With cyber risk exploding and storm clouds over the economy, it’s harder than ever to balance risk with commercial realities. Legal Business’ annual risk survey asks how law firms are coping.
While no major law firm has yet fallen prey to the sort of high-profile data breach that the mobile operator Talk Talk suffered in 2015, the threat is front and centre of every risk manager’s mind. For those polled in Legal Business’ ninth annual risk management survey with broker Marsh, ‘IT security breach/data management accident or breach’ was again regarded as the most significant risk to law firms in terms of the damage it could cause and the likelihood of it occurring (see table).
The fallout from the Talk Talk cyber attack is the latest high-profile reminder of the financial and reputational cost that large-scale organisations can incur. In Talk Talk’s third-quarter trading update, published at the beginning of February, the company conceded the attack would cost £60m in lost trading and exceptional costs, and had contributed to the loss of 101,000 customers.
While attacks by external hackers are more likely to capture the imagination, the risk of a data breach is probably more likely to come from a mundane human error at a law firm rather than a meticulously planned assault.
‘You need to take a holistic and a fresh look at what needs to be regulated, but there has been a lot of resistance.’
Jo Riddick, Macfarlanes
‘There is a tendency to view data breach as affecting only the firm’s online activities. However, a lost laptop or file of papers could be every bit as damaging, if the confidential information contained in it makes its way into the public domain,’ says Joe Bryant, a professional negligence partner at RPC. ‘Damaging not only to the firm’s bank balance in terms of fines and legal claims, but also reputationally. At the moment, perhaps there is too much focus on ensuring the adequacy of IT security and not enough on cutting out the silly mistakes.’
Protections being put into place by major firms to minimise the damage of such an event are already affecting their day-to-day operations significantly. This is most keenly felt in areas such as knowledge management, where law firms’ open-access approach to information is conflicting with a need to keep data secure.
| LEGAL RISK PROFILE 1: What impact would these situations have on your firm? | |
|---|---|
| Situation | Impact (mean score out of 5) |
| IT security breach/data management accident or breach | 4.2 |
| Financial loss (own or client) resulting from ‘vishing’ | 3.7 |
| Loss of firm’s biggest client | 3.7 |
| Unwittingly becoming involved with client fraud | 3.6 |
| Disaster/business continuity failure | 3.6 |
| Reputational damage to firm (eg from media, ex-employee, disaffected client) | 3.4 |
| Onerous outside counsel guidelines, imposed by clients | 3.3 |
| Failure to meet strategic plans | 3.2 |
| Currency fluctuations | 3.2 |
| Alternative business structures | 3.2 |
| Credit or other financial problems | 2.9 |
| Bankruptcy/acquisition of significant clients | 2.8 |
| Sanctions and sanctions-related issues | 2.8 |
| Loss of key partners/staff | 2.7 |
| Serious legal or commercial conflicts of interest | 2.7 |
| SRA’s outcomes-focused regulations | 2.5 |
| Employment claims from former partners/staff | 2.5 |
| Competition – including from alternative business structures | 2.4 |
| Poor performance of key lateral hire(s) | 2.1 |
| Inability to attract new partners/staff | 2.0 |
| Liabilities exceeding resources, including insurance (eg professional negligence claim in excess of policy limits) | 19 |
| LEGAL RISK PROFILE 2: What is the potential for these situations occurring at your firm? | |
|---|---|
| Situation | Potential (mean score out of 5) |
| IT security breach/data management accident or breach | 3.0 |
| SRA’s outcomes-focused regulations | 3.0 |
| Loss of key partners/staff | 2.8 |
| Currency fluctuations | 2.8 |
| Employment claims from former partners/staff | 2.6 |
| Failure to meet strategic plans | 2.5 |
| Reputational damage to firm (eg from media, ex-employee, disaffected client) | 2.5 |
| Credit or other financial problems | 2.4 |
| Alternative business structures | 2.4 |
| Serious legal or commercial conflicts of interest | 2.3 |
| Unwittingly becoming involved with client fraud | 2.3 |
