EVENTS AND ROUNDTABLES > THE RISK DEBATE
The risk debate - The coming storm
On the day Brexit officially began, our annual Legal Business/Marsh round table found risk managers on the front line of a series of cataclysmic events
29 March 2017 will be a date that will remain ingrained in the memory, with Prime Minister Theresa May invoking article 50, formally triggering the Brexit process. Later that evening it was inevitable that the real effects of Brexit would dominate the discussion at our annual risk management round table.
The debate, which came on the back of our 2017 risk management report, published in March, looked at a number of significant issues for law firm risk teams. Overall, the uncertainty caused by Brexit and, closer to home, the systemic failures that contributed to the demise of King & Wood Mallesons (KWM) in Europe means that management boards at firms are seeing their risk teams as consultants and confidants – enablers of the business – rather than preventers.
With this in mind, we gathered together risk experts from some of the City's leading firms to discuss how they are being deployed to ensure the best outcomes for their firms.
Mark McAteer, Legal Business: Today's debate is particularly well timed and we will get onto that soon, but which particular issues have defined the risk landscape over the past 12 months?
Sandra Neilson-Moore, Marsh: There is a lot of uncertainty at the moment. There is uncertainty around our relationship with Europe, around the US, around regulation, tax and the way governments are trying to raise more money. The big one, probably, is cyber, where there is a lot of stuff going on that people are very worried about; a lot more penetration into law firms and other professional service firms; and a lot more emphasis from the clients of law firms about how firms will safeguard them, with layer upon layer of engagement documentation and issues. As insurance brokers and advisers to our clients, we are getting a lot more questions over how much firms should agree to clients' demands.
Nicole Bigby, Berwin Leighton Paisner: There is more bespoking.
Sandra Neilson-Moore: There is a lot more bespoking. The other thing that strikes me is that the clients themselves are having problems from their own suppliers. There is a load of uncertainty, a load of bureaucracy, a load of regulation and a lot of confusion, which is not good for risk – professional risk or any other kind of risk. We often talk about professional liability risk, but this is now linked to cyber risk; is linked to crime; is linked to employment practices liability insurance; is linked to management liability, and all those things are coming together in a very scary way.
Angela Robertson, Taylor Wessing: My concern is that we are facing more regulation over the next couple of years and lots of dilemmas for risk teams. We are moving into a new arena of more process to implement, but at the same time we need to be commercially agile to cater for the demands of businesses in a Brexit environment and the generally more challenging times. For risk teams, it gives us more prominence and that is really positive, but at the same time some of the regulation that we are having to implement is going to put us back to being viewed as a barrier. It is going to be difficult to achieve the right balance.
Nicole Bigby: We have seen a trend based around a regulatory mechanism driven by a failure-to-prevent template offence in the Bribery Act. A much more systematised, proactive position is required within an organisation and yet we need to be able to demonstrate a balance. You have to be able to demonstrate that the organisation is robust enough, because your board is potentially at risk now in relation to failure-to-prevent type offences, and still be flexible enough to find the opportunity and growth where it is needed. That is going to be even more challenging in an uncertain commercial environment.
Justine Cowling, DLA Piper: The additional regulation, as well as the need for law firms to be more innovative and come up with new ways of working, is also interesting for all legal, risk and compliance teams. We will need to consider our policies and procedures carefully, and ensure there is robust guidance to manage key risks, such as supervision, particularly where artificial intelligence and other tools will be used to support the junior lawyers in tasks they would have completed differently a decade ago.
Chris Andrews, Pinsent Masons: I would endorse that. I am seeing the twin tensions of more regulation and at the other end client demands and internal pressures to increase revenue, which are driving new ways of doing business – AI and new service offerings that may be peripheral to the traditional legal services. So we are managing the practical risk implications of those new ways of doing work at the same time as addressing the regulatory burdens that seem to be increasing day-by-day.
Emma Dowden, Burges Salmon: It is not easy to reconcile those. There is a danger that people could lose sight of what they are trying to achieve, because you end up just trying to comply with the process of complying with all the different regulations, which probably conflict, alongside needing to meet client demands and expectations. It would be very easy to get comfortable with following all of the processes, and not thinking about what the risks are and what the solution is, so that systematised approach is a real danger area.
Melanie Norbury, Osborne Clarke: The last few years have been relatively stable; we haven't had any large-scale change and, equally, as compliance directors, we've had the positive ear of our boards. More importantly, boards have generally wanted to listen because they realise how important it is to be compliant. We're now in an uncertain market, where our boards are considering conflicting priorities, so we're going to have to work hard to avoid being seen as 'prohibitors'. It's important that we maintain a careful balance.
‘It would be very easy to get comfortable with following all of the processes and not thinking about what the solution is.’ Emma Dowden, Burges Salmon
Mark McAteer: Sitting where you are, what do you think about KWM?
Sandra Neilson-Moore: All the classic failures come from perfect storms. It is like a domino effect. This thing goes wrong, that thing goes wrong and then it all falls down.
