Risk management for law firms chapter 1 ark 2009 by dave cunningham
Chapter 1: An overview of law firm risk management

By David B. Cunningham

Introduction

Risk is the uncertainty caused by the occurrence of an event that might affect the achievement of objectives. The management of a law firm's risks involves decisions that are not simply about avoiding a negative impact, but also about pursuing a positive (but un-guaranteed) impact on business opportunities. Consequently, effective risk management not only mitigates losses, but can also positively contribute to the competitive standing of a firm. This tension between adverse risks and desirable business opportunities makes risk management an essential element of firm governance.

For most firms, the management of risk is an evolving discipline whose elements are at varying levels of maturity. The primary areas of risk relevant to a law firm are:

- Information technology (IT) risks;
- Financial risks;
- Practice management risks;
- Operational risks;
- Strategic risks; and
- Environmental risks.

While departmental and practice leaders have appreciation for risks in their own areas of responsibility, the view of a firm's full portfolio of risks is often fragmented. This chapter focuses on a holistic approach to managing risks, while subsequent chapters provide deeper examinations of particular areas of risk.

Benefits of effective risk management

Studies show that investors will pay a premium for public companies that are well governed. Despite its private ownership, the reasoning is no different for a law firm. Premiums come not only in the form of financial rewards, but also in attracting and retaining clients and high caliber talent.

Risk management as an element of good governance is still relatively new in law firms. Jim Jones, managing director of Hildebrandt and chairman of Hildebrandt Institute, notes that, "Ten years ago there were very few general counsels. Now, the overwhelming majority of AmLaw 200 firms have general counsels, and most of the AmLaw 100 roles are full time. And, their plates are very full."[1] In large, progressive law firms, other risk-specialist roles have appeared with responsibilities for loss prevention, security, and business continuity. In most firms, however, risk responsibilities have simply been added to the plates of existing leadership roles. These investments in directed effort reflect a growing acknowledgment of the business implications of risk management.

The benefits of effective risk management include fewer surprises, improved planning, improved information for decisions, enhanced reputation, protection for lawyers, and personal well-being. Specific benefits for firms can include the following.

Loss prevention

Loss prevention is the traditional focus of law firm risk management, notably mitigating
legal incidents, preventing malpractice claims, and ensuring the security of IT systems. This focus on avoidance of claims will continue to grow in importance, as evidenced by the American Bar Association's (ABA) Profile of Legal Malpractice Claims: 2004-2007,[2] which demonstrates that the largest claims are growing in both frequency and in dollar amount. These trends are expected to continue, as reflected by one law firm chief information officer (CIO) who observed that lawyers often overlook risk procedures in their scramble for work.

Cost savings

Beyond mitigating potential losses, effective risk management can also lower costs, in terms of professional liability insurance premiums, costs of and access to capital, and time commitments from committee members and risk staff. As Stuart Pattison, vice president of insurer CNA Global notes, "Many firms have high deductibles on their professional liability policies so reducing the number and size of claims has a direct effect on their bottom line."[3]

Departmental efficiencies

Proactively addressing risk areas can improve operational efficiency in business areas such as IT. Baker Robbins & Company's studies indicate that well-run IT departments not only address risks well but also maintain lower-than-median levels of staffing. Best of all, these well-run departments spend thousands of dollars less per lawyer per year than many of their less well-run peers.

Competitive edge

Perhaps the risk management holy grail is to address risk situations so well as to have a direct impact on the firm's competitive advantage. The downshift of the economy has fostered just such opportunities:

- Growth in lateral talent – Ability to attract and retain high-caliber talent; ability to clear conflicts appropriately and expeditiously (see later chapters for more detail); proper handling of new lawyer electronic materials; and reducing liability for matters brought to the firm by laterals.
- Growth and retention of clients – A minority, although a growing number, of corporate legal departments now request information on firm risk procedures. In a few recent situations, corporations have sent their own risk auditors to verify (not just ask about) the quality of law firm procedures. Increased corporate regulatory pressure, along with greater involvement from corporate purchasing departments, will continue to grow the opportunities for law firms who pay attention to the trend.
- Quality of client relationships – According to the Association of Corporate Counsel's Value Challenge,[4] legal departments have made it clear that firm matter management and communications are often below their expectations. These basic control elements, including budget reconciliations and status communications, are simple to implement and reap legal department loyalty.
- Alternative fee arrangements – Some legal departments are pressuring law firms to participate in the risks and successes of matters, spurring success-based fee arrangements. Indications show that firms that address their budgeting, staffing, and scope management processes will win more work, thus turning risk management into premium fees.

