Practical steps to an effective risk-management strategy

Law firms may take a varied view of risk from a wide perspective, including risks to the firm’s reputation to a narrow regulatory approach to managing specific claims. Whatever the approach, all firms must now adopt some kind of risk-management strategy if they are to survive the potentially damaging claims of the current environment. Chris Andrews, a risk partner at Clifford Chance, explains his role and the practical steps firms can take to ensure they are covered against every eventuality.

In today’s business climate, no firm can afford to ignore the active management of risk. Although law firms may not feature as defendants in litigation as frequently as accounting firms, the consequences of one major claim can still be devastating – both financially and in terms of the damage caused to the firm’s reputation. The recent demise of Andersen dramatically exposed the vulnerability of professional-services firms to “reputation collapse” and clearly demonstrated how the activities of one office or practice area can affect the survival of the whole organisation. In addition, the environment in which law firms operate, even if they only have offices in one jurisdiction, is increasingly regulated. EC directives and national implementing legislation on money laundering, data protection and interception of communications, to name but a few, are sources of legislation affecting the operation of law firms in England, where non-compliance could present a real risk of censure or embarrassment.

While firms may vary in their appetite for embracing risk, the fundamental issue is to decide which risks to accept and which to avoid, and not to slide into a situation of taking on risk through apathy or ignorance.

With that as the overriding aim, the role of the risk partner can be divided neatly into a few stages as a process for considering the range of risks that are faced by a law firm and how to respond to them. The stages are:

Parameters of risk;
Identification of risks;
Classification and prioritisation of risks;
Allocation of tasks and monitoring of activity;
Culture and communication.

The rest of this article deals with each of these in turn.

Parameters of risk

The first task of any organisation and, therefore, the initial responsibility of a risk partner, should be to agree the parameters of risks to be addressed. This is a matter for each organisation to agree for itself and, ideally, should be linked into the overall strategy of the firm. Risk management is not something that happens in isolation, but actively supports and is fuelled by the firm’s vision or goals.

At Clifford Chance, we have taken a wide view as to the ambit of risk management and see it as: “The processes we have in place to identify, assess and manage the risks that threaten the financial or commercial interests, or reputation of the firm.” Firms might equally adopt a narrower approach and see risk management as limited to ensuring compliance with applicable legislation and regulation, and perhaps to managing claims when they do arise.

Identification of risks

Having agreed the scope of risk to be managed by the risk partner/team, the next important activity will be to identify the individual and types of risks within that scope that need tackling. Risk-management literature has suggested various different classifications of risk (for instance operational risk, enterprise risk, credit risk).

Fundamentally, regardless of the nomenclature, the classification must be relevant to the underlying nature of the business. It may not be a quick process to consider and identify the risks inherent in a law firm, but the value of such an exercise should not be underestimated. The analysis will direct partners or key decision makers to areas of exposure, and serve as a tool to ensure active management of all identified threats to the firm. That is, of course, provided that the analysis document is not treated as the end of the process and consigned to a filing cabinet, in which case the benefit of the process is likely to have been wasted.

The following headings should act as prompts for law firms considering broad classes of risk:

Strategic risk: merger/lateral-hire compatibility, media risks, brand risks, partner defections, internationalisation;
Information/IT-systems risk: virus threats, protection of IP rights, compliance with IP obligations, internet-related risks;
Financial risks: the process for fee estimates – management of work in progress, adequacy of accounting systems, adequacy of insurance cover, fraud risk;
HR risks: discrimination/harassment policies, career-management issues, succession planning, training and education, health and safety issues, travel risk;
Quality risk: ignorance of relevant professional standards, non-conformity with standards, rogue lawyers;
Engagement risk: client-care letters, client and third-party litigation, claims management, confidentiality, limitation of liability;
Regulatory risk: money-laundering risk, conflicts/independence, data-protection compliance;
Infrastructure risk: physical security, business-continuity planning.

