Risk management should be higher up the agenda of all law firms
By Guy Vincent, Consultant, Bircham Dyson Bell
Risk management is an issue that is rarely discussed, so it was encouraging to see it treated as front-page news in the UK recently. You didn't notice? During all of the excitement about the Scottish referendum, we witnessed a very public display of appalling risk management. The three major political parties in London had made their calculations about the outcome of the vote in Scotland many months ago. I am sure that they had all considered the likelihood of a 'no' vote against the likelihood of a 'yes' vote and plotted the event on their risk matrix, together with an assessment of the possible impact.
They got it horribly wrong. And they got it wrong because they did not keep their risk register up to date. Only in the last few days before the vote did the Westminster elite realise that their risk assessment was dreadfully inaccurate. As it dawned on them that the likelihood of a 'yes' vote had increased to very high and the impact of that result was almost impossible to comprehend, they panicked.
Our rulers panicked because they had no plan. They had no plan because they had not reviewed the risk around the referendum on a regular basis. So they had not anticipated any alternative outcome and planned for it.
It is easy to draw a simple conclusion from the recent dramatic events that threatened the existence of the three-hundred-year-old union: risk management is vital. It is also easy to criticise our politicians for running around like headless chickens, but how good are we at maintaining risk systems in our businesses?
Managing business risks
Lawyers deal in risk as a commodity. How much risk is there in a deal? How great is our client's appetite for risk? Who will bear that risk under the terms of a contract? It is one thing for us to advise clients on risk and to negotiate the sharing of that risk on their behalf, but quite another for us to identify and deal with risks that may impact our own firms. How many of us updated our risk register (assuming we have one!) to take account of the referendum in Scotland? After all, the impact of a 'yes' vote would have been felt across the whole of the United Kingdom.
But starting with the basics, what is risk? A useful definition for professional practices can be found in the report of the Basel Committee on Banking Supervision: "The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."
I suspect that, in almost all firms, risk management should be higher up the agenda. To get it right, you have to start at the top. Create a culture that is not about form filling or box ticking, but about an understanding that effective risk management is fundamental to the success of the business. Make a high-profile appointment of a senior manager to take responsibility, not just for setting up and maintaining the system, but also for being an ambassador for risk management across the business and from the top to the bottom of the business.
Work through your appetite for risk and build on that discussion to create a risk policy that everybody can understand. Introduce systems that measure risk and then manage it. Build a risk management model, perhaps using a traffic-light system. Identify and log events that may threaten the business and work through their effects and consequences. Plan how to eliminate or mitigate those consequences, then give people in the organisation ownership of those plans. Keep the register and the plans under review so that you are not caught out. Being caught out can be more than embarrassing, as it was for our politicians; it can also lead to financial and reputational damage to the business.
To avoid damage to the firm, make sure that you have the three classic lines of defence in place:
- responsibility for risk and control of that risk;
- oversight of the first line of defence; and
- independent assurance of the first and second lines of defence.
Common sense
In the end, so much of risk management is down to common sense. If you really know and understand your business, then you will know the weaknesses and the risks within it.
One politician who had a clear understanding of the risks he faced was Harold Macmillan; he expressed that understanding very simply as "events, dear boy, events".
Am I right? Do we need to spend more time on risk management?