| Bankruptcy/acquisition of signifi cant clients | 2.2 |
| Liabilities exceeding resources, including insurance (eg professional negligence claim in excess of policy limits) | 2.2 |
| Financial loss (own or client) resulting from ‘vishing’ | 2.2 |
| Competition – including from alternative business structures | 2.1 |
| Sanctions and sanctions-related issues | 2.1 |
| Disaster/business continuity failure | 2.0 |
| Poor performance of key lateral hire(s) | 1.9 |
| Inability to attract new partners/staff | 1.9 |
| Loss of firm’s biggest client | 1.6 |
| Onerous outside counsel guidelines, imposed by clients | 1.6 |
| LEGAL RISK PROFILE 3: what is the potential of these professional negligence situations occurring at your firm? | |
|---|---|
| Professional negligence situation | Potential (mean score out of 5) |
| Errors made by staff /lawyers on complex, high-value transactions | 2.8 |
| Errors made by staff /lawyers on routine ‘bread and butter’ transactions | 2.6 |
| Lawyers advising outside their area of expertise | 2.3 |
| Inadvertently advising third parties | 2.1 |
| Insurance claims emanating from foreign offices | 2.0 |
| Infringement of regulations | 1.9 |
| Errors made by confusion caused by SRA’s outcomes-focused regulatory approach | 1.8 |
| Increased claims as a result of pressure on fees and the need for ‘instant’ advice | 1.6 |
Shared knowledge
‘The current focus of concern is the fact that law firms, unlike firms of accountants, tend to have default open-access (subject to barriers) document management systems,’ says Jo Riddick, general counsel (GC) and compliance officer for legal practice at Macfarlanes. ‘I suspect that those days are going to change. We are seeing a move to increased use of information barriers.’
The culture of shared knowledge and easy access to legal knowhow has been fundamental to UK law firms and is built upon the understanding that, since everyone shares the same duty of confidentiality, everything will be kept within the firm.
However, as firms expand and have more non-legal and temporary staff on the payroll, this level of confidentiality is harder to guarantee. Clients are also introducing increasingly strict guidelines regarding the introduction of information barriers (for a more detailed look at onerous counsel guidelines, see ‘Client relations: under pressure’).
Client relations: under pressure
The issue of onerous counsel guidelines cuts across every aspect of a law firm’s client relationship, including liability caps, internal security measures, or whether or not a firm can act for clients’ competitors. The issue has taken on an industry-wide importance, which was addressed in detail in the ‘Independence, representation and risk’ report commissioned by the Solicitors Regulation Authority (SRA) in 2015. One of the most acute areas of concern is caps.
‘In certain sectors in which we operate, it doesn’t matter how much you huff and puff, you won’t get a limitation on liability agreed,’ says Andrew Paton, risk management and professional indemnity partner at Pinsent Masons. ‘That is particularly true with financial institutions; they say no limit on liability. In other areas of practice, we put a limit of liability in the retainer letter and it goes through without comment.’
Nearly half (48%) of the respondents to our survey said that they achieved liability limitations over 75% of the time (see chart), while 30% said they managed it between 51% and 75% of the time.
These results do not, however, reflect the disproportionate level of risk posed by the banking sector, which is generally resistant to caps. Given the large value of most banking transactions, the fear is a law firm would not be adequately protected if faced with a successful and high-value claim. The question then is what, if anything, law firms can do about it.
‘Some say the SRA needs to step in and implement some protection for law firms against the rise of onerous “own counsel guidelines”, but we need to be very careful in seeking that because other market players don’t have that sort of protection,’ says Jo Riddick, general counsel (GC) and compliance officer for legal practice at Macfarlanes. ‘If they had to start implementing liability caps, UK firms might see the banks moving wholesale to US firms.’
Many firms simply accept that they have to stand behind their work if they want to accept the business.