Mark McAteer: The KWM story and how that relates to Swiss Vereins depends on your perspective, because you can see it both ways. You could say that it shows that the verein system works, because that means certain parts of the business are ring-fenced from liability. The other argument would say you have not got a single partnership, no-one sharing responsibility, and therefore you are being hung out to dry.
Sandra Neilson-Moore: Why should KWM not, as a brand, a culture and an entity, survive a bad purchase? It is sour grapes and a failure to recognise the changing world when people say it is not a real firm and it should have all gone down like Dewey did. It is good that KWM did not all go down, isn't it? Surely it must be.
Angela Robertson: It has been a wake-up call for everybody across the City because, arguably, law firms have spent a lot of time being complacent and nobody now can. There has been so much about the KWM collapse that it resonates with everybody that this could happen to any firm. We all have to stay on top of the game. It is all about reputation. In a way, that might bring some benefits.
Andrew Cheung, Dentons: KWM was a clarion call for firms to focus on the fundamentals. You can have a really good firm with a great brand and it can fall apart quickly, not because of a dramatic and cataclysmic event, but because management doesn't pay attention to those less obvious but vital parts of the business, which are difficult to change. It was not an iceberg that sunk KWM; it was an aggregation of little things, a thousand cuts.
Mark McAteer: Talking of cataclysmic events, what effect is Brexit having for you practically in terms of strategising, risk management, planning?
Roger Butterworth, Bird & Bird: There are two aspects: there is the effect of Brexit on the clients and the effect on the internal law firm structure. English governing law and English jurisdiction are used so much around the world. Part of that is because of enforceability of judgments across Europe. You do not want to lose that; that would be a loss for our clients and a loss for others. In terms of law firm structure, the fact that lawyers are virtually free to move around Europe, being part of pan-European structures – if we can preserve that, that is to the good, both for lawyers themselves and for efficiency of the service to clients.
Andrew Cheung: Quite a lot of resources are going into Brexit planning at the moment and these largely fall into two areas. One is strategic, looking at how we position ourselves in Europe, what service lines will wax and wane in a post-Brexit Britain, and whether we move services over into Europe? That is necessarily uncertain and speculative, but still vitally important. The other area, which requires the largest effort right now, is about business resilience to weather the uncertainty that is coming, focusing on the fundamentals, legal delivery transformation, financial hygiene, process efficiency and performance.
Angela Robertson: That will dictate the trend of risk management, rather than Brexit itself. It is the way the firm responds to it that will shape how we react within our teams to the challenges ahead, but at the moment we just have to work with the regulations that are either already with us or are about to be upon us.
Nicole Bigby: A feature of managing uncertainty is a level of agility. It is thinking about and across what your range of possible scenarios may be, how much flexibility you have, what timeframes you need to adapt to them, depending upon whichever of those scenarios transpires.
Sandra Neilson-Moore: That argues that the risk management function is going to become more important, not less important. They may just not have got round to thinking about it yet.
Andrew Carpenter, Marsh: It is interesting, because to me there has been a slight tightening of the ship within law firms. Because of this uncertainty, firms need to maintain fee income; need to maintain profitability of the firm; need to maintain the loyalty or the culture of the partners to keep the firm going. Against that you have the drive to maintain revenue, so you could have cultures of individual partners trying to take on work that they would not normally do, because they are trying to maintain their worth within the firm. That is where risk becomes very important again, because they may be pushing different models, different types of work because of this tightening of the ship. Pressure is on them individually to perform.
Roger Butterworth: Risk is becoming institutionalised. It is becoming a recognised department and a function that has to be consulted when changes are happening or things are going wrong. It is becoming hardwired, whereas before it was just fluid: someone who had an interest in this area, someone who was asked to take responsibility. We have gone beyond that now and, therefore, are getting closer to where the financial institutions and commercial clients are, with it being part of the fabric.
Mark McAteer: Has it got to the extent where the engagement with risk is proactive rather than reactive? Are they still waiting for the proverbial to hit the fan before they come to you?
Chris Andrews: No, there is a more strategic use of risk management functions and Brexit is a good example of that. When there is a big event and the troops are mobilised to start planning, the risk function is part of the team that is mobilised, so it is proactive more than reactive. New service offerings is another example of where we are seeing an involvement of the risk function earlier in the planning process.
Melanie Norbury: We are looking at things widely at the moment, for example: what does this mean for our future stars; are they the same stars that we thought they were before Brexit? Also, how do we keep these colleagues engaged because they may not be attracted to this partnership model anymore? Will they be more attracted to Europe or other places? We are also very much involved in the consultation of risk; where is our revenue going to come from today and in future generations? How do we attract revenue in different ways?
Andrew Cheung: One thing Brexit has done – and it is a trend that has been ongoing for a little while – is drive the risk function and the GC or head of risk up the value chain right into strategic decision-making, so not just on the periphery of strategy when decisions have already been made. This is in contrast to, say, 2007, when we were struggling for a seat at the table on operational issues.
