Our debut risk management and professional indemnity report with broker Marsh in February 2008 featured a timid segue into an unfamiliar topic. We suggested that neither was a ‘glamorous subject’, while observing that firms were ‘thinking harder than ever’ about how to mitigate risks. A necessary evil, if you will.
The risk landscape portrayed then – six months before Lehman Brothers was to collapse – still has a familiar ring: ‘When things are going well, as was the case from 2003 to mid-2007, resources are stretched and clients want every deal done yesterday. Throw in an overheated recruitment market in which the firm that blinks misses out, and the competitive pressure of having to race into every new, emerging market and firms could be forgiven for never thinking about their professional indemnity at all.’
While that report was a call to take risk seriously, and credited the industry for its efforts up to that point, the progress made since has been startling.
Eighty-six percent of respondents to our survey this year said they felt the risk management culture within their firms had improved significantly over the past decade; just 5% said there had been no material change. As one Legal Business 100 firm responding to the question commented: ‘With a few exceptions, risk and compliance has become embedded in most larger firms and is no longer a Cinderella function.’
While efforts to increase partner awareness have played a major role, one respondent says of the increased profile of risk management over the past decade: ‘Higher publicity of risk-related scenarios helped.’ The part played by the Solicitors Regulation Authority (SRA) has certainly been significant, from the move to outcomes-focused regulation in 2011, which in theory shifted away from a rules-driven regime to encourage firms to self-monitor and adopt a common-sense approach, to the introduction from the start of 2013 of two senior roles within large commercial law firms, the compliance officer for legal practice (COLP) and the compliance officer for finance and administration (COFA), the formal incarnation of compliance champions within law firms.
As Angela Robertson, general counsel (GC) at Taylor Wessing, says: ‘The introduction of the COLP played its part; the obligation to self-report material breaches and serious misconduct provides a platform for training and awareness and promotes a desire to behave in the right way.’
In recent years there has been greater scrutiny by the SRA on the misdemeanours of large commercial firms, rather than just gunning for sole practitioners on the high street (see our recent feature, ‘Off the leash’).
Chart: Average number of individuals involved in each area of risk management, either full-time or part-time.
Risk teams themselves have attributed tougher risk management to a number of factors. Responses to this question include: ‘Data and IT – certainly the rise in electronic systems and email has meant accidental data loss has become a hot issue.’
‘It’s important to demonstrate to colleagues that this is not just an internal requirement, this is something clients demand,’ says Andrew Clark, GC at Allen & Overy. ‘Clients are under pressure themselves to comply with confidentiality and also to the diversity agenda and issues around the Modern Slavery Act. You don’t need to convince people now that these are important issues. They are showing no sign of diminishing.’
Another points to a simpler root cause: ‘Lawyers becoming risk experts.’ This is true both in the sense of partners advising their clients on risk management issues and in the sense of fee-earners moving into risk management within firms.
Jo Riddick, GC and COLP for Macfarlanes (see ‘Perspectives’ at the end of this page), observes: ‘The type of people heading up risk departments have become much more skilled at communication. There is a general approach, which is around winning hearts and minds, where we try not to say “no”. We are much more integrated in our businesses as a result, which means we can deal with things more effectively.’
LEGAL RISK PROFILE 1: WHAT IMPACT WOULD THESE SITUATIONS HAVE ON YOUR FIRM?
Situation and impact (mean score out of five)
IT security breach / data management accident or breach 4.2
IT system failure 4.1
Unwittingly becoming involved with client fraud/money laundering 4.0
Disaster/Business continuity failure 3.8
Liabilities exceeding resources, including insurance (eg professional negligence claim in excess of policy limits) 3.7
Serious legal or commercial conflicts of interest 3.5
Reputational damage to firm (e.g. from media, ex-employee, disaffected client) 3.5
Phishing and ‘Friday afternoon’ fraud 3.4
Financial loss (own or client) resulting from ‘vishing’ 3.3
GDPR (ie cost of breach/cost of implementation and policing) 3.3
Loss of key partners / staff 3.1
Inability to attract new partners / staff 3.1
Credit or other financial problems 2.9
Competition – including from Alternative Business Structures 2.8
Loss of firm’s biggest client 2.8
Bankruptcy/acquisition of significant clients 2.8
Failure to meet strategic plans 2.7
Onerous outside counsel guidelines, imposed by clients 2.7
Poor performance of key lateral hire(s) 2.5
Other global political factors 2.4
Sanctions and sanctions-related issues 2.3
Employment claims from former partners / staff 2.1
Currency fluctuations 1.9
LEGAL RISK PROFILE 2: WHAT IS THE POTENTIAL FOR THESE SITUATIONS OCCURRING AT YOUR FIRM?
