Legal Business

Risk management and professional indemnity survey 2023: Walking the talk

While our annual risk and professional indemnity report in conjunction with Marsh Specialty charted the movement of environmental, social and corporate governance (ESG) concerns up the law firm risk management agenda in 2022, this time around ESG is all-consuming. So much so that insurers and brokers are making it a key component of discussions with corporate clients.

The increase in the level of interest in ESG and the role it plays in risk management discussions has been significant. In last year’s survey, 73% of respondents said that ESG is now firmly part of their firm’s risk management agenda. That figure has now increased to 77%, with just 6% of respondents saying that ESG does not currently fall within the risk management remit. One might argue that even that is too high a proportion of leading law firms, given that ESG is front and centre of the corporate landscape today.

Certainly, the insurers and brokers that indemnify law firms want to see that their clients have placed ESG concerns at the top of their risk management agendas, to make them viable options for coverage. Last year, 51% of those surveyed said that their firm’s ESG strategy was influencing their interactions with insurance brokers or insurers, meaning it is a topic for discussion at insurance strategy meetings. This year, 82% said, ‘Yes, we are discussing this at our insurance strategy meeting’, while another 6% responded: ‘Yes, it is starting to inform who we partner with for insurable risk matters’. It is therefore no surprise that questions around ESG policies and compliance are central to this year’s risk management report, especially when firms themselves consider ‘Raising awareness of ESG or setting targets’ as one of the most pressing issues for their clients (see table, below).

While the results of our survey are spread across the tables and graphs in this report, we spoke to four senior individuals about some key findings. This includes Amanda Butler, head of risk management at our current Law Firm of the Year, Shoosmiths; Paul Haggett, general counsel for Burges Salmon; Clare Hughes-Williams, a DAC Beachcroft partner specialising in professional negligence and professional indemnity insurance issues for law firms; and Angela Pearson, global general counsel at Ashurst. Below is a selection of their responses.

Why does Environmental, Social and Governance (ESG) Matter to Your Insurer?

Good practice in ESG is a partnership between risk management and reporting. As an insurance broker, our role is to support organisations to effectively analyse, evidence and communicate their material risks and roadmap for adaptation and resilience. In many instances it’s unrealistic for change to happen overnight, but there is no excuse for being poorly prepared. Legal firms have a critical role to play in ensuring the methodologies used and ESG targets selected are defensible and in line with peers and regulator/stakeholder expectations. Firms have a duty of care to advise that operational change (eg, net zero, adaptation and resilience plans) is based on verified expert-driven analysis (eg, carbon accounting) and industry accepted scenario modelling (eg, for physical and transition risk). This is particularly important as not all models are equal and organisations run the risk of having to re-state numbers, or discordant results if the analytical methodology is poorly chosen. Laying robust risk management foundations is essential in readiness for the fast emerging accountability that insurers, investors, financiers, regulators and ultimate customers demand. ESG is here to stay and as risk management professionals, Marsh Advisory is already collaborating closely with legal firms to support clients, and this is only set to increase over the coming months and years.

Dr. Bev Adams
Consulting director, Marsh Advisory

To what extent are ESG considerations giving rise to risk management concerns and influencing discussions between law firms and insurers/brokers?

Amanda Butler, Shoosmiths: ‘This is interesting because I don’t necessarily think that all insurers and brokers are asking a lot of questions. This is likely to increase moving forward rather than something that is on the table now. If you ask brokers about ESG, “environmental” is certainly increasing from a risk management perspective – particularly greenwashing, ie holding out credentials that you don’t actually have; having the right clients by making a commitment to net zero; and client demands on you for net zero.

On the “social” side, diversity & inclusion is more than a buzzword – you need to demonstrate what D&I looks like in your practice and how that sits alongside your insurers and brokers. Insurers have as much of a reputational risk as law firms do.

“Governance” sits above all – you must check that the right structure is in place to ensure all aspects come together. We have had this on our agenda for some time. It is going to become more of a reputational risk issue for insurers to be mindful of the types of companies they are insuring.’