Quality of working environment

Higher-quality and more timely decision making, faster ability to respond to and
recover from crises, fewer conflicts, and lower stress levels contribute to an improved community and more engaged workforce.

Reputation

As John Shutkin, general counsel of Clifton Gunderson LLP (formerly general counsel of Shearman & Sterling), notes, "By far, the greatest risk to a professional services firm is to its reputation; that is its ultimate asset."[5]

Areas of risk in law firms

A common categorization of risk types helps in the understanding of risk. Agreement on definitions, scope, and categorization of risks enables a firm to take a portfolio view of its situation. The corporate risk management community has provided numerous risk models to categorize risks, although none are universally agreed upon across industries. Based on input from law firms, the risk categorization in Table 1 is adapted for a legal environment.

| Risk type | Example risks | Key roles |
|---|---|---|
| IT | Systems: Continuity, recovery, security, and access management; Data: Confidentiality, integrity, ethical walls, retention, data protection, data transfers, hosting of third-party or client data; Third-party suppliers: Maintenance/support, contracts and outsourcing | CIO, general counsel |
| Financial | Audit, financial internal controls, financial transparency and disclosure, anti-money laundering, counter-terrorist financing, credit, firm investments, currency, and portfolio risks | Chief financial officer (CFO) |
| Practice management | Client relations, laterals, professional responsibilities (including malpractice, conflicts, records, and litigation support), and professional development risks | Practice leaders, general counsel, directors of conflicts, records, litigation support, library, and knowledge management |
| Strategic/corporate | Firm governance, risk management governance, reputational, marketing, and market risks | Managing partner, marketing director, general counsel |
| Operational | Employment, recruiting, fraud, damage to assets, and insurance mediation risks | Human resources (HR) director, COO, general counsel |
| Environmental | Natural disasters, epidemics, and resource access risks | COO, business continuity team |

Table 1: Types of law firm risks

These risk areas can be directly mapped to leadership roles across the firm, along with broad responsibilities of a chief operating officer (COO) and general counsel. A general counsel (or designated risk partner) can be expected to be involved in any area when relevant issues and exceptions arise. These roles are further outlined below.

The firm's exposure to these risks and the maturity in understanding them will vary not only by risk area, but also by office, department, practice area, and cultural boundaries.

Roles in risk management

As firms address the expanding breadth of issues and the coordination necessary across risk areas, roles and responsibilities are evolving. Table 2 outlines traditional responsibilities and the changes occurring in these roles.