Situation and potential (mean score out of five)
Onerous outside counsel guidelines, imposed by clients 3.2
IT security breach / data management accident or breach 3.1
Competition – including from Alternative Business Structures 3.0
IT system failure 3.0
GDPR (ie cost of breach/cost of implementation and policing) 2.7
Reputational damage to firm (e.g. from media, ex-employee, disaffected client) 2.7
Unwittingly becoming involved with client fraud/money laundering 2.7
Serious legal or commercial conflicts of interest 2.7
Bankruptcy/acquisition of significant clients 2.6
Other global political factors 2.5
Phishing and ‘Friday afternoon’ fraud 2.5
Poor performance of key lateral hire(s) 2.5
Financial loss (own or client) resulting from ‘vishing’ 2.4
Loss of key partners / staff 2.4
Failure to meet strategic plans 2.4
Disaster/Business continuity failure 2.4
Inability to attract new partners / staff 2.4
Loss of firm’s biggest client 2.3
Sanctions and sanctions-related issues 2.2
Employment claims from former partners / staff 2.0
Currency fluctuations 2.0
Liabilities exceeding resources, including insurance (eg professional negligence claim in excess of policy limits) 1.9
Credit or other financial problems 1.7
LEGAL RISK PROFILE 3: WHAT IS THE POTENTIAL OF THESE PROFESSIONAL NEGLIGENCE SITUATIONS OCCURRING AT YOUR FIRM?
Professional negligence situation and potential (mean score out of five)
Errors made by staff/lawyers on routine ‘bread and butter’ transactions 2.9
Increased claims as a result of pressure on fees and the need for ‘instant’ advice 2.8
Conflicts of interest 2.8
Errors made by staff/lawyers on complex, high value transactions 2.7
Inadvertently advising third parties 2.6
Lawyers advising outside their area of expertise 2.5
Infringement of regulations 2.3
Errors made by confusion caused by SRA’s outcomes-focused regulatory approach 2.2
Insurance claims emanating from foreign offices 1.9
While the progress made by risk teams has been considerable, one issue has dominated their agenda over the last decade: the advance of technology and all its attendant risks. The need for instant advice and partners on call 24/7 has always carried the risk of minor lapses, such as an inappropriate email or a BlackBerry left on a train, but the main threat to firms is now unauthorised access to systems and the misuse of client data, which brings us to the agenda-topping issue for risk teams in 2018: the EU’s incoming General Data Protection Regulation (GDPR). ‘IT security breach/data management accident or breach’ once again topped our risk profile chart (see above), with the highest aggregate score for potential and impact of 7.4/10, while ‘IT system failure’ came a close second, scoring 7.1/10. As a specific (but aligned) issue, the cost of a breach and the cost of implementing and policing GDPR was viewed as both likely and dangerous, scoring 6/10.
The issue was exacerbated in 2017 by high-profile breaches at large international law firms. One of the largest global offshore firms, Appleby, confirmed in October that it had been the victim of a ‘data security incident’ in 2016, before some client data was subsequently leaked to the press, putting the firm at the centre of the ‘Paradise Papers’ scandal that ran throughout November. Following the breach, Appleby said it had implemented a series of containment and remediation measures recommended by PwC’s IT forensics team, and engaged a US specialist cyber security team to complete a third-party systematic review of its IT security.
News of the Appleby breach broke four months after DLA Piper became collateral damage in a June cyber attack by what DLA described as ‘a particularly sophisticated strain of malware’. These incidents have served as a wake-up call for risk teams. Despite the focus by firms on data security and safe IT systems over the past ten years, 83% of respondents said ‘we have reviewed and updated our protocols as a result’, while only 4% said ‘our protocols are sufficiently robust’.