Paul Haggett, Burges Salmon: ‘There is no doubt that we take ESG very seriously and so do our clients and insurers. We have just renewed our professional indemnity insurance from the 1 April and in the meetings leading up to that, ESG was one of the key issues discussed with insurers at their request – it was a key issue in terms of making sure they were happy to insure us. What is less clear is whether ESG has a hard edge to it in terms of giving rise to claims against firms. Whether it is fertile ground for claims to be made is not as clear yet. ‘

Angela Pearson, Ashurst: ‘When you talk to insurers it is on an annual basis – what was of interest last year will be different to this year. Last year they were interested in hearing about wellbeing and supervision in the workplace with hybrid working, and our policy in relation to what was happening re Ukraine and sanctions. This year I haven’t had those conversations yet as we only renew in October. I don’t want to crystal ball gaze. Some GCs might have their renewals already. If I were to guess, with the publication of the Law Society’s Guidance on climate change there will be a greater emphasis this year from insurers on what firms are doing to manage climate risk and also on the risk of generative AI (such as ChatGPT).’

To what extent, in your view, should ESG considerations be a factor in clients instructing law firms and law firms accepting clients?

[In the survey, 71% said ‘Yes, we have had clients who clearly set ESG requirements before they will instruct us’, while 66% said they already score/assess potential/existing clients on their ESG policies, which could affect whether they act/continue to act and on what terms.]

Amanda Butler: ‘As a law firm should you be careful in how you approach a client in terms of who they are and what they stand for? There has been debate as to whether everyone is entitled to representation. Of course, we are in a jurisdiction where everyone is entitled to legal representation, and firms will make their own decisions re ESG considerations and to what extent (if any) they will impact their clients. Some firms are moving away from acting for those with a large carbon footprint as they can see certain pressures – it is not for me to comment as to whether they are right or not.

‘I can see clients asking lots more questions about what firm policies are. They are trying to dig that little bit deeper – they want to see statistics and trend analysis. It is also taking a slightly different path in that it isn’t just who they want to be represented by, but also the supply chain. It is the wider procurement piece – and it is coming further up the agenda each year.’

Paul Haggett: ‘It is increasing. Certainly when we take clients on, our team comes to me with anything that comes up in adverse media searches and Worldcheck searches – and we have a look at them. The challenge is that some clients – the classic example being clients operating the water sector – look as though they have a bad record but are still clients we are and should be happy to act for. It all must be balanced with a fair amount of common sense. The pressure from clients, insurers and our people means it is something we have to take account of.’

Clare Hughes-Williams, DAC Beachcroft: ‘The legal profession can play a pivotal role in supporting ESG and most firms, including my own, are focusing on their ESG credentials for this reason. Firms know that this is an important issue that matters to many clients. ESG is a critical focus for a number of clients and the insurance sector is a good example of this. Firms need strong credentials to ensure that they have sustainable relationships with their large clients.’

Angela Pearson: ‘There are two points here, what clients are asking us and what we are doing in relation to our own client selection. Clients are rightly concerned about the ESG credentials of their law firm supply chain. Clients are taking ESG seriously and we are too, ensuring that we are responding and meeting their requirements, but also our own ESG goals. We are being put through our paces on panel pitches and when firms are equally matched, ESG credentials could be a deciding factor.

ESG considerations are a factor in law firms accepting clients, but the leading firms have been doing this for years. One of the recent positive developments, since the Ukraine war, is that law firms have developed more refined criteria for client selection. They are generally more willing to make tough decisions on whether a particular client or type of work is consistent with their values or not.’

What has been keeping risk managers at law firms awake at night during the past 12 months, and why?

[Note that in the survey, the key issues include lack of progress towards targets for diversity and inclusion; reputational damage due to firm’s ESG approach or connection with unsavoury/unethical client or client activity; and re-assessing risks due to changes in the external business environment – see table.

On the risk profile register, ‘IT security breach with commercially sensitive information stolen’ remains one of the top threats to law firms in terms of both impact and potential, while supply chain concerns and reputational damage caused by an incorrect ESG approach also featured high up the register.]

Enterprise Risk Management for Law Firms

In a volatile and complex world, understanding and managing uncertainty is crucial to success. A comprehensive and fit for purpose Enterprise Risk Management Framework has never been a more important priority for organisations.

Enterprise Risk Management (ERM) constitutes an essential element of good corporate governance, supporting the achievement of organisational objectives and protecting stakeholder value through managing and reducing uncertainty in an organisation.

Through the provision of a common framework for managing risk and bringing together expertise in key areas of risk, ERM can significantly change an organisation’s outlook. Wherever your organisation is on its risk management journey, as a global leader in risk management, Marsh is able to provide advice and support to meet your goals and support success.

