Risk training – you have to do it, but are you wasting your time and money?
There is a clear role for risk-management training to contribute to better performance and culture within law firms, but it has to be part of a broader risk and compliance framework, writes Annette Beashel.
There is a lot of money, time and effort being spent on risk training for law firms.
Most continuing legal education schemes in various jurisdictions require lawyers to complete a minimum number of hours each year on ethics or risk-management training. The partner promotion process for most law firms requires risk-management training to be undertaken either inhouse or through a law society practice-management course. Large law firms have in-house legal and risk teams which provide regular risk-training programs. Most professional indemnity insurers recommend that law firms invest in risk training and offer risk training for their insured firms.
There is also pressure on the client side. It’s common for law firms to be asked in RFPs or supplier questionnaires about how they embed risk and compliance policies and what sort of training they provide to staff on risk areas such as anti-bribery and corruption, ethics or codes of conduct, privacy/data protection obligations, and information security.
But does all this risk training actually help in managing risk in law firms? Does risk training change behaviour?
Quick to forget
Let’s start with how effective training is in teaching you new information. Research around the ‘forgetting curve’ (first discovered by German psychologist Hermann Ebbinghaus) shows the astounding rate at which we forget information.
Within one hour of your training session, people will have forgotten, on average, 50 per cent of the information you presented. Within 24 hours, they have forgotten, on average, 70 per cent of new information, and within a week they would have forgotten about 90 per cent of the information.
If we put the forgetting aside, the ultimate problem with training is that it can explain best practice but it can’t by itself create a willingness in someone to behave in a certain way.
So, should we throw in the towel and scrap risk training all together? Absolutely not! But it’s important to recognise its limitations.
There are a lot of positive reasons to invest in risk training. It can help show regulators that you take risk issues seriously, it plays a role in defining risk culture by making clear what the firm considers to be the minimum standard and that acting ethically is important within your firm, and it’s an opportunity to invite discussion on risk issues impacting your office and firm.
Consider the bigger picture
To change behaviours, training will be only one part of the puzzle. You will also need to focus on having a robust risk and compliance framework regardless of the size of your firm. This includes:
- first and foremost, investing in developing a positive risk culture led by senior management. This will underpin every other aspect of your risk framework and drive behaviour;
- having defined values or a code of conduct for the firm;
- having systems, processes and policies in place to guide staff on best practice;
- appropriately supervising work. Partners must lead by example and be held accountable;
- having compliance checkpoints which reinforce policies, with escalation points for incidents;
- conducting audits and internal file or peer reviews; and
- finding ways to measure the impact of changes being implemented (e.g. staff surveys, statistics on engagement letter compliance etc).
Top tips to get the most out of your risk training
Training is very much still an integral part of ensuring robust risk and compliance in law firms. But it needs to be used wisely. The following points can help:
1. Relevance is important. Make training relevant to the person’s role or practice group and tell them why they should invest their time. Avoid ‘sheep dip’ training whereby staff are put into a classroom-style training environment and then expected to come back to the workplace to implement their new learnt skills. For smaller firms, focus on your staff attending external risk courses which are relevant to your firm’s practice.
2. Stick to two or three key messages. You want that to be the 10 per cent of information that they actually remember.
3. Build in a few reinforcement points after the training to assist with retention of information. For example, raise key learning points on the topic at the next team meeting, highlight them in a newsletter article or an intranet article one to two weeks post training, and send a follow-up email from the presenter or senior partner noting the crucial messages from the training.
4. Make it interactive. This keeps people engaged, especially if delivering the training online.
5. Keep it real. The audience loves to hear war stories.
6. Training doesn’t have to be formal. There are plenty of ‘on the job’ risk-training opportunities outside of traditional seminars. For example, partners talking about their own near misses at team meetings, using supervision opportunities to discuss risk issues, and sending fake phishing emails to staff to see who picks up that it’s not a legitimate email.
Pitfalls to avoid
1. Doing training for the sake of it, or to ‘tick a box’, will not be successful.
2. Thinking that training is all you need to do!
3. Don’t forget about non-legal staff. Everyone has a role in managing risk.
4. Think about whether training is the answer to your risk issue or problem. Or would putting in place discreet compliance measures work better?
Risk training definitely has its benefits, and law firms need to implement effective risk-training programs in order to be successful and remain compliant. However, a risk and compliance-training program will have the most impact where it is part of a broader risk and compliance framework, including the development of a strong risk culture. Remember, culture will trump training every time.
Annette Beashel is Of Counsel in DLA Piper’s Office of the General Counsel Team. Based in DLA Piper’s Hong Kong office she is responsible for managing legal and regulatory risks for the Asia-Pacific region of the firm.