That firms have felt it necessary to look hard again at their own systems and protocols comes as no surprise to risk experts.
The consensus among risk managers is that the number-one priority for their teams in 2018 is implementing GDPR. Law firms across Europe have been only too ready to advise clients on preparation for the 25 May implementation deadline, but there is little clear evidence that firms have fully grasped the need to get their own houses in order. However, there is nothing like the threat of penalties of up to 4% of global annual turnover (or €20m) to concentrate minds.
Riddick is a confessed data security obsessive and sits on The Law Society’s GDPR committee. She strikes a pragmatic note: ‘The big firms have been looking at it for the last two years. A lot of firms and clients will not be 100% ready in terms of having expunged all of their data and having it where they want, but they should have good policies in place which should explain to staff in plain English what to do about a data breach. We’re not looking for perfection on 25 May, and I’m quite happy to say that.’
SLINGS AND ARROWS
One 2017 development that was striking for risk managers was the SRA pursuing a string of actions against large international firms for professional misconduct by their partners, or for failure by the firm to deal with those misdemeanours effectively. Clifford Chance (CC) became the first Magic Circle player to fall foul of the SRA, when the firm and its disputes partner Alex Panayides were each fined £50,000 for their role in the well-documented Excalibur professional negligence saga.
It was a symbolic move but small beer relative to CC’s global revenues, and to the fines received by White & Case and Locke Lord in 2017. US-based Locke Lord, with a small City arm, was ordered to pay a record £500,000 after one of its former UK lawyers engaged in ‘dubious financial arrangements’ with a client’s bank account. White & Case was slapped with a £250,000 fine last July after the Solicitors Disciplinary Tribunal (SDT) found that the firm had failed to identify a conflict of interest and failed to protect confidential information regarding a $2bn commercial dispute. Earlier in 2017, Clyde & Co was hit with a £50,000 fine, while three of its partners received individual £10,000 fines, for breaching accounting and money laundering rules.
The SRA has been particularly proactive of late. The SDT broke its record for the highest fine administered more than once in 2017, suggesting a fresh prosecution drive on the SRA’s part.
This is reflected in the survey. In response to the question ‘To what extent have instances of large fines and regulatory sanctions against large law firms in 2017 for misconduct/breach of regulations had an effect on attitudes within your firm?’, three quarters said ‘Regulators are targeting large firms now; we must be vigilant’, while only 4% agreed with the statement ‘The SRA is flexing its muscles, the trend will pass’.
However, risk experts interviewed are not in total agreement that larger commercial firms are being targeted by the SRA. Says Roger Butterworth, risk and compliance partner at Bird & Bird: ‘My take is that the SRA took a while to decide on its priorities, and initially put more attention on high street firms: it had a legacy of claims that the Law Society had taken a while to work through and there was an expectation the SRA would deal with them. So it probably did not pay a huge amount of attention to larger firms and now it is catching up.’
‘Regulators need to demonstrate they are regulating the areas they cover proportionately and fairly, so will be checking large and small firms,’ says John Kunzler, head of financial and professional liability at Marsh. ‘Given approximately half the regulated group work in large firms, even with strong frameworks and controls, it would be surprising if regulatory findings did not continue from time to time, and perhaps with greater frequency than in the recent past.’
Riddick notes: ‘The SDT said when it made its Clyde & Co decision that the firm didn’t do anything deliberate but because it was a large firm we have higher expectations. That’s fair to some extent but we are aware we are in the spotlight, and we have the resources to get it right. The environment is not benign.’
CLEAR AND PRESENT DANGER
While the regulatory environment is hardly benign for LB100 firms and risk teams have had to fight hard to establish effective cultures within their firms, the market has been helped by enduringly soft professional indemnity insurance (PII) costs. Prices for insurance, particularly for large City and international firms, have not tracked the growth in revenues experienced by many firms. More than half (53%) of respondents said the cost of insurance, as a percentage of annual turnover, has decreased over the last decade, and just 17% reported it to have increased.
And while risk experts have argued for years that the benign environment for PII insurance cannot continue, the market has continued to defy such predictions. ‘PII insurance for London-based law firms is the most comprehensive in the world,’ says Butterworth. ‘The cover levels that can be bought in London are higher than can be bought in the US. Particularly taking that into account, the insurance is very good value. Its impact on annual expenses has decreased and the bigger the firm the better the value of the insurance premium compared to annual expenses.’
