Unstoppable: The Risk Report

Our debut risk management and professional indemnity report with broker Marsh in February 2008 featured a timid segue into an unfamiliar topic. We suggested that neither were ‘glamorous subjects’, while observing that firms were ‘thinking harder than ever’ about how to mitigate risks. A necessary evil, if you will.

The risk landscape portrayed then – six months before Lehman Brothers was to collapse – still has a familiar ring: ‘When things are going well, as was the case from 2003 to mid-2007, resources are stretched and clients want every deal done yesterday. Throw in an overheated recruitment market in which the firm that blinks misses out, and the competitive pressure of having to race into every new, emerging market and firms could be forgiven for never thinking about their professional indemnity at all.’

While it was a call to take risk seriously and cite the industry for efforts until that point, the progress made since has been startling.

Eighty-six percent of respondents to our survey this year said they felt the risk management culture within their firms had improved significantly over the past decade; just 5% said there had been no material change. As one Legal Business 100 firm responding to the question commented: ‘With a few exceptions, risk and compliance has become embedded in most larger firms and is no longer a Cinderella function.’

While efforts to increase partner awareness have played a major role, one respondent says of the increased profile of risk management over the past decade: ‘Higher publicity of risk-related scenarios helped.’ The part played by the Solicitors Regulation Authority (SRA) has certainly been significant, through various moves including the move to outcomes-focused regulation in 2011, which in theory moved away from a rules-driven regime to encourage firms to self-monitor and adopt a common-sense approach; to the introduction of two senior roles within large commercial law firms, the compliance officer for legal practice (COLP) and compliance officer for finance and administration (COFA) – the formal incarnation of compliance champions within law firms – from the start of 2013.

As Angela Robertson, general counsel (GC) at Taylor Wessing, says: ‘The introduction of the COLP played its part; the obligation to self-report material breaches and serious misconduct provides a platform for training and awareness and promotes a desire to behave in the right way.’

In recent years there has been greater scrutiny by the SRA on the misdemeanours of large commercial firms, rather than just gunning for sole practitioners on the high street (see our recent feature, ‘Off the leash’).

* Average number of individuals involved in each area of risk management either full-time or part-time

Risk teams themselves have attributed a number of factors to driving tougher risk management. Responses to this question include: ‘Data and IT – certainly the rise in electronic systems and email has meant accidental data loss has become a hot issue.’

‘It’s important to demonstrate to colleagues that this is not just an internal requirement, this is something clients demand,’ says Andrew Clark, GC at Allen & Overy. ‘Clients are under pressure themselves to comply with confidentiality and also to the diversity agenda and issues around the Modern Slavery Act. You don’t need to convince people now that these are important issues. They are showing no sign of diminishing.’

Another points to a simpler root cause: ‘Lawyers becoming risk experts.’ This is true both in the sense of partners advising their clients on risk management issues but also fee-earners moving into risk management within firms.

Jo Riddick, GC and COLP for Macfarlanes, (see ‘Perspectives’ at the end of this page) observes: ‘The type of people heading up risk departments have become much more skilled at communication. There is a general approach, which is around winning hearts and minds, where we try not to say “no”. We are much more integrated in our businesses as a result, which means we can deal with things more effectively.’

DATA OVERLOAD

While progress made by risk teams has been considerable, one issue has dominated their agenda over the last decade – the advance of technology and all its attendant associated risks. Whereas the need for instant advice and partners on-call 24/7 meant minor issues such as an inappropriate email or a BlackBerry being left on a train could happen, the main threat to firms is unauthorised access to systems and the misuse of client data – bringing us to the agenda-topping issue for risk teams in 2018 – the EU’s incoming General Data Protection Regulation standard. ‘IT security breach/data management accident or breach’ once again topped our risk profile chart (see above), with the highest aggregate score for potential and impact of 7.4/10, while ‘IT system failure’ came a close second, scoring 7.1/10. As a specific (but aligned) issue, the cost of a breach/cost of implementation and policing of GDPR was viewed as a likely and dangerous issue, scoring 6/10.

The issue was exacerbated in 2017 by high-profile breaches at large international law firms. One of the largest global offshore firms, Appleby, confirmed in October that it had been the victim of a ‘data security incident’ in 2016, before some client data was subsequently leaked to the press, putting the firm at the centre of the ‘Paradise Papers’ scandal that ran throughout November. Following the breach, Appleby said it had implemented a series of containment and remediation measures recommended by PwC’s IT forensics team, and engaged a US specialist cyber security team to complete a third-party systematic review of its IT security.

News of the Appleby breach broke four months after DLA Piper became collateral damage following a cyber attack in June, by what DLA described as ‘a particularly sophisticated strain of malware’. These incidents have served as wake up call for risk teams. Despite the level of focus on data security and safe IT systems by firms over the past ten years, 83% of respondents said ‘we have reviewed and updated our protocols as a result’, while only 4% said ‘our protocols are sufficiently robust’.

