The risk debate: The gate keepers’ burden
08 April 2016 09:00
by Mark McAteer
Our annual Legal Business/Marsh round table saw law firm risk managers debate their role in fighting on two fronts – against demanding clients and internally with their fee-earners
Our 2016 risk management report, published last month, looked at a number of live issues for risk management teams within the UK leading firms, most of which place those teams at the frontline of potential battles.
Risk teams are engaging in a war of attrition with their knowledge management experts over the disadvantages from a cyber security perspective of open-access information systems and communication. They are also advising their firms to push back against onerous outside counsel guidelines, where clients are demanding that firms accept full liability for their work while trying to tie firms up over conflicts.
Both are battles that risk teams cannot win outright but if they can achieve some compromise, they can claim a partial victory. An IT security breach, or a data management accident or loss, remains by far the biggest nightmare for law firm risk managers, scoring highly for both 'impact' and 'potential' in the risk profile, according to our survey. At the same time, the imperative of sharing knowhow rapidly within a firm and externally with clients and other advisers cannot be escaped.
Similarly with conflicts and liability caps – while clients hold the upper hand in negotiations in all areas, there are some within the risk community who suggest that an economic assessment needs to be made of the value of a firm's client relationship before slavishly accepting onerous terms at the engagement stage.
With a slowdown in China, Brexit looming, conflict in the Middle East and an oil price slump putting pressure on economies, law firms are looking to get their work pipelines in order and there is a fear that risk management may have started to lose traction once again. However, risk managers argue that the application of a risk culture within a firm should be underpinned by commerciality.
With this in mind, we gathered together experts from some of the City's leading firms to discuss how they are applying a commercial approach to risk to deliver the best possible outcomes for their firms.
Mark McAteer, Legal Business: Is risk going down the list of priorities for law firms?
Angela Robertson, Taylor Wessing: The dilemma that firms face is they do not want to spend money but they realise there are certain things they need to invest in, such as cyber and data security. I am not sure it is going down the agenda; I suspect it is perhaps halting in its steps. We have to position it in a way that we are not saying: 'We need to do this for regulatory reasons,' but present it in a more positive light.
Claire Larbey, Eversheds: I have seen an increase in the profile for risk, especially within our firm. In particular, in the need for a centralised risk framework and management system, so the firm can effectively capture risk information and drive it up into the areas that it needs to be in: the executive, the board, the constitutional committee. I have seen a growing awareness – mainly driven by clients – but also, fundamentally, firms realise that they need to centralise control and understanding.
Juliet Tainui-Hernandez, Norton Rose Fulbright: The focus is different. Regulatory fear is reducing but client pressure has increased and it has done for the last few years.
I see that through outside counsel guidelines. It is essential that there is a centralised independent view of what a firm is signing up to – this should be the risk and compliance team. There is increased client pressure, but it is about trying to reach a balance with what is acceptable to a law firm.
Andrew Carpenter, Marsh: Risk teams now have procedures about which clients to take on. That is intrinsic to the business now. Therefore the focus has shifted away from the risk team being focused on which clients to take, to also considering whether the terms of the appointment are appropriate.
Andrew Clark, Allen & Overy: Are people less concerned about regulators? Possibly, but in an international firm you have regulators everywhere. One of the worries I have is ensuring we're complying with local regulation in all of our 44 offices. If we do more from the centre, will people be less concerned at what is happening in their own jurisdiction, for which we still need them to take responsibility?
I have often told the Solicitors Regulation Authority that client demands that we demonstrate compliance with their own internal requirements – particularly those of US financial institutions – are typically more rigorous than any regulatory regime we face. They are now a significant administrative burden on firms.
Roger King, Trowers & Hamlins: It is being an independent voice asking the question: 'Do we really want to take this work on? What is it going to do to other parts of the firm?'
Andrew Clark: I invariably find that if it is the client pressing for a particular compliance step then the lawyers are quickly persuaded we have to do it.
Angela Robertson: Increasingly I find I have client contact where partners say: 'Can you come up and meet this client?' They see that as a positive now, whereas a few years ago they might have thought: 'We do not want to acknowledge we have got a general counsel or a director of risk.'
Mark McAteer: What about the internal conflict between the KM function and the risk function over open access to all data for clients and staff? Because of data security being so high on the agenda, there is an inclination to close down access.
Andrew Cheung, Dentons: There is an obvious tension between risk and the business regarding knowledge management and client communications. The business is pushing for greater access to all content within the organisation and sharing of that information with clients and other third parties. Risk needs to ensure that only the right content is shared, confidentiality is maintained and information transfer requirements are met. It is not impossible to bridge this gap but the challenges are considerable.
Juliet Tainui-Hernandez: You have had closed systems for many years have you not, Andrew?
Andrew Clark: We have. It is pretty widely accepted now. Occasionally, particularly in the US where open file systems are still more common, we can get push back but there is very little debate about it now, for two reasons. First, because it is extremely useful in the world of conflicts when we are able to assure people that we have got a record of who has access to their matter and that the access is generally as limited as possible. That is very powerful evidence to convince people. Secondly, with increasing demands for information security, clients really value that we have a restricted file system and that the only people who will see their file are those working on it.
