Reaping the returns of risk management

Faced with ever-increasing costs, every firm needs to be looking at how to get the best deal for professional indemnity insurance (PII), and that takes commitment. It is not enough to say, 'well, we have ticked the boxes for compliance', or to hold a quality standard. Yes, these are essentials, but they are only a small part of the story. To keep your insurance premiums under control, create the right blend of culture, process, and customer service, all wrapped up in a risk management strategy.

And, while the cost of y our premium may be the first thing that comes to mind when thinking about PII, taking a more robust approach to risk management is something that will pay dividends all year round, such as choosing clients who will keep cash flowing, filtering out inefficient suppliers, attracting and retaining excellent employees, keeping the bank happy, and increasing your bottom line, as well as helping to tackle fraud.

It may sound like big talk, but I am certainly seeing returns on a vigorous attitude to risk in firms across our network, as well as reduced PII premiums through our group scheme. The scheme is a robust barometer as it involves more than £1bn of cover, the largest group placing in the market. This combined placing gives members the benefit of collective buying power - offering insurers a number of firms with a fairly positive risk background and who all share a similar profile and risk management culture - while still paying a premium that reflects their own firm's risk profile. Group schemes also offer a degree of stability in underwriting, which comes from pooling lots of money with one insurer, smoothing out fluctuations due to both market conditions and individual history. Firms also benefit from low brokerage fees.

Across our network, last year's premium as a percentage of fee turnover fell to an average of 2.3 per cent at last year's renewal; a 7 per cent reduction on the previous year's average percentage of fee turnover. Around two-fifths of our members paid a rate of less than 2 per cent, and almost three-quarters paid less than 3 per cent of their fee turnover. This has been achieved in part due to the compulsory ISO 9001 quality standard our firms must hold to be part of the LawNet network, but it is also the result of a real drive on risk management, which we see in granular detail through our supporting services.

Evolving scammers

This year, fraud and cybercrime has been the hottest topic. The range of scams keeps evolving, and we are getting used to a new lexicon of things to worry about, such as phishing, vishing, and social engineering crime - we cannot afford to stand still (if you are unsure about any of the terms, take a look at the glossary on the Cyber Risk and Insurance Forum: https://bit.ly/SJCRIF).

Also, KPMG produces a regular fraud barometer, with the latest figures published in January 2016 putting the total cost of fraudulent activity in the UK at £732m, up from £717m in 2014, with businesses persistently targeted by fraudsters to the tune of £176m. Recent reports revealed that 48 international firms, some based in the UK, had been targeted by a Russian cybercriminal aiming to steal information on mergers for insider trading, with New York and London firm Cravath Swaine & Moore confirming its systems had been breached, and since reinforced.

The Solicitors Regulation Authority (SRA) has reported more instances of firms falling victim to fraud, particularly in the conveyancing sector. My banking contacts support this, saying there has been an exponential rise in firms affected by fraud. Some allow malware to infect computer systems, which opens the door to hackers, who can use keystroke-tracking programs to obtain confidential financial data.

Others have fallen prey to scam emails, disclosing their internet banking login details to criminals. On other occasions, firms have succumbed to highly skilled fraudsters using sophisticated 'vishing' telephone scam techniques to extract internet banking credentials. We are taking action to help firms within our network tackle this rising threat by introducing a support package to enable them to understand and assess the risks to their own practice and implement quality standards, such as the Cyber Essentials Plus.

Registering cybercrime

Research undertaken by global insurance broker Marsh found that 69.4 per cent of companies surveyed do not assess their suppliers and/or customers for cyber-risk. And, despite being ranked a tier-one threat by the National Security Strategy, one in four of the UK companies surveyed did not consider cyber-risk to be material enough to even get on their risk register. Just 16.6 per cent placed it as a top five risk, with the remainder placing it outside their top ten.

This was a cross-sector research exercise by Marsh, but I would not place a bet on the figures being significantly different were the research applied solely to the legal sector, and indeed Marsh has been actively raising awareness of the specific risks faced by the sector, issuing guidance last year.

As custodians of client funds and conduits for major transactions, solicitors are an obvious target for cyber-related fraud, whether by small-timers or sophisticated, organised criminals, who are determined to overcome barriers and risk controls that would previously have been more than adequate.

It is a huge problem, which is set to plague us over the coming years, and not just in terms of attacks on internal systems. In recent weeks, we have seen a professional indemnity insurer announce its withdrawal from the solicitors' market, citing the increased likelihood of fraud involving client accounts as a key factor in its decision, as well as 'unsustainable' premium rates among its competitors. Elite Insurance accounted for 2.62 per cent of the market share for 2014/15, down from almost 4 per cent the year before. That may seem small fry, but just 12 insurers wrote more PII business for solicitors' firms in 2014/15.

Inevitably, as insurers withdraw from the market, others will try to seize an opportunity; there is, consequently, the worry of ensuring that the insurer the firm eventually signs with is bona fide - one only has to look back a few weeks to the headlines when financial regulators imposed fines of £15.5m on five individuals who took part in unauthorised solicitors' PII schemes. The schemes left 1,300 firms exposed, and the broker, Bar Professions Ltd, is now in liquidation, but was censured by the Financial Conduct Authority for encouraging solicitors to 'enter into contracts of insurance on the basis of materially inaccurate and misleading information'.