That firms have felt it necessary to look hard again at their own systems and protocols comes as no surprise to risk experts.

Consensus among risk managers is the number-one priority for their teams in 2018 is implementing GDPR. Law firms across Europe have been only too ready to advise clients on preparation for the 25 May implementation deadline but there is little clear evidence that firms have fully grasped the need to get their own houses in order. However, there is nothing like the threat of penalties of up to 4% of global annual turnover (or €20m) to concentrate minds.

Riddick is a confessed data security obsessive and sits on The Law Society’s GDPR committee. She strikes a pragmatic note: ‘The big firms have been looking at it for the last two years. A lot of firms and clients will not be 100% ready in terms of having expunged all of their data and having it where they want, but they should have good policies in place which should explain to staff in plain English what to do about a data breach. We’re not looking for perfection on 25 May, and I’m quite happy to say that.’

SLINGS AND ARROWS

One 2017 development that was striking for risk managers was the SRA pursuing a string of actions against large international firms for professional misconduct by its partners or failure by the firm to deal with those misdemeanours effectively. Clifford Chance (CC) became the first Magic Circle player to fall foul of the SRA, when the firm and its disputes partner Alex Panayides were each fined £50,000 for their role in the well-documented Excalibur professional negligence saga.

It was a symbolic move but small beer relative to CC’s global revenues, and to the fines received by White & Case and Locke Lord in 2017. US-based Locke Lord, with a small City arm, was ordered to pay a record £500,000 after one of its former UK lawyers engaged in ‘dubious financial arrangements’ with a client’s bank account. White & Case was slapped with a £250,000 fine last July after the Solicitors Disciplinary Tribunal (SDT) found that the firm had failed to identify a conflict of interest and failed to protect confidential information regarding a $2bn commercial dispute. Earlier in the year, Clyde & Co was hit with a £50,000 fine, while three of its partners received individual £10,000 fines, for breaching accounting and money laundering rules in early 2017.

The SRA has been particularly proactive of late. The SDT broke its record for highest fine administered more than once in 2017, suggesting a fresh prosecution drive on the SRA’s part.

This is reflected in the survey. In response to the question ‘To what extent have instances of large fines and regulatory sanctions against large law firms in 2017 for misconduct/breach of regulations had an effect on attitudes within your firm?’, three quarters said ‘Regulators are targeting large firms now; we must be vigilant’, while only 4% agreed with the statement ‘The SRA is flexing its muscles, the trend will pass’.

However, risk experts interviewed are not in total agreement that larger commercial firms are being targeted by the SRA. Says Roger Butterworth, risk and compliance partner at Bird & Bird: ‘My take is that the SRA took a while to decide on its priorities, and initially put more attention on high street firms: it had a legacy of claims that the Law Society had taken a while to work through and there was an expectation the SRA would deal with them. So it probably did not pay a huge amount of attention to larger firms and now it is catching up.’

‘Regulators need to demonstrate they are regulating the areas they cover proportionately and fairly, so will be checking large and small firms,’ says John Kunzler, head of financial and professional liability at Marsh. ‘Given approximately half the regulated group work in large firms, even with strong frameworks and controls, it would be surprising if regulatory findings did not continue from time to time, and perhaps with greater frequency than in the recent past.’

Riddick notes: ‘The SDT said when it made its Clyde & Co decision that the firm didn’t do anything deliberate but because it was a large firm we have higher expectations. That’s fair to some extent but we are aware we are in the spotlight, and we have the resources to get it right. The environment is not benign.’

CLEAR AND PRESENT DANGER

While the regulatory environment is hardly benign for LB100 firms and risk teams have had to fight hard to establish effective cultures within their firms, the market has been helped by enduringly soft professional indemnity insurance (PII) costs. Prices for insurance, particularly for large City and international firms, have not tracked the growth in revenues experienced by many firms. More than half (53%) of respondents said the cost of insurance, as a percentage of annual turnover, has decreased over the last decade, and just 17% reported it to have increased.

And while risk experts have argued for years that the benign environment for PII insurance cannot continue, the market has continued to defy such predications. ‘PII insurance for London-based law firms is the most comprehensive in the world,’ says Butterworth. ‘The cover levels that can be bought in London are higher than can be bought in the US. Particularly taking that into account, the insurance is very good value. Its impact on annual expenses has decreased and the bigger the firm the better the value of the insurance premium compared to annual expenses.’

‘We’ve decreased,’ agrees Riddick. ‘Over the last few years we’ve seen a decline in our weight on turnover. The figure may have gone up, but our turnover has gone up. Our rates have declined, which is attributable to being able to demonstrate a good risk management history and a good claims record.’

A good claims record may become increasingly rare over the next ten years for some firms that may previously have seemed titanium. The twin spectres of increased scrutiny from the SRA and a volatile world of tech-infused cyber threats, means the journey of legal risk professionals has only just begun.

mark.mcateer@legalease.co.uk