| Role | Traditional risk responsibilities | Newer and emerging responsibilities |
|---|---|---|
| General counsel (GC) | This role now exists in the majority of AmLaw 200 firms. Risk partners and risk committees fill this role where the GC role does not exist. | Increasingly assuming a leading role in aggregating firm-wide risks and taking a proactive stance in identifying, treating, and monitoring risk areas. Close working relations with risk directors and CIO. |
| Risk directors (conflicts, records) | Clerical set-up roles for attorney decision making. | Significant administrative departments, with dotted-line responsibility to the general counsel. Working as part of a team to decide conflicts rather than simply process the information. |
| CIO or IT director | Technology uptime, disaster recovery, security, and IT contracts. | Traditional responsibilities, along with significant data management risks, including data transfer agreements, ethical walls, data protection, and legal holds. Increasingly risks and professional development in relation to knowledge management, e-discovery, conflicts, e-records management, new business intake, and search. In progressive firms, significant role alongside general counsel for enterprise risk management. |
| Director of security | Not traditionally present in law firms. | A limited number of these roles now exist in US law firms, many with a portfolio view, including IT, facilities, policies, human resources, and data management. |
| Chief risk officer (CRO) | Not traditionally present in law firms. | Although one of the fastest growing titles in corporate America, DLA Piper is the only law firm known to have a CRO on staff. |
| Business continuity planner (BCP) | Generally associated with the IT department, with a primary focus on IT continuity and recovery. | Often addressed via a virtual committee, BCP maintains its traditional elements while also contending with risks (such as H1N1, also known as swine flu) that may force the firm to continue operations for extended periods without physical proximity to other firm members. Only the largest firms have a dedicated BCP role. These roles are evolving from an IT focus to a firm-wide business focus. |
| Departmental directors | Risk management roles have been specific to each departmental scope, notably finance and HR risks. | Part of a firm-wide risk team, addressing cross-departmental risk issues including laterals, business continuity, and data confidentiality. |
| Insurance underwriters | Vary in the depth of assessments. | Some are taking a more active role in encouraging firms to undertake risk assessments and, in limited cases, providing a fund for doing so. |
| Clients | Traditionally passive on a firm's risk processes. | Increasingly active in asking questions about risk procedures. In very limited cases, taking an active role in auditing their biggest law firms. |
| Partners/lawyers | Active conflicts decisions, participant in paper-based records process, and minimal matter budgeting. | Conflicts decisions becoming more centralized, while records management has decentralized to the lawyers via e-mail. Matter scoping and cost controls becoming more prevalent. Some practices employing business managers. |

Table 2: Law firm risk roles

A successful risk management environment

Unlike disciplines such as IT and human resources, law firm risk management rarely has its own department and departmental leadership. The general counsel or risk partner, as the focal point of legal risks, and the CIO might take the primary roles in leading a virtual team of firm risk stakeholders. When structured progressively, this team will take an "enterprise" perspective of risk. Building a successful risk management environment provides a foundation for the subsequent assessment and treatment of risks.

Communicate and consult

Communications are a critical element of any successful risk management program. In a professional services environment, stakeholders include not only the firm managers but also the lawyers, secretaries, and departmental staff closest to the business transactions of the firm. An early responsibility in establishing a risk management program is to identify these stakeholders as they will be affected by risk incidents, will serve as eyes for identifying
risks, and may be constrained by risk mitigation measures or controls.

Communications and consultations aim to make risk management explicit, demonstrate how it adds value to the organization, and build trust that the multiple perspectives of the firm stakeholders are being considered. To accomplish these aims, proactive communications become a leading role for those in active risk management roles including policy advocacy and lawyer and staff education.

Establish the context

In establishing the risk management context, the firm needs to define the scope of its risks and the parameters in which to address them. It is impractical to undertake a full-firm assessment of all risks in a single gulp. By triaging the scope of the effort, a firm can select not only particular areas of risk, but particular geographic regions, groups of stakeholders, or business departments.

For example, a recent study of UK law firms by Marsh identified the top five risks facing law firms in order of severity as:[6]

- The bankruptcy or acquisition of significant clients;
- IT security;
- Pressure on fees and the need for "instant" advice leading to claims;
- Conflicts of interest; and
- Errors made by staff/lawyers on complex, high-value transactions.

Based on client pressure, some law firms have prioritized the achievement of ISO 9001 or 27001 certification to address the risks and quality of their data management across the organization.

Promote self-assessment

To triage limited resources, a firm should embrace the discipline of risk self-assessment and delegate the workload to those closest to the risks. Risk self-assessment drives the responsibility and accountability of risk management to individual business process owners and lawyers and reinforces their responsibility and accountability for the risk areas they "own." An effective risk management program promotes "diligent action" over increasing levels of assessment and establishes a report mechanism from process owners and lawyers upward in the firm.

Monitor and review

Ongoing review is necessary to ensure the firm's analysis remains relevant and its treatments are meeting expectations successfully. The firm should react to lessons learned and feedback from those who live with the risk measures on a daily basis.