WHAT ARE THE MAIN BARRIERS TO IMPLEMENTING A RISK MANAGEMENT CULTURE AND STRUCTURE AT YOUR FIRM? (ORDERED BY LB100 RANK)
‘The firm lacks an international risk management platform, which means there is no consistency across the international office network.’
‘“It won’t happen to me” attitude.’
‘Risk is not represented at board level.’
‘Having the right level of expertise to implement the culture consistently.’
‘Inability to use the available resource smartly.’
‘The size and diversity of the firm makes it difficult to ensure that all partners and legal advisers understand the issues and remember why compliance matters, all the time.’
‘Cost of software solutions.’
‘Risk team resources spread too thin.’
‘Poor partner examples (not walking the walk).’
‘Systems – even market leading risk systems are not properly joined up.’
‘Appreciation of the sheer diversity of increasing risks for instance source of funds, IT risks, etc.’
‘Cultural and regulatory differences between offices in different countries.’
‘Lack of skilled personnel.’
‘The low impact it has on our daily practice.’
‘Seen as unnecessary for smaller firms (as much of it is).’
‘Conflict with old-fashioned mentality/culture emanating from experienced lawyers.’
WHAT HAVE BEEN THE GREATEST SUCCESSES YOUR FIRM HAS ACHIEVED IN IMPLEMENTING A RISK MANAGEMENT CULTURE AND STRUCTURE? (ORDERED BY LB100 RANK)
‘The risk team has gone from strength to strength and is recognised as adding value to the business.’
‘Joinder of risk and compliance.’
‘Recognition of risk by senior management.’
‘Partners are prepared to report issues to the COLP, including claims and regulatory breaches. This is on the back of a supportive culture, if a partner is facing an investigation or a claim.’
‘Support for centralised business acceptance.’
‘Appointment of a general counsel.’
‘Audit feedback sessions with team leaders.’
‘There has been a noticeable increase in proactivity within the practice groups with a significant investment of time by each in identifying and progressing compliance initiatives.’
‘Consultative not tick box, “no question is too silly for RM” approach.’
‘Appointment of a GC with a risk management remit – and “go to” person for help, which happens on a daily basis.’
‘Clear and regular internal reporting on risk KPIs to department heads giving rise to intra-departmental competition on performance.’
‘Improved approach to financial hygiene and clarity regarding client monies.’
‘Interactive and helpful compliance team for AML.’
‘Information/data protection policies implemented and certified by BSI Group (ISO 27001).’
‘Lexcel policies being approved by banks as advisers because our risk management culture is sufficiently robust.’
‘Improving indemnity situation.’
‘Client admission process improved.’
‘AML policies assumed by all professionals as a cornerstone of our risk management culture.’
‘We’ve decreased,’ agrees Riddick. ‘Over the last few years we’ve seen a decline in our weight on turnover. The figure may have gone up, but our turnover has gone up. Our rates have declined, which is attributable to being able to demonstrate a good risk management history and a good claims record.’
A good claims record may become increasingly rare over the next ten years for some firms that may previously have seemed titanium. The twin spectres of increased scrutiny from the SRA and a volatile world of tech-infused cyber threats mean the journey of legal risk professionals has only just begun.
Perspectives: Angela Robertson, Taylor Wessing
Taylor Wessing director of risk and general counsel Angela Robertson began her professional life as a commercial litigator at Clifford Chance (CC). Intent on focusing on management, in 2000 she was invited by CC to set up and manage the first centralised global conflicts team at a law firm in Europe.
She left CC in 2011 to join Eversheds as its first GC, leading the risk and compliance team. From there she joined Taylor Wessing in 2015, to lead the risk management function.
Moving into risk was opportunistic. I was attracted by the opportunity to establish a new team with a global remit – and in an area of work that was developing. It represented a new challenge away from the strictures of fee-earning.
In the early months I missed my practice group, but as I grew my team I came to appreciate the strategic importance of the risk team and the role it plays in protecting the interests of the law firm and its clients.
