Facing down risks
Chris Marston explains how a holistic risk management strategy can ensure firms are ready to meet change
The global impact of the coronavirus pandemic has changed the colour of our days, both at work and home, more than we could have conceived even a month ago.
I am writing in mid-March, and the situation will be dramatically different by the time this issue lands on your desk. In times of crisis, it’s vital that risk management remains at the forefront of our thinking. Firms will need to continue serving their clients, so it will be business as usual – albeit in exceptional circumstances.
While law firm leaders may be worrying about how to supervise staff working remotely, or how to ensure they continue to fulfil their regulatory requirements, these concerns should have been planned for well in advance of today.
Our member firms must have a business continuity plan in place as part of our ISO9001 LawNet Quality Standard, and this is a good place for all firms to start. However, this cannot be a one-size-fits-all plan, because identifying the unique set of vulnerabilities facing your firm in any given situation is essential.
LawNet’s quality standard requires firms to test their plan annually – ensuring it is up to date and relevant – and to include an evaluation of the potential risks for their firm, and ways to avoid or reduce them.
Of course, it’s unlikely any of our firms could have anticipated a scenario playing out as the coronavirus has over recent weeks; nonetheless their planning will have sharpened their thinking and made them well placed to tackle what happens next.
Importantly, having been required to identify the key people responsible for implementing the plan, they will have been straight out of the gate, rather than spending time working out who will do what.
This helps to deliver swift, clear communication from leadership teams about expectations and processes. It also enables firms to demonstrate that the health and wellbeing of staff and clients is a priority.
Being ready to ask what support is needed by staff, clients or suppliers, and ensuring the issues are addressed early on, can mitigate concerns and better manage your resources.
In the current crisis, it’s critical that firms are alive to the risks arising from people working in different conditions – and probably remotely. There will be an increased risk of fraud, with heightened tensions around the coronavirus. Staff are likely to be distracted and more susceptible to fraudsters.
Consultancy firm RSM has reported that phishing emails purporting to be from (among others) the World Health Organization (WHO) are on the increase, with criminals trying to collect valuable personal data.
Specific areas of work may be more vulnerable. For example, one of our earliest actions in the current coronavirus crisis was to send out guidance to members on the risks relating to conveyancing transactions. This tackled issues such as the higher risk of non-completion or withdrawal.
Allied to this, those who are vulnerable or unwell may not be able to move at the point of completion; third parties, such as removal companies, may be unable or unwilling to undertake their work.
Although most scenarios are effectively covered by contractual provisions, firms should be reinforcing risks and rights with clients and highlighting how and where exposure may be mitigated, such as through insurances.
It’s not just about conveyancing, although that is always a top priority because of the large sums involved. Whatever the circumstances, firms need to carry out risk assessments in all areas of work and ensure any guidance to staff or advice to clients takes identified risks into account.
But as we all know, risk management is not just for tackling major crises such as a pandemic. The consequences of poor risk management reach into every aspect of practice, affecting professional indemnity insurance (PII), professional reputation, staff morale and beyond.
Yet too often risk management is viewed as a burden, ‘ticking the box’ for compliance or quality management purposes, rather than an opportunity where gains can be made to deliver a return on investment.
A firm can become more agile and able to deal with new threats as they arise if it puts a robust risk management strategy at the top of the agenda, and ensures its people are fully engaged, through the right blend of culture, process and customer service.
A sound risk management culture will help you reduce claims and keep your PII premiums manageable. It should also deliver far-reaching, tangible benefits that pay out all year round. It should help ensure you choose clients who will pay on time, that you filter out inefficient suppliers, and that you recruit and retain the best employees.
Furthermore, it should help tackle fraud – particularly in the form of cybercrime – which remains a key focus for firms. So there should be a direct impact on your bottom line; and strong processes will help to keep your insurers and bankers happy.
While holistic risk management is likely to involve additional resources, you should see a corresponding return on investment, so firms should have systems in place to measure the value of their risk management.
In our most recent research, we found only 20 per cent of firms were analysing associated costs, despite a third having higher numbers of staff dedicated to risk management than two years previously.
We have seen many significant legal and regulatory changes over the past few years and these continue, but any risk management strategy must be built on an expectation of shifting sands (and viruses) if a business is to be equipped to respond.
