
Risk Management: What Your Firm May be Missing

By David E. Gaulin
March 29, 2006

In today's increasingly complex and regulated business environment, hundreds of different risks threaten law firms. While some of them can lead to malpractice claims that could destroy a firm's reputation and finances, others can be physically or operationally devastating.

Before a firm can begin to manage risk, it is important to define risk. In my many conversations with managing partners, executive directors or law firm CFOs, they all generally seem to think of risk in terms of insurance (malpractice, workers comp, business interruption, etc). While I agree this is one area of risk, the overall definition of risk is much broader. Risk is the potential for any issue to negatively affect an entity's ability to meet its objectives.

Taking Stock of Risk-Management Protocols: Why Now?

In today's risk-filled environment, it is more critical than ever to take control over the process of identifying and mitigating your firm's risks. There is nothing more sacred to a lawyer than his or her reputation. Likewise, there is nothing more important to a law firm than the cumulative reputation of its lawyers.

Although it takes years to establish a good reputation, it only takes one error in risk management to tarnish it, potentially irreparably. Take for example the collapse of Britain's Barings Bank in 1995. The actions of one trader were enough to bankrupt the UK's oldest merchant bank, used by the Queen herself. How could one employee be responsible for taking down such a strong institution almost overnight? The answer: poor enterprise risk management. "There may be a temptation to view this debacle as being caused by just one individual, the 'rogue trader', but in reality the fiasco should be attributed to the underlying structure of the firm, and particularly to the lack of internal checks and balances." (Quote taken from erisk.com case study: www.erisk.com/Learning/CaseStudies/ref_case_barings.asp.)

Law firms can no longer manage risk in a vacuum, nor can the executive committee deal with it alone. For the most part, today's firms are simply too large, diverse and global.

Many overall characteristics of today's business environment pose higher risk levels for firms. Consider, for example, the following:

  • Complexity: increased complexity in the business and regulatory environment, leaving more opportunities for costly errors and violations;
  • Competition: the need for speed and agility in a highly competitive business environment, tempting firms to abandon traditional procedures that provided an extra measure of security;
  • Growth: inability to effectively execute change in the firm, including identifying and capitalizing on new market opportunities, identifying merger candidates, or developing organic growth;
  • Scrutiny: missteps being more likely to be penalized due to increased scrutiny on the part of regulators, partners, clients, banks, licensing boards, litigators, etc. Moreover, the concept of compliance in law firms has come of age, just as it has for many clients of law firms in the banking, accounting, insurance and healthcare industries; and
  • Exposure: beyond immediate effects on current operations, damage to a firm's reputation can impair its future opportunities. Damaging risk events can take place in the firm itself or by association with a rogue client. The latter problem makes it more important than ever that a firm balance the profitability of cross-selling new services to a major client against the risk of becoming too dependent on that single client. For example, if a firm becomes too dependent on a single client and that client, in turn, goes bankrupt, the result would be a significant loss in overall income to the firm.

For lawyers in particular, risks have expanded in part because their immunities have contracted. Consider the landmark Sarbanes-Oxley legislation. Although directed primarily at public corporations, "[t]he passage of the Sarbanes-Oxley Act in 2002 has made it harder for lawyers to diffuse ethical responsibility and to claim that they were unwitting participants in fraud," says Stanford University Law School professor Deborah Rhode. "The fact that [Sarbanes] went through overwhelmingly gave lawyers a sense that they weren't going to be able to claim the kind of immunity from accountability that they have traditionally been able to achieve."

Not only do examples such as these argue for a view of risk management that goes far beyond arranging balanced insurance coverage; they call for an organization-wide risk management program that is systematically designed and pervasively institutionalized.

Implementing a Risk-Management Program

Seven basic steps are needed to implement a law firm's risk management program effectively:

1. Assign Key Risk Management Responsibilities: Although risk management should be a standard agenda item for meetings of the firm's management committee, it is not feasible for the management committee itself to administer risk management. Instead, the firm must develop a formal risk management program that can be incorporated into the firm's overall strategy and operations.

A key element to establishing this program is the designation of a firm-level risk management partner, who oversees a risk committee. The risk management partner should be well respected throughout the firm: someone who can drive the process and who has the business sense to keep the program focused on risks that are most important to the firm.

The composition and size of the risk committee should reflect the size of the firm, number of locations, strategic direction of the firm, and whether operations are primarily domestic or based internationally.

The jobs of the risk committee are to facilitate the continual identification and evaluation of risks, to establish policies and procedures to guard against and manage those risks, and to monitor compliance with its policies and procedures.

Large branch offices and branches in other countries should likely have local risk management partners and risk subcommittees, since they can best address risk concerns that are unique to the locality.

2. Identify Your Firm's Risk Profile: As there are several different types of risks that can affect law firms today, we have categorized the largest of these risks into six key areas:

I. Performance Risks: These include professional conduct, business dealings with clients and client base vulnerability.

II. Operational Risks: Such risks include office security, maintaining client confidentiality, the protection of client files and administrative and calendar errors. This category applies to all standard daily operations and encompasses all levels of staff.

III. Technology Risks: Risks associated with computers, the network, software, etc. Key risks in this area include keeping the network and email systems available, since both are essential to running a law firm smoothly; protecting electronic word processing files both while stored on the network and while in transit over email; using discretion over how client communications are sent; and protection from viruses, system hackers, theft or any other form of misuse or business interruption.

IV. Financial and Accounting Risks: These risks include anything associated with the financial functions or assets of the firm, including the effectiveness of accounting software, sufficiency of accounting department personnel and training, finance personnel turnover, the internal control structure, safeguarding of assets, purchasing decisions, control over cash inflow and outflow, controls around the payroll function (including T&E), and trust accounts.

V. Human Resource Risks: Risks to be evaluated here include those around the hiring, retention and termination of appropriately qualified staff, background checks, training, harassment issues, accurate payroll processing, diversity, discrimination, and agreements with outsource vendors as they relate to those vendors' human resource policies.

VI. Strategic Risks: Here the focus is on how the firm can adapt to external risk factors such as changes in the economic environment, changes related to regulatory attitudes, and changes in client operational decisions as to the use of law firms.

Since the primary thrust of a risk management program is to identify and mitigate risks, this overview of risk categories does not distinguish insurable (or otherwise transferable) risks from risks that are not insurable.

Cutting across all six categories should be an additional specialization of attention on contingency planning for major catastrophic disasters. This problem is so important and complex that having another designated chairperson and specialized subcommittee(s) may make sense. An essential responsibility of the overall risk management partner is to ensure the effective integration of such specialized efforts into the overall risk management plan.

3. Evaluate the Risks: A formal risk assessment process can start with a questionnaire to help firm members (and outside analysts, where appropriate) identify risk areas within the various functions of the firm. The questionnaire should also be designed to help rank the seriousness of the threat from each risk, and to identify risks that need to be better managed or monitored. To further prioritize this risk inventory, create a matrix chart for evaluating the effectiveness, and the gaps or weaknesses, of controls currently in place. The risk committee can then prioritize needed improvements and formalize a realistic plan for implementing them.
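The scoring behind this step (rank each risk's seriousness, chart it on a matrix, and flag where existing controls leave gaps), as an added example that is not from the article or from the author's firm: a small risk register in Python. The 1 to 5 likelihood and impact scales, the 0.0 to 1.0 control-effectiveness rating, the gap thresholds and every register entry are assumptions constructed for illustration; the categories are the six listed in step 2.

```python
"""Scoring a law-firm risk register: questionnaire answers -> ranking -> matrix -> gaps.

Added example, not from the article. The scales, thresholds and all
register entries below are assumptions constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Risk:
    category: str                 # one of the six risk areas from step 2
    description: str
    likelihood: int               # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                   # 1 (negligible) .. 5 (severe); assumed scale
    control: str                  # the control currently in place, if any
    control_effectiveness: float  # 0.0 (none or not working) .. 1.0 (fully mitigates)
    insurable: bool = False       # transferable risks are still scored, not dropped

    def __post_init__(self) -> None:
        # Reject out-of-range questionnaire answers rather than silently mis-ranking.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.description!r}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.description!r}: control effectiveness must be 0..1")

    def inherent_score(self) -> int:
        """Seriousness of the threat with no control: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """What remains after the existing control; this drives the priority order."""
        return round(self.inherent_score() * (1.0 - self.control_effectiveness), 2)


def rank_risks(risks):
    """Highest residual exposure first; ties broken by inherent score, then category."""
    return sorted(risks, key=lambda r: (-r.residual_score(), -r.inherent_score(), r.category))


def control_gaps(risks, min_residual=8.0, max_effectiveness=0.5):
    """Risks that stay high behind a weak control: the matrix's 'gaps or weaknesses'."""
    return [r for r in risks
            if r.residual_score() >= min_residual
            and r.control_effectiveness <= max_effectiveness]


def matrix_counts(risks):
    """Number of risks in each (impact, likelihood) cell of the 5x5 chart."""
    return Counter((r.impact, r.likelihood) for r in risks)


def render_matrix(risks) -> str:
    """Text version of the matrix: impact down the side, likelihood across the top."""
    counts = matrix_counts(risks)
    lines = ["impact \\ likelihood  " + "  ".join(str(l) for l in range(1, 6))]
    for impact in range(5, 0, -1):
        row = "  ".join(str(counts.get((impact, l), 0)) for l in range(1, 6))
        lines.append(f"{impact:>18}   {row}")
    return "\n".join(lines)


# Constructed questionnaire results for a hypothetical firm (not real data).
SAMPLE_REGISTER = [
    Risk("Technology", "Client matter files on a shared drive readable by all staff",
         likelihood=4, impact=5, control="Per-matter folder permissions, partly applied",
         control_effectiveness=0.25),
    Risk("Operational", "Filing deadline missed through a calendar entry error",
         likelihood=3, impact=5, control="Dual-entry docketing with weekly review",
         control_effectiveness=0.8, insurable=True),
    Risk("Human Resource", "New hire starts before the background check is complete",
         likelihood=2, impact=4, control="HR checklist item, not enforced",
         control_effectiveness=0.3),
    Risk("Financial", "Trust account disbursement without a second approval",
         likelihood=2, impact=5, control="Dual signature and monthly reconciliation",
         control_effectiveness=0.9),
    Risk("Performance", "Over a third of fee revenue from a single client",
         likelihood=3, impact=4, control="None",
         control_effectiveness=0.0),
]


def prioritized_plan(risks=SAMPLE_REGISTER):
    """Ordered (category, residual, inherent) tuples for the committee's improvement plan."""
    return [(r.category, r.residual_score(), r.inherent_score()) for r in rank_risks(risks)]


if __name__ == "__main__":
    print(render_matrix(SAMPLE_REGISTER))
    for cat, residual, inherent in prioritized_plan():
        print(f"{residual:5.1f} residual ({inherent:2d} inherent)  {cat}")
    print("control gaps:", [r.description for r in control_gaps(SAMPLE_REGISTER)])
```

Ranking on residual rather than inherent score is the point of the matrix: the docketing risk has a higher inherent score than the client-concentration risk, but a working control moves it well down the list, while the uncontrolled concentration risk and the partly applied file permissions surface as the gaps the committee should fund first. The thresholds in control_gaps are where a firm would tune its own appetite.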

4. Establish Effective Risk Management Policies and Processes: A key foundation for an effective risk management program is the creation of a formal and current policy and procedure manual for distribution throughout the firm. Then, both management and the risk committee must agree to carry out and enforce these new processes.

5. Communicate that Risk Management is Everyone's Responsibility: In today's fast-paced, constantly shifting environment it is critical that all employees recognize and accept that risk management is part of their job. This concept must be conveyed to all members of the firm in an effective manner along with the policies and procedures designed to mitigate the identified risks. While firms must be able to be reactive in their risk management efforts, it is far more effective and efficient for risk management to be a proactive process.

6. Monitor Policies and Processes: Without proper monitoring, a formal risk management process is meaningless. Take, for example, a firm with a policy in place to perform background checks on all new hires. Without proper monitoring of such a policy, it would be easy for a lapse to occur and an employee to come on board with a questionable background, thereby exposing the firm to greater risks. It is crucial for the risk committee to actively ensure that the defined policies and processes are executed effectively and accurately throughout the firm on an ongoing basis.

7. Ongoing Evaluation and Modification: To keep the risk management program up to date, the risk committee should meet regularly to review existing risk management processes and identify new risks. For example, the EU has recently enacted directives with regard to anti-money laundering procedures. A firm that is not in compliance with these directives leaves itself open to unidentified risks and liabilities.

Summary

Too often, a firm with the best intentions sets out to address risk management issues with a very narrow view. The result is that the firm may be missing some very real risks that could affect the reputation, profitability and/or capability of the firm. In today's business environment, it is essential for law firms to take a broader view of risk management. A comprehensive risk management program should seek to identify all possible risks to the firm and then develop processes to manage the risks with the greatest damage potential (based on the combination of an event's likelihood and potential impact). Such a program is the most effective way to manage the risk process and ensure that the partnership continues to prosper.


David Gaulin, CPA, is the National Assurance Leader for PricewaterhouseCoopers' Law Firm Services practice. He consults nationally on business and accounting issues for law firms, and has conducted audits on a variety of other organization types as well. A co-author of Law Firm Accounting and Financial Management (www.lawcatalog.com), he spoke recently on risk management, growth, and competitive strategies at the Legal CFO Forum in NYC and the LFI Expo in San Diego. He can be reached at 646-471-1810 or [email protected].