James Crask
Managing director, strategic risk consulting, Marsh Advisory, UK

Amanda Butler: ‘There are two things that remain high on the agenda. Firstly, cyber risk – I don’t think there is anyone who wouldn’t mention cyber because it is an ever-changing landscape and the legal, regulatory and insurance implications are significant. What is good practice today will no doubt be out of date tomorrow. Cyber is still sitting in pole position as a risk issue.

‘Second is the constant change and pace of change of regulatory obligations – whether it is the SRA and supervision in a hybrid workspace, or whether it is about anti-bullying and harassment or the potential positive obligation on disclosure.’

Paul Haggett: ‘There are two or three things – one that has been going on for several years now – the possibility of a cyber attack. Like most firms, our technology is being improved as time goes on to be more effective at preventing them but that is the longstanding issue that has troubled me.

The more immediate issue is the topic of today – the new stance the SRA has introduced on bullying – it hasn’t provided the guidance it promised, so there is a lack of clarity on the definitions of bullying. The new rule – 1.5 in the code for solicitors, imposes an obligation on managers to challenge behaviour that doesn’t meet the standards. It will be interesting to see where that goes. The issue is partly a generational one – so far from what I have read about the Dominic Raab report – people’s views of what counts as bullying really vary. At one end of the spectrum, you have a robust conversation about the quality of a poor piece of work, and a full-on rant at the other.

Another issue keeping me awake (I’m a light sleeper) is whether one of our clients has been sanctioned as a result of events in Russia. Then trying to extrapolate ahead to predict what developments internationally could leave law firms in similar positions. Another worry might be a client that has got into bother as the net widens outside Russia to people who have facilitated activities in Russia.’

Clare Hughes-Williams: ‘We are aware of firms that have historically undertaken work for Russian clients since the outbreak of war in Ukraine and the introduction of the new sanctions regime. Some have sought guidance from the regulator and other agencies in relation to money that they held for such clients, and others have been the subject of unannounced reviews by the SRA. As a result of these concerns, firms have audited the files maintained for such clients and reviewed their policies and procedures. Firms are acutely aware of the penalties and associated reputational damage that breaches of the sanctions regime can attract.

An associated cause for concern, particularly for litigation firms, has been the SRA’s focus on Strategic Litigation Against Public Participation (SLAPPs) and it’s public knowledge that a number of firms have received regulatory monitoring visits, as the SRA seeks to implement the guidance issued in its latest Warning Notice.’

Angela Pearson: ‘I expect you will hear many people say cyber. The second will be digitalisation of legal services. Both of those are linked. In recent years digitalisation in legal services has accelerated, which creates a huge opportunity to improve client experience and diversify the services and products we provide. But it also increases risk, particularly if you’re relying on third-party collaborations and technology tools. No firm is an island these days when it comes to the delivery of legal services. In digital services, those firms that will excel are those that collaborate well with innovative business partners to find new ways to solve client problems. However, law firms must be increasingly vigilant to manage risk effectively across increasingly complex supply chains, to guard against, say, a cyber attack that may expose the law firm and client data.

‘The challenge for me as GC is to help the firm maximise those business opportunities while ensuring our client’s data is protected and we comply with our regulatory obligations. Law firms are innovating and learning on their feet – considering how we integrate AI into how we work, but also being mindful of the risks that need to be navigated. Cyber is the number one risk for most businesses, including law firms. So our cyber team spend a lot of time fostering a risk-aware culture in the firm to ensure, for example, we can spot a rogue phishing email.

The SRA has amended its conduct rules to create an express obligation for individuals and firms to treat colleagues fairly and with respect, and not subject them to bullying, harassment or discrimination and for managers to call out such behaviour. This is now making “speaking up” a regulatory duty. This is likely to increase internal reporting and the already heavy burden on COLPs (Compliance Officer for Legal Practice) in having to determine if such conduct is a serious breach to be reported to the SRA. Even with the updated SRA guidance, it will be a difficult task in many situations.

‘From my perspective – we are remaining laser focused to ensure that our hybrid working environment doesn’t give rise to claims which still means that supervision is key. Ensuring that all those good practices we put in place during the pandemic when we were supervising remotely are continued as people go back and forth during the working week will stop those kinds of claims occurring. Insurers anticipate there will be a rise in claims because of the hybrid working environment. A lot of professional negligence claims are caused by getting the law wrong or poor drafting. This can be mitigated by a strong culture of supervision.’