Firms face a reality that upfront investments in risk assessment and treatment require continuing investments in education and compliance monitoring. To contain these ongoing efforts, considerations during risk treatment should include the degree to which compliance is automatically assessed or gated (where one cannot proceed until a quality condition is met) by the technology in place to support a risk process. Later chapters consider the role of technology and automation in greater detail.

Risk assessment process

Guidance on the management of risk is available related to sources such as the International Organization for Standardization (ISO) and Sarbanes-Oxley, although no standard is directly focused on the unique situations of professional service firms. While seemingly an obscure source, it is beneficial to look to the Australia/New Zealand AS/NZS 4360 standard for guidance;[7] it is acclaimed as the gold standard for a practical, easy to use, risk-focused methodology. It is described more fully in the following pages. (An opposing control-based methodology seeks to identify missing or ineffective controls but can create a focus on an increasing level of controls rather than a focus on the business risks they were designed to mitigate.)

Risk-based approaches can be described as those producing significant amounts of information about risk events and their type, frequency, level, impact, and root cause. With the capture of proper risk information, a risk-based approach provides management with a perspective of the significance and likelihood of risk events and enables management to prioritize the materiality of mitigating controls.

The AS/NZS 4360 standard establishes three core aspects of the risk assessment process, as shown in Figure 1.

Figure 1: The risk assessment process (Identify risk, Analyze risk, Evaluate risk)

Identify risks

The objective of risk identification is to create a comprehensive list of the sources of risks and events that might affect the achievement of business objectives. Associated with each risk should be a source of risk, an incident, a consequence, a cause, existing controls, when the risk could occur, and where it could occur.

The approach to developing a comprehensive list can be any one or a combination of:

- Existing materials, such as strategic plans, audit reports, industry checklists, expert judgment, and personal experience;
- Team-based brainstorming or facilitated workshops; and
- Structured flow charting or system analysis.

The people involved must have detailed experience in the particular business discipline while also being able to step back and think creatively. An intrinsic aspect of identifying risks is to have an understanding of the firm's assets at risk and their corresponding value to the organization (stated financially or subjectively on a scale). If such an inventory does not exist, it should be created as a predecessor to the risk assessment.

| The risk: What can happen and how can it happen? | The consequence of an event happening: Consequence | The consequence of an event happening: Likelihood | Adequacy of existing controls | Consequence rating | Likelihood rating | Level of risk | Risk priority |
|---|---|---|---|---|---|---|---|
| | | | | | | | |

Table 3: Example risk register

Analyze risks

Risk analysis creates an understanding of the level and nature of risks, and the consequent priorities in addressing them. While risks can be evaluated using either a quantitative or a qualitative approach, quantitative assessments are atypical in law firms and should not be assumed to be superior. Qualitative assessments use scoring methods and the experience of staff and consultants
to arrive at a risk score. Although termed a qualitative approach, this method typically involves assigning a numerical value or relative ratings of the consequences and likelihood of risks.

Once the risk assessments are scored using a table formally termed a risk register (see Table 3), they should be sorted from highest to lowest. This allows organizations to address the highest risks first. This sorting is more practically done by area of risk and by business department, although the general counsel and peers should review the list from a firm-wide perspective.

Risk analysis can be conducted as part of a broad review, but also at the initiation of a new project or annual planning exercise.

Evaluate risks

The purpose of the risk evaluation is to make decisions, based on the outcomes of the risk analysis, about which risks need treatment and the priorities of these treatments. Risks are prioritized relative to the complete set and take into account known priorities and the supporting business requirements. A common approach is to divide risks into three categories: intolerable risks (no matter the potential opportunities, risk measures are necessary), grey-area risks (costs of risk measures and benefits of opportunities must be weighed), and negligible risks (no risk measures are necessary).

Risk treatment process

The objective of risk treatment is to change a risk to a level where the benefit outweighs the total cost of treatment, taking into account that costs and benefits have both monetary and intangible aspects.

