12 tips for contemporary risk managers in law firms

Australasian Law Management Journal, May 16, 2019

The role of law firm risk managers is changing significantly. Here are some pointers from Peppy Mitchell on what modern in-house law firm risk managers should be doing in an increasingly volatile world.

Law firms are increasingly hiring dedicated risk managers with a diverse skillset.

In the rapidly changing world of legal services, firms and their risk managers need to consider the risk function broadly, going beyond traditional claims-management expertise to instead fulfil a variety of roles.

Different stakeholders, internal and external, have varying expectations of the role. Professional indemnity insurers will expect professional indemnity claims-prevention policies and training programs. Clients may expect quality certification, good governance and efficiency initiatives. Internal management will need in-house complaints handling and central procurement contract reviews. Law firm staff may expect everyday counsel on anything that falls into their ‘too-hard’ basket.

Professional indemnity insurers and claims risk

Historically, the work of risk managers in law firms focused on ‘claims risk’. In the Streeton Report[1], Ronwyn and Peter North demonstrated the benefits of identifying the underlying causes of past claims and responding in a systematic way. Many of tomorrow’s claims can indeed be prevented through the following measures:

1. Developing relatively simple processes such as checklists for taking instructions, having two sets of eyes on data entry, diarising limitation periods, and using advice precedents and workflow guides;

2. Maintaining firm-wide risk registers for complaints, claims and incidents to track patterns, flag areas of concern and facilitate early decisions on risk appetite and mitigation;

3. Communicating with brokers, insurers and any external lawyers; and

4. Educating people on the importance of risk management in claims prevention.

Professional indemnity insurance is typically in the top five expenses of a firm. So it makes sense for firms to do everything they can to keep their insurance costs down. As risk management increases in a firm, there is strong evidence that claims decrease. Insurers are looking for ‘good risk’ firms, so those firms with a dedicated risk manager will tend to do better in their PI renewal negotiations. Indeed, some insurers offer premium discounts.

Clients and quality assurance

Clients, however, have very different expectations. Some clients, particularly those within sectors with multiple external standards and certifications, expect their law firms to do the same. They will ask whether the firm meets quality standards, such as ISO 31000:2018 (Risk Management) and ISO 27001/2 (Information Security Management). They will request the results of external certifications and audits.

In assessing whether or not to appoint a firm to their legal panel, bigger commercial and government clients will look for a risk manager who is responsible for:

5. Developing a coherent, firm-wide risk management framework;

6. Overseeing the admission and continuing professional development of legal professional staff; and

7. Facilitating governance structures for risk-aware decision-making, particularly when it comes to professional and ethical conduct (e.g. Risk Management Committee, Ethics Committee, Conflicts Committee).

What underlies many questions in client tenders is a need for assurance of quality legal services, a consistent approach and continuous process improvement.

Clients and efficient, resilient legal services

Today’s clients need and expect their law firms to perform work more efficiently.  They also need to know that their lawyers’ operations will be resilient in the face of disruption.  In this context, a law firm risk manager will be:

8. Consulting to the business on efficiency projects, where current processes are reverse-engineered and new technology is harnessed to develop better processes; and

9. Enhancing the firm’s resilience strategies and driving improvements in cyber security, crisis management and business continuity.

Successful firms are constantly striving to streamline legal services and reduce compliance costs, while always maintaining adequate supervision and ethical and professional standards. Typical efficiency projects on which law firm risk managers are asked to consult include:

  • centralising costs agreements;
  • managing the engagement process;
  • managing the change to electronic file management and paper-lite offices; and
  • automating time sheet and bill generation.

In-house counsel role

Surprisingly, there is a reluctance in many law firms to resource an in-house counsel role. Client organisations with anything above $50 million per annum turnover would typically have a dedicated in-house counsel role, but this is often not the case in law firms, particularly for partnerships. Instead, it may be a ‘risk management counsel’ who assists senior partners and performs in-house functions such as:

10. Reviewing and drafting procurement contracts for external suppliers;

11. Advising the business on responses to client tenders, as well as client-imposed terms such as outside counsel guidelines and compliance undertakings; and

12. Developing compliance programs to manage ever-increasing regulatory risk – anti-bribery and corruption, anti-money laundering, privacy, data security and anti-slavery.

Modern culture of educating to empower

For clients and law firms, the environment in which we operate is being disrupted and changing rapidly. One recent study describes the modern business landscape as being increasingly ‘volatile, uncertain, complex and ambiguous (VUCA)’ [2]. The challenge, in such an environment, is not so much to keep doing the same thing consistently, but to be flexible enough to adapt. This includes being able to adapt the role of your risk manager.

In a VUCA world, clients and law firms are moving away from external certification and efficiency projects towards risk management that is seen as a way of thinking, embedded at all levels of the enterprise.  The benefit of this approach is that risk-management activities do not get bogged down in endless box ticking and rigid checklists.

Instead, the focus is on education and empowerment, so that everyone within the firm regards themselves as a risk manager. If a risk manager’s focus is on changing hearts and minds, then risk-aware decision-making will become part of the DNA of a firm.  You strengthen your ‘first line of defence’ so the enterprise and all its people can:

  • manage claims risk more and more efficiently;
  • harness technology to streamline their legal processes, without compromising quality;
  • assure clients of business continuity and resilience;
  • solve client legal problems in an intuitive manner; and
  • be poised and ready to act swiftly in response to emerging risks and opportunities.

In a VUCA world, law firms and their risk managers need a broad perspective on their role.   Law firms need to think not just about what they do to deliver quality advice, but also about how they conduct their business in a resilient way. Whatever your perspective, one thing is for sure – law firm risk managers are likely to be very busy for the foreseeable future.

Peppy Mitchell is a senior lawyer and risk manager with 25 years’ experience in commercial law firms, both as a practitioner and in practice management. She drives strong risk management cultures, solid corporate governance and robust compliance programs. She can be emailed at peppy.mitchell@gmail.com.


[1] ‘Managing Client Expectations and Professional Risk: A unique insight into professional negligence exposure in the Australian legal profession’, by Ronwyn and Peter North, Streeton Consulting 1994.

[2] ‘Old Versus New, Embracing a New Risk Paradigm’ Australian Catholic University White Papers, November 2017.