To what extent does the partnership model used by law firms inhibit adequate policing of partner behaviour?

[92% of respondents say they are confident that their firm has adequate systems to identify unacceptable conduct by partners, while only half have ongoing assessment of partner capability, including cognitive impairment testing, while another 42% only do this when a problem is reported]

Amanda Butler: ‘I am not sure the model is the factor, it depends on the individuals, how much they understand and enforce regulatory behaviours, and the quality of the partnership deed. Where it can be quite challenging is where partners are not challenging others’ behaviours. It will be interesting with the introduction of the SRA of anti-bullying and harassment policies to see how that will be policed in some environments where perhaps historically some partners have “got away with it”. It is more down to individuals within a partnership and how they have made behaviours part of their partnership deed, culture and reward structure. Like a lot of things, it isn’t necessarily the individual – it is putting things on the right footing to start with. It is about the right people demonstrating the right behaviours.’

Paul Haggett: ‘It depends on how much firms mitigate against that risk. I have been a partner in the firm for many years and was a litigation partner before I switched to GC. One of my key roles is to keep in touch with partners and keep my eyes and ears open and to have an “access all areas pass”. That does mitigate some of the risks inherent in the partnership model. If you allow partners to just get on with it without any oversight that is difficult. With proper mitigation steps, the partnership model can be policed and this particular risk can be effectively mitigated.’

Clare Hughes-Williams: ‘All partnership agreements provide firms with powers to sanction partners whose behaviour falls below the standard that the firm expects. I have represented many law firms who were in the unfortunate position of having to take steps to sanction partners and all have done so effectively, using the powers that exist in their partnership deed. In extreme circumstances, this can result in the expulsion of the partner in question but often the penalties involve financial sanctions, for example the withholding of bonuses.

‘The question of partner capability is a more nuanced issue and traditionally this has not been monitored adequately by law firms. It is often difficult to monitor such issues or to challenge senior colleagues but increasingly firms are implementing internal file audits which will begin to address this issue by identifying problems and then enabling firms to either support the colleague or take steps if that is required.’

Angela Pearson: ‘It certainly isn’t my experience – culture is the greater factor. Partners know what behaviour is tolerated and rewarded. In my firm, good leadership and collaboration are keys to success. I do not think the partnership model is inhibiting partner behaviour. Look at the law firms that have listed – are we saying that partner behaviour is better because they have a company structure? The SRA’s emphasis on workplace behaviours has certainly made firms focus on workplace culture and evolve and improve their working practices.’

What, in your view, is most likely to give rise to a serious professional negligence situation at a law firm, and why?

[Most popular scenarios to feature in the survey include: Procedural oversights – failing to complete key steps in a process; Process completed with simple errors (eg typographical/wrong date entered); and Internal process failure (eg lost document/wrong attachment) – see chart]

Amanda Butler: ‘It can be pressure of work – people being so keen to get the work complete they forget the basics – such as people taking on a litigation matter and launching into the nitty gritty, they forget to check the limitation.

‘Second is a slightly different angle, hybrid working – perhaps more junior lawyers not having the same oversight from senior lawyers that they would have from sitting next to each other in the office. The supervision, conversations listened to and learning from other people than if you are working remotely.’

Paul Haggett: ‘One of the SRA’s main requirements is to maintain independence – one of its key principles. I have seen situations where an external lawyer has got too close to a client. It is a very tricky thing to maintain a balance – particularly in the “bet the bank” type situations. It is very easy to go along with what the client wants and not think as to what is lawful or sensible.

More generally in terms of professional negligence claims – pensions work can give rise to large claims. Mistakes which happen in a pension fund context have the potential to create losses that are completely disproportionate to the nature of the mistake. I am sure all firms with pensions practices struggle with this.’

Clare Hughes-Williams: ‘Most claims arise out of simple mistakes or oversights, and they are rarely caused by lack of knowledge of the relevant law. Having said that, some large claims we have seen have arisen because the solicitor has been “dabbling” in an area outside their field of expertise.

