Feature

posted 26 Apr 2005 in Volume 7 Issue 10

Risking it all? Preparing for all eventualities in a changing world

Protecting your firm from physical and/or reputational damage may seem obvious, but firms can still be knocked sideways or even under by a big claim or unforeseen disaster. And signs suggest that many firms are still not doing enough to shield themselves from even the day-to-day risks. Fraser Ashman, partnership secretary at CMS Cameron McKenna, uses his career experience in risk to explain why firms should be bothered enough to change their ways.

The legal-services sector in the UK is worth £9.1bn a year. This is big business. An intelligent understanding of the risks faced by law firms, and a coherent plan for dealing with them, is central to the sustained performance of firms and of the sector as a whole.

Five years ago, Google returned fewer than 200,000 results following a search for law-firm risk management. When I last looked, it was over four million. I am not sure if that proves anything, but it is some measure of a huge leap in risk-management activity and interest.

My career, prior to CMS Cameron McKenna, was first in the asbestos industry and then, for more than 20 years, in nuclear-facilities design and construction. For the past three years, I have been the firm’s MLRO. You will therefore understand that risk and its management has been a large part of my working life – although I would regard myself as something of a poacher turned gamekeeper.

I have to confess, though, that when I first became involved in construction management, I used to resent what I regarded as the interference of the quality-assurance (QA) department in my projects.

Two things changed my mind. First was the calm, rational persistence of the QA manager who showed me that, far from interfering, the QA process enabled the collective experience (good and bad) of the company to be harnessed, helping me and others to do things better, and with a greater assurance of meeting deadlines, pleasing the client and safeguarding profit, which, in the engineering-construction business, could be very thin. Second was the fact that I had no choice. The company worked to ISO requirements and was obliged to operate to prescribed quality standards and to carry out quality audits.

These two elements – a real purpose and compulsion – are essential to the success of a risk-management programme in any organisation and must become embedded as an integral part of the way in which law firms work.

Risk management can be seen as simply applied common sense, which, at one level, it undoubtedly is. But there are still those in all firms who think that it is a nuisance and just another overhead. If we all act sensibly, so the idea goes, we will be okay. That is just about possible, but we wouldn’t get the best of hearings from our professional-indemnity insurers at renewal time if that was as far as our risk management went.

To work properly, a risk-management programme must cover just about everything an organisation may do. Risk assessment should be applied to every aspect of business, not just on a day-to-day level, but also in terms of strategic thinking.

To give a simple example, there is little point in detailed management of specific operational risks if a firm makes fundamentally flawed decisions about the businesses it is in. For instance, if all we have is commodity work, we are going to have to compete, essentially, on price alone. That probably means, to have anything like an acceptable level of profit, we have to recruit ever-cheaper staff, reduce supervision and/or increase throughput; we pedal faster to stay where we are and increase our risk. A risk-based approach to strategic planning will tell us (if nothing else does) that we need to develop our practice in other ways.

Why bother?

Properly considered and organised, risk management carries a significant cost, which needs to be justified by the resultant benefits. It is, therefore, worth looking at why we bother to do it before moving on to preparing a plan and making it work.

There are two basic reasons. The first is to safeguard our organisations from damage. Primary damage arises as a direct consequence of the risk event – the building burning down, the civil claim, the regulatory fine, and so on. The secondary damage is reputational, which, for law firms, is every bit as concerning as the primary risk. In fact, it is probably of greater potential harm because its management is largely taken out of our hands. Being at the mercy of others is not a comfortable position.

Although it was more than a couple of years ago, the Andersen affair remains a stark reminder of how things can spiral out of control, even in an organisation that was regarded by many as an exemplar of process.

Andersen collapsed following revelations about its role in the failure of Enron. The essentially local actions of a small number of individuals, and the shredding of documents, undermined the integrity of the audit practice of the whole global organisation. As chance would have it, this happened at a time that coincided with the audit renewal season. Too many clients feared that these specific wrongful actions were a characteristic of the whole firm and took the only action for which they could not be criticised – they changed auditors and a chain reaction followed. The worst can happen.

I worked for a managing director who had a wealth of aphorisms, one of which was: “Nobody is entirely useless – you can always serve as a bad example.” It may be amusing, but only when it applies to someone else.

Another, and rather more subtle reason for bothering, is that an organised and structured approach to risk management helps us to deliver services to our clients in a more effective way. A law firm’s practice-risk-management manual should be fundamentally about client care: being aware, organised and professional, and getting things right first time.

It is also important to understand that clients come in two forms – the external client who pays the bills and the internal client who, for people like me who do not earn fees for the firm, has the right to expect the same high level of service demanded by external clients. Risk management in a law firm is not just about partners and fee earners.