‘For us it’s more straightforward because a number of our financial services clients simply say you can’t limit liability – that’s it,’ says John Verry, risk director at TLT. ‘So if you want the client it then becomes a business risk and it’s a business decision as to whether or not you want to take them on. I can harp on for hours about the dangers of taking somebody on and not having sufficient insurance, but ultimately, if you want a business, you’ve got to take some risks.’
Despite this, there is a sense that the banks in particular are not treating their advisers in a consistent manner. One common complaint is that they will agree to liability caps with the accountants because they need the imprimatur of a Big Four firm and therefore have less leverage. The legal market, however, is much more fragmented, giving the banks a much stronger negotiating position. For risk managers, it is therefore about the lawyers opening up a dialogue with the client and persuading them that it is in their interests to allow some caps.
‘Insurers expect their firms to be prudent in this area and not expose them to loss, particularly if doing multi-industry projects,’ says Emma Dowden, chief operating officer at Burges Salmon. ‘If you think about large projects, you’ll find that other professionals are limiting their liabilities and lawyers are not, so they can be very exposed. It’s about an education and a conversation with clients, and saying of course it has to be set at an appropriate level for the size and risk and quantum of the transaction, but that liability should be capped at a mutually acceptable level.’
Lawyers therefore have to take control of the matter from an early stage. This doesn’t just apply to liability caps, but also to other demands, such as whether or not you can act for competitors.
‘Is a client who is trying to stop you from acting with competitors going to help or harm themselves in the longer term?’ asks Addleshaw Goddard GC Simon Callander. ‘They’ve obviously come to you because you have market knowledge and experience that they want to take advantage of. You come to a firm because it has experienced people, with relevant insight who bring different and better ways of doing things. No lawyer wants to undermine their client’s competitive position, but in certain circumstances, by limiting firms’ exposure to the market place, one could potentially degrade that experience and knowledge, creating a suboptimal position.’
Whichever way the early-stage negotiations go, the key is to ensure that there is a consistent firmwide approach and a high degree of oversight from the risk management teams.
‘We have a small sub-team within risk that takes the lead on reviewing all outside counsel guidelines that come in from across the international firm,’ says Justine Cowling, head of risk management at DLA Piper. ‘That way we know that the feedback the team is giving, as to whether we can or can’t accept aspects, is being given consistently. Different firms take different approaches and some firms leave it to the partners. The risk of that is people not properly understanding the real cost at which they might be accepting that work.’
‘We already have an increasing number of information barriers that we implement within our document management system,’ adds Riddick. ‘We’re looking at potentially moving to a part-closed or a wholly-closed system. But knowledge management departments are still saying there are huge benefits to having an open access system, so there are tensions between risk and knowledge management.’
While putting in information barriers and limiting document access to specific teams and lawyers reduces the risk of exposure, it brings complications.
‘Sometimes firms will deal with cases that are so confidential that all of the information has to be completely ringfenced from the rest of the firm,’ says Bryant. ‘While necessary to maintain client confidentiality, this can make for operational problems; even tasks such as conflict checking can be rendered virtually impossible if all of the information on various cases is locked away.’
Information barriers can also gum up the system, reducing the efficiency and effectiveness with which lawyers can service clients’ needs.
‘You’ll find that other professionals are limiting their liabilities and lawyers are not, so they can be very exposed.’
Emma Dowden, Burges Salmon
‘There is definitely a tension there,’ adds Emma Dowden, chief operating officer at Burges Salmon. ‘I manage both the IT and knowledge management function so I see that directly. We start from the premise of an open system unless there is a need for it to be locked down. The irony is that if it’s locked down, they won’t see it, so they don’t know what they’re missing out on. If they’re searching for things it might just be that they’re unable to find some crucial information that might enhance their learning. That tension is definitely increasing, and in an age where everyone is hungry for access to information and market intelligence, that can be hard to reconcile. It is a balancing act, but you can never compromise security.’