The bigger issue is on the business development and marketing front where people may want access to confidential information or personal data to facilitate communication. That requires a lot of care, huge work, the right IT system and the right software. As firms become more client-centric, the pressure for information about clients, contacts and people is very strong and we have to manage that carefully.
Simon Callander, Addleshaw Goddard: It is a business responsibility to determine whether or not to have open or closed access systems. I often look at these issues and put them in a non-IT context to analyse them. Let us take ourselves back 30 years: as a business, would any of us have thought it was acceptable for a fee-earner to go through all the filing cabinets, go through the correspondence and documents in the whole of the office and see what they could find? Absolutely not.
Juliet Tainui-Hernandez: I believe that clients' expectations are the opposite of what the market norm is. Clients view us with the expectation that we operate closed systems.
Simon Callander: Closed access is the only way to go. Knowledge sharing is important and you should be sharing good and bad experiences and learning from them. But you should be doing that within a proper structure. I do not mean anything rigid: it can be as simple as team discussions about what has gone on, what has been good, what has been bad. The killer argument is that an open system does nothing for quality as you can't assess how appropriate any particular document is or the reasons why it says what it says.
Sandra Neilson-Moore, Marsh: I agree, an open system makes it unnecessary to have any actual discussions, doesn't it?
Andrew Clark: Clients are really buying two things from us. They take our legal knowledge for granted. They are buying our experience, market knowledge, products and expertise. But they are also buying our confidentiality and we have to make sure the first doesn't jeopardise this.
Mark McAteer: This issue bleeds into another topic associated with control: liability caps.
Andrew Cheung: In a large number of cases it is still possible to negotiate a limit on liability. Unfortunately, the circumstances where we find it virtually impossible to limit our liability also happen to be the areas of greatest risk exposure. Panel arrangements, banks and the procurement process mean there is generally no opportunity for the majority of law firms to negotiate any limit of liability. The huge level of competition in the market, which has only been exacerbated by the state of global markets, means firms are increasingly finding themselves unable or unwilling to argue for limits on liability and clients are demanding firms underwrite more and more of their risk.
I firmly believe it is a prudential issue for the professional. Individual firms or practices within firms will take on huge liabilities and when the big claim comes the cost of insurance will go up for all of us and the higher levels of our cover are unlikely to remain available to the rest of us who are trying to manage this issue responsibly. This issue needs to be at the top of the regulatory agenda for the SRA.
Sandra Neilson-Moore: Where engagement limitation of liability is concerned, we have seen some significant claims coming out of a partner taking on a client where the accounting firm in the mix has really, really tight terms of engagement, including a limitation of liability that is usually very low, eg £500,000, £1m or £2m. In these claim examples, the law firm had no terms of engagement at all and because of that, no limitation of liability. Why would you do that, as a law firm? Why would you not negotiate hard with these people who are clearly able to agree the limits requested by the accounting firm? Otherwise, if there is multimillion-pound tax loss and the accounting firm has a £1m cap, who do you think is responsible for tax as far as the client who has lost many times more than that is concerned, when there is a law firm involved also?
Roger Butterworth, Bird & Bird: The law firm.
Sandra Neilson-Moore: Absolutely.
Angela Robertson: It all goes back to the centralisation argument. You need a small team of people who can actively make decisions around liability caps and any changes to the engagement terms. If you are seeing all of the requests come through you then you know what you are looking at across your whole business in terms of your risk exposure. It enables you to work proactively with the legal teams and say to them, 'You have got unlimited liability here, so what are you actually doing? How are you managing your matter?', and working with them to minimise the risk.
Roger Butterworth: I had to negotiate opposite one of the Big Four for tax advice. Not only did the firm limit its liability to £1m, but their lawyers also said the only liability was to redo the work. It took months negotiating with their general counsel's office to get that changed.
Andrew Cheung: That is buying power and market dominance for you. The legal profession is just too fragmented to ever be able to insist on the same.
Simon Callander: This is the risk none of us have talked about yet – the market disrupters. Take the Big Four. While they may lack our breadth and depth of experience and will face significant conflict issues of their own, they have something that we do not have. They have scale. As much as we talk about centralisation, most law firms are of a similar size and are faced with the same structural issue: we compete in the same market, we find the same issues and solutions but we are having to leverage the cost of those solutions over a much smaller scale. We operate in a fragmented market which is good for competitive price pressure but which leaves us bearing a high relative cost for things like knowledge management, risk and regulatory compliance that the Big Four will be able to disperse over their much larger scale. Only time will tell whether or not that will be sufficient to overcome their other challenges.
Sandra Neilson-Moore: The other problem is that in many jurisdictions throughout the world, with the US being a really big example, they cannot limit their liability. Your US competitors can walk in and say: 'It is not an issue for us. We cannot do it.' Law firms here may be under pressure to accept unlimited liability, but the engagement terms should at least include proportionate liability clauses.
