Legal Business

Risk management and professional indemnity survey 2022: Do the right thing

If the risk management team could be described as a law firm’s conscience, then it follows that the past two years have pricked that conscience to new heights. Of course, Covid-19 has changed the way everyone does business forever and firms are scrambling to align themselves with a new corporate culture that clients are espousing – doing business the right way, not turning a buck at the expense of the planet and taking a genuine interest in maintaining a happy and productive workforce. Our annual risk and professional indemnity report in conjunction with Marsh Specialty reflects these new priorities, with firms understandably preoccupied with reputational risk tied to ethical behaviour under solid environmental, social and corporate governance (ESG) principles, as well as dealing with the new normal of nurturing a workforce that now operates predominantly outside the office.

Rise of ESG

Tech and cyber security threats, such as hacking and data privacy breaches, of course keep their place as the most serious risks facing law firms. ‘Data privacy breach or destruction of data’ and ‘IT security breach with commercially sensitive information stolen’ are the two most significant risks on our risk profile charts (see below), with aggregate scores for impact and potential of 7.8/10 and 7.3/10 respectively. These are the perennially most significant risks, featuring prominently in every report we have done since 2009, and are arguably even more important now, with flexible working becoming the new normal and the office no longer where many lawyers operate daily, making control and supervision potentially harder.

But there are other interesting concerns that also pull in higher-than-average aggregate scores, more so than before. ‘Supply chain/third-party service provider failure/breach’ was the fifth-highest risk on the chart and speaks to the importance of overarching ESG principles dictating how corporates (and their advisers) do business.

At its simplest level, the role of businesses in society has changed. Long-term sustainability of revenue is increasingly dependent on an understanding of social expectations. The influence of stakeholders has grown, and their expectations have had a direct impact on corporate culture and values. Law firms that do not keep pace with this paradigm shift face a backlash not just from clients but from regulators, staff, supply chain partners and other stakeholders.

Says Claire Hughes-Williams, a DAC Beachcroft partner specialising in professional negligence and professional indemnity insurance issues for law firms: ‘We predict that strong ESG behaviours are no longer “nice to have” but have already become, or are swiftly becoming, essential to firms. That includes not only firms’ behaviours but their attitudes to clients.’

The impact of social expectation is felt not just in the boardroom but among the risk management operations of a law firm. Therefore, risk managers have a role to play in helping the company understand, navigate and respond to these changing demands. As a result, a significant chunk of our survey questions this year focused on ESG issues – we wanted to see which firms were walking the talk in this regard. It comes as no surprise that 73% of respondents said that ESG is now firmly part of their firm’s risk management agenda. However, the fact that 10% say ESG does not currently fall under risk management means they are seriously behind the curve.

Why does Environmental, Social and Governance (ESG) Matter to Your Insurer?

Clients, insurers and employees are all key stakeholders asking questions about a business’s ESG credentials. So how do ESG-related risks apply to a law firm?

Culture is the starting point: Firms making efforts to achieve positive change, driven by a desire to do the right thing, even when nobody is looking, are attractive.

Be prepared to explain and evidence the firm’s efforts to address:

  • Providing a safe, inclusive working environment for employees, and meeting the regulator’s expectations.
  • ‘Burnout’ of lawyers/psychological safety.
  • Effective supervision.
  • Diversity and inclusion.
  • Risk and governance – explain the framework that is in place, how it was created, and how often it is evaluated.
  • The firm’s three risk priorities, including how the ‘ranking’ of these priorities has shifted over 12-18 months.

Having the managing partner attend the renewal meeting to talk about the management board’s pledge to culture change makes a difference to the presentation and ultimately sets you apart from other law firms, to deliver lower premiums.

Measuring real change makes a real difference to the story that a law firm is able to tell to an insurer. This is a case of ‘show, not tell’, through the evidencing of data collection, thus demonstrating policies are put into practice.

Hilary Battison
Senior Vice President,
Marsh Specialty

‘Firms that do not consider that ESG falls within their risk management remit need to be conscious that a number of ESG issues overlap with initiatives that are likely to already be on the firm’s risk management agenda,’ says Victoria Prescott, risk and error management and professional liability specialist at Marsh Specialty. ‘ESG issues go much further than purely a firm’s environmental goals. Alignment of ESG issues with risk management approaches is required for optimal outcomes.’

Says Justine Cowling, general counsel at Clyde & Co: ‘For any organisation to really embed ESG (and let’s not forget about the G), there needs to be complete cross-collaboration involving all the business services departments, operations (travel), procurement, HR (diversity and inclusion), finance (audit reporting requirements) and risk (ERM and governance). ESG is one of the principal risks on our ERM register and I am sure it will be there for some time.’