Property transactions remain the biggest cause of claims and a substantial proportion of those claims arise because of a drafting error or a failure to advise the client on the terms of the contract. These claims can result in significant losses and, unless the property lawyer made detailed notes of the advice they gave, can be difficult to defend from an evidential perspective.’

ayesha.ellis@legalease.co.uk

mark.mcateer@legalease.co.uk

The most pressing priority for firms and clients ranked in order by firms

Firm priorities
1 Re-assessing risks due to changes in the external business environment
2 Inadequacies in supply chain risk management
2 Running crisis management exercises and testing plans, including cyber events
4 Assessing risk control effectiveness and developing improvement plans
4 Failure to meet workforce representation and participation goals
4 Improved use of risk data to inform decision making and action
4 Inability to meet stakeholder requirements (eg, investors, insurers, customers)
4 Increasing prevalence or severity of climate/natural catastrophe events
4 Raising awareness of ESG or setting targets
4 Reputational damage from perceived ‘green washing’
11 Assessing that the transfer and retention of cyber risk, with associated insurances, is appropriate
11 Failing to meet carbon emission targets
11 Lack of community engagement
14 Difficulties achieving ethical standards overseas
14 Enterprise risk management framework and governance
14 Financially modelling the implications of risks
14 Liability concerns associated with ESG legal actions
18 Inadequate preparation for ESG reporting requirements
19 Business continuity management framework and governance
19 Supply chain
21 Alignment of risk management with insurance
21 Risk culture and staff participation/engagement in risk

Client priorities
1 Re-assessing risks due to changes in the external business environment
2 Raising awareness of ESG or setting targets
3 Failing to meet carbon emission targets
4 Failure to meet workforce representation and participation goals
4 Improved use of risk data to inform decision making and action
4 Inadequate preparation for ESG reporting requirements
4 Increasing prevalence or severity of climate/natural catastrophe events
4 Liability concerns associated with ESG legal actions
4 Running crisis management exercises and testing plans, including cyber events
10 Assessing risk control effectiveness and developing improvement plans
10 Assessing that the transfer and retention of cyber risk, with associated insurances, is appropriate
10 Difficulties achieving ethical standards overseas
10 Financially modelling the implications of risks
10 Inability to meet stakeholder requirements (eg, investors, insurers, customers)
10 Inadequacies in supply chain risk management
10 Reputational damage from perceived ‘green washing’
17 Lack of community engagement
18 Alignment of risk management with insurance
18 Risk culture and staff participation/engagement in risk
18 Supply chain
18 Business continuity management framework and governance
18 Enterprise risk management framework and governance

Ranked – top 3 events you consider might significantly impact on your firm’s objectives

Operational/systems
1. IT security breach with commercially sensitive information stolen
2. Supply chain/third-party service provider failure/breach
3. Workforce availability affected by a pandemic

Client related
1. Innocent involvement with fraudulent/money laundering/sanctioned client
2. Acting where there is a conflict of interest
3. Reputational damage due to firm’s ESG approach or connection with unsavoury/unethical client or client activity

Financial
1. Failure to achieve planned strategic outcomes
2. Impact to the business from exiting the EU or other geopolitical events
3. Financial failure of debtor clients or providers

Employment issues
1. Inability/failure to attract high quality new partners or staff
2. Loss of ‘star’ team or key partners
3. Sexual harassment/discrimination/misconduct allegations

External/regulatory
1. Failure to satisfy new or existing regulatory framework and keep up-to-date with new requirements (inc. AML)
2. Clients in-source more work
3. New sanctions or tariffs restrict ability to undertake key work areas

Ranked – top 3 events you consider have the highest probability of occurring at your firm

Operational/systems
1. Data privacy breach or destruction of data
2. IT security breach with commercially sensitive information stolen
3. Supply chain/third-party service provider failure/breach

Client related
1. Reputational damage due to firm’s ESG approach or connection with unsavoury/unethical client or client activity
2. Loss/insolvency of a major client
3. Acting where there is a conflict of interest

Financial
1. Financial failure of debtor clients or providers
2. Impact to the business from exiting the EU or other geopolitical events
3. Unexpected reduction in work

Employment issues
1. Lateral hire failing to properly integrate into firm culture/policies/practices and/or causing claims
2. Inability/failure to attract high quality new partners or staff
3. Loss of ‘star’ team or key partners

External/regulatory
1. Increased competition from new law/AI legal tech businesses
2. English law and jurisdiction clauses increasingly removed from contracts for global businesses
3. Clients in-source more work to undertake key work areas