Trouble ahead?

With rumours of a possible recession persisting, robust risk assessment should be high on the agenda of all businesses. Law firms need to ensure all their employees are aware of potential problems – and equipped with the skills to tackle them.

By Joanna Goodman

The latest Money Laundering Regulations, which came into effect on 15 December 2007, have brought risk management to top of mind for all law firms. Failure to observe the regulations can lead to criminal sanctions, and firms are compelled to educate their fee-earners about the potential risks. The profession’s keen new regulator, the Solicitors Regulatory Authority (SRA) which was established in January 2007, takes a “risk-based approach to regulation”, and on 1 July 2007 it published a new code of conduct that obliges law firms, not only to follow a comprehensive set of rules, but to demonstrate and monitor ongoing compliance. Risk-management training is an ideal way for firms to identify the risks they face – both generally and in relation to particular practice areas – and find the best ways of mitigating them.

In addition to regulatory compliance, important business drivers are also leading firms to invest in risk training. Frank Maher, a partner at solicitors Legal Risk, identifies reputational issues among the most important of these. Although the current market in professional indemnity (PI) insurance is extremely favourable to law firms, this situation is not guaranteed to continue, particularly in the light of tighter regulation and increased vigilance, and Maher warns that in future the availability of cover may be of more concern even than its cost. In recent years, firms have tended to increase their PI cover. However, there is also general acknowledgement that effective and appropriate risk-management training can achieve a lot more than the obvious objectives of increasing awareness and reducing exposure to risk. The right approach will also demonstrate to regulators, insurers and, of course, existing and potential clients, that a firm is taking these issues seriously by ensuring all their people understand the key areas of risk and their own responsibilities.

An approach based on education and training fits the trend for law firms to take a strategic approach to learning and development. Lawyers are obliged to complete 16 hours of continuing professional development (CPD) each year, so incorporating risk-management and money-laundering training into the strong learning culture that underpins the profession is generally a matter of devising and delivering a training programme that suits the firm’s structure and working practices.

The main issues

The top priorities for risk-management training include money laundering, conflict checking and compliance with the code of conduct. Systems and processes around client engagement; matter inception and management; confidentiality; internal and client communication; and business continuity, are regularly included in training programmes, which are then delivered, via a variety of channels and media, by internal risk managers and external providers. There is general agreement that it is also crucial to provide tailored training for support staff, whose roles also expose the firm to key risks.

Roles and responsibilities

A tougher regulatory environment has brought the need to allocate clear lines of responsibility. Firms are obliged to designate a money laundering reporting officer (MLRO). Research by Legal Risk found that the proportion of firms appointing specialist risk managers has increased dramatically over the past two years, in recognition of the need to develop a comprehensive risk-management strategy, covering strategic and operational risks as well as compliance. As Martin Baker, risk-management partner and MLRO at international firm Taylor Wessing LLP, observes: “As well as keeping people up to speed with the rules and regulations, it is now equally important to focus on control and audit functions – not just complying, but being seen to comply.”

David Pester, managing partner of TLT, agrees. “Risk management – including training and development – is integrated into the way we run our business and work with our clients. Because we conduct a significant proportion of our work for banks and others in the financial-services sector, which are a heavily regulated area, regular reviews and external audits underpin the services we supply. That includes the way we train and develop our people, as well as how we operate and deliver services to our clients.”

This logic forms part of the rationale for establishing a framework for risk training, which should include clear objectives and regular refresher/update sessions. The need to demonstrate compliance has led many firms to bring in external expertise to review and update their risk-management policies and procedures and deliver appropriate training.

A framework for training delivery

As this type of strategic approach involves significant investment, large firms tend to lead the way. One example is DLA Piper, which places high priority on training and development. Its dedicated risk-management group, led by chief risk officer Julia Graham, works closely with the firm’s HR and communications department to develop a strategic framework for risk management, including training, across its international offices.

The risk-management group is divided into three teams. The corporate team works with the board to develop the firm’s overall policies and practices. The regional team contributes to developing policies and implements them locally; delivering onsite training that is tailored to the local regulatory and cultural environment. A central-services team then carries out essential risk-management processes such as client identification and conflict checking.

“Everyone in the team is assigned a particular role,” explains Graham. “For example, one person is responsible for the risk-management training programme that covers all areas of risk management, from compliance to health and safety. This umbrella approach ensures consistency across all our locations and practice areas.”

Risk management training is divided into three segments each of which has a different focus and delivery method.

Structured training. Lawyers are trained in risk management as part of CPD throughout their careers, from graduate trainees; through qualification; becoming associates; potential partnership candidates; partners; and lateral hires. Training at each key stage includes a detailed, interactive three-to-four-hour training module on risk management. “We devote the majority of our time and attention to this programme,” says Graham. “The programme is owned and delivered by the risk team and tailored to the firm’s specific requirements.”

Graham emphasises that effective risk training is an ongoing commitment. “Training occurs regularly as part of the firm’s curriculum and on a regional and topic specific basis. We recently trained newly-appointed associates in Belgium and the following week trained lateral hires in London. We also constantly update the courses,” she says, adding that the content of the modules is adjusted to reflect lawyers’ different responsibilities as they move up the career ladder.

Hot-spot training. This normally takes the form of a series of workshops or road shows, in response to occurrences in the market, a change in regulation or a change in the firm’s policy on a particular issue.
Universal training. This includes the compulsory training that is necessary for compliance, but Graham emphasises that it is not confined to the code of conduct or the money laundering regulations. “It is delivered to the desktop and covers situations where there is a need to inform everyone about how the firm approaches a particular issue,” she
says, offering data protection and the use of display screen equipment as typical topics.

