Risk management champions can give firms a winning edge in 2017
A decade is a long time in legal practice and changes to regulations, work environments and external threats since 2007 underscore why law firm leaders need to be on top of their risk management strategies, writes Ronwyn North.
While researching cyber risk recently, I came across an article from 2007 in which the cyber risk in question was the then new technology for electronic faxes – that is, faxes direct to an email inbox!
It started me thinking about the ways in which law practice risks and risk management have changed in the past decade and what might lie ahead. You may recall that 2007 marked the success of ‘Kevin 07’ and the Labor Party’s campaign against Work Choices. There was the furore around the arrest of Dr Mohamed Haneef, the first person detained without charge under the 2005 Australian Anti-Terrorism Act (and who was later found to have been wrongly accused).
It was the year that Slater and Gordon became the world’s first publicly listed law firm. On the world stage, 2007 saw the release of the first Apple iPhone and ushered in the start of the sub-prime mortgage crisis in the United States that triggered the global financial crisis. The World Economic Forum’s list of the top global risks included asset price collapses, oil price shocks, pandemics and retrenchments due to globalisation.
That was then …
At that time, technology risk in law practices was all about managing emails, documents and discovery. The concept of a paperless office was in vogue, along with clients using text messaging to provide instructions. Social media tools such as Facebook and Twitter had yet to make a real impact in the workplace.
Another hot topic in 2007, and a particular preoccupation for any firm with cross-border connections within Australia, was ensuring compliance with new legal profession regulation. Considerable resources were deployed to bed down new processes relating to engagement letters, costs disclosure, conflict of interest consents and information barriers. The reforms were touted as harmonising state regulation but, like the legal profession reforms before and since, compliance in one jurisdiction was no guarantee of compliance nationally.
Under the new legislation, incorporated legal practices and multi-disciplinary partnerships needed to be able to demonstrate they had ‘appropriate management systems’. The management systems in question targeted areas that gave rise to the most common complaints against law firms, such as trust accounts, costs, client communication, supervision and undertakings. Firms that subscribed to a quality system such as Law 9000 focused on management more broadly, but such firms were and remain relatively few.
Back then, compulsory insurers warned about a spike in mortgage-related claims and brazen identity fraud by girlfriends attending solicitors’ offices and pretending to be wives. Otherwise, risk-management education and related claims prevention initiatives continued pretty much the same as for the previous decade. At the profession-wide level, there was considerable angst about the potential extension to lawyers of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, something that remains unresolved a decade later.
Looking back, to the extent that the average law practice paid attention to risk management, the emphasis was on professional compliance and liability risk. Other operational risks were categorised or siloed by function such as finance, HR or IT, but there was no overall, practice-wide risk framework or risk-management plan.
What about today?
Rolling on to 2017, what are the priority risks and trends in risk management? On the global stage, the World Economic Forum’s latest Global Risks Report covers factors such as weapons of mass destruction, extreme weather events, natural disasters and the failure of climate change mitigations and adaptations, large-scale involuntary migration, large-scale terrorist attacks, and the risk of massive technology failure, data theft and fraud.
Of these risks, data and information security should be up there as a top risk-management priority for law firms, not only in relation to cybercrime but also regarding supply-chain risk as law firms become more and more dependent on technology and external technology products and providers. This focus on external sources of risk is different from the previous internal focus on a firm’s own IT systems and users. Being faced with unpredictable events requires taking contingency planning and preparedness to a new level.
Another difference in 2017 is the growing recognition of strategic risk compared with the earlier focus on more operational or internally generated risks. Today’s law practices face an increasingly volatile environment of hyper-competition from within and outside the legal profession, digital disruption and changing client and workforce expectations of legal services and legal practice. It is claimed that the internet has ‘democratised’ legal information, which gives clients the means to reassess the value of independent professional advice. Clients are more willing to self-represent, appoint in-house counsel or use alternative non-legal services providers. One significant result is downward pressure on fees, which has a knock-on effect into the structural arrangements and financial viability and sustainability of many law practices and their business models.
Strategic and uncontrollable risks require different approaches to mitigation from the familiar procedural controls used to mitigate what might be termed operational or preventable risks. Strategic decisions require careful assessment or reassessment of the risk-reward equation. Planning for unexpected events requires more imagination or envisioning, more rigour and more resources.
In 2017, firm leaders must be more proactive champions of risk management rather than simply being good in a crisis, or reactive to risk events and incidents when mistakes are made, rules are broken or processes are found to have failed. Outside the legal profession there is interest in developing new approaches to managing risk and I will be interested to see how these might play out in legal practice. Some possible differences between managing risk in 2007 and managing it in 2017 and beyond are set out in the lists below.