While it is undoubtedly a regulatory 'must-have', PII is so much more than a commodity purchase, and a stable relationship with broker and underwriter is fundamental. Firms should be wary of insurers who offer attractive premiums to attract the business but are highly reactive to claims. Our own insurers take a long-term, balanced relationship view and work, along with their panel solicitors, in a constructive way with members when claims arise.

SRA requirements

Alongside this, there's the continuing uncertainty around the SRA's professional indemnity requirements. The regulator has announced an intention to reduce the cost of regulation, and thereby the cost of legal services to consumers. It has argued that a lower minimum cover limit would reduce premiums and increase flexibility, and has even mooted the idea of scrapping a minimum level altogether.

After failing with its earlier attempt, the SRA presented revised proposals, to which the Law Society responded swiftly, arguing that such a cut in indemnity insurance cover could damage firms and destroy confidence in the legal profession. For now, we must await the outcome of detailed proposals and further consultation.

It all adds up to PII continuing to be a red-hot issue: it's no wonder that so many firms try to ignore it for much of the year. But there are many gains to be made for any business that is prepared to put risk management strategy at the top of the agenda, making sure people are truly engaged and embrace risk management as part of the everyday. It makes a firm more agile and able to deal with new threats as they come along.

Case studies

East of England regional firm Ashtons Legal says
that being seen to be doing things correctly is
a selling point, particularly as clients are increasingly concerned about the impact of cybercrime on their data and funds. As the managing partner, Edward O'Rourke, says: 'The cost and impact of getting it wrong could be devastating for our business. But there are much wider benefits, such as attracting and retaining high-calibre staff, who want to work for firms where they can see risk is being managed properly, particularly if they're looking to take
an ownership stake in due course.'

For Mogers Drewett in the South West, the firm is showing a real financial return and demonstrating that simple changes can have a far-reaching impact. For example, a robust evaluation of clients before taking matters on is leading to lower lock-up, fewer bad debts, and better client retention. 'Risk management drives everything we do,' says the managing partner, Steven Treharne, 'and our procedures have been evidenced on the bottom line.'

FBC Manby Bowdler in the West Midlands has come up with a dedicated compliance team that is attracting sector interest as a model. Initial resistance by fee earners to share client relationships with the team has long been overcome, and, as the managing partner, Kim
Carr, says: 'We felt we had to embrace a risk management culture to make our firm safer and our clients safer, and we've seen a real return on investment as a result.'

'It's about making risk management a part of the culture, part of the day-to-day, from induction of new starts to the end of the client matter,' says Martyn Trenerry of Mullis & Peake. 'Having to achieve the ISO 9001 standard was a turning point for us, as we found it embedded the right culture and reached into every aspect of our business. We're seeing greater client engagement, greater staff engagement, fewer claims, less opportunity for financial loss. We get better deals on our PII, but also with our suppliers and at the bank.'

Ron Davison of Gamlins Law in North Wales agrees: 'One of the major issues is getting staff to believe they should not be fearful of regulation. We now try to make compliance happen without people noticing, focusing on what's really right for our firm. There is no one-size-fits-all.'

'Risk management needs to be embraced as a management tool, not just a hoop to jump through,' adds Alison Lee of Biscoes Law. 'That attitude has given us much more consistency in the quality of our work and how it's delivered.' SJ

To hear the firms talk about their experiences visit https://bit.ly/SJPIIvids

 

Pocket notes   ?? Tackle the cybercrime issue up-front: this is critical. The end result of cybercrime for a firm of solicitors is likely to be the theft of client money. Last year, we encouraged our members to set out their cyber-security policy for serious threats, and this was submitted alongside their PII proposal form. It was well-received by underwriters and, this year, insurers are likely to insist on it across the sector, having experienced the first rash of claims. Be ahead of the curve and offer details of your security policy, rather than waiting to be asked. No one is immune, so demonstrate that you understand this and if you’ve experienced but withstood attempted scams, say so; ?? Demonstrate good practice and seek recognition: if you’re working hard to improve risk management, your insurer should recognise your efforts. Each year, we look to see a correlation between progress made and premium paid for our firms. Last year we saw the rate against fee income fall for half our members, who demonstrated exemplary progress over the previous year. Premiums fell by as much as 14 per cent where risk management to avert claims was recognised and rewarded; ?? Face up to your past: show you’ve been working to change things if you have previously been hit by a bad claim, or a number of small ones. Set out the steps taken to tackle what caused the claim and show that you have thought about other potential risks and taken action. A big claim may still need to ‘wash through’ over several years, but it is likely to stem future rises; and ?? Optimise, not minimise your cover: the SRA currently imposes a minimum cover level of £2m, or £3m for LLPs and limited companies, but, as I have already mentioned, this could change. If it does, and you think there is an opportunity to cut your cover and reduce your premium, think it through carefully before you do. LawNet imposes a minimum limit, and our network members must carry at least £10m cover, but they’re not looking to get that cut, as they understand the collateral risk. Larger commercial clients may be reluctant to give instructions if you reduce the level of protection against something going wrong, or firms may not refer work if insufficient cover is in place. What is important is having the right level of cover for the type and value of work your firm undertakes and the clients you serve.

 

Chris Marston is chief executive of LawNet