Face-to-face training, in particular, needs to be aligned to a firm’s structure and culture. Where DLA Piper delivers risk training by role, Taylor Wessing tailors it to specific practice areas, although additional training is provided to the money-laundering team and the-risk management committee. “We deliver risk training by practice group as part of their know-how training,” explains Baker. “As well as using real-life examples that are directly relevant to people’s day-to-day work, including partners in the training session demonstrates to the rest of the group that they take these issues seriously and encourages everyone’s buy in.” Partner-level lateral hires also receive one-to-one training on risk management and money laundering from the relevant partners. The risk-management team is currently attending practice group meetings across the firm to iron out any issues around the new money-laundering regulations. “We made a decision that the risk-management team would be available to support practice groups and this has been most effective. For example, we were able to explain to one practice group that they could adopt a quicker and simpler risk-management procedure,” he adds.

TLT combines internal peer-group training, devised and delivered by the firm’s risk and HR teams, with external training in specialist areas. Risk training is included in the training modules, which are delivered at various stages of a lawyer’s career. “It’s all about designing a programme that fits the organisation, its values, its people and its clients,” explains Pester.

Risk experts such as Maher also tailor workshops and online courses to the size and profile of the firms they advise. There is general agreement that it is crucial to take an inclusive approach to risk training and ensure its remit reaches beyond compliance. “Operational and strategic risks also represent significant threats to a firm’s reputation and position in the marketplace,” observes Mark Booth, risk manager at Manchester firm Turner Parkinson LLP. Booth has introduced compliance and risk management into the firm’s standard procedures, as well as delivering training workshops to partners, fee-earners and support staff. He draws on his experience in PI insurance to advise Turner Parkinson LLP and other mid-size firms on the key risks they face. “Most negligence claims don’t arise out of lawyers’ mistakes,” he says. “The majority are due to failures in managing processes or systems – for example a communication failure leading to key dates being missed.”

A virtual benchmark

In 2004, tighter regulations produced the need for a benchmark in terms of compliance and training. To this end, 14 of the largest law firms formed the Online Compliance Consortium (OCC) with a view to collaborating on the development of online training courses, including anti-money laundering (AML), and 16 firms joined in producing risk-management courses (see p. 46). “The OCC enables firms to share the costs and set a benchmark. “The original founders set it up for their own benefit, but they subsequently realised it was worth selling to other firms that want to emulate what the big firms were doing,” explains Maher. The courses are now used by more than 100 law firms and include fee-earner and support-staff modules and refresher courses. They feature real-life anonymous case studies and interactive multiple-choice exercises.

Although most firms offer face-to-face training, either by peer group or by practice group, this is often supported by e-learning, which is a popular way of delivering compulsory universal training. Not only does it enable time-poor lawyers to complete courses without interrupting fee-earning work; it allows them to review particular aspects of the course, which is regularly updated in line with the latest requirements. The OCC courses take about two hours and do not have to be completed in one sitting. Online training courses also give firms the ability to monitor, track, and therefore demonstrate, evidence of compliance.

Real-life case studies: this could happen to you!

Firm-wide buy-in underpins effective risk management. Although due diligence processes such as identity verification can be built into matter inception and practice management systems, risk training also needs to address the human factors. “People need to buy in to the concept of risk; otherwise as soon as they are in a hurry they will get around the system,” observes Maher. Internal and external training providers use real-life examples to grab the attention of their intelligent audiences and make sure they understand the rationale behind the process. In a recent feature for Managing Partner² Neil Woodcock, global chief operating officer at Salans, aptly described these as “war stories”. Tailoring case studies to the audience – either by responsibility or by practice area – keeps partners and associates involved. Audience participation, discussion and even role play are all part of interactive risk-management training, which is supported by e-learning modules.

Real-life examples are not just for partners and fee-earners either. The OCC risk-management course includes an example where a misplaced fax resulted in unfortunate consequences. Booth believes that addressing some key risks is a matter of raising awareness and applying common sense. He offers training in diary management to avoid missing key dates – one of the top reasons for professional-indemnity claims – and advises on measures to protect client confidentiality such as vetting temporary staff and ensuring that documents are stored securely, as well as conducting personal risk profiles on key individuals.

Influencing behaviours and adding value

There is general agreement that top-level commitment underpins firm-wide buy in to risk training and its key objective: developing a genuine risk-management culture. Pester emphasises that this must be supported by the firm’s core strategy and values. “Compliance is just one part of the jigsaw,” he says. “Demonstrating consistency and good systems through the right approach to training and development is clearly a way for firms to differentiate themselves and enhance the value they offer buyers of legal services.”

Those featured in this article emphasise the need for running regular training sessions to keep risk awareness top of mind and up to date. It is equally important that the training itself, whether it is organised in-house or via external providers, and whatever the method of delivery, is reviewed regularly to ensure it remains topical, valid and aligned with the risk profile of the firm and all its stakeholders. This entails getting and acting on feedback. At DLA Piper, structured training modules are planned 12 months in advance, and always followed by feedback questionnaires. “We keep records of how many people we train at each level and what they think of the training, and we’re always looking to improve and update,” says Graham.

At Taylor Wessing, Baker uses discussion and feedback to guide the future direction of compliance and risk training. “We encourage an exchange of views because if people have no input into the process, they may be less willing to implement it.” he says.

“It is equally important to identify which elements are essential and which can be developed beyond compliance to enhance the performance of the business,” adds Pester. “Fundamentally, integrated risk management is about embracing the benefits that can flow from compliance.” And developing a culture of risk awareness through effective training and development is surely a major benefit to any business.

References

Maher, F., Risk Management for Law Firms, Ark Group 2007;
Woodcock, N. ‘Building good behaviour’ in Managing Partner, volume 10, issue 3 July 2007 .