If we get things wrong:

  • We expose ourselves to an increased risk of claims by disgruntled clients or third parties – or action by regulatory authorities;
  • We face an increased cost of PI insurance or, in an extreme case, the inability to obtain insurance at all – which equals going out of business. At the moment, it may seem unthinkable that this should happen to a law firm, but some actuaries have struggled to maintain cover in recent years;
  • We incur the internal cost and emotion of dealing with claims and the diversion of valuable time away from the primary business aims of the organisation;
  • We risk serious reputational effects – not just from claims, but from the risk of involvement in money laundering (noting that a couple of solicitors have gone to prison in the past year or so), failing to avoid problems in relation to market abuse, and so on. The list, if not endless, is very long and will grow as we identify new areas of concern, and legislation and decided cases add to or change our perceptions;
  • Last, but by no means least, we lose the client in question – and that client could be the mainstay of the firm or of an important practice area.

Risk defined

It’s perhaps worth defining risk before moving on to how it can be managed. A definition that appeals to me is provided by the Basel Committee: “The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, and from external events.”

As noted earlier, the management of risk can be thought of as applied common sense – although we shouldn’t take that too far.

As individuals, we are all aware that we shouldn’t walk in front of a bus or put our hands in the fire. As we grow and become more experienced in the ways of the world we begin to recognise and understand risks that may be less easy to spot. Even so, we are still prone to repeating mistakes.

But organisations cannot learn in the same way. Identifying experience and keeping it in an accessible and usable form cannot rely on memory and intuition. If we as individuals are capable of forgetting difficult lessons, then how much easier is it for organisations to do so? If we add to that the fact that law firms of any size spend a lot of time trying to overcome the silo mentality that can develop between areas of practice, then we know that this learning is not going to happen just by chance.

Failure to effectively absorb within the organisation the lessons of experience can have unforeseen consequences some time after the original event.

It is also a fact that organisations routinely encounter sets of circumstances of a more complex magnitude than those faced by individuals. They must, therefore, avoid making the same mistakes, by recording and making available to their people the fruits of individual and collective experience to create a shared and consistent understanding among what may be a large number of people, perhaps in various parts of the world and with different native languages and cultural backgrounds.

This is quite a feat and it can only be achieved by using a structured and disciplined approach involving:

  • Definition;
  • Analysis;
  • Codification;
  • Measurement;
  • Training;
  • Compliance monitoring.

These are the essential elements of risk management.

Developing your risk-management plan

Effective risk management begins with understanding what it is your organisation does, in detail. And I emphasise ‘your’ because, while there will be features common to all organisations, we are all, in truth, sufficiently different from each other to make a one-size-fits-all approach inappropriate and even dangerous.

Let’s now turn to how to go about identifying your risks. There are essentially two choices: do it yourself or get outside help. I am normally a pretty strong advocate of self-help, but there can be benefits in seeking some degree of consultancy advice. Provided you choose someone with skills and experience relevant to this sector, you can avoid reinventing the wheel and will have help in focusing on the key issues. You may consequently end up with a slicker and more cost-effective solution.

But this is your business and your plan. You must own and drive its development and success.

However you decide to go about it, your first step will be to decide your categories of risk. You can be specific – for example, having categories such as money laundering, fraud, market abuse, etc., or more generic with categories such as financial, economic, political, etc. It’s up to you, but you must be as comprehensive as possible. There is plenty of helpful literature around and if you choose to seek external help, you will be offered basic frameworks.

Having decided on the categories, you then need to create a list of the risks in each of them. The most common approach remains brainstorming and a benefit of this is that it gives you the chance to involve all the key people and will help give them a feeling of ownership.

We inhabit a literate world in law firms and there should be no difficulty in achieving elegant descriptions of your assessed risks. This is important because you need to understand the nature of the risk so you can be confident that your chosen countermeasures are appropriate.

But you also need to know how big each risk is so that you can create a ranking order that enables you to tackle the most significant first.

To do this you need to create a risk matrix or risk grid, which is simply a table (see figure one).

This enables you to look clearly and separately at the two key factors of probability: the likelihood and consequence of each risk arising. It is usual to ascribe numbers to each of these elements. One for low, two for medium and three for high is the most common scale. It is possible to use a five-point scale, but I don’t think that does any more than create a false impression of precision.

You will see that an event of high probability and high consequence will have a score of nine, whereas low probability and low consequence will score one, and so on. In broad terms, this gives you the size of your risks and helps you focus on the most serious first.

Next, you must agree your mitigating actions, for instance, stopping the activity, insuring, improving management control, etc.

