Risk Management for Law Firms: From Policy to Practice

Chapter 1: An overview of law firm risk management
By David B. Cunningham

Introduction

Risk is the uncertainty caused by the occurrence of an event that might affect the achievement of objectives. The management of a law firm's risks involves decisions that are not simply about avoiding a negative impact, but also about pursuing a positive (but un-guaranteed) impact on business opportunities. Consequently, effective risk management not only mitigates losses, but can also positively contribute to the competitive standing of a firm. This tension between adverse risks and desirable business opportunities makes risk management an essential element of firm governance.

For most firms, the management of risk is an evolving discipline whose elements are at varying levels of maturity. The primary areas of risk relevant to a law firm are:

- Information technology (IT) risks;
- Financial risks;
- Practice management risks;
- Operational risks;
- Strategic risks; and
- Environmental risks.

While departmental and practice leaders have appreciation for risks in their own areas of responsibility, the view of a firm's full portfolio of risks is often fragmented. This chapter focuses on a holistic approach to managing risks, while subsequent chapters provide deeper examinations of particular areas of risk.

Benefits of effective risk management

Studies show that investors will pay a premium for public companies that are well governed. Despite its private ownership, the reasoning is no different for a law firm. Premiums come not only in the form of financial rewards, but also in attracting and retaining clients and high caliber talent.

Risk management as an element of good governance is still relatively new in law firms. Jim Jones, managing director of Hildebrandt and chairman of Hildebrandt Institute, notes that, "Ten years ago there were very few general counsels. Now, the overwhelming majority of AmLaw 200 firms have general counsels, and most of the AmLaw 100 roles are full time. And, their plates are very full."[1] In large, progressive law firms, other risk-specialist roles have appeared with responsibilities for loss prevention, security, and business continuity. In most firms, however, risk responsibilities have simply been added to the plates of existing leadership roles.

These investments in directed effort reflect a growing acknowledgment of the business implications of risk management. The benefits of effective risk management include fewer surprises, improved planning, improved information for decisions, enhanced reputation, protection for lawyers, and personal well-being. Specific benefits for firms can include the following.

Loss prevention

Loss prevention is the traditional focus of law firm risk management, notably mitigating
legal incidents, preventing malpractice claims, and ensuring the security of IT systems. This focus on avoidance of claims will continue to grow in importance, as evidenced by the American Bar Association's (ABA) Profile of Legal Malpractice Claims: 2004-2007,[2] which demonstrates that the largest claims are growing in both frequency and in dollar amount. These trends are expected to continue, as reflected by one law firm chief information officer (CIO) who observed that lawyers often overlook risk procedures in their scramble for work.

Cost savings

Beyond mitigating potential losses, effective risk management can also lower costs, in terms of professional liability insurance premiums, costs of and access to capital, and time commitments from committee members and risk staff. As Stuart Pattison, vice president of insurer CNA Global notes, "Many firms have high deductibles on their professional liability policies so reducing the number and size of claims has a direct effect on their bottom line."[3]

Departmental efficiencies

Proactively addressing risk areas can improve operational efficiency in business areas such as IT. Baker Robbins & Company's studies indicate that well-run IT departments not only address risks well but also maintain lower-than-median levels of staffing. Best of all, these well-run departments spend thousands of dollars less per lawyer per year than many of their less well-run peers.

Competitive edge

Perhaps the risk management holy grail is to address risk situations so well as to have a direct impact on the firm's competitive advantage. The downshift of the economy has fostered just such opportunities:

- Growth in lateral talent – Ability to attract and retain high-caliber talent; ability to clear conflicts appropriately and expeditiously (see later chapters for more detail); proper handling of new lawyer electronic materials; and reducing liability for matters brought to the firm by laterals.
- Growth and retention of clients – A minority, although a growing number, of corporate legal departments now request information on firm risk procedures. In a few recent situations, corporations have sent their own risk auditors to verify (not just ask about) the quality of law firm procedures. Increased corporate regulatory pressure, along with greater involvement from corporate purchasing departments, will continue to grow the opportunities for law firms who pay attention to the trend.
- Quality of client relationships – According to the Association of Corporate Counsel's Value Challenge,[4] legal departments have made it clear that firm matter management and communications are often below their expectations. These basic control elements, including budget reconciliations and status communications, are simple to implement and reap legal department loyalty.
- Alternative fee arrangements – Some legal departments are pressuring law firms to participate in the risks and successes of matters, spurring success-based fee arrangements. Indications show that firms that address their budgeting, staffing, and scope management processes will win more work, thus turning risk management into premium fees.

Quality of working environment

Higher-quality and more timely decision making, faster ability to respond to and
recover from crises, fewer conflicts, and lower stress levels contribute to an improved community and more engaged workforce.

Reputation

As John Shutkin, general counsel of Clifton Gunderson LLP (formerly general counsel of Shearman & Sterling), notes, "By far, the greatest risk to a professional services firm is to its reputation; that is its ultimate asset."[5]

Areas of risk in law firms

A common categorization of risk types helps in the understanding of risk. Agreement on risk definitions, scope, and categorization of risks enables a firm to take a portfolio view of its situation. The corporate risk management community has provided numerous risk models to categorize risks, although none are universally agreed upon across industries. Based on input from law firms, the risk categorization in Table 1 is adapted for a legal environment.

These risk areas can be directly mapped to leadership roles across the firm, along with broad responsibilities of a chief operating officer (COO) and general counsel. A general counsel (or designated risk partner) can be expected to be involved in any area when relevant issues and

Table 1: Types of law firm risks

IT
  Example risks: Systems: continuity, recovery, security, and access management. Data: confidentiality, integrity, ethical walls, retention, data protection, data transfers, hosting of third-party or client data. Third-party suppliers: maintenance/support, contracts and outsourcing.
  Key roles: CIO, general counsel

Financial
  Example risks: Audit, financial internal controls, financial transparency and disclosure, anti-money laundering, counter-terrorist financing, credit, firm investments, currency, and portfolio risks.
  Key roles: Chief financial officer (CFO)

Practice management
  Example risks: Client relations, laterals, professional responsibilities (including malpractice, conflicts, records, and litigation support), and professional development risks.
  Key roles: Practice leaders, general counsel, directors of conflicts, records, litigation support, library, and knowledge management

Strategic/corporate governance
  Example risks: Firm governance, risk management governance, reputational, marketing, and market risks.
  Key roles: Managing partner, marketing director, general counsel

Operational
  Example risks: Employment, recruiting, fraud, damage to assets, and insurance mediation risks.
  Key roles: Human resources (HR) director, COO, general counsel

Environmental
  Example risks: Natural disasters, epidemics, and resource access risks.
  Key roles: COO, business continuity team
Table 2: Law firm risk roles (continued on the next page)

General counsel (GC)
  Traditional risk responsibilities: This role now exists in the majority of AmLaw 200 firms. Risk partners and risk committees fill this role where the GC role does not exist.
  Newer and emerging responsibilities: Increasingly assuming a leading role in aggregating firm-wide risks and taking a proactive stance in identifying, treating, and monitoring risk areas. Close working relations with risk directors and CIO.

Risk directors (conflicts, records)
  Traditional risk responsibilities: Clerical set-up roles for attorney decision making.
  Newer and emerging responsibilities: Significant administrative departments, with dotted-line responsibility to the general counsel. Working as part of a team to decide conflicts rather than simply process the information.

CIO or IT director
  Traditional risk responsibilities: Technology uptime, disaster recovery, security, and IT contracts.
  Newer and emerging responsibilities: Traditional responsibilities, along with significant data management risks, including data transfer agreements, ethical walls, data protection, and legal holds. Increasingly risks and professional development in relation to knowledge management, e-discovery, conflicts, e-records management, new business intake, and search. In progressive firms, significant role alongside general counsel for enterprise risk management.

Director of security
  Traditional risk responsibilities: Not traditionally present in law firms.
  Newer and emerging responsibilities: A limited number of these roles now exist in US law firms, many with a portfolio view, including IT, facilities, policies, human resources, and data management.

Chief risk officer (CRO)
  Traditional risk responsibilities: Not traditionally present in law firms.
  Newer and emerging responsibilities: Although one of the fastest growing titles in corporate America, DLA Piper is the only law firm known to have a CRO on staff.

Business continuity planner (BCP)
  Traditional risk responsibilities: Generally associated with the IT department, with a primary focus on IT continuity and recovery.
  Newer and emerging responsibilities: Often addressed via a virtual committee, BCP maintains its traditional elements while also contending with risks (such as H1N1, also known as swine flu) that may force the firm to continue operations for extended periods without physical proximity to other firm members. Only the largest firms have a dedicated BCP role. These roles are evolving from an IT focus to a firm-wide business focus.
Departmental directors
  Traditional risk responsibilities: Risk management roles have been specific to each departmental scope, notably finance and HR risks.
  Newer and emerging responsibilities: Part of a firm-wide risk team, addressing cross-departmental risk issues including laterals, business continuity, and data confidentiality.

Insurance underwriters
  Traditional risk responsibilities: Vary in the depth of assessments.
  Newer and emerging responsibilities: Some are taking a more active role in encouraging firms to undertake risk assessments and, in limited cases, providing a fund for doing so.

Clients
  Traditional risk responsibilities: Traditionally passive on a firm's risk processes.
  Newer and emerging responsibilities: Increasingly active in asking questions about risk procedures. In very limited cases, taking an active role in auditing their biggest law firms.

Partners/lawyers
  Traditional risk responsibilities: Active conflicts decisions, participant in paper-based records process, and minimal matter budgeting.
  Newer and emerging responsibilities: Conflicts decisions becoming more centralized, while records management has decentralized to the lawyers via e-mail. Matter scoping and cost controls becoming more prevalent. Some practices employing business managers.

Table 2: Law firm risk roles

exceptions arise. These roles are further outlined below.

The firm's exposure to these risks and the maturity in understanding them will vary not only by risk area, but also by office, department, practice area, and cultural boundaries.

Roles in risk management

As firms address the expanding breadth of issues and the coordination necessary across risk areas, roles and responsibilities are evolving. Table 2 outlines traditional responsibilities and the changes occurring in these roles.

A successful risk management environment

Unlike disciplines such as IT and human resources, law firm risk management rarely has its own department and departmental leadership. The general counsel or risk partner, as the focal point of legal risks, and the CIO might take the primary roles in leading a virtual team of firm risk stakeholders. When structured progressively, this team will take an 'enterprise' perspective of risk. Building a successful risk management environment provides a foundation for the subsequent assessment and treatment of risks.

Communicate and consult

Communications are a critical element of any successful risk management program. In a professional services environment, stakeholders include not only the firm managers but also the lawyers, secretaries, and departmental staff closest to the business transactions of the firm. An early responsibility in establishing a risk management program is to identify these stakeholders as they will be affected by risk incidents, will serve as eyes for identifying
risks, and may be constrained by risk mitigation measures or controls. Communications and consultations aim to make risk management explicit, demonstrate how it adds value to the organization, and build trust that the multiple perspectives of the firm stakeholders are being considered. To accomplish these aims, proactive communications become a leading role for those in active risk management roles, including policy advocacy and lawyer and staff education.

Establish the context

In establishing the risk management context, the firm needs to define the scope of its risks and the parameters in which to address them. It is impractical to undertake a full-firm assessment of all risks in a single gulp. By triaging the scope of the effort, a firm can select not only particular areas of risk, but particular geographic regions, groups of stakeholders, or business departments. For example, a recent study of UK law firms by Marsh identified the top five risks facing law firms in order of severity as:[6]

- The bankruptcy or acquisition of significant clients;
- IT security;
- Pressure on fees and the need for 'instant' advice leading to claims;
- Conflicts of interest; and
- Errors made by staff/lawyers on complex, high-value transactions.

Based on client pressure, some law firms have prioritized the achievement of ISO 9001 or 27001 certification to address the risks and quality of their data management across the organization.

Promote self-assessment

To triage limited resources, a firm should embrace the discipline of risk self-assessment and delegate the workload to those closest to the risks. Risk self-assessment drives the responsibility and accountability of risk management to individual business process owners and lawyers and reinforces their responsibility and accountability for the risk areas they 'own.' An effective risk management program promotes 'diligent action' over increasing levels of assessment and establishes a report mechanism from process owners and lawyers upward in the firm.

Monitor and review

Ongoing review is necessary to ensure the firm's analysis remains relevant and treatments are meeting expectations successfully. The firm should react to lessons learned and feedback from those who live with the risk measures on a daily basis. Firms face a reality that upfront investments in risk assessment and treatment require continuing investments in education and compliance monitoring. To contain these ongoing efforts, considerations during risk treatment should include the degree to which compliance is automatically assessed or gated (where one cannot proceed until a quality condition is met) by the technology in place to support a risk process. Later chapters consider the role of technology and automation in greater detail.

Risk assessment process

Guidance on the management of risk is available from sources such as the International Organization for Standardization (ISO) and Sarbanes-Oxley, although no standard is directly focused on the unique situations of professional service firms. While seemingly an obscure source, it is beneficial to look to the Australia/New Zealand AS/NZS 4360 standard for guidance;[7] it is acclaimed as the gold standard for a practical, easy to use, risk-focused methodology. It is described more fully in the following pages. (An opposing control-based methodology seeks to identify missing or ineffective controls but can create a focus on an increasing level of controls rather than a focus on the business risks they were designed to mitigate.)

Risk-based approaches can be described as those producing significant amounts of information about risk events and their type, frequency, level, impact, and root cause. With the capture of proper risk information, a risk-based approach provides management with a perspective of the significance and likelihood of risk events and enables management to prioritize the materiality of mitigating controls.

The AS/NZS 4360 standard establishes three core aspects of the risk assessment process, as shown in Figure 1.

Figure 1: The risk assessment process: Identify risk -> Analyze risk -> Evaluate risk

Identify risks

The objective of risk identification is to create a comprehensive list of the sources of risks and events that might affect the achievement of business objectives. Associated with each risk should be a source of risk, an incident, a consequence, a cause, existing controls, when the risk could occur, and where it could occur.

The approach to developing a comprehensive list can be any one or a combination of:

- Existing materials, such as strategic plans, audit reports, industry checklists, expert judgment, and personal experience;
- Team-based brainstorming or facilitated workshops; and
- Structured flow charting or system analysis.

The people involved must have detailed experience in the particular business discipline while also being able to step back and think creatively. An intrinsic aspect of identifying risks is to have an understanding of the firm's assets at risk and their corresponding value to the organization (stated financially or subjectively on a scale). If such an inventory does not exist, it should be created as a predecessor to the risk assessment.

Analyze risks

Risk analysis creates an understanding of the level and nature of risks, and the consequent priorities in addressing them. While risks can be evaluated using either a quantitative or a qualitative approach, quantitative assessments are atypical in law firms and should not be assumed to be superior. Qualitative assessments use scoring methods and the experience of staff and consultants

Table 3: Example risk register (column headings)

- The risk: what can happen and how can it happen?
- The consequence of an event happening
- Adequacy of existing controls
- Consequence rating
- Likelihood rating
- Level of risk
- Risk priority
to arrive at a risk score. Although termed a qualitative approach, this method typically involves assigning a numerical value or relative ratings of the consequences and likelihood of risks.

Once the risk assessments are scored using a table formally termed a risk register (see Table 3), they should be sorted from highest to lowest. This allows organizations to address the highest risks first. This sorting is more practically done by area of risk and by business department, although the general counsel and peers should review the list from a firm-wide perspective.

Risk analysis can be conducted as part of a broad review, but also at the initiation of a new project or annual planning exercise.

Evaluate risks

The purpose of the risk evaluation is to make decisions, based on the outcomes of the risk analysis, about which risks need treatment and the priorities of these treatments. Risks are prioritized relative to the complete set and take into account known priorities and the supporting business requirements. A common approach is to divide risks into three categories: intolerable risks (no matter the potential opportunities, risk measures are necessary), grey-area risks (costs of risk measures and benefits of opportunities must be weighed), and negligible risks (no risk measures are necessary).

Risk treatment process

The objective of risk treatment is to change a risk to a level where the benefit outweighs the total cost of treatment, taking into account that costs and benefits have both monetary and intangible aspects.

Identify options

Identification of options begins by considering the existing guidelines for addressing a risk, if any exist. Law firms can refer to a wide variety of sources such as the ABA Model Rules of Professional Conduct,[8] the IT Infrastructure Library (ITIL),[9] and libraries of assessment materials from their professional liability insurers.

Since risks can have either negative or positive outcomes (which are not mutually exclusive), treatment considerations vary – see Table 4.

A comprehensive understanding is necessary of not only the immediate cause of the risk but also its underlying root cause. Addressing the root cause (including cultural issues) can be more effective than mitigating the risk itself.

Contingency planning is an important complement to these options, as it aims to help the firm recover from consequences within an agreed timeframe.

Evaluate and select options

The selection of treatment options depends on the clarification of treatment objectives. The objectives define the risks that are to be treated, the causes that the treatment should address, what the treatment should do, and the required performance. To determine which treatment options best meet the objectives, a firm might undertake a cost benefit analysis, although it is reasonable to do so in a qualitative manner.

A firm can also consider options that represent varying trade-offs between costs and benefits, as below:

- The best achievable result;
- A satisfactory (but not optimum) solution;
- The most cost-effective solution;
- The accepted practice (industry norm, which may or may not be good business practice); and
- The absolute minimum.
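The analysis and evaluation steps above can be made concrete in a small risk register. The following Python is an added worked example, not code from the chapter or from Baker Robbins & Company: it models the Table 3 columns as register rows, scores each row qualitatively, sorts the register from highest to lowest (firm-wide and by area of risk), places each entry in the intolerable / grey-area / negligible categories, and attaches the treatment option families for negative and positive outcomes. The 1-5 rating scale, the "consequence x likelihood" scoring rule, the category thresholds, and the sample rows are all assumptions of this example; the chapter itself only says ratings are numerical or relative.

```python
from dataclasses import dataclass

# Assumed qualitative scale and thresholds (not from the chapter).
RATING_SCALE = (1, 2, 3, 4, 5)
INTOLERABLE_AT = 15   # level >= 15 -> intolerable: measures are necessary
NEGLIGIBLE_BELOW = 5  # level < 5   -> negligible: no measures necessary

# Treatment option families, keyed by the sign of the outcome.
TREATMENT_OPTIONS = {
    "negative": ("Actively avoid the risk", "Change the likelihood",
                 "Change the consequences", "Share the risk"),
    "positive": ("Actively seek the risk", "Change the likelihood",
                 "Change the consequences", "Share the opportunity"),
}


@dataclass
class RiskEntry:
    """One row of the risk register, following the Table 3 columns."""
    area: str                  # risk type from Table 1, e.g. "IT"
    what: str                  # what can happen and how it can happen
    consequence: str           # the consequence of the event happening
    controls: str              # adequacy of existing controls
    consequence_rating: int    # 1 (minor) .. 5 (severe), assumed scale
    likelihood_rating: int     # 1 (rare)  .. 5 (almost certain), assumed scale
    outcome: str = "negative"  # "negative" or "positive" (an opportunity)

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot distort the sort.
        for rating in (self.consequence_rating, self.likelihood_rating):
            if rating not in RATING_SCALE:
                raise ValueError(f"rating {rating} outside scale {RATING_SCALE}")
        if self.outcome not in TREATMENT_OPTIONS:
            raise ValueError(f"unknown outcome {self.outcome!r}")

    @property
    def level(self) -> int:
        # Level of risk: consequence x likelihood (assumed scoring rule).
        return self.consequence_rating * self.likelihood_rating

    @property
    def category(self) -> str:
        if self.level >= INTOLERABLE_AT:
            return "intolerable"
        if self.level < NEGLIGIBLE_BELOW:
            return "negligible"
        return "grey-area"

    @property
    def treatment_options(self) -> tuple:
        return TREATMENT_OPTIONS[self.outcome]


def prioritise(register):
    """Sort highest to lowest level; ties broken by consequence rating."""
    return sorted(register,
                  key=lambda r: (r.level, r.consequence_rating), reverse=True)


def prioritise_by_area(register):
    """The chapter's practical variant: a ranked list per area of risk."""
    by_area = {}
    for entry in prioritise(register):
        by_area.setdefault(entry.area, []).append(entry)
    return by_area


def needs_treatment(register):
    """Entries that must be treated (intolerable) or weighed (grey-area)."""
    return [r for r in prioritise(register) if r.category != "negligible"]


# Constructed sample register; illustrative rows, not taken from the chapter.
SAMPLE_REGISTER = [
    RiskEntry("IT", "Laptop with unencrypted client files lost in transit",
              "Client confidentiality breach and notification duties",
              "Weak: no disk encryption policy", 5, 3),
    RiskEntry("IT", "Document management system outage during trial week",
              "Lawyers cannot file on time",
              "Adequate: tested disaster recovery", 4, 2),
    RiskEntry("Practice management",
              "Undetected conflict on a lateral's incoming matters",
              "Disqualification and malpractice claim",
              "Partial: paper-based conflicts check", 4, 4),
    RiskEntry("Financial", "Currency movement on a large foreign receivable",
              "Reduced realisation", "Adequate: hedged", 2, 2),
    RiskEntry("Practice management",
              "Alternative fee arrangement on a well-scoped matter",
              "Premium fees if delivered on budget",
              "Partial: budgeting process immature", 3, 3, outcome="positive"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.level:>2} {r.category:<11} {r.area:<20} {r.what}")
        print(f"   options: {', '.join(r.treatment_options)}")
```

Running the block prints the register sorted firm-wide; `prioritise_by_area` gives the per-area view the chapter recommends for practical follow-up, and `needs_treatment` is the list that would feed the treatment planning steps that follow. The thresholds live in two constants so a firm can recalibrate them after its first review cycle without touching the scoring logic.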
Table 4: Responding to positive and negative risk outcomes

Risks with positive outcomes (opportunities)    Risks with negative outcomes
Actively seek the risk                          Actively avoid the risk
Change the likelihood                           Change the likelihood
Change the consequences                         Change the consequences
Share the opportunity                           Share the risk

The evaluation of treatment options is focused on establishing new treatments, although it is also useful for reconsidering the effectiveness of existing measures.

Prepare and implement treatment plans

Treatment plans should identify responsibilities, the expected outcome of treatments, budgets, performance measures, and the review process. The plan requires communications and management involvement to create accountability and engagement amongst those affected.

As noted earlier, the treatment plan sets in place a cycle of monitoring and 'continuous improvement' review.

The predicament of legal risk standards

Risk assessment involves the identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk. In the legal environment, however, risk benchmarks and standards are scarce, so anecdotal peer comparisons, friendly [word missing in source], and periodic limited-distribution surveys provide practical substitutes. Law firms recognize that they face a predicament. As risks become more complex and risk continues to mature, generally accepted principles or standards are more valuable across the industry. To remain competitive, however, most insurers generally do not want to impose tougher standards compared to other underwriters. Law firms, likewise, recognize the potential benefit in the definition of best practices, but resist defined standards for fear of incurring liability for any gaps they fail to address.

The most thorough risk standards today are those created by a handful of leading firms, by insurers such as MPC Insurance, Ltd., and by the very limited number of clients that audit their law firms directly. This increased willingness for clients to ensure firms are meeting their corporate risk measures and insurers' advancing diligence in risk assessments, combined with firms' continuing improvements in risk expertise, create a slow but fundamental shift toward industry-wide risk guidance. As Adam Hansen, director of security for Sonnenschein, Nath & Rosenthal, reflects, "Firms are no longer exempt from meeting the risk management expectations of our biggest clients."[10]

David B. Cunningham is managing director at Baker Robbins & Company. He can be contacted at [e-mail address missing in source].

References

1. From the author's personal interview; quoted with permission.
2. Standing Committee on Lawyers' Professional Liability, Profile of Legal Malpractice Claims: 2004-2007, American Bar Association, 2008.
3. From the author's personal interview; quoted with permission.
4. See [URL missing in source].
5. From the author's personal interview; quoted with permission.
6. Marsh/Legal Business, 'Law firms risk management survey 2009'. Available at lawsurvey.php.
7. See [URL missing in source] for further details of the standard.
8. Center for Professional Responsibility, Model Rules of Professional Conduct 2009, American Bar Association, 2009. Also see rules.html.
9. See [URL missing in source].
10. From the author's personal interview; quoted with permission.