The document discusses a panel presentation on law firm risk management. The panel addresses how effective risk management can both mitigate losses and contribute to a firm's competitive standing. They cover types of legal risks including IT, data, third parties, financial, practice management, strategic, operational and environmental. Benefits of risk management include cost savings, efficiencies, growth and client retention. The discussion notes trends of risk management becoming a formal department and integrating more closely with technology.
ILTA 2009: Law Firm Risk Management: Can It Grow Profitability? Panel member Dave Cunningham, Aug 2009
1. Law Firm Risk Management: Can It Grow Profitability? Moderator: Adam Hansen, Director of Information Security, Sonnenschein Nath & Rosenthal. Panel: Pat Archbold, VP of Risk Practice, IntApp; David Cunningham, Managing Director, Baker Robbins & Company
4. Legal Risk Types
Risk Types | Example Risks | Key Roles
IT | Systems: Continuity, Recovery, Security, and Access Management. Data: Confidentiality, Integrity, Ethical Walls, Retention, Data Protection, Data Transfers, Hosting of Third-Party or Client Data. Third Party Suppliers: Maintenance/Support, Contracts and Outsourcing. | CIO, General Counsel
Financial | Audit, Financial Internal Controls, Financial Transparency and Disclosure, Anti-Money Laundering, Counter-Terrorist Financing, Credit, Firm Investments, Currency, and Portfolio Risks. | CFO
Practice Management | Client Relations, Lateral, Professional Responsibilities (including malpractice, conflicts, records, and litigation support), and Professional Development Risks. | Practice Leaders, General Counsel, Directors of Conflicts, Records, Lit Support, Library, and KM.
Strategic / Corporate | Firm Governance, Risk Management Governance, Reputational, Marketing, and Market Risks. | Managing Partner, Marketing Director, General Counsel
Operational | Employment, Fraud, Damage to Assets, and Insurance Mediation Risks. | HR Director, COO, General Counsel
Environmental | Natural Disasters, Epidemics, and Resource Access Risks. | COO, Business Continuity Team
17. Future: Risk Register/ERM
Headings: Likelihood; Consequence; Risk Priority; Level of Risk; Likelihood Rating; Consequence Rating; Adequacy of Existing Controls; The Consequence of an Event Happening; The Risk: What Can Happen and How Can It Happen?; #
18. Future: Client Requests
2009: Clients have asked firm for additional protections: 86%
2007: Clients have asked firm for additional protections: 61%
19. Intake and Insider List Management. Workflow software to manage intake processes. Matter designated "confidential", "firm confidential", "price sensitive". Tracks access, locks across systems, hides matter names. Next Steps: Integrate Risk and Technology Management. Insider List Management
Various Assigned Points: Pat's Notes:
Loss Prevention: Claims (claim defense), fee disgorgement, litigation costs (holds, time, etc.).
Cost Savings: Operational Efficiency. One of our clients put down on paper the three FTEs they would replace by name, after they automated new business intake/user provisioning. One client replaced one FTE based on how they were going to automate their confidentiality management.
Competitive Edge: ISO Certification being sought for Government business etc.
Reputation: Above the Law: won't name names but large firm had leak of associate reviews due to a search tool that hit information that was not secured; corporate legal reads this, they will ask some questions next time around. "The biggest injunction you could face is a client leaving." One firm had an OCG that said anyone working for the bank would not work for the borrower; bank client came in and a lawyer who had sued them in a past life was in on a project meeting.
Insurance: Private Equity markets already use the big accounting firms to analyze insurance and promote risk management to leverage costs of insurance, typically a leading indicator. 3rd largest expense on law firms' books after rent and salary. Insurers have lost money like everyone else, rates are going to go up. Annual insurance reviews set premiums, underwriters want to assess their risk, lawyers often don't articulate what has been covered; reach out and proactively have the discussion to present what you have done and offer to document and help. Any broker will tell you that this can impact the discussions. Think like you are a business owner. Claims against firms are increasing, lawyers are perceived to have deep pockets; sue for receivable, expect a counter claim; tail of claims will occur even after recession ends. Cyber coverage being defined; it used to be that malpractice fell under general liability, now it is carved out, waiting for similar around cyber. SIR Levels: The more confidence your insurance partners have, the higher SIR they may be comfortable in taking on. Long term effort to build a competent risk team, start small. Claims are the single largest contributor to increases in rates. Underwriters have a vested interest in your continual improvement in risk management. Risk Management budget funds often don't get used, ask your insurance partners. Look at the Korn Ferry article and Stuart Pattison's comments; not only is it the insurance claim aspect but your firm's reputation, if you can't stay competitive with peer firms????
