The risk debate: Silver linings playbook

The decade since the fall of Lehman has seen some dramatic changes to the profession, not least law firms’ risk teams. Ten years since Legal Business first collaborated with broker Marsh to create our annual risk management and professional indemnity survey, progress has been made but the threats to the key players within the industry have become more ominous.

We gathered together leading risk experts from some of the UK and international firms most affected by increased regulatory scrutiny, geographical cohesion, data security and PR disasters to reflect on the evolution of law firm risk management and look ahead to see how the landscape could develop over the next ten years.

***

Mark McAteer, Legal Business: 86% of respondents to our survey said the risk management culture of law firms has improved over the last decade. Does anyone disagree?

Justine Cowling, DLA Piper: There is an organic understanding and appreciation now from partners that we can help them to win business. They feel more confident if they have spoken to the risk team in advance of taking a particular action than if they do not. That, alongside us growing our teams, has really helped our culture.

‘Perceptions have changed as to what risk means. Partners used to think risk was all about business intake.’
Angela Robertson (right), Taylor Wessing

Andrew Cheung, Dentons: In a self-serving sense, it would be great to see you publish that it is top-quality risk managers and general counsel that have caused this improvement in risk culture. However, in reality, a lot of it has to do with legal sector disruption over the last ten years. Client disruption and regulatory disruption are two big factors, as well as disruption caused by technology. These have forced law firms and lawyers to rethink legal service delivery and, fundamentally, what it means to be a lawyer. I believe that this, more than anything, has transformed the perception of risk and compliance in law firms from business prevention to business as usual.

Angela Robertson, Taylor Wessing: Perceptions have changed as to what risk really means because, up until relatively recently, partners used to think risk was all about business intake; it was about conflict and money laundering, doing your client’s due diligence. As that put barriers in the way of taking on new clients and matters, it did not necessarily go down well. When I set up a team in Clifford Chance back in 2000, it was a business intake team. When you look at how things have changed since there is more dimension to the role.

Roger Butterworth, Bird & Bird: We have become effectively an in-house legal department, almost a firm within a firm, which is different and it is recognised as that.

Nicola Gillespie, Linklaters: We also have dedicated risk partners in each of our offices who work closely with the central risk team. We are seen much more as peers now. Linklaters was one of the first law firms to set up a risk management function, starting with a small team in about 2000 of only three people. I remember having an early discussion with our board about engagement letters. It’s fair to say that there was limited interest. By contrast this year at our recent annual partners’ conference, we had our managing partner talking about the importance of engagement letters – and that was unprompted, without anyone in the risk function asking for the subject to be referred to. I have seen a huge evolution in the approach to risk over the years, with partners now driving forward initiatives.

‘We have moved towards “do whatever the client asks”, which has its dangers, but people are now appreciating that you have to look after the firm.’
Roger Butterworth, Bird & Bird

Nicole Bigby, Bryan Cave Leighton Paisner: We have now started to support a lot of the client-facing work. Partners recognise that we have a deep understanding and practical experience of how to implement all sorts of regulatory changes. We see that now across tax evasion, money laundering, sanctions, GDPR, and broader systems and regulatory controls approaches where we have a huge amount of experience.

Debbie Jukes, Eversheds Sutherland: What that allows you to do as well is to partner the fee-earning teams. All those areas that you mention we have worked closely with our fee-earning teams who are out there selling these services to clients. We have the benefit of having experienced resource in technical areas you could never buy in and they have the experience of implementing advice practically. For me that is a real win-win. That partnership is something I have been working on very closely over the past year. It pays such dividends.

Mark McAteer: Do you think one of the reasons why there has been this cultural shift is partners now prefer going to their clients and saying, ‘I need to talk to my risk team about this before I can go ultra vires’?

Andrew Clark, Allen & Overy: There is certainly more of that. What has changed is really the client piece and the fact that we are so much more focused on connecting the work we do to clients and client relationships. If all of our work is centred on clients there is little problem selling risk or the value of the risk part of the firm. Once you move away from that it becomes more difficult. The challenge for us all going forward is that we are covering all those important bases but are we being successful in ensuring risk awareness is permeating across the culture of the firm.

‘Client and regulatory disruption have forced law firms to rethink legal service delivery.’
Andrew Cheung, Dentons

Nicola Gillespie: I wonder also if one of the factors in the growth of a risk management culture in law firms is that many partners have grown up with it in the way that previous partners had not. There will have always been a risk and compliance or in-house legal function during their time at the firm.

Roger Butterworth: When I started out people used to say, ‘Look after yourself first, look after the firm second and look after the client third,’ which was meant as a bit of a joke but there is a reason for it. We have moved towards ‘do whatever the client asks’, which has its dangers but in a proper way people are now appreciating that, yes, you have to look after the firm.

Mark McAteer: Is there still a struggle for a lot of firms as they get larger to create a consistency in risk management?

Andrew Clark: There are certain things you can do: you can have global risk management policies; you can have anti-corruption and anti-money laundering, share dealing, whistleblowing policies and so on, but there is an element that also has to be done locally. You are not able to police every contract or other commitment the firm is entering into in all of its locations. The danger is that things fall between the gaps because the more we do on risk management, the more that is expected, and the more that is assumed.

‘There is always a time lag in claims – the challenge is anticipating where the claims may come from and what bear traps others have encountered.’
Alison Matthews, Shoosmiths

Juliet Tainui-Hernandez, Norton Rose Fulbright: It is a multi-faceted attack. I do not think it is just down to the risk team and it is not just down to the management. The longer we have the risk management function in place the better it gets, because each year you can add something additional, and then we just turn the screws slightly. We are partnering now with our fee-earning teams to drive training.