Risks and rewards
While security can be improved by simply investing in effective IT infrastructure, it will be redundant if the end-users are careless or negligent. Human failings are much harder for risk managers to tackle and there are significant barriers in the way of achieving the ultimate goal: a culture of personal responsibility and risk management that permeates the entire firm. Unsurprisingly, the more geographically diverse the firm, the harder this is to instil, which is why internationalisation is seen by our respondents as among the biggest barriers to implementing a risk management culture (see selected comments).
This comes as no surprise to Sandra Neilson-Moore, managing director of the FINPRO practice at Marsh, who says that increased involvement in the professional liability claims of satellite offices should be top of the agenda of centralised risk teams at large firms this year. ‘These are increasing in number and severity, and the central office of the firm does not in many cases have control of the handling of such matters,’ she says. ‘We have been seeing situations where individuals in the local office (and the local insurer) take over the handling of the claim to the exclusion of the global insurers and this could jeopardise the response of the main global policy.’
‘This is where you must have a consistency across your international network: a consistency of message supported by a consistency in risk training,’ says Justine Cowling, head of risk management at DLA Piper. ‘We’ve built a risk partner network so that we can cascade and embed messages quickly and effectively. Risk team members visit offices to carry out risk audits in order to discuss risks to the business at all levels and test what is going on as well as deliver face-to-face training. But it’s about seeking to be consistent, because every office is as important, no matter how big or small, or what revenue might be generated.’
‘A brand takes a long time to build and can be damaged in an instant. It’s everyone’s responsibility to really consider why the brand is important to them.’
Justine Cowling, DLA Piper
‘As you expand internationally, there is undoubtedly added risk,’ adds Callander. ‘Aside from the financial risk that you’re taking in setting up new offices and setting up overseas, there are risks inherent in different jurisdictions with different norms and approaches. But with those risks comes opportunity as well. The key point to remember is that you don’t get opportunity without risk and the key is how to mitigate it.’
Back to basics
That balance of opportunity and risk is even harder to achieve when faced with a challenging economic outlook, since the financial wellbeing of the firm is as much of a risk as a poorly-worded contract. The rocky start that the global economy has endured in 2016 has not gone unnoticed by risk managers. Financial pressure on partners is, according to those polled, another of the top barriers to implementing a risk management culture and this pressure looks likely to increase in 2016.
The pressure to cut corners can lead to problems from the onset: ‘Engagement terms remain a big issue,’ says Neilson-Moore. ‘Firms should step up their efforts to ensure a high percentage of compliance with internal rules regarding engagement terms, including getting agreement to limitation of liability, where circumstances permit.’
‘In a more testing environment the risk processes and the protocols you have in place will be pushed a bit further, not least in terms of whether they are business-aligned enough,’ says Callander. ‘Are you facilitating risk management in a supportive way or seen as preventing business winning because you are a compliance block? You can create the most beautiful architecture with all of the policies and procedures, but if you don’t create a culture that understands risk from a commercial perspective, it will fail.’
The temptation to cut corners will increase for lawyers as they try to keep pace with an ever-demanding market. According to those surveyed and interviewed by Legal Business, it is the basic stumbling blocks, such as pressure of work and deadlines, the lack of communication with the clients and/or internally, and poor record-keeping that are among the biggest causes of professional malpractice claims (see chart).