Pat: UK legal market regulated by FSA and SRA. Rule 5 is a list of rules on how the firm operates. SRA: Completing audits of law firms and coming in to check how they are managing risk; Rule 5 sets out a list of rules on how the firm operates, worth a look, risk register concept later. Rule 3 around conflicts anticipated to change and will allow UK firms to be more aggressive at winning corporate work, if they have a compliant "information barrier"; US firms working in the UK typically abide by US conflicts rules and are at a disadvantage. FSA looking to defend existence and is focused more on law firms. MarketWatch is a regular update the FSA sends out and has had several public statements on law firms. Insider Reports: "price sensitive" jurisdictional variance. AML is mandatory, requires the firm assign a compliance officer; you will see this title more than GC in the UK. Risk organization grew under that title and is expanding.
US Legal Market is self-regulated?? Are they? ABA Model Rules: states have varying interpretations on rules, advertising, on-going training, etc., very slow to change, concerns about self interest. US has the title of GC mainly driven by claims against firms; UK does not have many claims against firms. Records was a big driver, e-discovery, courts getting smarter about technology issues. Model Rule 1.10 is the most recent change, has to do with lateral mobility. Started with Ethics 2000 commission, just got done??? Some global firms adopt ABA rules globally and are impacted by this. Says "you can take the lateral on without consent, if you put up ethical wall and give a description of the screen and the lateral and a partner attest to compliance." Cite judges comments.
Common element here is that many jurisdictions are looking more closely at how firms use technology to manage risk and compliance issues. AML, Information Barriers-Rule 4, ethical walls 1.10, Canadian Bar report on Conflicts, New South Wales.
You can see evidence of agencies that are not technically overseeing the legal market starting to focus on the traditionally "protected class" of law firms. The veil of protection because you are a lawyer or solicitor is gone. Similar investigations have taken place by the SEC with less publicity in the US.
Both of these are within the past 6 months and just a sampling of the changes; the fact that this peer group did not exist 3 years ago demonstrates the trend in this area. The ABA is fighting the red flag rules cited above, again a question of "self interest" or "self regulation"? HITECH Act has gotten many law firms scratching their heads as to what they need to do; many of our customers are taking active steps now, goes into effect 30 days after publication in the Federal Register. Regulations that technically don't cover lawyers, SOX, do define minimum standards from the SEC for lawyer behavior. IRS requires written documentation of conflicts waivers. Client intake management, records management, conflicts management, confidentiality management, docket management.
Pat: In 2 years an almost 30% gain in movement towards a centralized risk function. More and more firms are naming an individual to oversee risk issues. The good news is that it gets done because someone is assigned. The bad news is that you have little support and a lack of data to get your initiatives funded with resources and tools. How many of you have a full time GC in your firm? How many of you had a full time GC 5 years ago? How many of you know who your insurer is? How many have a budget dedicated to risk management that is outside of your IT budget? ILTA and IT organizations have established a standard for 3-5% of revenue on IT but Risk does not have a set budget and is challenged to get funding; many top risk organizations are developing that standard and tying back to the insurance issues we discussed earlier.
Pat: It is tough to decipher the org charts based on titles; some handle claims, some operational issues like conflicts/records or intake, some insurance, some policy?? Externally you need to be cognizant of your insurance issues, brokers etc. and how IT can help to best position the firm. Clients drive risk initiatives: One of our early confidentiality management clients was based on a client demand due to a merger. IT is fundamental to almost all of the risk challenges a firm faces, many examples.
2/3rds of the AmLaw 200 have a GC, org charts are growing under them (this is an org chart from a 1000 lawyer firm). In order to bridge the gaps many firms have built a coherent organization. If you are a global firm this makes sense; how can you possibly execute on this if you are a 300 lawyer firm? You can't, but you need the same sort of communication and decision making ability. Just as there was no marketing department 10 years ago, there are few risk organizations but they will be a standard. Your mandate is to identify the areas you can patch up now to better manage risk. And, you can't really see the details, but we've seen firms start to organize a distinct risk management organization that includes stakeholders across the firm. I expect you'll see more of this.