Roger Butterworth: I don't understand how US firms are still in business?
Sandra Neilson-Moore: Regarding total limits of coverage, it takes an extraordinarily vindictive claimant to tear the firm to shreds and put it out of business. Even regulators will not usually do that. During the savings and loan crisis in the US, the regulators took all the insurance, and a little more besides, but let the firm survive.
Most commercial clients will also behave this way. So long as you buy reasonable limits they will usually go away for that, something the Americans call the drag up theory. Firms there do not want to buy more than they think they absolutely need. Personal claimants are more vindictive: an individual with a lot of money may want to sink the firm because they are angry at you.
Simon Callander: Taking Andrew's word 'prudential', the bigger prudential issue is that certain outside counsel guidelines may restrict access to the market. From the industry perspective I would say that is a bigger problem than liability caps themselves which should be left for individual firms to negotiate.
Andrew Cheung: I am not sure that is the case. We have much more success in pushing back on unreasonable conflicts clauses with clients than we ever do in pushing back on liability. Conflicts is also an issue you can manage centrally and then assess. The decision to voluntarily avoid certain work to comply with a conflicts clause only effects a single or small group of matters. Decisions around liability exposure tend not to be centrally reviewed, risk assessed and actively managed and one large claim on an unlimited basis could sink the firm and make it unaffordable for other firms to be insured. That is one matter that could impact the whole firm and the professional at large. Conflicts simply do not have that level of impact.
Angela Robertson: It is easy to have that discussion with the client around conflicts. It is not so personal, whereas the whole liability issue is putting the firm in a very different kind of spotlight.
Mark McAteer: Is there actually more dialogue taking place with clients over conflicts and liability?
Roger Butterworth: A lot of the problem is that it is just part of their procurement process. As far as any negotiation at all takes place, it is often with the client's procurement team, who do not have the same understanding as the in-house lawyers would. Some clients have been through the pain and they have then reverted the outside counsel guidelines to the general counsel, so we can talk to someone with requisite expertise.
Sandra Neilson-Moore: Procurement-driven tenders are the bane of a professional service providers' existence. Procurement-type measures are based around getting the cheapest price for products and services that are perceived to be identical and are often tick-box exercises, which you fail if you cannot 'tick' a particular 'box'. What providers of professional services are selling is differentiated value and it is soul-destroying when this is ignored in favour of simply how cheaply you can offer your services, compared to others.
Andrew Cheung: The procurement process has been very effective at shutting down law firms' ability to negotiate reasonable terms. Procurement teams make you agree to all sorts of things that previously you would have had a sensible conversation about. When faced with a yes or no tick box in reality you have to say: 'Do I want to assume each of these risks or do I want the work?' In many firms that decision is made by the pitching partner, who is often focused more on winning the work than thinking on the implications if something goes wrong. With global markets as they are who could blame them? That is what procurement has done and we all have to live in that brave new world.
Juliet Tainui-Hernandez: There are a lot more negotiations on risk and conflict issues now with clients than when I was starting out in risk around 15 years ago. We didn't see much of this. Now it is a full-time job for a couple of people.
It depends on the client. Not all clients are procurement led. Some are but there are some pretty sophisticated panel arrangements and negotiations going on now between firms and clients. There is definitely an acceptance that there will be some negotiation. You may not be successful but there is an expectation that there will be a discussion between the firms and the clients. It goes to the whole crux of whether the relationship is going to be a profitable one on both sides. There are areas that are more difficult to negotiate on than others.
Andrew Cheung: Firms tend to be very good at quantifying the financial benefit of client relationships. I do not know of many firms that comprehensively quantify the financial costs, taking into account all the freebies they have to provide – like secondments, knowledge management and technology platforms – the massive discounts on fees and write-offs needed for 'relationship purposes' and then adding to this the economic and risk costs of terms, conflicts and claims exposure. Ideally on an ongoing basis, firms should be able to calculate a true financial benefit figure and answer the question: 'Do we really want to continue with this client relationship?'
Juliet Tainui-Hernandez: This is an area where risk and compliance can support the strategy.
Andrew Cheung: Part of the difficulty in addressing this issue is that it requires a multidisciplinary analysis. Marketing is doing its bit, the partner is doing their bit and risk is doing its bit but there is a challenge getting them to join up their efforts and analysis and deal with this issue holistically. Until that happens, it will be very difficult to empower risk – or indeed any part of the firm – to refuse to accept onerous client terms. LB
- Roger Butterworth General counsel, Bird & Bird
- Simon Callander General counsel, Addleshaw Goddard
- Andrew Carpenter Managing director, Marsh
- Andrew Cheung General counsel UKMEA, Dentons
- Andrew Clark General counsel, Allen & Overy
- Roger King Partner, Trowers & Hamlins
- Claire Larbey Risk director, Eversheds
- Mark McAteer Managing editor, Legal Business
- Sandra Neilson-Moore Managing director – FINPRO, Marsh
- Angela Robertson Director of risk and general counsel, Taylor Wessing
- Juliet Tainui-Hernandez Head of compliance, Norton Rose Fulbright