|
What are the main barriers to implementing a risk management culture at your firm? |
|
|---|---|
| LB100 rank | Selected comments |
| Top 25 | ‘Internationalisation.’ |
| Top 25 | ‘Financial pressures on partners.’ |
| Top 25 | ‘Risk is the only business services function without representation on the board.’ |
| Top 25 | ‘When people care only about themselves to the exclusion of the team.’ |
| Top 25 | ‘Misconception that risk is simply about regulation/compliance and lack of appreciation that it can inform the firm’s strategy and support its strategic objectives.’ |
| 25-50 | ‘True buy-in of senior management.’ |
| 25-50 | ‘Proportionality – ie uncertainty as to the extent that we need to go to in order to adequately protect ourselves.’ |
| 25-50 | ‘Lack of clarity in the Solicitors Regulation Authority’s outcomes-focused approach – hard to “lay down the law”.’ |
| 25-50 | ‘Under-investment in technology.’ |
| 25-50 | ‘Clients and personnel increasingly operating in a virtual world involving threats to data security.’ |
| 51-100 | ‘Inertia.’ |
| 51-100 | ‘Availability of appropriate risk technology and risk/compliance resources.’ |
| 51-100 | ‘Difficulties associated with firm culture change.’ |
| 51-100 | ‘Cost.’ |
| 51-100 | ‘Lack of a sophisticated, informed perception of what the risks are at present.’ |
| 100+ | ‘Focus on fee-earning totally and only truly addressing risk at firefighting stage.’ |
| 100+ | ‘No one wants a role in risk.’ |
| 100+ | ‘Time pressures for delivery of service to client.’ |
| 100+ | ‘“Someone else will do it, not me.”’ |
| 100+ | ‘Assumption that what we have is adequate.’ |
‘The speed with which people are working and the pressures to deliver are certainly affecting the ability to spend time checking work,’ says Cowling. ‘Note-taking is also being affected. Previously, lawyers religiously took detailed attendance notes so that if something odd arose, perhaps years later, you could piece it all back together. If those notes aren’t there, the lawyer now appears to be easily blamed and clients will assume that their lawyer should have advised; it may be that the lawyer did advise them of the risks, but just that there might not be a note to show it.’
The need for greater care in basic disciplines is, for many risk managers, a key step towards a better risk profile. The challenge, however, is in ensuring that basics such as getting the engagement letter right and doing appropriate client checks are not rushed. At Macfarlanes, Riddick points to the book The Checklist Manifesto: How to get things right as a good aid in overcoming mistakes. Written by a Boston surgeon, Atul Gawande, it details the pre-surgery routine that he followed prior to every operation. When his methods were implemented across eight US hospitals in 2008, deaths dropped by 47% and major surgery complications dropped by 36%.
Gone vishing
The pressure to get things done quickly is also playing into the hands of fraudsters, particularly those using increasingly sophisticated ‘vishing’ scams. These typically use hijacked or cloned internal e-mail accounts to try to convince lawyers and support staff to part with crucial information over the phone or transfer funds into a different bank account. Of those surveyed, ‘financial loss (own or client) resulting from vishing’ is seen as the second most high-impact risk after a data breach. It’s also something that the Solicitors Regulation Authority (SRA) has warned about, announcing in March 2015 that it receives four reports a month of solicitors falling victim to such scams. As fraudsters become more sophisticated, their e-mails become increasingly convincing.
‘Firms should step up their efforts to ensure a high percentage of compliance with internal rules regarding engagement terms.’
Sandra Neilson-Moore, Marsh
‘I wouldn’t say they are necessarily professional, but I would say that they can be subtly persuasive,’ says Callander. ‘When you take a step back, and with perfect 20/20 hindsight, you can spot the tell-tale flaws. However, when they pass over a desk in the normal course of a busy day when you might be rushing off to meetings, the temptation is to deal with e-mails and move things on, so we need to help people not to miss things.’
So far it’s primarily been smaller high-street firms, particularly those transferring funds for real estate transactions, which have typically succumbed to such frauds. One example was Karen Mackie, a sole practitioner who had her practice closed down and her practising certificate suspended by the SRA in 2015 after she was conned into transferring £734,000 of client money to a group of fraudsters posing as her bank’s security team.
Preventing such frauds at larger firms should be easy enough if they have appropriate internal measures in place.
‘It’s getting the basics right. You don’t give out that information ever. The procedure you have there is that one person cannot give all of the detail,’ says John Verry, risk director at TLT. ‘It’s no longer bubbling away in the top ten of risk. It’s right up there at the top. It’s basically war with fraudsters and those trying to get into the system, be they crypto lockers, vishing, phishing… they know we’ve got large pots of money and they want it.’