Finally, you need to decide who is to be responsible and accountable for the management of the risks identified. The rule is that responsibility for the management of a risk should be placed at the lowest effective level. That is not to say that there should be no senior-management oversight but a risk manager (by whatever name) can only ever act effectively as provider of the systems for risk analysis, and as a facilitator and co-ordinator, making sure that there are neither gaps nor unnecessary overlaps and that there is an acceptable level of compliance. What he or she must not do is blur the responsibilities for the actual management of risks.

How do we make it work?

It’s great to have done all these good things: the thinking and analysis; scoring of the probability of an event occurring and assessment of its potential consequences; mapping out the steps to be taken to remove or minimise the risk; and producing the manual.

The finished risk-management document is the product of fine minds and superhuman effort to get contributions from the most awkward parts of the organisation. You rightly feel proud, but the question should be, what happens next? Well, I have to tell you that unless you do a whole lot more, the answer will almost certainly be nothing.

Like it or not, some people will find some or all risk-management requirements annoying or excessive. Others may say nothing – and do just as little. It is essential that the senior people in your firm are, and are seen to be, behind it. That is as close as you can get to a guarantee of success, and it will be a powerful aid in selling it to others.

But risk management, to be effective, must – and forgive the cliché – be the responsibility of everyone. The best lawyers will not be able to do much with a document that can’t be received because the IT system is down for the third time in a week. The most eloquent of drafting can be reduced to rubbish if the typing, spelling and punctuation are not checked. These are the things we are concerned about, as well as higher-level risks.

Soon, most firms will have some form of risk-management plan in place. The differentiator will then be how well firms comply.

How do you get everyone to take responsibility?

There are four elements:

  1. Communication. I don’t just mean sending a copy of the risk manual round with a dictatorial memo from the senior partner. I mean communication that is designed to create ownership and head off any ideas that risk management is just another thing imposed by an uncaring and remote bunch of bureaucrats called management;
  2. Relevance. If you have a chunky manual covering everything from conflicts to limitation of liability, there will be little that is relevant to people who are not fee earners. It may be worth compiling a separate version that deals with the issues faced by support staff;
  3. Training. Choose the medium that suits you best, but ensure that it includes a feedback mechanism upon which you will act;
  4. Geography. If you have a single office, the task is much easier. If you have other branches or offices – and it doesn’t matter that much if they are 100 or 1,000 miles away – you have to make a specific effort to ensure that what you require of those offices is relevant and communicated to them.

Where the other office is in this country, the task is relatively simple but the leader of the risk-management team should at least visit, explain what is required and why, and carry out training and awareness raising. All updates and modifications to the plan must be provided to other offices at the same time as to your head office. After all, nobody wants to think themselves an afterthought.

If your other offices are in different jurisdictions, the same principles apply, but you must also have taken steps to make sure that the version of the plan for that office is tailored to local conditions. The people there must have the feeling that they have been thought about properly if you are to get buy-in and willing compliance.

Driving the message home is vital. There needs to be a continuous reminder that ‘this is the way we do things around here’. Get the best people on your side. Create peer pressure and keep at it.

Compliance

Be demanding in terms of compliance. You may be able to trust everybody, but you must still check and review. This can take many forms. My own preference is peer review. In CMS Cameron McKenna it is used as an integral part of training and learning. We are working department by department towards a system in which all fee earners review another’s file and have one of their files reviewed, using a checklist that takes them through all the elements of the risk manual.

Files are selected at random. We don’t use the results to name and shame (although a substantial misdemeanour would attract appropriate attention), but rather gather data to see what areas of compliance cause the most difficulty and tailor our training accordingly. We also provide feedback, again on a no-names basis, to the relevant department following the completion of the review.

There is a tendency to regard things that go well as a given – it’s what we expect of our people, and to a degree, this is reasonable. It is, however, negative to only publish lessons from failure. Try to highlight successes that exemplify good practice.

Also remember that risk management is based on defence in depth. It is aimed at a wide variety of possible sources of risk and needs more than one dimension: you need a manual; think about LLP conversion if you haven’t so far; and use terms and conditions of business with your retainer letters. Train your people well and let them know that you have high expectations of them.

Keep your documentation up to date

Few things undermine the credibility of a risk-management plan as much as omitting recent developments or leaving in long-superseded information.

A health warning

Law firms are in business to make money by providing excellent services to clients.

Risk management is intended to support this aim. It is not an end in itself and a balance must be maintained between risk and reward.

The result of risk management must not frighten us or kill the entrepreneurialism that has made English law and law firms such a powerful force in the world.

Fraser Ashman is partnership secretary at CMS Cameron McKenna. He can be contacted at fra@cmck.com

Copyright ©1994-2008 Ark Group Ltd All rights reserved. No part of this site or the publications described herein
may be reproduced in any form without the permission of Ark Conferences Ltd, Registered in England, No. 2931372.