This website uses cookies

This website uses cookies to ensure you get the best experience. By using our website, you agree to our Privacy Policy

Jean-Yves Gilg

Editor, Solicitors Journal

Risk maturity: Adapting risk management systems to new threats

News
Share:
Risk maturity: Adapting risk management systems to new threats

By

Peter Bennett reveals how he is evolving the risk management system which saved his firm £3m in PII premiums

 


Key takeaway points:

  1. Leverage existing technology to improve operational risk management
  2. Make risk management part of the fee-earning process; it is essential to adoption
  3. Explain why risk management is important; don’t assume everyone understands. Education is key to ongoing adherence
  4. Don’t be afraid to publicise how well you manage your risks – clients will want to know

 

The high cost of professional indemnity insurance (PII) has always been a bone of contention in the UK legal sector and, once again, it is in the news due to the changes recently introduced by the Solicitors Regulation Authority (SRA). While
many firms are keen to reduce their premiums, the ability to do so depends
on the risk exposure of organisations
and their insurers.

At Bates Wells Braithwaite (BWB), we have been extremely successful in managing our risk. From 2006 to this year's most recent renewal, we have saved nearly £3m in PII premiums by undertaking proactive risk management. I first wrote about our custom risk management system in Managing Partner in February 2013; we are now evolving the system to protect the firm from
new threats.1

Creating the system

I joined BWB in 2006. Following a painful PII renewal in 2005 and, on reading 15 years' worth of solicitors' reports prepared for the firm's PII insurers, it became clear to me that a risk management system is a business imperative not just to reduce the firm's premiums, but also to ensure the long-term health of the organisation.

The firm's IT manager and I analysed the best way to create such a solution. Very quickly, it emerged that the fastest and most cost-effective way of developing such a system was to leverage our existing technology. We created a risk management solution within our legal workflow and case management system, Lexis Visualfiles.

The benefits of this approach were many. Foremost, the in-built developmental capabilities offered by the technology meant that the risk management solution was easy and quick to develop. Because we were expanding the functionality of an existing, already-deployed technology, we didn't incur any additional software costs or even have to purchase additional user licences.

Furthermore, the system was well understood by the IT team, so no new skills were required to create the solution. Familiarity goes a long way in user adoption - with the fee earners already using the system on a day-to-day basis, securing their buy-in to the new risk management solution wasn't an issue, as often tends to be the case with new technology. We embedded the risk management system into the existing fee-earner productivity tools in the client management system (CMS). In essence, creating the solution within our existing system delivered the return on investment.

Simplistically, the way our risk management works is that every new matter undergoes a risk assessment process. At matter inception, every fee earner completes a short, multiple-choice electronic questionnaire that takes just two to three minutes to complete. A risk score sheet is then automatically calculated by the system, providing a risk assessment that ranges from 'low' to 'danger' level risk.

In addition to the 'low' to 'danger' risk assessment banding, the risk score sheet fundamentally covers three areas. It highlights the weightings that lead to the danger-level risk assessment - i.e. the unique combination of risk factors that are driving the high score. This knowledge enables partners to actively manage risks pertaining to danger-level matters.

Similarly, the scorecard also advises on the money-laundering risk band, pointing to the anti-money laundering (AML) management strategy for danger-level matters.

Finally, the risk score for individual matters is compared with the cost estimate negotiated for each and any imbalance is highlighted. So, if the risk score is danger-level and the estimate is too low, the partner is alerted.

Improving risk management

We have come a long way since we first adopted risk management strategically. Risk management is now a default discipline at BWB. In fact, it has transformed our culture - unlike previously and in most traditional law firms, individual partners no longer have the authority to override firm policies. More importantly, partners don't want
to supersede policies anymore -
the system provides evidence and
irrefutable information based on
business rationale analysis.

When we first instituted the system, the information given to partners was generic. For example, the danger-level score may have been triggered because the matter was complex or of high value. However, today, the information provided to partners on high-risk matters articulates the specific factors that are driving the risk, along with suggested actions required to manage the specific risks within the matter. This is enabled by the algorithms in the risk management solution.

For example, a question asks if there is a single point of catastrophic failure. If the answer is affirmative, the partner is advised to understand exactly where the single point of catastrophic failure resides and what steps are required to manage, such as requesting a second partner to review key documents or instructing counsel to appraise clauses.