Cyber insurance
Whether firms are adequately protected by their insurance policies should they fall victim to a fraud depends on the nature of the fraud and the nature of the loss. The consensus is that, for a vishing scam, a firm’s normal professional indemnity (PI) cover should protect against the loss of client money, although not the law firm’s own money. Should the firm lose client information through a data breach, then a number of bespoke cyber insurance products are on the market. The best of these policies would provide cover for critical areas, such as business interruption and crisis management, as well as access to experts that could handle the PR fallout, and might possibly help pay out in the event of fines from regulators such as the Information Commissioner.
It is this danger of reputational loss that poses one of the largest and most unquantifiable threats.
‘If a cyber attack has happened, the technical solution obviously has to be put in place,’ says Callander. ‘The key to how you really recover though, is how you manage your stakeholders – your clients, staff, the media and your reputation. Immediate access to solutions, advisers who know what they’re doing and funds to ensure it is done straight away is going to be the key. It will be interesting to see how the market develops and prices that sort of cover.’
Claims management
Seventy percent of our respondents felt that their PI policies were reasonably priced. This sense of a benign PI market is coupled with the fact that the number of High Court cases brought against solicitors in 2015 dropped to 221, down from 418 in 2014, according to data compiled by RPC. While there are several claims still being held over from the 2008/09 financial crisis, the legal limitation period has meant that these are starting to diminish.
There is also the hope that legal costs can be reduced through new dispute resolution procedures, such as the trial adjudication scheme for professional negligence claims, which was launched in February 2015 and will be receiving another marketing push this spring.
Outside influences: regulation
Law firms that specialise in personal injury claims are only too aware of the huge business risks that can come from statutory or regulatory changes. This came to the fore in the UK government’s 2015 autumn statement, when it announced plans to end the right to claim compensation for minor whiplash injuries and also its intention to push more cases through the small claims court, with the goal of cutting legal costs and reducing the demand for lawyers. Shares in the Australia-listed law firm and personal injury specialist Slater and Gordon subsequently fell from just over A$1.9 down to A$0.69, and are currently languishing at A$0.59.
The chance of something similar happening in other corners of the industry has not escaped the attention of risk managers.
‘There is a perception out there that lawyers make loads of money, but an awful lot of them don’t and some of the margins are really quite thin,’ says John Verry, risk director at TLT. ‘The threat of additional regulation and government legislation can have a substantial impact on these margins, affecting sections of the legal profession, such as personal injury. These are the things that worry me.’
Major corporate law firms have yet to suffer something on this scale, but legislative changes are affecting the way they conduct business. The nearest matter on the horizon is the government’s introduction of a mandatory PSC Register in April, which will force companies to declare shareholders with more than a 25% stake, or ‘persons of significant control’. This ties in with the EU’s fourth money laundering directive and will force law firms to declare client details that might otherwise have been kept confidential.
‘We may be approached by people who want information from our client due diligence records and there is criminal liability if we don’t respond to notices,’ says Jo Riddick, general counsel and compliance officer for legal practice at Macfarlanes. ‘Notices may seek information which hitherto we had seen as strictly confidential, such as information about our entity clients’ beneficial ownership. We’ll need to make sure that our clients are aware that, if we’re required by law to respond to a notice, we will have to do so and that will override the duty of confidentiality.’
Less extreme, but still relevant, is the confusion over the Solicitors Regulation Authority (SRA)’s outcomes-focused regulation (OFR), a principles-based approach to regulation that was introduced in 2011 to replace the more prescriptive oversight that occurred previously. Sixty-five percent of those surveyed this year stated that they still did not believe that OFR processes are completely effective and understood within the firm. Of the risk managers that Legal Business spoke to, the consensus was that this didn’t matter too much as it was the job of the risk teams to clear up any confusion on behalf of the lawyers.
