Navigating new frontiers in law firm risk management
Jessica Clay, Julie Norris and Lucinda Soon review transformations in risk management considerations in law firms
In 2023, developments in respect of AI, workplace culture and economic crime created new and emerging challenges for law firm risk management, with the spotlight in these areas set to continue into 2024 and beyond.
The recent advancement and fast-paced trajectory of generative AI and the proliferation of large language models (LLMs) will require agile and progressive leadership across all sectors to protect us from harm while enabling us to reap the benefits it can provide. How firms start to grapple with this challenge is no exception.
On 1 November 2023, the SRA published its corporate strategy for 2023 to 2026, citing “supporting innovation and technology” as a key strategic priority. Part of the SRA’s relevant work includes establishing a regulatory sandbox to provide a safe testing environment for law firms and tech partners to deliver legal services through innovative products and tech-based approaches.
The SRA sets ethical and professional conduct requirements which will extend to the safe use of AI. It’s important to highlight that the SRA’s ethical Principles are overarching and universally applicable. These Principles are not limited to legal practitioners but also extend to all individuals employed within a firm, including those in tech and innovation roles. These Principles will apply to how AI is used within firms and in the delivery of services to clients.
The SRA Codes of Conduct also include requirements such as ensuring that individuals and firms provide competent services to clients and keep their skills up to date. For those with management responsibilities in firms, there is also a requirement to ensure the same in relation to those they supervise. While this is not yet specifically in relation to technological competence, there is no reason why this existing requirement would not entail a need to understand the AI tools being used and the associated risks. Finally, firms must identify, monitor and manage all material risks to their business, of which generative AI is arguably becoming a frontrunner.
When considering law firm risk management, it is essential to consider the question of how to use AI safely and effectively in the same way you would when making any other key decision: assess the risk and be accountable by ensuring all key decisions are underpinned by an ethical framework for decision-making. This is all set out in the SRA’s most recent report on the use of AI in the legal market.
Finally, the following will stand a firm in good stead when it comes to the use of generative AI:
- do not input any confidential or commercially sensitive information into an open AI large language model.
- scrutinise and verify the information the model generates as we know that these AI models can produce incorrect content which appears to be convincingly accurate.
In another important development last year, the SRA introduced new standards into its Codes of Conduct in respect of fair treatment, requiring individuals and law firms to treat those they work with fairly and with respect, and not to bully, harass, or discriminate unfairly against them. Partners in law firms have an additional obligation to challenge behaviours that do not meet the new standard, while firms must ensure the standard is met by all employees.
The new standards are broad and far-reaching. It is clear that the SRA expects firms to monitor and address workplace culture and environmental risks that may give rise to a regulatory concern and to do everything that they reasonably can to look after the wellbeing of colleagues. Importantly, the SRA is now in a stronger position to take enforcement action for serious failings by a firm to address these types of risk.
For firms, consistent dialogue between HR, the firm’s general counsel, compliance officer for legal practice (COLP) and the risk & compliance team is paramount for ensuring effective monitoring and risk management in the workplace. It is likely that the SRA is already investigating an increasing number of reports in relation to the new standards, but it is too early to say with any certainty what level of enforcement action the SRA will decide to take for serious breaches.
Firms should ensure policies are updated in line with the new Code requirements and follow this up with a programme of training for partners and staff. Firms might also need to have additional policies in place which clearly set out how the firm expects partners to challenge inappropriate behaviours they observe and the channels available to staff to escalate concerns to HR, the COLP, the managing partner or other senior partner in their team.
The new standards also highlight the importance of keeping accurate contemporaneous records and carrying out robust internal investigations when concerns of a more serious or repeated nature are raised. Such measures will assist firms in their decision making on whether concerns reach the seriousness threshold such that they require reporting to the SRA. In addition to responding promptly and effectively to incidents that have already arisen, it is clear that the SRA now expects firms to take a more proactive approach in ensuring workplace risks are properly managed before any such issues arise.
Tackling economic crime
Just over a year after its first reading in the House of Commons, on 26 October 2023, the Economic Crime and Corporate Transparency Act received Royal Assent. This Act contains several provisions which will strengthen the SRA’s powers to regulate matters relating to economic crime.
First, the Act removed the statutory limit on the amount of penalty that the SRA may direct an individual or law firm to pay in cases relating to economic crime. Specifically, where the SRA considers that an individual or firm has failed to prevent or detect economic crime, or that their failure to act had the effect of inhibiting the prevention or detection of economic crime, it can now impose an unlimited fine. The situations in which the SRA will be able to exercise this new power are wide-ranging owing to the definition for economic crime being broadly defined under the Act.
This Act also enables the SRA to proactively request information from those it regulates in relation to economic crime. Currently, the SRA’s powers of disclosure of information or documents are limited to when such disclosure is necessary for the purposes of an investigation. The new provisions mean the SRA will have the power to require persons to disclose information and produce documents even when it is not at the point of investigating a matter, as long as it considers such disclosure necessary for it to perform its regulatory functions relating to the prevention or detection of economic crime.
Finally, the Act introduces a new regulatory objective into section 1 of the Legal Services Act 2007, the effect of which is that the SRA and other approved legal regulators must act in a way which “promotes the prevention and detection of economic crime.” This new objective underpins the extended powers that have been granted to the SRA and provides the reason upon which they are deemed necessary.
The impact of these new provisions will certainly play out in 2024. The SRA is likely to expect firms to have adequate policies, controls and procedures to both manage the risks of, and detect, economic crime.
Jessica Clay is a partner, Julie Norris is a partner, and Lucinda Soon is a legal director at Kingsley Napley