The wider picture: Where UK law firms are failing in risk management
By Frank Maher
Are you ready to stand back and review the sustainability of your business as a whole from both a risk and a compliance perspective, asks Frank Maher
Should law firms focus on compliance or risk management? The question may seem curious to solicitors in England and Wales, at whom this article is aimed, as the requirements in principle 8 and chapter 7 of the Solicitors Regulation Authority's Code of Conduct mean that compliance, for solicitors, involves managing risk. And managing risk includes managing the risks to compliance. So, although there may be a distinction in the wider world, the two concepts are largely subsumed in each other for the purposes of law firms regulated by the SRA.
The question, however, is born out of concern that many in the profession have been driven, consciously or otherwise, to focus their efforts on computer systems, spreadsheets and ticking boxes on forms in order to demonstrate an aura of compliance. Being able to demonstrate compliance is of course important. Yet it can distract people from standing back and asking whether the practice is a sustainable business and manages its risks on an enterprise-wide basis, leaving them instead focusing on ticking boxes.
By way of illustration, many cases of rogue partner/employee activity have happened in firms with quality kitemarks such as Lexcel, where reviewers have been satisfied that internal procedures have been followed, but not stood back and asked whether the transactions recorded on file accorded with the clients' (particularly lenders') intentions. One cannot help but recall the strapline of one kitemark, now thankfully gone: 'managing risk so you don't have to'. Quality standards have their role, but they are not an end in themselves.
How do we inject some vibrancy into the profession's attitude to risk when it is rendered torpid by a plethora of conferences, software products and books devoted to the topic of compliance? How do we convey the message that a passport and a gas bill are not client due diligence?
Risk awareness
Attitudes to risk may be diminished when compliance is a tick-box exercise, perceived as standing in the way of fee earning. While this is partly a training issue, the message has to come from the top.
Yet fee earners do (generally) appreciate being able to bill all of their time on a matter and see their bill paid promptly, perhaps even with a covering letter complimenting them on their service and a willingness to provide not only a reference but also a glowing testimonial for upcoming editions of legal directories. These may illustrate the upside of managing risk.
A starting point for those wanting to focus on the big picture is a firmwide client risk assessment. From next year this is expected to be mandatory in all law firms in the regulated sector with the implementation of the proposed EU fourth anti-money laundering directive.
It is important that this exercise is not perceived negatively as 'business prevention' and it should go wider than mere anti-money laundering compliance - it is as much about enabling work (for example, managing conflicts so that work can be taken on rather than turned away) and ensuring the firm is paid for it, as it is about compliance with rules and regulations. In addition, the end result may help to streamline the process, removing unnecessary obstacles to doing business.
The objective will be to assess the range of the firm's activities, the types of clients it serves, where they are based and their sectors, and the firm's route to market. This will lead to identification of the customers which pose risks to the business and compliance, for example those with complex beneficial ownership structures, and clients whose behaviours may pose additional risks. This, in turn, will enable the firm to address how it mitigates those risks and, in relation to each step to be taken to that end, who will be responsible for dealing with it.
Partners may have developed attitudes to risk which do not stand up to critical analysis. Some lawyers think their work is only low or medium risk because it comes from (or is recommended by) a major institution. They overlook the fact that those institutions may have been fined millions of pounds or dollars for non-compliance with anti-money laundering or anti-bribery legislation. They may also be dismissive of the risks posed by high risk sectors (such as energy) or country risks.
Financial risks
Client risk assessment is an important topic and a major project. However, it is also important to stand back and review the sustainability of the practice as a whole. The SRA has been reviewing the financial stability of many law firms, particularly following the demise of Cobbetts. Since then, we have seen a further top-100 City firm enter a forced 'merger' and others where there are significant changes in their financial fortunes. Will the day come when law firms have to meet capital adequacy requirements?
Banks and secondary lenders are becoming more wary of law firm finances and the opacity of their accounts, having sustained significant losses with recent collapses. Borrowed partner capital is more susceptible than hard cash.
How sustainable is your borrowing? This question is particularly relevant to firms which have had to borrow from secondary lenders, especially if they are borrowing for tax and value-added tax when they already have the money.