Mark McAteer: The other big issue from our report is cyber security insurance, whether that is sufficient and whether any new threats have been coming through in the last 12 months from a cyber perspective?
Sandra Neilson-Moore: The professional liability insurance of law firms in this country should cover all their third-party, client-related, cyber liability exposures, so if you get hacked, if you lose your client's data or your client's data becomes corrupted, any liability you have to your client should be covered under your professional liability policy, full stop. If it is not, you have a problem with your coverage. Your first-party exposures, like business interruption, crime and response stuff – that is the kind of stuff that should be in a cyber insurance programme. The big problem is that there has been this huge rush to sell cyber products. We have resisted that, while under much pressure to do so. What we have said is if you want to buy cyber insurance, we should meld it to your crime, your PI and all the other stuff to make sure that it works.
Andrew Carpenter: Gap analysis is very important because it is important that within your own firm, working with your IT and your tech people, people understand where the exposures are, where the coverage is and as important who your response people would be. Who would you want to use? As law firms, you have relationships with key providers, key suppliers, consultants to you that you would use. You do not want bog-standard wording, that you phone up a support number and they provide you with someone; you want someone you work with all the time, but the policy is going to pay your increased cost of working; it is going to respond in the way you want it. You may yourselves be part of the response team that you would get paid for.
Certainly, for the larger firms, you need to own this document, to understand it. Some firms go through this process and say, 'We are not going to buy it because we have these contracts; we will take that risk,' but it is an informed risk, rather than buying the cover.
Sandra Neilson-Moore: If you have the liability, whether through indemnity or whether through an obligation to top up the client account, you are liable. Your policy will pay. If that starts to happen with any kind of regularity, if insurers start paying out significant sums, which they are doing at the small firm end, things will change.
Angela Robertson: That is my concern. It is going to completely change the landscape.
Chris Andrews: I also have sense that it is sometimes becoming part of some clients' own risk management strategy to try to offload the risk onto their law firms (by asking law firms to hold funds on transactions), which is unattractive from our perspective.
Nicole Bigby: It is quite frightening, when you think about the risk of not only potentially indemnifying the client's position but also that of a supply chain fundamentally, because the weak links may be outside your control – through your own suppliers or the client's suppliers.
Angela Robertson: Cyber insurance is sometimes perceived to be the easy or the cheaper option, because to address all of the potential risks in your business and look at your IT systems, not just in the UK but internationally, is a massive undertaking. There is a certain amount we need to do to invest in our IT because if you do not put the basic steps in place to protect the business, then you are going to be calling on your insurance, but it is a costly business.
Andrew Cheung: If you do not put those steps in place, then you are in breach of your panel terms. You are going to lose all your main clients. If 75% of our income walks out of the door, there is no insurance policy that is going to fix that. That is game over.
Mark McAteer: To wrap up, what are your predictions for the next 12 months?
Roger Butterworth: It is not going to get better; it is going to get more demanding. It is going to get more complicated. Client requirements are going to become more demanding and more contradictory. Regulations are going to increase. But apart from that it will be great!
Chris Andrews: It is going to be client demands for services being performed in a different way that is going to have an impact on the shape of the law firms to be able to deliver those services. Keeping up to speed with those changes is going to be a big issue.
Emma Dowden: The composition of law firms will look very different. So you talk about AI and we will end up with legal engineers, effectively.
Sandra Neilson-Moore: That is going to make you guys much more important, because you are going to be focused on risk. Look at how much your teams have grown in the last ten to 15 years, with all this change and uncertainty, and I suspect as well – this would be an interesting question to put out there – with less power of the partners. It used to be that your autonomous partner – always a man – was sitting there going: 'I don't give a monkey's what you say; I am doing it this way.' You do not have those people very much any longer.
Angela Robertson: That is right, because there is that underlying fear that they have. Rather than the sort of conversations that you have just described that used to take place in the past, now partners are saying: 'Tell me what I need to do and I will do it.'
Chris Andrews: Part of that is because, when it comes to partner assessments, which drive remuneration, which drive behaviour, risk management is now one of the criteria by which partners are judged, so there may still be some mavericks, but more often you are seeing people who recognise that doing the right thing has some value for them.
- Chris Andrews Director of risk and compliance, Pinsent Masons
- Nicole Bigby Partner and director of risk, Berwin Leighton Paisner
- Roger Butterworth General counsel, Bird & Bird
- Andrew Cheung General counsel EMEA, Dentons
- Justine Cowling Head of risk management, DLA Piper
- Emma Dowden Chief operating officer, Burges Salmon
- Melanie Norbury Legal and compliance director, Osborne Clarke
- Angela Robertson Director of risk and general counsel, Taylor Wessing
- Andrew Carpenter Managing director – FINPRO, Marsh
- Sandra Neilson-Moore Managing director – FINPRO, Marsh
- David St John Managing director – FINPRO, Marsh
- Mark McAteer Managing editor, Legal Business