Identify options

Identification of options begins by considering the existing guidelines for addressing a risk, if any exist. Law firms can refer to a wide variety of sources such as the ABA Model Rules of Professional Conduct,[8] the IT Infrastructure Library (ITIL),[9] and libraries of assessment materials from their professional liability insurers.

Since risks can have either negative or positive outcomes (which are not mutually exclusive), treatment considerations vary – see Table 4.

| Risks with positive outcomes (opportunities) | Risks with negative outcomes |
|---|---|
| Actively seek the risk | Actively avoid the risk |
| Change the likelihood | Change the likelihood |
| Change the consequences | Change the consequences |
| Share the opportunity | Share the risk |

Table 4: Responding to positive and negative risk outcomes

A comprehensive understanding is necessary of not only the immediate cause of the risk but also its underlying root cause. Addressing the root cause (including cultural issues) can be more effective than mitigating the risk itself.

Contingency planning is an important complement to these options, as it aims to help the firm recover from consequences within an agreed timeframe.

Evaluate and select options

The selection of treatment options depends on the clarification of treatment objectives. The objectives define the risks that are to be treated, the causes that the treatment should address, what the treatment should do, and the required performance. To determine which treatment options best meet the objectives, a firm might undertake a cost benefit analysis, although it is reasonable to do so in a qualitative manner.

A firm can also consider options that represent varying trade-offs between costs and benefits, as below:

- The best achievable result;
- A satisfactory (but not optimum) solution;
- The most cost-effective solution;
- The accepted practice (industry norm, which may or may not be good business practice); and
- The absolute minimum.

The evaluation of treatment options is focused on establishing new treatments, although it is also useful for reconsidering the effectiveness of existing measures.

Prepare and implement treatment plans

Treatment plans should identify responsibilities, the expected outcome of treatments, budgets, performance measures, and the review process. The plan requires communications and management involvement to create accountability and engagement amongst those affected.

As noted earlier, the treatment plan sets in place a cycle of monitoring and "continuous improvement" review.

The predicament of legal risk standards

Risk assessment involves the identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk. In the legal environment, however, risk benchmarks and standards are scarce, so anecdotal peer comparisons, friendly discussions, and periodic limited-distribution surveys provide practical substitutes. Law firms recognize that they face a predicament. As risks become more complex and risk management continues to mature, generally accepted principles or standards are more valuable across the industry. To remain competitive, however, most insurers generally do not want to impose tougher standards compared to other underwriters. Law firms, likewise, recognize the potential benefit in the definition of best practices, but resist defined standards for fear of incurring liability for any gaps they fail to address.

The most thorough risk standards today are those created by a handful of leading firms, by insurers such as MPC Insurance, Ltd., and by the very limited number of clients that audit their law firms directly. This increased willingness for clients to ensure firms are meeting their corporate risk measures and insurers' advancing diligence in risk assessments, combined with firms' continuing improvements in risk expertise, create a slow but fundamental shift toward industry-wide risk guidance. As Adam Hansen, director of security for Sonnenschein, Nath & Rosenthal, reflects, "Firms are no longer exempt from meeting the risk management expectations of our biggest clients."[10]

David B. Cunningham is managing director at Baker Robbins & Company. He can be contacted at dcunningham@brco.com.

References

1. From the author's personal interview; quoted with permission.
2. Standing Committee on Lawyers' Professional Liability, Profile of Legal Malpractice Claims: 2004-2007, American Bar Association, 2008.
3. From the author's personal interview; quoted with permission.
4. See www.acc.com/valuechallenge/index.cfm.
5. From the author's personal interview; quoted with permission.
6. Marsh/Legal Business, "Law firms risk management survey 2009". Available at http://www.marsh.co.uk/research/2009/lawsurvey.php.
7. See www.riskmanagement.com.au for further details of the standard.
8. Center for Professional Responsibility, Model Rules of Professional Conduct 2009, American Bar Association, 2009. Also see http://www.abanet.org/cpr/mrpc/model_rules.html.
9. See www.itil-officialsite.com/.
10. From the author's personal interview; quoted with permission.