Some firms would do well to take heed of those comments, as 51% of those surveyed said that their firm’s ESG strategy is influencing their interactions with insurance brokers or insurers, meaning it is a topic for discussion at insurance strategy meetings. However, the fact that 16% feel ESG is a separate concern to insurance is something their risk teams will need to look at, especially when 58% of respondents say that they have had clients who have clearly set out ESG requirements before they instruct a firm, while another 21% said they had on occasion been asked by clients about their ESG policies, although they have not imposed any specific requirements. When the client selection process is seemingly intertwined with clear ESG principles, how can it not be related to insurance?

As Hughes-Williams notes: ‘One new development in the ESG space is its importance to insurers in the professional indemnity underwriting process. Firms with strong ESG credentials are seen as better risks to insurers. With the PII market harder than ever and premiums accounting for an increasing proportion of fee income, firms that overlook ESG are unlikely to impress their insurers at pre-renewal meetings, and so will miss the opportunity to save on this critical overhead.’

‘It is not surprising that 79% of firms have been asked about their ESG approaches,’ says John Kunzler, also a risk and error management and professional liability specialist at Marsh Specialty. ‘The 21% that have not may be composed of firms that deal with a lower concentration of global, international or UK financial institution clients.’

In terms of priorities, we asked those completing the survey to rank, in order of importance, ten ESG issues, both for their clients and themselves. ‘Raising awareness of ESG or setting targets’ emerged as the most pressing concern across both, followed by ‘Failing to meet carbon emission targets’ and ‘Inability to meet stakeholder requirements (eg investors, insurers, customers)’. Interestingly the failure to meet stakeholder requirements was perceived as the most-important issue for clients but only the fifth most-important issue for law firms – perhaps a perception that shareholders are the most important stakeholders for a public company, whereas equity partners in a law firm are not viewed the same way.

‘As owner-managed businesses, law firms mostly do not have to deal with investor concerns,’ notes Kunzler. ‘Underwriters and clients are raising questions about ESG approaches. Leaving aside diversity and inclusion, and carbon emissions, firms appear confident that they can meet requirements.’

It is perhaps no surprise that setting ESG targets and meeting them – especially regarding environmental impact – are seen as the main priorities. In many ways being seen to take important steps to lessen environmental harm is the low-hanging fruit of the ESG trio – less controversial and easier to produce tangibles than diversity and inclusion or business ethics, areas where having a light shone into the gloomy recesses of a firm could be a worrying prospect. This is reflected by responses to the request ‘Please identify which ESG policy your firm has implemented with the most success and impact in the last 12 months’. Responses were invariably skewed towards the ‘E’ of ESG – ‘achieving net zero by 2030’ and ‘our commitment to reductions across the entire value chain to reduce absolute scope 1, 2 and 3 greenhouse gas emissions 50% by FY2030 from an FY2020 base year’ were among the clearer responses. Others provided a candid insight that for many firms, getting to grips with ESG policies is very much at an early stage. ‘Just started that journey as only appreciated significance when pitching for work as a law firm last year,’ noted one respondent – a reminder that law firms are at different stages of their ESG journey depending on the level of interest from their clients.

Client acceptance is the litmus test for firms as regards ESG engagement, with one law firm noting its most successful ESG policy of the last 12 months was a ‘business ethics policy to consider clients/mandates’. However, it is clear that, for all these good intentions, the issue of which clients firms can comfortably act for ethically is still taboo. The industry is not quite at a tipping point yet but, with full regulatory disclosures set to become the norm, firms will have to face up to some difficult discussions with clients. Half of all those surveyed said that they would ‘potentially consider’ scoring or assessing potential and existing clients on their ESG policies, which could affect whether they act for them and on what terms, while a fifth said this was something that they already do. The remainder, 29%, said they have no plans to do this. Asked whether they had refused a client or instruction or altered their client acceptance procedures on ESG grounds, 29% said yes, although it is not clear whether that constitutes a laudable ESG policy or a well-trodden practice of simply refusing criminals as clients. This comment from one risk manager was typical: ‘We review new clients and matters against agreed criteria and decisions are made by senior independent committee.’

‘It is a cornerstone of the rule of law that all clients can obtain representation,’ comment Kunzler and Prescott. ‘Nonetheless, firms will increasingly need to consider their own ESG approach as a formal part of client selection and retention. Without undertaking this process reputational risk may be greater: for example, when acting in controversial circumstances it may be harder to justify the firm’s position to stakeholders.’

As pointed out by ESG expert Paul Watchman in our special report ‘We good corporate citizens’ a year ago: ‘Corporate law firms can pick and choose their clients. They’re not like barristers, there’s no cab-rank rule.’ The pressure on firms to do the right thing has been thrown into sharp relief by the war in Ukraine, with many firms publicly closing their Russia operations or distancing themselves from Russian clients.