There is a great sense of achievement in shaping the culture and behaviours in a firm and gaining the trust of partners. Balancing regulatory requirements with commercial aspirations is a challenge for any risk manager – but hugely satisfying!
Servicing the firm is a priority but there are opportunities to offer our risk expertise to clients – this I see as a new challenge.
Successful risk management is all about gaining trust and breaking down barriers – overcoming rather than creating obstacles. The high point is being able to make a difference – achieving a good regulatory outcome, seeing a commercial conflict issue to a resolution, and obtaining a good outcome for a client. Also celebrating the team’s successes. Risk management is a team effort.
The best piece of career advice was to take nothing at face value and avoid assumptions.
Perspectives: Roger Butterworth, Bird & Bird
With a career spanning four decades and three City law firms, Roger Butterworth has had quite a journey.
He qualified as a corporate lawyer at Linklaters. The prospect of partnership convinced him to move to Simmons & Simmons in 1986. He made partner in 1988 and spent a big chunk of his time working on the rail industry privatisation in the 1990s. When he joined Bird & Bird in 1998, it was ‘very much a growing firm at the time, a very exciting place to work’.
Yet in 2003 he doubled up his fee-earning role with risk management. As the awareness of risk issues in the City grew, he finally stopped fee-earning in 2007, while remaining a profit-sharing partner. He was the firm’s general counsel between 2010 and 2016 and he now manages a team of 23 people dealing with risk and compliance matters across the firm’s offices.
Risk is a key role for the firm worldwide. There is less pressure than with fee-earning, and a better work-life balance, but it’s no picnic. Lawyers in different jurisdictions work with their own culture. They like to be entrepreneurial and do things their own way. Every office around the world has a risk partner, not a full-time role, but a champion for risk and regulation issues, to make sure all partners are aware of risk issues.
Being a transactional lawyer has been an advantage, because the approach is about making things happen. One of the first things I did as part of my new job was handling the conversion of the Bird & Bird partnership into an LLP. That took up most of my time for about 18 months. It was itself a corporate transaction with 400 documents to sign on the last day. It felt like closing a big transaction.
The risk management culture within law firms has become more pronounced over the past ten years. The Solicitors Regulation Authority is taken more seriously than the Law Society was. Also, clients are less forgiving if things don’t go as they expect. The recession meant there was less legal work around but not necessarily fewer lawyers: that put more pressure on fees and at the same time clients expect more. Finally, clients’ in-house legal departments are much larger and therefore better placed to oversee the external law firms.
Perspectives: Jo Riddick, Macfarlanes
Jo Riddick, general counsel (GC) of Macfarlanes, began her career as a litigator at Norton Rose in 1985, where she handled IP disputes as well as defamation and insolvency work.
She and her husband moved out to the Middle East for ten years during the 1990s. Lacking experience in Sharia-focused disputes, she switched to corporate and commercial law, focusing on franchise work while setting up the Bahrain branch of a West End law firm. After moving to Dubai, Riddick took a part-time job with an emerging Dubai investment house that was a forerunner to Abraaj Capital, handling mainly investment-focused legal work as senior vice president and then as GC for the business.
After having four children, she returned to the UK to become a corporate partner at Pitmans but sought to return to the risk brief she had covered as a GC. She joined Macfarlanes as head of risk in 2008.
I naturally seeped into risk and compliance while also developing Pitmans’ learning and knowledge function. In 2008, when my youngest child was eight, I felt ready to return to the City. Macfarlanes was looking for its first head of risk management – it all came together.
When I joined Macfarlanes I was the sole head of risk management and I had a PA. Now I’ve got a team of nine, which is a fairly lean team for the City. You’ll see that everyone’s teams have got bigger and more specialist; you have to keep the work your team is doing interesting by cross-skilling your analysts so that they work on client due diligence as well as conflicts. I just hired a risk and compliance lawyer into the team for the first time, to support me on the GDPR and claims side because there’s so much of it.
GDPR and data protection is fundamentally legal. I used to give workshops on data protection during my fee-earning days at Pitmans. Having said that, you need a holistic approach and you need to work with experts, particularly in cyber. I work very closely with the head of IT on cyber security.
There is no average day. It’s very reactive and creative. You need to have a very commercial, big-picture kind of approach.