Various Assigned Points: Pat's Notes

Loss Prevention: Claims (claim defense), fee disgorgement, litigation costs (holds, time etc.).

Cost Savings (Operational Efficiency): One of our clients put down on paper the three FTEs they would replace, by name, after they automated new business intake/user provisioning. One client replaced one FTE based on how they were going to automate their confidentiality management.

Competitive Edge: ISO certification being sought for government business, etc.

Reputation: Above the Law: won't name names, but a large firm had a leak of associate reviews due to a search tool that hit information that was not secured. Corporate legal reads this; they will ask some questions next time around. "The biggest injunction you could face is a client leaving." One firm had an OCG that said anyone working for the bank would not work for the borrower; the bank client came in and a lawyer who had sued them in a past life was in on a project meeting.
Insurance: Private equity markets already use the big accounting firms to analyze insurance and promote risk management to leverage costs of insurance, typically a leading indicator. 3rd largest expense on law firms' books after rent and salary. Insurers have lost money like everyone else; rates are going to go up. Annual insurance reviews set premiums; underwriters want to assess their risk. Lawyers often don't articulate what has been covered: reach out and proactively have the discussion to present what you have done, and offer to document and help. Any broker will tell you that this can impact the discussions. Think like you are a business owner. Claims against firms are increasing; lawyers are perceived to have deep pockets; sue for a receivable, expect a counterclaim; the tail of claims will occur even after the recession ends. Cyber coverage is being defined: it used to be that malpractice fell under general liability, now it is carved out; waiting for similar around cyber.

SIR levels: The more confidence your insurance partners have, the higher SIR they may be comfortable in taking on. Long-term effort to build a competent risk team; start small. Claims are the single largest contributor to increases in rates. Underwriters have a vested interest in your continual improvement in risk management. Risk management budget funds often don't get used; ask your insurance partners. Look at the Korn Ferry article and Stuart Pattison's comments: not only is it the insurance claim aspect but your firm's reputation, if you can't stay competitive with peer firms????
Pat: UK legal market regulated by FSA and SRA. Rule 5 is a list of rules on how the firm operates. SRA completing audits of law firms and coming in to check how they are managing risk; Rule 5 sets out a list of rules on how the firm operates, worth a look; risk register concept later. Rule 3 around conflicts anticipated to change and will allow UK firms to be more aggressive at winning corporate work if they have a compliant "information barrier"; US firms working in the UK typically abide by US conflicts rules and are at a disadvantage. FSA looking to defend its existence and is focused more on law firms. MarketWatch is a regular update the FSA sends out and has had several public statements on law firms. Insider reports: "price sensitive", jurisdictional variance. AML is mandatory, requires the firm assign a compliance officer; you will see this title more than GC in the UK. Risk organization grew under that title and is expanding.

US legal market is self-regulated?? Are they? ABA Model Rules: states have varying interpretations on rules, advertising, ongoing training, etc.; very slow to change; concerns about self-interest. US has the title of GC mainly driven by claims against firms; the UK does not have many claims against firms. Records was a big driver: e-discovery, courts getting smarter about technology issues. Model Rule 1.10 is the most recent change, has to do with lateral mobility. Started with the Ethics 2000 commission, just got done??? Some global firms adopt ABA rules globally and are impacted by this. Says "you can take the lateral on without consent, if you put up an ethical wall and give a description of the screen, and the lateral and a partner attest to compliance." Cite judges' comments.

Common element here is that many jurisdictions are looking more closely at how firms use technology to manage risk and compliance issues: AML, Information Barriers (Rule 4), ethical walls (1.10), Canadian Bar report on conflicts, New South Wales.
You can see evidence of agencies that are not technically overseeing the legal market starting to focus on the traditionally "protected class" of law firms. The veil of protection because you are a lawyer or solicitor is gone. Similar investigations have taken place by the SEC with less publicity in the US.
Both of these are within the past 6 months and just a sampling of the changes; the fact that this peer group did not exist 3 years ago demonstrates the trend in this area. The ABA is fighting the red flag rules cited above, again a question of "self-interest" or "self-regulation"? The HITECH Act has gotten many law firms scratching their heads as to what they need to do; many of our customers are taking active steps now. It goes into effect 30 days after publication in the Federal Register. Regulations that technically don't cover lawyers, such as SOX, do define minimum standards from the SEC for lawyer behavior. The IRS requires written documentation of conflicts waivers.

Client intake management, records management, conflicts management, confidentiality management, docket management.
Pat: In 2 years, an almost 30% gain in movement towards a centralized risk function. More and more firms are naming an individual to oversee risk issues. The good news is that it gets done because someone is assigned. The bad news is that you have little support and a lack of data to get your initiatives funded with resources and tools. How many of you have a full-time GC in your firm? How many of you had a full-time GC 5 years ago? How many of you know who your insurer is? How many have a budget dedicated to risk management that is outside of your IT budget? ILTA and IT organizations have established a standard of 3-5% of revenue on IT, but Risk does not have a set budget and is challenged to get funding; many top risk organizations are developing that standard and tying it back to the insurance issues we discussed earlier.
Pat: It is tough to decipher the org charts based on titles: some handle claims, some operational issues like conflicts/records or intake, some insurance, some policy?? Externally you need to be cognizant of your insurance issues, brokers etc. and how IT can help to best position the firm. Clients drive risk initiatives: one of our early confidentiality management clients was based on a client demand due to a merger. IT is fundamental to almost all of the risk challenges a firm faces, many examples.
Two-thirds of the AmLaw 200 have a GC; org charts are growing under them (this is an org chart from a 1000-lawyer firm). In order to bridge the gaps many firms have built a coherent organization. If you are a global firm this makes sense; how can you possibly execute on this if you are a 300-lawyer firm? You can't, but you need the same sort of communication and decision-making ability. Just as there was no marketing department 10 years ago, there are few risk organizations, but they will be a standard. Your mandate is to identify the areas you can patch up now to better manage risk. And, you can't really see the details, but we've seen firms start to organize a distinct risk management organization that includes stakeholders across the firm. I expect you'll see more of this.
The buzzword in IT for the past several years is the concept of matter centricity: saving all information in a central place to make it easier for lawyers to find things. How many of you have deployed a matter-centric environment? How many of you have a search tool? How many of you have an Enterprise Confidentiality Management solution? The main driver behind this is to better organize emails and improve how information can be managed as a record. The other big buzzword in legal IT and KM circles is "enterprise search": the IT people want to provide lawyers with a Google-like search capability for the information inside the firm. So they go ahead and analyze vendors (Recommind, Autonomy/IWOV, Microsoft, Google), they install it and start testing, and find it works great to find things that otherwise were not easily searched. Recent Above the Law article about associate reviews being exposed.
CRO is common in the corporate arena, and now one global firm named a CRO last year; seems to be where it is going. Many lawyers don't want to practice but want to be engaged in a private law firm setting. Modeling the corporate space and the idea of GRC: one person can't oversee it all, you need to build this into the fabric of the firm.
Pat: Partnering with several UK and US firms to discuss the best way to leverage technology and risk investments to impact insurance and compliance initiatives. Goal is to delegate risk management to the functional areas and report back to a central team like the CRO. HR, IT, practice groups etc. all have duties to manage risk. This is a very easy way to demonstrate a "consistent, risk-based approach" that the insurers and regulators like the SRA are asking of firms. Build a culture of risk awareness. How many of you have a full list of the risks you need to manage at the firm? DR, environmental, compliance, conflicts, e-discovery,
Our organization spends significant time dealing with this issue: 25% increase over the past two years, 86% indicated they have seen an increase; curious what this audience's response is. Have you seen an increase in the number of client requests coming in? OCG, bank not borrower, etc.; lateral hires. In an Ark session last summer in New York we heard from the legal administrator at AXA Prudential: We have compliance and privacy officers. We are governed by SOX etc. I hate to use the V word, but you are a vendor. You will be treated like every other vendor. Anticipate questions: RFPs, government clients, stimulus spending, ISO certification, audits. Differentiate by demonstrating a process.
Pat: Get involved in risk peer groups and study the issues; insert how IT can assist. One example: the confidentiality working group as a part of our Global Risk Roundtable series, West Legal Education. The working group tied together the confidentiality lifecycle and determined that integrating intake and confidentiality is important. As an IT professional you can greatly assist the GC in assessing where the holes are; do this before it causes an issue and present management the data. They will not come to this on their own, but when it fails they will come to you. Many matters are confidential but not an ethical issue: Madoff, Spitzer, Madonna, whatever the reason. To apply rules you need to have the data; matter intake is the chance you have to get it. You need seasoned experts that und Insurers are more and more starting to look for firms that can demonstrate consistency in process. By applying business rules you can also automate which information gets tracked and delivered in a report. We can tell what office the matter is billed out of from the PMS; if Germany and tagged as price sensitive, then deliver this additional set of data, or use different criteria to produce the data. Assuming you actually got the lawyers to pay attention to something like this, is it the best use of a highly paid lawyer's time to be tracking and even thinking about these issues? If you free up even one hour for a lawyer the ROI is large, independent of the process and accuracy argument.
Most US firms, unless you are an ALAS firm or self-insured, have a risk management budget available. You can't buy software or implement a tool with those funds, but you certainly can pay to assess records, conflicts, confidentiality, etc. Money often goes unused and GCs don't think about how IT might leverage those funds to get your house in order; not a lot, but worth the research.
Pat: Hopefully you are never forced to get certified, but you should start planning. As client requests increase, you should understand the various certifications. You don't need to be officially certified, but you should start to put processes in place that will ease the transition down the road; it takes a long time to get there and anything you do now will prepare your firm down the road. Educate the lawyers on these; they typically don't have a clue. Norton Rose took on an initiative to get ISO certified; they compete with the Magic Circle, the top 5 UK firms. They are seeking any way possible to differentiate. One way, particularly for regulated clients or government clients, is to have a certification: ISO, BSI 31100, Lexcel. From the COO's desk they embarked on this process and are leveraging that for competitive gain. Confidentiality management was a part of this, but general information management policies and procedures are critical: how do you demonstrate compliance? Many firms are working on this to respond to client requests.
Transcript of "Ilta 2009 law firm risk management can it grow profitability - panel member dave cunningham aug 2009"
Law Firm Risk Management: Can It Grow Profitability?
Moderator: Adam Hansen, Director of Information Security, Sonnenschein Nath & Rosenthal
Panel: Pat Archbold, VP of Risk Practice, IntApp; David Cunningham, Managing Director, Baker Robbins & Company
Agenda
- Risk Defined
- Legal Risk Types
- Business Benefits
- UK vs. US Risk Environment
- Risk Roles and Organization
- Risk Management Approach
- Future of Risk Management
- Three Next Steps
- Questions and Answers
Risk Defined
- Risk is the uncertainty caused by the occurrence of an event that might affect the achievement of objectives.
- The management of a law firm's risks involves decisions that are not simply about avoiding a negative impact but also about pursuing a positive (but un-guaranteed) impact on business opportunities.
- Consequently, effective risk management not only mitigates losses but can also positively contribute to the competitive standing of a firm.
- This tension between adverse risks and desirable business opportunities makes risk management an essential element of firm governance.
Legal Risk Types (Risk Type / Example Risks / Key Roles)

IT
Example Risks: Systems: Continuity, Recovery, Security, and Access Management. Data: Confidentiality, Integrity, Ethical Walls, Retention, Data Protection, Data Transfers, Hosting of Third-Party or Client Data. Third Party Suppliers: Maintenance/Support, Contracts and Outsourcing.
Key Roles: CIO, General Counsel

Financial
Example Risks: Audit, Financial Internal Controls, Financial Transparency and Disclosure, Anti-Money Laundering, Counter-Terrorist Financing, Credit, Firm Investments, Currency, and Portfolio Risks.
Key Roles: CFO

Practice Management
Example Risks: Client Relations, Lateral, Professional Responsibilities (including malpractice, conflicts, records, and litigation support), and Professional Development Risks.
Key Roles: Practice Leaders, General Counsel, Directors of Conflicts, Records, Lit Support, Library, and KM.

Strategic / Corporate
Example Risks: Firm Governance, Risk Management Governance, Reputational, Marketing, and Market Risks.
Key Roles: Managing Partner, Marketing Director, General Counsel

Operational
Example Risks: Employment, Fraud, Damage to Assets, and Insurance Mediation Risks.
Key Roles: HR Director, COO, General Counsel

Environmental
Example Risks: Natural Disasters, Epidemics, and Resource Access Risks.
Key Roles: COO, Business Continuity Team
Business Benefits
- Loss Prevention
- Cost Savings
- Departmental Efficiencies
- Competitive Edge
  - Growth in Lateral Talent
  - Growth and Retention of Clients
  - Quality of Client Relationships
  - Alternative Fee Arrangements
- Quality of Working Environment
- Reputation
In the News… (03/10/2009)
Top five risks identified as facing law firms (order of severity):
- Bankruptcy or acquisition of significant clients
- IT security
- Pressure on fees and the need for 'instant' advice leading to claims
- Conflicts of interest
- Errors made by staff/lawyers on complex, high-value transactions

A firm's responses to application questions about risk management and loss prevention programs are often among the most important qualitative information an insurer uses to gauge the risk it may pose, according to Stuart Pattison, a vice president at Chicago-based CNA, one of the nation's largest commercial insurers.
In the News… (03/13/2009)
"In a much-touted speech on Thursday (12 March), FSA chief executive Hector Sants outlined a break with light-touch, principles-based regulation, arguing the City should be 'very frightened' of the body."

(05/21/2009) "The Financial Services Authority (FSA) has brought charges of insider trading against two lawyers – including a current partner in the London office of Dorsey & Whitney – it has emerged. The move marks a more aggressive stance from the FSA, which earlier this year secured its first successful insider trading prosecution…"
US News (3/20/2009)
The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry
"The FTC, with unusual frankness, emphasizes that no industry is exempt as a 'creditor' …….The FTC also pulls no punches when identifying potential 'creditors,' listing a wide range of industries and businesses, including physicians, lawyers, merchants"

(08/06/2009, Dept. of Health and Human Services, 45 CFR Parts 160 and 164) Examples of business associates include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information.
Who's Ultimately Responsible for Risk Management?
2007: Single Individual: 36%
2009: Single Individual: 63%
Risk Roles and Organization
- Firm Internal Roles
  - General Counsel
  - Directors of Loss Prevention, Conflicts, Records
  - Professional Responsibility Partners/Ethics Partner
  - CIO or IT Director
  - Directors of Security, Business Continuity
  - Business Departmental Directors
  - Partners / Lawyers
  - Committees
- External Roles
  - Insurance Underwriters/brokers
  - Clients
  - External Assessors
Risk Management Becomes a Department in Law Firms
Risk and IT Speak in Different Languages
IT: DR, Malware, VPN, LDAP, SharePoint, SLAs, Five-9s, P2P
Risk: Engagement Letters, Vicarious Disqualification, Rule 1.10, Advanced Waivers
Consider: Matter Centricity + Search = Exposure
Risk Management Approach
- Successful Risk Management Environment
  - Communicate and Consult
  - Establish the Context
  - Promote Self Assessment
  - Monitor and Review
Risk Management Approach
- Risk Assessment Process
- Risk Treatment Process
  - Identify Options
  - Evaluate and Select Options
  - Prepare and Implement Treatment Plans
Future: Risk Register/ERM
Register columns: # | The Risk: What can happen and how can it happen? | The Consequence of an Event Happening | Adequacy of Existing Controls | Consequence Rating | Likelihood Rating | Level of Risk | Risk Priority
Rating matrix axes: Likelihood, Consequence
Future: Client Requests
2009: Clients have asked firm for additional protections: 86%
2007: Clients have asked firm for additional protections: 61%
Intake and Insider List Management
- Workflow software to manage intake processes
- Matter designated "confidential", "firm confidential", "price sensitive"
- Tracks access, locks across systems, hides matter names

Next Steps: Integrate Risk and Technology Management
Insider List Management
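The intake slide above and Pat's note on business rules (bill-out office plus a "price sensitive" tag driving extra reporting) describe one mechanism from two angles: capture a designation at intake, then make every downstream system, including enterprise search, honour it. The Python below is an added illustration written for this transcript; it is not IntApp's product, not any panelist's code, and the matters, users, rule set, and the assumption that "firm confidential" and "price sensitive" also hide the matter name are all constructed for the example. It shows why "Matter Centricity + Search = Exposure" only holds when the lock is applied after indexing: here the access check runs before a hit is matched, so a user outside the insider list never sees that the associate-review matter exists.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Designations named on the intake slide; PUBLIC is an assumed default for
# ordinary matters that carry no designation.
PUBLIC = "public"
CONFIDENTIAL = "confidential"
FIRM_CONFIDENTIAL = "firm confidential"
PRICE_SENSITIVE = "price sensitive"
# Assumption for this example: these two designations also hide the matter name.
NAME_HIDING = {FIRM_CONFIDENTIAL, PRICE_SENSITIVE}


@dataclass
class Matter:
    number: str
    name: str
    office: str                                        # billing office, as read from the PMS
    designation: str = PUBLIC
    insiders: Set[str] = field(default_factory=set)    # users on the insider list
    walled_off: Set[str] = field(default_factory=set)  # users screened out by an ethical wall


def intake_reports(m: Matter) -> List[str]:
    """Hypothetical business rules applied at intake: which extra tracking or
    reports a matter triggers, decided purely from intake data."""
    reports = []
    if m.designation != PUBLIC:
        reports.append("access-tracking report")
    if m.designation == PRICE_SENSITIVE:
        reports.append("insider list")
        if m.office == "Germany":               # jurisdiction-specific insider reporting
            reports.append("German insider report")
    return reports


def can_access(user: str, m: Matter,
               log: Optional[List[Tuple[str, str, bool]]] = None) -> bool:
    """An ethical wall beats insider status; designated matters require insider
    status. Each decision on a designated matter is appended to `log` (access tracking)."""
    allowed = user not in m.walled_off and (m.designation == PUBLIC or user in m.insiders)
    if log is not None and m.designation != PUBLIC:
        log.append((user, m.number, allowed))
    return allowed


def display_name(user: str, m: Matter) -> str:
    """What a matter list shows this user: the real name, or a withheld label."""
    if can_access(user, m):
        return m.name
    if m.designation in NAME_HIDING:
        return f"Matter {m.number} [name withheld]"
    return m.name


def search(index: List[Matter], user: str, query: str) -> List[Tuple[str, str]]:
    """Security-trimmed search: the access check runs before matching, so a
    user outside the wall never learns a restricted matter exists."""
    q = query.lower()
    return [(m.number, m.name) for m in index if can_access(user, m) and q in m.name.lower()]


# Constructed sample matters and users (not real clients, matters or people).
MATTERS = [
    Matter("1001", "Acme Corp lease renewal", "London"),
    Matter("1002", "Associate performance reviews 2009", "Chicago",
           FIRM_CONFIDENTIAL, insiders={"hr_director"}),
    Matter("1003", "Project Falcon takeover", "Germany",
           PRICE_SENSITIVE, insiders={"partner_a", "assoc_b"}),
    # lateral_c is on the insider list but screened by a wall: the wall wins.
    Matter("1004", "Bank v. Borrower refinancing", "New York",
           CONFIDENTIAL, insiders={"partner_a", "lateral_c"}, walled_off={"lateral_c"}),
]

if __name__ == "__main__":
    for m in MATTERS:
        print(m.number, intake_reports(m))
    print(search(MATTERS, "assoc_b", "review"))      # [] : reviews stay locked
    print(search(MATTERS, "hr_director", "review"))  # the HR insider finds them
    print(display_name("assoc_b", MATTERS[1]))       # Matter 1002 [name withheld]
```

The useful check for a firm evaluating a search deployment is the first `search` call: run a query that should hit a designated matter as a user who is not on its insider list, and confirm the result set is empty rather than merely lacking document contents. The `log` list stands in for the access-tracking record an underwriter or client auditor would ask to see.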