2007 risk management profile
- Operational/internal risk focus.
- Negative/incident driven: good risk management constitutes an absence of incidents (claims, complaints, injuries, outages, losses) and learning from incidents and being able to eliminate mistakes, violations and variations.
- People are the problem: Controls focus on processes and compliance to avoid and eliminate risk.
- Technology is a risk.
- Risk is managed in silos or segregated/piecemeal.
2017 risk management profile
- More focus on strategic and uncontrollable risks.
- Positive/performance driven: Good risk management constitutes maintaining and improving performance, meeting objectives under pressure and learning from what goes right and being able to perform and adapt in difficult and changing conditions.
- People are the solution: Controls focus on capability and culture to be able to judge and take risk competently and confidently.
- Technology can help manage and reduce risk.
- Risk is managed via an enterprise-wide, integrated framework.
One definition of risk is the ‘impact of uncertainty on business objectives’. A law practice’s general business objectives in 2017 are likely to be the same as in 2007 – good results for clients, client satisfaction with the service they receive, sustainable profit, and job satisfaction and personal wellbeing for all personnel.
However, specific business objectives do change, as do plans for how these objectives will be achieved. Add to these the challenges of a changing world and practice environment and a case can be made for every practice manager to ask from time to time whether their firm’s current risk management arrangements are appropriate and sufficiently robust for the times we live in and what is ahead. For some firms the outcome of a risk review will be a tweak of current arrangements; for others, it will be an overhaul.
Four actions to consider taking right now
Someone has to champion a risk review and that someone might as well be you. If so, here are some actions you might consider taking to get the process under way.
1. Initiate conversations across the firm about the changes in legal practice that people have observed since 2007 (or another date you choose), along with their views about changes ahead and their potential impacts, good or bad. The conversations can be with individuals or groups, informal or formal, but the more you get people talking with each other about the practising environment and its challenges, the better they will be able to discuss and decide if changes are needed to risk-management arrangements.
2. Consider your current risk framework and arrangements. Is this the first risk review you have undertaken, or is there an existing process for asking and answering questions such as: What might happen that will help or hinder us in achieving our objectives? What are we going to do about it if it is not okay and, even if it would be okay, how do we optimise our position to take advantage of it? How structured or unstructured are the arrangements? Are risks identified, controlled and monitored in an integrated practice-wide approach, or is the approach piecemeal?
3. Take stock of your current ‘risk list’ and risk-management activities. What proportion of those risks and incidents would you categorise as strategic, preventable, or outside of your control? And what proportion of your risk-management resources is directed to each (e.g. time, money spent on a) analysing and monitoring strategic opportunities and threats and adjusting strategic plans and execution; b) operational controls and auditing in the various client facing and support areas; c) threat assessments, scenario planning, contingency planning and stress testing)? How confident are you that you have the right risk priorities, a mix of activities and adequate resources?
4. Think about the risk-management accountability and capability of your people. Are accountabilities for managing various kinds of risks clearly articulated? Does everyone see managing risk as part of their job? How do you know? How confident are you that there is a shared appetite for risks and safeguards? Would you describe your people as capable risk thinkers and risk takers who make sound decisions under conditions of uncertainty? Can they identify risks and take appropriate action themselves, or do they need to be told? Can you engage their attention about what might happen before it happens, or only after it does?
Once you have a sound understanding of where you are now and what is ahead for the practice, you will be in a position to consider the future direction of risk management and commit to a risk-management plan for 2017 and beyond. In many firms, the decision will not be yours alone and you will need the firm’s leaders on side to make significant and meaningful change.
If your firm’s leaders do not already proactively champion risk management, then it is all the more important that you do your best to persuade them to join you in conversation and consideration of the matters raised above. None of us can know for sure what the future holds, but an up-to-date approach to risk management will give you a better shot at managing life’s uncertainties than one that is years out of date.
Safe practice!
Ronwyn North is the managing director of Streeton Consulting and a qualified lawyer who specialises in consulting to the legal profession on practice management issues, including risk management. She can be contacted at rjnorth@streetonconsulting.com.au.
Further reading: Managing Risks: A New Framework, by Robert S. Kaplan and Anette Mikes, Harvard Business Review June 2012; From Safety-I to Safety-II: A White Paper by Professors E. Hollnagel (Denmark), R. L. Wears (US) and J. Braithwaite (Australia)