‘It’s incumbent upon the risk teams to support the lawyers,’ says Emma Dowden at Burges Salmon. ‘It’s our specialist area so they look to us to communicate those changes and train them out effectively.’
One of the SRA’s key goals with OFR is to encourage greater levels of responsibility within law firms and the lawyers themselves, and this is part of its push towards a pragmatic form of regulation. Recent proposed moves to further simplify the SRA Handbook and cut red tape have been well received. ‘I am all in favour of anything that shifts away from prescriptive rules and towards a common-sense regulatory response,’ confirms Sandra Neilson-Moore, managing director of the FINPRO practice at broker Marsh.
‘They’re talking about simplifying matters and that is absolutely right,’ says Verry. ‘If you look at the solicitor’s client accounts rules, basically what a lot of it boils down to is: don’t steal your client’s money, which is already a criminal offence. They could simply say if you’re found guilty of a criminal offence, you can get struck off. Do you need 60 pages of accounts rules as well?’
The bigger business risk is linked to the fact that law firms are facing greater competition from unregulated advisers and therefore regulated solicitors are at a competitive disadvantage. According to the Institute of Paralegals, there are approximately 6,000 unregulated paralegal law firms in the UK, compared to 10,100 solicitors firms. Given the rate of growth, it is likely that the number of unregulated firms will overtake the regulated market in the next decade.
Corporate firms see this as a significant risk, with some suggesting that the SRA needs to update its definition of legal activities reserved for regulation, otherwise law firms will have to adapt their structure accordingly.
‘The regulated law firm entity could essentially be the smaller entity conducting just reserved activities, broadly litigation, probate and the conveyancing that needs to be done on a regulated basis,’ says Riddick. ‘A lot of the M&A and commercial work could actually be done on an unregulated or less-regulated basis by solicitors, who would in effect be self-regulating for brand reasons. We’ve been saying that you need to look at the reserved activities, and you need to take a holistic and a fresh look at actually what needs to be regulated, and start with a plain sheet of paper, but there has been a lot of resistance to change.’
‘The scheme is focused purely on solicitors cases and has sprung up as a way of handling lower-value claims against solicitors as cost-effectively as possible,’ says Bryant. ‘In cases that might otherwise run on towards trial at significant cost, the parties can appoint an adjudicator from a chosen panel of barristers to give a very summary view that should result in the issues being brought to a head earlier and cheaper.’
‘You can create the most beautiful architecture, but if you don’t create a culture that understands risk commercially, it will fail.’
Simon Callander, Addleshaw Goddard
For insurers, often the legal costs are the most expensive part of any process, so any opportunity to bring those down is likely to be welcomed. However, while the volume of claims might be decreasing, the value of the claims is generally considered to be on the rise. This is of particular concern for the many firms who keep their premiums low by increasing their excesses, in some cases up to £1m. In an era of increased personal responsibility and self regulation, as promoted by the SRA’s shift towards outcomes-focused regulation (see box, ‘Outside influences’), the increased financial cost of getting it wrong could help determine how lawyers behave.
‘It may be seen as a useful management tool for causing lawyers to understand that the mistakes they make have potential to create meaningful damage to the business,’ says Andrew Paton, a partner responsible for risk management and PI issues at Pinsent Masons. ‘If your excess is £50,000 and lawyers know that the worst that can happen is that the firm only has to pay £50,000, that may create a different culture in the business than if they know the firm has to pay £1m. I’m not afraid to tell people that we have to pay the first £500,000 of any claim because I think people need to know.’
This sense of personal responsibility is also vital for protecting the firm’s reputation, which in the event of a major crisis, even the best form of cyber insurance would struggle to save.
‘A brand takes an awfully long time to build and can be damaged in an instant,’ says Cowling. ‘That is why it’s everyone’s responsibility to really consider why the brand is important to them, and ask what we can do individually and collectively to cultivate it.’
The hope among risk managers is that everyone takes that message on board. LB