Adds Hughes-Williams: ‘Recent SRA guidance following the introduction of Russian sanctions has confirmed that firms should not hesitate in turning down clients or terminating retainers with clients who make them feel “uncomfortable”. It is important not to lose sight of the fact that firms must act independently and free of bias, and that individuals and companies are entitled to legal advice, no matter how undesirable or “un-ESG” their behaviour might be. That is a central principle of our legal system that must be upheld.’

Hybrid minds

The welfare of staff is a key component of a sound ESG programme; this and the attraction and retention of talent is a concern to law firms and their risk managers. Central to this is remote working, as firms continue to grapple with the best way of keeping their workforce engaged.

The pandemic was a catalyst for many to re-evaluate their working lives and for firms to think differently about how work gets done. The upshot of all this was the so-called Great Resignation, which led to staff shortages across industries. The main fallout, however, is a completely different approach to how law firms engage with their talent – simply paying above market rates or dangling the equity carrot is not enough. Making sure their firm is an organisation that the next generation wants to work for is far more important, and a key risk that needs careful management.

Enterprise Risk Management for Law Firms

Managing in a Volatile Uncertain Complex and Ambiguous (VUCA) world is a current buzzword in management circles. 1987, when it first appeared, was eventful: a global stock market crash started in the US and The Banking Act 1987 introduced more formal regulation of deposit takers by the Bank of England in response to the Johnson Matthey collapse.

Enterprise Risk Management (ERM) approaches are now expected to identify, monitor, and control hazards and opportunities, delivering good Environmental Social and Governance (ESG) standards for law firms. Current major concerns are cyber risk, approaches to employment, and geopolitical issues. Increased transparency and stakeholder expectations are driving significant change requirements for law firms. For many, the law firm model is still largely based on an owner-managed profit distribution approach. That model has not historically required such significant resource as it now needs to develop and implement controls, monitoring and assurance to deliver the governance now expected.

To assist with these challenges, Marsh can field a multi-disciplinary team, ranging from the historic core strengths of design, delivery and development of insurance programmes and error reduction, to consultancy input on resilience, ESG and ERM projects.

John Kunzler and Victoria Prescott
Risk and Error Management, Professional Liability,
Marsh Specialty

The risk and compliance team has a role to play in putting the policies, processes and practices in place that balance employee needs for flexibility and purpose with equal treatment and the values of the firm. Risk managers must also recognise the potential for burnout and the risk of department attrition if the wellbeing of staff is not adequately considered.

Hybrid working is now the new normal. Sixty-five percent of those surveyed have some sort of flexible working policy, specifying which days employees should attend the office, while 25% give employees total flexibility and autonomy to remote work when they see fit. Just 4% of responding firms are full-time office based. Of course, flexible working is a key part of ESG, as it promotes an engaged workforce and flexibility is an important aspect of improving diversity and inclusion – something that risk managers recognise, with 71% noting ESG factors played some part in their firm’s decision over hybrid working arrangements. However, Prescott notes it is ‘slightly surprising’ that ESG wasn’t a factor for almost 30% of respondents.

However, remote working creates risks of its own and managers have mixed feelings about it, despite 66% saying that altered working patterns will either significantly or slightly reduce annual costs to the business. Cowling says flexible working at Clyde & Co has been ‘positively received, relatively straightforward to implement, but the jury is out on how it affects a young lawyer’s development’. Comments from survey respondents on the overall impact of hybrid working range from the overwhelmingly positive: ‘Greater flexibility allows for a happier and more efficient and productive workforce’; to the cautious: ‘provides flexibility but raises information security and supervision challenges’; to the positively archaic: ‘home working only works for low-intellect/creativity jobs’ and ‘I hate it – office working is better’.

The perils of inadequate supervision in part explain some of the negative attitudes to the status quo. ‘Workforce availability affected by a pandemic’ scored an aggregate 6.8/10 on our risk profile charts, the third-highest-ranked risk. This is also reflected in concerns among risk managers about the reporting of risk, with some feeling the shift to home working has meant that making notifications has taken a back seat. Says one risk manager: ‘Although the number of notifications has remained about the same, the number of issues reported to risk has gone down a bit. I’m concerned that this might be because somehow awareness of the obligation to report has been reduced as a result of us being out of the office. We will be redoubling efforts to raise awareness of the obligation to notify in the coming months.’

Another adds: ‘We have not seen a huge change, but I can imagine that the implications of working from home and working under different pressures may have caused things to slip or be missed.’