The buzzword in IT for the past several years is the concept of matter centricity, saving all information in a central place to make it easier for lawyers to find things. How many of you have deployed a matter centric environment? How many of you have a search tool? How many of you have an Enterprise Confidentiality Management solution? The main driver behind this is to better organize emails and improve how information can be managed as a record. The other big buzzword in legal IT and KM circles is "enterprise search"; the IT people want to provide lawyers with a Google-like search capability for the information inside the firm. So they go ahead and analyze vendors (Recommind, Autonomy/IWOV, Microsoft, Google), they install it and start testing and find it works great to find things that otherwise were not easily searched. Recent Above the Law article about associate reviews being exposed.
CRO is common in Corporate arena and now one global firm named a CRO last year, seems to be where it is going. Many lawyers that don't want to practice but want to be engaged in a private law firm setting. Modeling the corporate space and the idea of GRC; one person can't oversee it all, you need to build this into the fabric of the firm.
Pat: Partnering with several UK and US firms to discuss the best way to leverage technology and risk investments to impact insurance and compliance initiatives. Goal is to delegate risk management to the functional areas and report back to a central team like the CRO. HR, IT, Practice Groups etc. all have duties to manage risk. This is a very easy way to demonstrate a "consistent, risk based approach" that the insurance and regulators like the SRA are asking of firms. Build a culture of risk awareness. How many of you have a full list of the risks you need to manage at the firm? DR, environmental, compliance, conflicts, ediscovery,
Our organization spends significant time dealing with this issue. 25% increase over the past two years, 86% indicated they have seen an increase; curious what this audience's response is? Have you seen an increase in the number of client requests coming in? OCG, Bank not borrower etc., lateral hires.
In an Ark session last Summer in New York we heard from the legal administrator at Axa Prudential: We have compliance and privacy officers. We are governed by SOX etc. I hate to use the V word, but you are a vendor. You will be treated like every other vendor.
Anticipate questions: RFPs, government clients, stimulus spending, ISO certification, Audits. Differentiate by demonstrating a process.
Pat: Get involved in risk peer groups and study the issues, insert how IT can assist. One example, confidentiality working group as a part of our Global Risk Roundtable series, West Legal Education. The working group tied together the confidentiality lifecycle and determined that integrating intake and confidentiality is important. As an IT professional you can greatly assist the GC in assessing where the holes are; do this before it causes an issue and present management the data. They will not come to this on their own but when it fails they will come to you. Many matters are confidential but not an ethical issue: Madoff, Spitzer, Madonna, whatever the reason. To apply rules you need to have the data; matter intake is the chance you have to get it. You need seasoned experts that und
Insurers are more and more starting to look for firms that can demonstrate consistency in process. By applying business rules you can also automate which information gets tracked and delivered in a report. We can tell what office the matter is billed out of from the PMS; if Germany and tagged as price sensitive, then deliver this additional set of data or different criteria to produce the data. Assuming you actually got the lawyers to pay attention to something like this, is it the best use of a highly paid lawyer's time to be tracking and even thinking about these issues? If you free up even one hour for a lawyer the ROI is large, independent of the process and accuracy argument.
Most US firms, unless you are an ALAS firm or self insured, have a risk management budget available; you can't buy software or implement a tool with those funds but you certainly can pay to assess records, conflicts, confidentiality, etc. Money often goes unused and GCs don't think about how IT might leverage those funds to get your house in order; not a lot but worth the research.
Pat: Hopefully you are never forced to get certified but you should start planning. As client requests increase, you should understand the various certifications; you don't need to be officially certified but you should start to put processes in place that will ease the transition down the road. It takes a long time to get there and anything you do now will prepare your firm down the road. Educate the lawyers on these, they typically don't have a clue. Norton Rose took on an initiative to get ISO certified; they compete with the Magic Circle, top 5 UK firms. They are seeking any way possible to differentiate. One way, particularly for regulated clients or government clients, is to have a certification: ISO, BSI 31100, Lexcel. From the COO's desk they embarked on this process and are leveraging that for competitive gain. Confidentiality management was a part of this but general information management policies and procedures are critical; how do you demonstrate compliance? Many firms are working on this to respond to client requests.