This list is clearly not exhaustive and, as indicated above, depending on the size of an organisation and the nature of its operations, some groupings may be more relevant than others. Whatever the form, however, the substance should be to capture the risks that the organisation chooses to manage.

Classification and prioritisation

Once an organisation has completed a process of risk identification, it is likely that there will be a daunting list of risk issues that are, or should be, addressed

by the organisation. The next stage of the process will be to agree prioritisation for risk-management activity having classified the risks in a manner that the organisation considers appropriate. One accepted model for risk classification is an assessment of the risks by reference first to the likelihood of occurrence, and second to the consequences or impact if the event does occur. The matrix in figure one is an example of what the resulting pattern of risk classification might look like when assessed by these two criteria.

This process will require discussion between those who have an interest in the issues. The outcome within each law firm is quite likely to be different, reflecting the risk appetite and state of progress of the firm. At the end of such a process, however, prioritisation of activity can be directed towards those risks appearing at the top right of the matrix (that is, a high likelihood of occurrence and serious consequences in the event of them occurring), and heading diagonally towards the bottom left (where both the likelihood and the consequences have been assessed as low). There is likely to be some internal debate as to whether a serious risk, which is felt unlikely to occur, should receive priority above a less serious risk that is more likely to occur, but such debate is valuable and should result in the recognition of risks that may previously have been ignored.

Allocation of tasks and monitoring of activity

The final part of the process for a risk partner is almost certainly the identification of individuals to take on the active responsibility for implementation of appropriate risk-management processes, and the ongoing monitoring of that activity. Clearly, the extent to which there is scope for dedicated resource will depend on the size of the organisation and the degree of specialisation. Many risks should already be addressed by existing functions within the firm, for example, a number of finance and HR risks may well be on the radar screen of the heads of the respective functions, and already be receiving appropriate attention; the risk partner will need to do little more than monitor the progress of that existing activity. However, others may not previously have been the subject of separate consideration and will have to be allocated to a new home.

In common with the management of any project, setting clear objectives (that is, what “success” will look like), a timetable for achieving them and having a regular reporting mechanism are key to the success of individual initiatives. This micro level of project management has to be balanced by a broader overview to ensure that macro issues are also considered, which could well influence the outcome of individual initiatives.

Culture and communication

For many law firms, a component underlying much of the desired risk-management activity will be to introduce or improve the culture of risk awareness and the acceptance by staff of the importance of considering risk and acting responsibly. For such a change programme, in addition to the infrastructure that may be necessary, visible support both from executive management and from the partner group in general is crucial. Leadership by example is key. Any change programme takes time to achieve its objectives, but success can be fatally undermined if messages become confused or are not supported by the action of those in a position of influence.

Although many of the behavioural changes may be seen as an administrative nuisance and a diversion from fee-earning activity, by tying them in to the firm’s own goals and making it a virtue to demonstrate the characteristics, it should, over time, be possible to effect the desired end result of creating a risk-aware culture. Some professional-services organisations have gone so far as to include risk awareness and activity on the list of desired characteristics that are reviewed in staff (and partner) appraisals.

The communication process that accompanies any activity can provide a useful opportunity to reinforce key messages – for instance, using “war stories” to explain the risks of inactivity, or the benefits of positive action. These can be from public-domain examples or from the firm’s own experience. For example, highlighting that a prospective client, who was turned down for financial uncertainty, subsequently became insolvent leaving creditors with little prospect of payment, can convey a positive message about the importance of client acceptance.

In summary, to succeed in developing and implementing an effective risk-management programme, there has to be the collective will to make the necessary changes, supported by the partner group. The plan should also follow an extensive review of the actual and potential risks that threaten the organisation. The managing partner, if also taking on the role of risk partner, has a variety of tools available to aid such a process, but visible leadership and drive will be equally important to success.

Chris Andrews is a risk partner at Clifford Chance. He can be contacted at: chris.andrews@cliffordchance.com.