In some vital areas such as personal conflicts and working outside of the firm's areas of expertise, the risk management system applies a two-level check to enforce policy. In select high-danger situations, a matter can even be closed down unless two partners have evaluated and approved for it to continue. Then again, a matter may still be closed down, unless fee earners working on the task along with the partners in question are able to persuade the management board/ risk manager/ anti-money laundering (AML) reporting officer that it is safe for the matter to remain open.

We first developed this matter closedown process for credit control, followed by credit exposure and compliance. It has now been adapted for risk. It serves as a very powerful and unwavering tool to execute policy and compliance in the firm.

Expanding the scope

In the past 18 months, we have further expanded the scope of the discipline to cover reputational, data, conflict and AML risk management. All of these are extremely complex areas of risk that are traditionally hard to manage.

Take reputational risk: we proactively prevent any potential brand damage that may come from taking on new clients or matters. The risk management system does not take the decision, but it does isolate the two to three per cent of matters/clients which must be reviewed by our reputational risk group before fee earners are allowed to proceed. Undertaking an in-depth matter risk assessment pre-empts failure and protects the firm's reputation.

Today, data loss presents an extremely high risk to law firms - not just from the Information Commissioner's Office by way of large penalties. Breaches of highly confidential client information can result
in devastating repercussions for the firm and its clients.

Our risk management solution is about to be extended to facilitate data security. For every matter, the fee earner has to offer a view on the seriousness of any potential data breach on a scale of 1 to 5. '1' refers to serious but standard damage which any client data loss would involve, while '5' signifies something that would be deeply damaging to the client and place BWB on the front pages of the national press.

This kind of risk indication guides partners in devising measures to ensure the most sensitive client data is protected as securely as possible. In fact, this approach has made data security a board-level agenda item in our firm.

Future plans

We feel there is still scope to improve our risk management system further. We are creating special screens within the system solely for the central risk team,
to give them comprehensive visibility of
all the danger-level risks of the firm.

Originally, the risk management system was designed to highlight the top five per cent of danger-level matters for the immediate attention of the management board. With the risk management system having been fine-tuned over the years, we are
seeing much higher numbers of
danger-level matters.

Today, we have developed a good understanding of how real the danger-level risks are and how effectively the partners are able to mitigate them. This additional mechanism within the system allows the central risk management team to further investigate the high-risk matters to provide a more realistic assessment of the likelihood of the risk happening. This final filter will help to take some matters originally judged as high risk off the danger-level list. Often, many danger-level matters are highly profitable, so a more in-depth evaluation of their risk level
is essential.

Given the debilitating impact of a money laundering accusation, AML risk management is a major priority for our firm. We are implementing measures that take the management of this element further. We are integrating the AML risk generated from the risk management system with data completed by the AML investigators via a specialist AML reporting service.

Our AML reports are very good, but require human review to answer results queries such as:

  • Is this PEP our PEP?

  • Does that group structure require further reports?

  • Can we explain that low credit score?

  • How much weight should we give to the three special-interest persons?

  • The risk management system flagged an overseas client, but the AML report amplifies the risk by showing the legal entity is based in Iran rather than
    a low-risk overseas territory such
    as Ireland.


We are placing those results within the same simple Q&A screens and weighting answers as per the risk management system to increase or decrease the
AML risk profile for clients. Sometimes, this process pushes the risk level into a 'no' but, at other times, it allows us to create a special AML status on the client of 'AML high risk', i.e., caution is needed, enabling us to monitor and apply special conditions to any matters that are opened for those clients. This converts the AML process from a simple good defence at the time of entry into a long-term risk management tool.

Over the past three years, BWB has faced two major risk-related challenges. Our management board has instinctively looked to our risk management system as the go-to tool to help deal with them. In both cases, we have successfully used the risk management system to demonstrate to regulators the measures that we have taken to prevent their reoccurrence. Today, 60 per cent of our monthly COLP/COFA reports are derived from our risk management system.

The ability to screen out the small number of danger-level matters for management review has produced an amazing number of very interesting, diverse, profitable but risky matters which were previously below the radar. Routinely receiving information about these matters that are a potential danger for PII claims, AML, reputation, data sensitivity and conflicts gives me, the partners and the management board the necessary information to actively manage our 4,000 new matters each year. Our risk management system ensures that we are successfully managing our surprisingly diverse high-risk caseload.

Peter Bennett is COO at UK law
firm Bates Wells Braithwaite
(www.bwbllp.com)

Endnote

1. See 'X-raying matters', Peter Bennett, Managing Partner, Vol.15 Issue 5, February 2013