This post originally appeared on the EQMS website.
Jonathon Bray discusses the benefits of effective risk management in the context of SRA-regulated law firms. He argues that firms need to address their risk management culture, commitment and systems before the COLP and COFA roles go live in January 2013.
What is risk management?
Risk management is a bit of an esoteric subject. You could read entire books or attend multiple seminars becoming an expert on the topic (and COLPs in particular are encouraged to do so!). Suffice to say, a “risk” in the context of a typical law firm is something we all know when we see it. They are usually matter and client-specific, for example:
- high value matters
- novel or complicated law
- PI cases referred by CMCs
- group litigation
- client based in another jurisdiction who we never meet
- instructions from a serial complainer
- cases involving vulnerable clients
But let’s not stop there. What about risks that the business faces? Those that are regulatory, strategic and operational in nature, for example:
- ban on referral fees
- creaking IT system
- big brands and ABSs muscling into traditional work streams
- effect of COLP and COFA burden on firm’s profitability
- cash flow problems on the horizon
- changing demographics of local market
- separate business rules
- impending employment tribunal claim
- succession headaches
Why bother with risk management?
The short answer is that it is your regulatory duty. Principle 8 of the 2011 Code of Conduct states that you must:
“…run your business or carry out your role in the business effectively and in accordance with proper governance and sound financial and risk management principles…”
This obligation is expanded upon in Chapter 7 of the Code (“Management of your business”), and the tentacles of risk management can be found throughout the SRA Handbook.
Rule 8.5 of the Authorisation Rules places the risk management burden squarely on the shoulders of the COLP and COFA, although it is important to remember that the firm and its owners remain accountable for non-compliance at all times.
In the new age of self-reporting, the COLP and COFA are likely to be asked to explain the circumstances behind “material” compliance breaches and why existing systems did not prevent them occurring. A comprehensive, documented and well-used risk management procedure may save the firm and its compliance officers from some uncomfortable conversations with the regulator.
In addition, the SRA is now a “risk-based” regulator. Essentially, that means that it diverts its resources to where there are the greatest risk to clients. All firms have been risk-assessed by the regulator and assigned a rating of high, medium or low impact. High impact firms can expect to be closely supervised by their appointed relationship manager, whereas medium and low impact firms will benefit from a more “desk-based” approach (not to be confused with light touch). Most firms would no doubt prefer to be at the bottom end of that scale and good risk management can help to achieve that, or at least stop the firm from slipping into the higher impact category.
There are good business reasons for addressing risk management too. It makes sense that firms who manage their risks are more likely to enjoy:
- fewer complaints and claims
- reputation for quality
- repeat business
- preferential PII premiums
- less management time spent dealing with the regulator
- less risk of incurring regulatory sanctions
There really is no excuse not to take this stuff seriously.
What does risk management involve?
Managing risk should be second nature, not merely additional form filling. Most solicitors are familiar with to having to manage risk at the outset of a matter, for example by conducting a conflict check, anti money laundering checks and taking a common sense view about the risk presented by each new instruction. Some firms sensibly formalise this into their file opening procedures.
Unfortunately, too many firms see risk management as a one time thing rather than an ongoing assessment. Others relegate the task to a box-ticking exercise for the secretary to complete, which on its own says a lot about a firm’s culture.
Fee earners, in conjunction with their supervisors and the COLP, need to actively manage risk throughout the retainer. That might include:
- self-evaluation and regular file audits
- weekly or fortnightly case update meetings
- revisiting the case plan and costs position regularly
- trawling the cabinets for dormant and “mental block” files
These are all things that need to come naturally and happen automatically. Culture is perhaps one of the biggest challenges for the COLP, particularly if it needs to change.
Closely linked to the culture of the firm is the need for there to be a top-down commitment to risk management. This will help validate the COLP’s attempts to instil the risk management culture and implement new systems (see below).
Demonstrating commitment goes further than sending out a periodic email memo, however. It is more about leading by example and getting involved in the nitty gritty of risk management. It must be clear that risk management is a business priority, not simply a support function performed by the COLP.
Individual commitment can also be measured by file review, firm wide audit and appraisal.
Risk management systems should be part and parcel of the firm’s overall compliance plans. Systems need not be overly complex or burdensome (the simpler the better, is the general rule).
The important thing is that those systems should:
- properly reflect the way the firm does business
- comprehensively identify, assess and deal with risks as they arise
- be followed religiously (see culture and commitment, above)
A good starting point is for the COLP to conduct a firm-wide risk and impact assessment, using tools such as SWOT, PESTLE etc. It makes sense to make this a part of the firm’s overall business planning, and many firms see benefits in engaging all of the firm, or staff representatives, in this process.
Then the COLP might plot the workflows from instruction through to file retention and devise ways of managing risk throughout the process. How can risk management be systemised and highlighted at each stage?
Risk management systems that firms might consider:
- having clear, comprehensive and centralised policies and procedures
- setting up a regular risk management committee to oversee risk within the firm
- keeping a centralised risk register, a live document which sets out how each risk (whether matter-related or more strategic) is being managed, by whom and to what timescale
- regular file audits and team meetings (see “How Quality Circles can help the COLP and COFA”)
- putting in place appropriate supervision systems and informal policies conducive to reporting risk e.g. open door and “guilt-free” policies
- actively monitoring trends in compliance data to anticipate future risks
Risk management is part of the fabric of the 2011 SRA Code of Conduct. In order to ensure compliance with the rules by the time the COLP and COFA roles go live, there is an urgent imperative for firms to commit resources to risk management and take practical steps to address their culture, commitment and systems by 1st January 2013.