‘The biggest risk in our view – which can lead to claims and regulatory/disciplinary action – is the impact that home working can often have on supervision and monitoring colleagues’ wellbeing,’ says Hughes-Williams. ‘Over the last two years law firms have, for the most part, adapted well to remote working arrangements and have used technology as a means of supervising their teams. Despite the best efforts of law firm leaders, however, their insurers are starting to see the impact of remote working in their claims statistics. These statistics provide support for the argument that there is really no substitute for in-person interactions between colleagues and that technology cannot completely replace the benefits that come with working together in an office environment… what is clear is that it is no longer sufficient to say that stress and anxiety are “part of the job”. Firms must take action to manage these issues, or face damaging claims and regulatory scrutiny.’

Kunzler and Prescott observe that almost all firms have introduced flexible working policies, but 39% do not appear to have updated supervision policies in the last two years. ‘This apparent gap in refreshing supervision to match a very different working environment is likely to be a source of risk if left unaddressed,’ they observe.

However, as Cowling notes, if processes are sound, then location is not an issue: ‘Having quality and clear working practices is key. If those are understood and adopted, it does not matter which location an individual works from. Is a document/call confidential in nature? If yes, then I must take steps to protect that confidence. And those working practices are adopted more quickly in places with a positive, risk aware, culture where there are good leaders setting approaches that people want to follow.’

Many firms have been prepared for hybrid working for some time, as Nicola Gillespie, director of contentious risk in the legal and risk department at Linklaters, notes: ‘Workplace agility was on our agenda for some time before the pandemic so we were able to swiftly implement our agile working policy in August 2020, hailed as a “game changer” in the legal industry at the time. The pandemic has simply accelerated our solutions for the risks we would associate with agile working more generally – proper supervision (especially of junior lawyers), support, collaboration, team cohesion and culture-building.’

Tougher times

There is a growing chasm between public expectation and the actions of governments globally. Increased domestic and foreign tensions mean more volatility in the markets, and increased economic and regulatory governance. Where there is volatility and a mismatch in expectations, there is increased scope for risk management issues to crop up. Firms must prepare for a world of more political, legal, environmental and criminal disruption. Even aside from obvious geopolitical aspects, digital transformation, climate change, and continued pandemic-driven volatility provide the potential for significant disruption to corporate operations.

Sanctions, for example, are and could continue to be a serious issue on the risk registers of international law firms. As Prescott observes, as most firms responded to the survey prior to the Russia/Ukraine conflict escalating, ‘it appears that a number of the top 100 UK law firms may have underestimated the potential significance of sanctions to their businesses’.

Hughes-Williams comments: ‘Even though firms are likely to have good governance, this is not always guaranteed. The challenges that some law firms have faced recently following the introduction of government sanctions imposed on Russia have underlined the need for firms not to lose focus in this area. The SRA is in the process of scrutinising firms’ reaction to the new sanctions regime.’

All of this considered, the cost and complexity of regulatory compliance is likely to rise – something unlikely to please professional indemnity specialists (see box, ‘Professional indemnity: Good days over?’). Ability to demonstrate corporate resilience will become a key competitive differentiator for many firms facing a volatile geopolitical environment with increasing impacts on trade, tariffs, ransomware, cyber security and M&A. And, with that, the role of risk management teams in steering firms through a risk and compliance minefield could become more important than ever.

mark.mcateer@legalease.co.uk

Professional indemnity: Good days over?

While there is an inevitable focus on doing the right thing, reputation management and employee wellbeing, opinions from those responding to the survey on the rising cost of professional indemnity insurance are strident, bordering at times on truculent. ‘We have gone from correction to greed,’ says one, referring to a hardening of the professional indemnity insurance market, which was noted in last year’s report and was widely considered to be long overdue, with firms benefiting from benign conditions for many years. The result is that 96% of respondents say that the cost of insurance, as a percentage of annual turnover, had increased compared to the previous year, while around half say they do not think their insurance is reasonably priced.

It is the perceived unfairness with the increased costs that appears to upset several risk managers. ‘It has increased steeply in the last couple of years as the market has readjusted, and this is disproportionate to our claims,’ says one, echoed by DWF’s group director of risk management and excellence, Deborah Abraham, who says: ‘Excess layers are increasing disproportionately without reference to historical claims history.’

Lack of reference to claims history on an individual basis is one bugbear, especially when 72% of respondents made between zero and 20 notifications last year, while 68% of all respondents said the number of notifications they made in the previous 12 months was broadly consistent or even slightly less than the number they usually make.

It seems the real gripe among firms is paying for the cost of insuring those at the lower end of the market, something that one disgruntled customer didn’t hold back on: ‘We are a specialist firm at the top of our field. We are subsidising the bottom-feeders.’

There may be more than a grain of truth in that comment but a more balanced view comes from another respondent, which hits at the heart of the matter: ‘It is reasonable having regard to the current market, but overall it remains a significant outlay for firms of any size and has increased exponentially. We are conscious of the continuing hard market and desire for insurers to reduce exposure to real estate claims.’