Is your practice exposed to the risk of contagion? This is not just an issue for alternative business structures owned by banks, but also for practices which may form part of multinational firms, as happened with Dewey. The SRA is known to have been looking at a number of US firms with London offices to enquire about the big picture of their finances.
All firms should consider the financial stability guidance which has appeared on the SRA website under resources in chapter 7 of the SRA Code of Conduct. In particular, note its list of 'poor' behaviours, including "firms controlled by an 'inner circle' of senior management". Do all of your partners know the state of the firm's finances?
But sustainability of the practice as a whole goes further than these headline issues. It permeates all aspects of the firm's systems and operation - not just the mechanics of service delivery, such as premises and IT, which would be addressed as part of normal business continuity planning.
The recent professional indemnity insurance renewal period pushed some firms to the brink and at least three top-100 firms had significant difficulty renewing their insurance, without which they could not practise. In the face of a rising tide of claims, some firms have obtained cover only on eye-watering terms in relation to the premium and uninsured excess, having enjoyed low premiums for many years.
Client pressures
Changes in client work can put significant pressure on a firm - commoditisation, changes in law and practice (as has happened with the personal injury referral fee ban) and new entrants to the market. It is not only high street firms which are seeing the pressures of changes in client requirements, though it is the personal injury sector which is grabbing much of the headline attention at the moment.
Increasingly, many clients will want to do what they can themselves, only farming out the difficult bits, and leaving law firms to take 90 per cent of the risk for 10 per cent of the profit. New methods of working with non-traditional providers, such as the Axiom model, will also erode law firms' client bases. These are not compliance risks in the accepted sense, but they are risk management issues.
Secondments present opportunities to 'get under the skin' of clients, but they also present challenges, as do secondments of clients' employees to law firms. We can expect to see issues of conflicts and management of confidential information develop. One professional services firm has experienced a major issue resulting in significant loss of work and long-term damage to a client relationship as a result.
How does your firm's supervision work? Quite apart from the compliance requirement to be able to demonstrate that it is taking place, it can be a real differentiator in the delivery of client service, not just in managing the bare bones of risk. It is probably the area of greatest variation within law firms, let alone between different firms.
Technological risks
Information technology presents many risk areas. While many fear hacking attempts from the Far East (and there has reportedly been a major attempt on a City firm recently), the bigger risk is probably from one's own staff, who may abuse their data access privileges - particularly leavers taking confidential client data on portable media. But also be wary of the risks of accidental data loss, such as a fax sent to the wrong number or confidential information sent to the wrong email address.
Those firms using cloud technology, if only for a discrete purpose, such as email backup, will be aware that a number of cloud providers have failed or closed access to their services at short notice, leaving firms with little opportunity to retrieve their data.
It is becoming increasingly difficult to avoid data being backed up to cloud services, almost through oversight. The Snowden revelations have been mind-focusing, as if there were not already data protection concerns about the jurisdictions in which cloud services are hosted.
Dependence on software for key functions such as accounts can also be a concern - what happens in the event of supplier failure? Will you have access to the code? Does the firm or a department have overdependence on one client, or a particular market sector? Some firms have suffered in recent times through cutbacks in public spending, undermining their public sector client base, for example.
Cyber liability policies are gaining traction in the United States at least, as much for the business continuity and reputation management services included in the package as for the protection against liability. Note, however, that all cyber policies are not created equal, and the terms vary widely.
The wider picture
The key message is that we should try to see the big picture of managing risks for our practices. Compliance by checklist may go some way towards being able to demonstrate compliance to regulators, but it can risk losing sight of the big picture.
Nonetheless, it may still be useful to review the firm's risk register in conjunction with the SRA's Risk Index. Work on an update to this is about to start and the SRA has indicated that it will assist firms looking to map their risks to the index.
When assessing your firm's risk, using the model designed by your regulator is as good a starting point as any, but don't forget to stand back and look at the wider picture.
Frank Maher is a partner at UK law firm Legal Risk (www.legalrisk.co.uk)