into risks and their impacts. Hence: “Risk management is recognised as an integral part of good-management practice. To be most effective, risk management should become part of an organisation’s culture … integrated into the organisation’s philosophy, practices and business plans … rather than viewed as a separate programme.”
While the long-term impact on organisations of these views and standards, and of COSO implementation, remains to be seen, risk life has changed forever.
Risk managing the legal way
In this sense, risk management is a new arrival in the legal world. Of course, risk has always existed in the world of law, but we need only cast our minds back to 1986, when the American Bar Association’s Commission on Professionalism defined a ‘profession’ as a “learned art in the spirit of public service” [7]. Until the end of the 1960s, the practice of law was the domain of sole practitioners and small firms. It was not until firms began to grow dramatically that management practices more usually associated with the corporation than with the independent professional emerged.
As the fallout from the growth and globalisation of law firms settles, the profession faces the same pressures of growth and profitability as any commercial entity. As the spirit of public service has given way to commercial reality, and as some firms have grown larger, they have developed the needs of corporate entities, with relatively sophisticated structures and business and financial controls.
Driven by changes in the profession, corporation-style needs and the same cost-of-risk pressures facing most other large business entities, it’s no surprise to see law firms turning to risk-management concepts.
As with any entity, risk management in a law firm should be a continuous and developing process throughout the firm’s strategic formulation and implementation. It should methodically address all the risks surrounding a firm’s activities past, present and future, and, to be successful, must be integrated into the culture of the firm, with policy and an underpinning framework sponsored from the top.
Dimensionally, risk management should be embedded in the strategic planning and management processes, part of operational activities, and in change-related transactions (planned and unplanned) that could be material to a firm, for example, a major capital investment or merger.
While risk management should be no more than good management practice, in legal circles there is too often a focus on the buying of insurance and the handling of claims, while issues such as those presented by the profession’s own rising regulatory tide receive limited attention.
I accept that legal-business risks, as I would categorise them, are of primary importance and drive far more than the cost of a professional-indemnity programme. It is evident that, as with any professional-risk cover for any business, the price paid for the insurance cover obtained is one barometer of what the outside world thinks of a firm and its reputation. However, it was the recognition of the whole risk agenda, and its importance and positioning at DLA, that drew me to its door and to join its management team earlier this year.
One final pause for thought: I have mentioned the escalating significance to the risk manager of the rising tide of governance and regulation. It is fair to say that, whatever conclusions emerge from the Clementi report, legal life in the UK will never be quite the same again. At the core of Clementi is the desire for a more competitive, transparent and dynamic legal marketplace. The winners will be the law firms that take a mark-to-market approach to compliance rather than a regulation-driven mark-to-model approach. The laggards will be the firms that tick the boxes of the regulatory spreadsheet, playing a defensive 4-5-1 formation against regulation, while the winners will be the firms that go for an attacking 4-3-3 formation, confronting and converting the business-development opportunities that the new regulatory environment will undoubtedly present.
In other industries, the Basel II banking regulations are already separating the laggards from the leaders. This simply serves to emphasise the upside and downside nature of risk management, and the move that needs to be made away from serving only the downside.
Part one of this feature on risk management in the world of law has introduced the risk-management issues. Part two will focus on the practical aspects of designing and implementing a risk-management framework and, specifically, the non-insurance control of business-continuity management.
References
1. Aon European risk management and insurance survey 2002–2003
2. Banana Skins 2003: the CSFI’s annual survey of the risks facing banks
3. COSO: Enterprise Risk Management Framework, 2004
4. The John Liner Review, Winter 2004
5. AIRMIC, IRM and ALARM: a risk-management standard
6. Standards Australia AS/NZS 4360:1999
7. In the Spirit of Public Service: A Blueprint for the Rekindling of Lawyer Professionalism, Commission on Professionalism, American Bar Association (1986), including a quotation from Dean Roscoe Pound (1953)
Julia Graham is director of risk at DLA. She can be contacted at julia.graham@dla.com.