How embracing failure can be the path to success
Putting an emphasis on sharing mistakes and learning from experience can strengthen firms' approach to risk management, advises Peter Riddleston
A cultural blueprint that embeds excellent risk management, strong compliance, and robust quality management within a firm will bring a range of business benefits, including fewer claims and hence reduced professional indemnity insurance premiums. But to achieve that outcome, firms must be prepared to embrace failure and place learning from mistakes at the heart of their strategy.
Let’s start with an example of what I mean. Conveyancing continues to top the claims charts for all the wrong reasons. According to figures compiled by the Solicitors Regulation Authority, half of all claims during the period from 2004 to 2014 were for residential or commercial conveyancing, with a massive £767m paid out. And when one looks at the top ten reasons behind claims, failure to properly identify the client is top of the list, according to data previously published by global insurers QBE.
To tackle the underlying issues, firms need to ensure that processes and people’s learning keep pace. For example, a conveyancing transaction can easily be tipped into a higher category of risk where a property is empty, where there are questions over source of funds, or where the solicitor doesn’t meet the client face to face. For staff to respond automatically to such triggers, there needs to be effective, targeted training backed up by responsive processes. To achieve this, the firm must square up to the level of risk that their work presents and be prepared to initiate solutions.
At the heart of this is how we interact with failure and learn from it. Professor Amy Edmondson of Harvard Business School argues in the Harvard Business Review that organisations tend to have an ingrained attitude, where failure is perceived as ‘bad’ and an individual or a situation tends to be ‘blamed’ for the failure, which blocks people from sharing problems as they arise. If an organisation is to be successful, employees must feel safe in reporting failure, and creating such an environment requires strong leadership and a culture where people feel open to learning from their own failures and those of others.
It’s about understanding what happened and why, rather than focusing on who did it. Failure needs to be consistently reported, however serious or incidental, and each instance systematically analysed with the aim of finding root causes and then developing process and learning improvements.
Production-intensive organisations are more likely to have faced up to failure and the blame game and replaced it with a community-based attitude to problem solving. Team members on a Toyota assembly line are encouraged to stop production if they spot a problem, to enable the diagnostic process to start immediately. By comparison, Edmondson found few hospitals systematically analysed medical errors or process flaws to learn lessons, despite human lives being at risk. This reluctance to admit mistakes may reflect hierarchies that impede learning, bolstered by fear of malpractice claims.
Such examples from other sectors can be valuable, and are transferable to our sector, which brings me to the crux of how we can best learn to manage risk: not by ticking the box for compliance, but by being open to learning from experiences – within our own firms, from the broader profession, and other sectors – and then ensuring we share and reinforce that learning.
Collaborative learning solutions
Over recent years, we have focused on supporting firms within the LawNet network to develop an all-embracing risk management culture, founded on continuous improvement. In our experience, tackling the underlying reasons for claims will deliver broad business benefits across the firm and has the potential to help lower PII premiums.
At the heart of this must be holistic risk management training, including key areas such as anti-money laundering, equality and diversity, bribery, and cyber crime, and any identified priorities for the individual firm. But it’s not just tackling the right topics, it’s the approach, and some of the areas we see being tackled by firms to drive this forward include:
Address professional resistance to sharing
Lawyers are often reluctant to admit mistakes, feeling it diminishes their professional standing. Leadership must tackle this head on, by demonstrating that openness is the path to greater professionalism and that a refusal to share knowledge and learn from what went wrong inhibits risk management. Similarly, there can be a tendency in many law firms, and indeed many other businesses, not to share key management information, but the success of risk management lies in sharing the risk analysis and identified solutions as widely as possible.
Constantly test and review processes
Being open to the possibility of mistakes will enable you to test new processes and systems more effectively. And once a process is working, it needs to be subjected to regular review. Let’s take as an example the mounting challenge of cyber crime. We know that fraudsters are finding ever new ways to target the large sums of money handled by the profession, and firms must make sure they keep up to date. For example, criminals are hacking into the electronic communications between solicitor and client by using technology that scans through millions of emails to identify data patterns that may reference valuable financial transaction information. Once a target has been identified, and the relevant email account has been hacked, the fraudsters send scam emails instructing the transfer of funds, whether purporting to be from the client or the firm. If your staff aren’t aware of this, and you don’t update your processes to ensure both client and firm can verify and validate email instructions, then you leave the door wide open.
Deal with specifics, not generic assumptions
Critical to success is coming up with solutions that are firm specific and directly address the root cause of any problems. And it’s important to drill down below strategic level to understand how risks affect specific departments and work types. A good starting point is to analyse the firm’s records of complaints and problems. Record keeping is key to this, and firms must be prepared to share this knowledge internally, and not be afraid to look at specific problems. It is far more effective to use one’s own experiences to drive change than to work with assumptions.
This drill-down, firm-specific approach, based on actual experience and risk analysis, will help create a more nuanced approach to processes and provide a valuable guide to training needs.
Put experiential learning at the heart of development
Ensuring processes take account of new risks, and keep abreast of new scams, is essential, but equally important is how staff are informed and educated to keep pace with those changing processes. It’s not enough to deliver a one-off technical lesson and consider the box ticked.
There are some excellent online risk management training programmes, such as VinciWorks, but they need to be backed up with hands-on experiential learning. Making people retrace the steps of scenarios where things went wrong can go a long way to preventing such things happening again. The experiences may be from your own firm, or drawn from elsewhere – for example, our members tell us how much they value being able to share and learn across the LawNet network, whether peer to peer or when they attend training sessions – or from trainers who bring knowledge from elsewhere in the sector. The key to experiential learning is practice and repetition; individuals must be encouraged to consolidate their learning, with follow-up checks to ensure the learning has got through and is being applied.
Step beyond compliance
New legislation often triggers process change, and while it’s important to ensure that nothing is overlooked, the firm’s existing processes should be measured for compliance and developed to suit, rather than placing a new layer of compliance on top like a sticking plaster.
Firms will need to revisit their AML processes and training because of the new AML Regulations 2017, which will implement the EU’s Fourth Money Laundering Directive. But not every part of the regulations will have the same level of relevance to every firm, depending on the type of clients they act for.
Similarly, the CPD system of continuing competence requires each lawyer to measure their own ability to provide a competent service to clients and this must be embedded in the firm’s risk management. If someone hasn’t acted to identify and satisfy their learning needs, then it should raise a flag as a potential risk management problem.
Preparing to meet the challenge of the General Data Protection Regulation (GDPR) is another example. Common data breaches reported to the Information Commissioner’s Office include loss or theft of paperwork or unencrypted devices, or sending messages to the wrong recipient, whether by post, fax, or email. Brexit will not exclude firms from complying with this challenging new layer of data protection, and reviewing existing systems and past breaches against the new requirements is a good starting point.
To achieve a true cultural shift in risk management requires an acceptance of the inevitability of some failure and an agile approach to change. As Edmondson says, a firm that catches, corrects, and learns from failure before others do is the one that will succeed.
Peter Riddleston is learning and quality director at LawNet