Change is an inevitable part of life – even dramatic, unprecedented change such as the coronavirus pandemic. It is how we prepare, respond and adapt that will ultimately determine our success. So how can you enhance your risk management strategy?
Create the right environment – The link between risk management and good business practice is vital. Robust risk management should be the natural outcome for a business which has a highly effective management focused on the right issues.
It’s about creating a culture where staff understand and embrace the processes and procedures that lead to good risk management and appreciate the learning and improvements that can come through internal and external audits.
Establishing and embedding that culture is essential. Avoid creating a tick-box mentality because staff instincts need to be finely tuned to identify potential risks.
Technical and experiential training is key, equipping staff with the necessary understanding to make risk mitigation an integral part of their daily work.
Most of the staff taking part in our research acknowledged risk management as a vital business tool. However, junior and administrative staff were more likely to see compliance as the most important aspect of risk management. Fear of the regulator and satisfying regulatory requirements often dominates attitudes in the sector, with less attention paid to reputational and financial risks.
Build meaningful processes – Real cultural change demands a made-to-measure approach. Risk management should be a natural process and the key lies in it becoming integral to the firm’s day-to-day activity.
To achieve that, processes must reflect the way people work every day. Where risk management is built into workflows, it must be provable and doable. Effective management systems should be focused on delivering results that make risk mitigation the natural outcome. Many firms have demonstrated that well-considered IT systems can support great results in risk management.
Regulatory compliance and fear of the Solicitors Regulation Authority (SRA) is high (as our research found), yet a poorly checked client could bring down a firm.
The checking doesn’t only relate to whether they are who they say, but also ensuring the client has the wherewithal to pay their bills; that the work type is a match for your firm; and they are a client with whom you want to do business.
If they are difficult, slow to pay, challenge advice or refuse to confirm instructions, experience shows they’re more likely to complain later.
When it comes to complaints and claims, firms must be open to the benefits of sharing and learning from mistakes. This is the route to improving future processes. Our research revealed relatively few firms (14 per cent) sharing these issues throughout the firm, although some (60 per cent) were sharing at departmental level.
Secure fraud fault lines through systems and staff – A holistic approach should match the right processes with safeguards on human interactions. As custodians of client funds and conduits for important and sensitive transactions, solicitors are an obvious target for cyber-related fraud.
This is highlighted in the SRA’s latest risk outlook; and reflected in our own research: cybercrime and fraud were ranked the biggest threat by 40 per cent of our member firms.
And that’s with good reason: recent analysis of the top 200 UK law firms by Crowe, KYND and the University of Portsmouth’s Centre for Counter Fraud Studies (2019) revealed a range of vulnerabilities, including:
- 91 per cent of firms were exposed to the risk of having their website addresses spoofed and used to send spam, phishing or otherwise fraudulent emails.
- 80.5 per cent were running at least one service, such as an email server or webserver, with a well-known vulnerability that could be exploited by hackers.
- 79 per cent of firms had at least one domain registered to a personal or individual email address, representing a significant threat to business continuity and domain ownership.
The range of scams keeps evolving and we’re adapting to the new lexicon of cybercrime. Yet research undertaken by global insurance broker Marsh (which manages our LawNet professional indemnity scheme) found that almost 70 per cent of the companies it surveyed do not assess their suppliers and/or customers for cyber risk.
Penetration testing by outside agencies can help test defences. Good process can be recognised through accreditation such as Cyber Essentials Plus, and we have been recommending this to member firms as a way of supplementing the information security provisions in our ISO9001 LawNet Quality Standard. For bigger firms, the next stage may be ISO27001 certification (a more sophisticated information management standard).
The route to fraud prevention today lies through a two-pronged approach that places equal importance on process and training.
Advances in technology may provide hope for the future in the fight against fraudsters, but the challenge of keeping pace with these criminals will remain, as fraud generally occurs because of human lapses.
Sharing knowledge on attempted fraud and discussing claims will help. If your firm suffers a loss, learn from the experience by changing processes, introducing training initiatives and bringing in outside help to strengthen defences.
We find firms sharing experiences in this way across the LawNet network and this is helping them be better informed and able to implement best practice.
Chris Marston is chief executive at LawNet (lawnet.co.uk)