Angela Robertson: It is definitely moving on. Part of it is down to the perception that since risk teams started evolving they have tended to be UK-based with smaller teams in some other jurisdictions to take account of time differences. Because that was largely regulatory driven, ie UK regulatory driven, there has been scepticism on the part of some of the international offices. Part of it is just this perception that the UK is seeking to drive everything and it is difficult to break that down, unless there is a client focus.

Mark McAteer: The last ten years was about establishing the risk culture centrally. Is the next main challenge to establish that more systemically across the board?

Nicole Bigby: It is the balance. Our position is not dissimilar to the challenge that many of our in-house teams and clients have. They are being asked to do more continuously with less. We have expanded and have done a huge amount of work internally with the board to be very clear about what we do and do not do. So we have a very clear mandate. But also we are quite clear with the business about where there are issues where it makes time and good sense for my team to be involved and where the issues are immaterial. Things need to come to me only when they are material, because otherwise you are everything to every man and every woman. That is not manageable.

‘The really significant risks are information security risks: that we do not take care of data or we are shown not to have taken care of data.’
Jo Riddick, Macfarlanes

Roger Butterworth: I agree. They have to be trusted to sometimes work it out themselves and make the right decision.

Nicole Bigby: Yes, and have a measure of self-responsibility and be resilient.

Mark McAteer: GDPR and associated data threats across the board have created even more pressure this year. We know that IT and data security is a top-ranking issue every year. Has it been noticeably different in the last 18 months?

Roger Butterworth: Yes, absolutely. It has happened to one law firm here unfortunately. It can happen to any of us and if you have something that looks like a data incident you have to drop everything else, track it down and deal with it.

Justine Cowling: We have considered it important that our clients and community know about the cyber incident which affected us – how the malware operated and the extensive damage it caused in a very short period of time. But it would have been a lot worse if we had had client data taken, which we did not. Due to the incredible sophistication of the incident, while we had a good indication, we could not confirm that with 100% certainty within the first 72 hours. So that makes life interesting given our new reporting obligations.

People know already that we were not targeted – we were collateral damage, which demonstrates that this is also a geopolitical risk that as law firms we are all facing and all organisations are facing. On the upside, it gives us now more than ever the ability to say that we need to put security first in everything we do. It is not just about storage of data and making that secure, but about how we control data.

‘You cannot police every contract. The danger is things fall between the gaps because the more we do on risk management, the more that is assumed.’
Andrew Clark, Allen & Overy

Jo Riddick, Macfarlanes: The really significant risks for all of us are information security risks: that we do not take care of data or we are shown not to have taken care of data. They exist today as much as they will do on 25 May. We can do everything we like about accountability and transparency, chopping down retention periods and cutting HR and marketing data – which we are all doing – but the fundamental risks are exactly as they are now: that we do not take care of client confidential and personal data and that exposes us, not just to the regulators, but crucially to our clients and reputationally. That is the big one.

Nicola Gillespie: What concerned me, Justine, is that our technology team told me that DLA Piper’s IT security was excellent. If that was the case then that does make us all think we must be exposed.

Justine Cowling: A number of other firms’ IT people called us within 48 hours to say: ‘We are set up in exactly the same way.’ The legal sector needs to learn here. We need to up our game and start looking at other sectors, including the financial sector to see what they do.

Andrew Carpenter, Marsh: Talking to the cyber insurers, they are more concerned about a firm’s response. The assumption is that you have protections in place and you are looking after your data, but your reputation is key. How you respond to the incident is what is important. It is important to you, from a reputational perspective, for keeping your client. From their perspective, as an insurer, it is responsiveness, and containing and resolving the incident. How are you going to implement your business continuity plan or how are you going to respond to something like that? Who are you going to bring in? Who is your PR consultant? Is your senior management team ready to deal with this?

‘The assumption is you have protections in place and are looking after your data, but your reputation is key. How you respond to the incident is what is important.’
Andrew Carpenter, Marsh

Jo Riddick: The issue is giving out information when you do not know what is happening. Being silent is the very worst thing in the world you can do.

Stephen Morton, Marsh: Your risks do not fit the natural silos of insurance products. A big cyber breach can cover reputational damage; it can pull in the management; you suddenly have a professional indemnity issue with clients. It covers all of those elements. So the policies will evolve, but the first step is joining up and making sure that those liability policies you hold – employment practices, management liability, crime, cyber and professional indemnity – respond effectively.

Mark McAteer: With all these risk issues coalescing, are insurance premiums going to go up?

Andrew Carpenter: There was talk of premiums going up. Since the start of the year, my perception is that reserves are being reviewed and rating models re-evaluated. So placing the first £10m or £20m of professional indemnity insurance cover is not necessarily straightforward. There is still little competition in the market for it. There are very few insurers writing it and some meaningful claims are there. You cannot get away from it, but a lot of the claims relate back in time. There are not that many that are current work related. There is a sense the financial crisis is still sorting itself out.

Alison Matthews, Shoosmiths: There is always a time lag in relation to claims – the challenge is in trying to anticipate where the claims may come from and what bear traps others have encountered.

‘The longer we have the risk management function in place the better it gets, each year you add something, and then we just turn the screws.’
Juliet Tainui-Hernandez, Norton Rose Fulbright

Andrew Carpenter: There is a time lag. That is giving insurers an ability to look at their rating models. There is still capacity out there. There is less than last year but there is still capacity and competition. There may be an adjustment going on but it is not a massive, seismic change. I would not say it is doomsday out there at all.

Nicola Gillespie: That is next year, isn’t it..?

Andrew Carpenter: I do now know, but insurers are taking a long time to make a decision about pricing. It is pricing by committee. You need time to complete your renewals.

Mark McAteer: Thank you all for your time. LB

mark.mcateer@legalease.co.uk

Click here for the Risk survey in full