This website uses cookies

This website uses cookies to ensure you get the best experience. By using our website, you agree to our Privacy Policy

Sign Up for our Free Newsletter
Solictors Journal logoSolictors Journal logo
Jean-Yves Gilg

Editor, Solicitors Journal

Risk test: The risks that create professional liability claims

Feature
Share:
Risk test: The risks that create professional liability claims

By

Matt Humphrey discusses how to test your firm's systems and processes for risks that could lead to professional liability claims

Over the past year, several law firms have closed because the cost of professional indemnity insurance has made it uneconomical for them to continue. While some of the causes of an expensive premium (such as those relating to the global economy) are outside your control, an effective risk management strategy can dramatically lower costs of all kinds. With the insurance market expected to harden further, it is time to take another look at your firm's risk management efforts.

Firms without effective and documented risk management procedures may be considered high risk by insurers. At worst, this could mean being rejected for cover or, at best, paying ?a higher premium. There are of course the wider implications of not having effective risk management, such as reputational damage to the firm and the knock-on effect to client and ?staff retention.

The challenge for law firm leaders is to strive to make ?risk awareness, both in terms of things that may go wrong and in terms of opportunities that can be seized, part of everything your firm does. Firms that can embed risk management in this way will be able to use it to drive performance and improve stakeholder satisfaction.

So, what does increase a firm's risk exposure? There are ?a range of factors, including:

  • mismanagement of client expectations;

  • inadequate internal controls, quality and practice management;

  • regulatory non-compliance;

  • inability to retain and/or recruit talent;

  • information system security weaknesses;

  • market pressures, resulting in declining revenues and restricted growth;

  • operational inefficiency;

  • inadequate business resilience;

  • absence of a robust strategy aligned with the firm's culture;

  • poor financial management;

  • inability to identify and respond to significant changes in the market; and

  • anything that leads to reputational damage.

There are several examples of UK law firms that have failed to manage their key risks effectively and ended up in administration over the past few years. One of the largest to enter administration recently was Cobbetts. The reasons cited for its failure include poor financial and strategic management, and the loss of key partners.?

In the US, there have also been high-profile failures of large firms, notably Howreys and Dewey & LeBoeuf. A cocktail of risks reportedly led to the demise of Howreys, including:

  • loss of faith in the leadership team;

  • accumulation of bad debts;

  • reliance on high levels of borrowings to support its ?growth strategy;

  • limited focus on cost cutting;

  • insufficient due diligence, which didn't uncover conflicts ?of interest between US and European clients;

  • declining revenues due to market conditions; and

  • loss of partners to competitor firms.

So, what does a good risk management framework ?look like?

Risk management framework

The purpose of a risk management framework is to outline to all areas of the business the ways in which they are expected to approach and manage risks. It advises how to deal with challenges that threaten the business and also guides staff how to identify, assess and manage risks in a uniform and consistent manner. It should also discuss approaches to maximising opportunities or 'upside risk'. It should consequently help to reduce the likelihood of bad things happening, while helping the firm to deliver on its strategic aims and objectives.

To lower your risk exposure, you must first understand it. Ask yourself the following key questions.

  1. Do we know what our key risks are? When was the last time we reviewed these?

  2. Do we know what might cause these risks to occur? If you can understand the underlying circumstances that made it possible for the risk to occur, any actions you take are more likely to be appropriate and effective.

  3. What would be the consequences if this risk materialised?

  4. What is the source of this information? If it is based on past experience, this is a starting point, but the biggest risks are those that can't be predicted. You need to ask yourself what is changing or coming up in the future.

  5. What seems so unlikely that we have discounted it? In risk language, what are the 'black swans'?

  6. What are we already doing to manage these risks? Assuming (and this may be a big risk in its own right) that these risks are not new, you are probably already doing something about them, but what? And, moreover, how effective is it? How do you know and how can you be sure? If these are 'black swan' risks, you may have no defences in place at all.

  7. Given what we now know about these risks, how much priority should we give them? How likely is it that these risks will occur in the short to medium term and how big would the impact be? You need predetermined measures for impact and likelihood to ensure consistency of assessment.

  8. How does this tie into our risk appetite? Do we know how much risk our firm is willing to accept in the pursuit of its long-term objectives?

  9. If the risk is outside our risk appetite, what could/should we do to reduce it?

  10.  How are we going to monitor our risk action plan to ensure that it is delivered and achieves the desired effect?

  11. Who is accountable for reporting, monitoring and reviewing risks? Who holds them to account for action (or inaction)? You need to make explicit some of the key responsibilities within risk management.

The benefits of such a framework are many, including:

  • you will be more likely to deliver what you set out to deliver and not be derailed by the unanticipated;?

  • you will have a common understanding of those risks that you are prepared to take and a common agreement about how to manage the risks you do not wish to face;?

  • you will learn from your mistakes, near misses and successes by discussing what worked, what didn't and what you can do to improve; and?

  • you will be able to demonstrate to your insurers, through a robust audit trail, that you are doing everything you can to reduce risks and that you are geared up to react to new risks that might emerge, such as cyber attacks that could result in a loss of client data.

Recording and reporting risks

The importance of maintaining a good audit trail cannot be overstated. It provides great comfort to insurers and investors alike and is vital evidence to defend a claim. In reality, this is probably only a matter of improved documentation of actions that you already take.

Learning from your mistakes is an important part of risk management, yet it is not uncommon for firms to bury some of their mistakes, such as by not recording or analysing complaints. Indeed, many firms say that they have never received a complaint.

However, it could be the case that complaints have ?been received and conciliated, but are not recorded as 'formal' complaints due to concerns about PII cover ?and reputation.

How many fee deductions or waivers do you make that are not classed as formal complaints? Complaints are the manifestation of risks; by failing to record and review them, you will be unable to spot trends or systemic issues and implement the required mitigating actions.

Probably the most beneficial action that you can ?take is to create a risk-aware culture. This results from informing employees of their responsibilities regarding risk management and equipping them with the tools to manage risks effectively.

Risk management should be an aspect of all decision-making processes and should become part of 'the way we do things'. You should talk about business risks explicitly and openly and all staff should be encouraged to do likewise.

For example, there should be easily accessible ?ways to raise risk matters (new risks, risks that are being poorly managed, controls that aren't delivering) and staff should be rewarded (through recognition of their input) ?for doing so.

One of the key areas of importance to law firms is reputation. If you lose your reputation for honesty, effectiveness and security, it is unlikely that you can survive as a business. By making sure that all staff understand the risks associated with a damaged reputation, you are more likely to avoid embarrassing situations, such as the sending of a careless email, loss of a laptop, mobile phone or USB stick, or rash comments on social media sites.

 

Managing firmwide risks

  • Educate yourself and your staff about the risks that your firm faces and what you are doing to manage them

  • Learn your risk lessons from others and take the necessary additional actions

  • Keep your insurers informed of risks that have been managed so that they can take this into account when setting your premiums

  • Take the management of risks to your firm seriously; as others have learned, it is a serious business when you don’t

 

Matt Humphrey is a partner in the risk advisory services team at UK accountancy firm RSM Tenon (www.rsmtenon.com)