The legal market is conservative when it comes to risk management, and firms often view proactive risk identification and policy setting as more perilous than helpful. However, recent events related to data breaches, regulatory compliance, and client issues are driving increased focus on risk management from general counsels, insurers, and clients. Key trends include greater partnership between general counsels and IT leaders on risk issues; heightened attention to data confidentiality and security; engagement of professional liability insurers in risk discussions; and growing client sophistication in evaluating law firms' risk handling capabilities. Over time, firms may transition more risk responsibilities to centralized teams and formalize previously implicit risk mitigation.
Trends Shaping the Future of Legal Risk Management
by Dave Cunningham and Meg Block, 2010
Despite the growing awareness, complexity and consequence of risk, risk management is still challenging to define in the legal environment. Each person involved has a different perspective of the situation, probability, severity and the consequent priorities and scope of responsibilities.
Risk Management Issues
Recent events highlight a variety of issues. A number of law firms, for example, have been in the news because private information was leaked to the public. This type of event, as well as multiple search engine rollbacks (after private information was uncovered through internal searches) and HIPAA compliance initiatives, has caused firms to focus on data security, confidentiality and control across systems. Ongoing management of ethical walls, legal holds, data transfer agreements and data from lateral lawyers adds to the need for secure systems.

For practice leaders, fixed fee engagements and requirements to “know your client” are creating a stir around how assertively a firm manages engagements. For general counsels, an increased likelihood that clients will “go bad” in these troubled economic times puts pressure on validating the client’s business integrity upon intake and monitoring it throughout the life of the engagement. Regulatory compliance obligations are so complex
that a management team — the general counsel, IT and content specialists — is needed to set the course.

Beyond these recent hot buttons, the traditional areas of risk, including records, conflicts, new business intake, finance, employment and IT disaster recovery, are areas where investments in people and technology continue to be sustained. The pressure to deal with risk effectively is increasing as more assets are vulnerable and the consequences are more severe. For now, risk management efforts are focused on the events that create risks to the firm’s data, image and profitability, and many of these revolve around the IT department.

Risk Management Themes

Hildebrandt Baker Robbins recently conducted a study to gather the insights of general counsels, IT leadership, professional liability insurers, risk directors and risk vendors, and their input has given us a unique viewpoint of risk management issues and trends. Jim Jones, Co-Managing Director of Hildebrandt Baker Robbins and facilitator of the General Counsel Forum and five general counsel roundtables held each year, also contributed his perspective.

We observed the following trends that are shaping risk management:

• Partnership of Risk Leadership and IT Leadership:
While risk management in law firms is quite fragmented, general counsels and IT leadership are increasingly working together at the center of related activities. This partnership reflects how much law firms depend on technology and electronic information, with technology both creating and mitigating risks. As products that address risk issues come to market, general counsels will be more likely to drive technology decisions, furthering a joint risk management role with IT.

• Data Confidentiality:
Protecting the confidentiality of information has already emerged as a leading issue for the legal community. While the improper use of information in written and spoken form is critical to control, it is the electronic form of information that dominates IT’s agenda. The volume of data, as well as its varying ownership and location, complicates compliance with preservation orders, ethical walls, HIPAA regulations and other expectations of security. In 2010, the widespread adoption of enterprise search and the maturity of software to automate data confidentiality, as well as concerns about law firm data security breaches, are expected to accelerate the tackling of compliance and privacy issues. Some firms are considering how digital rights management (DRM) can be applied, and, over the longer term, others are considering working toward meeting the ISO 27001 information security standard.

• Engagement of Professional Liability Insurers:
Law firm insurers are active in risk discussions and periodic assessments, yet they have not traditionally been aggressive in exploring new boundaries in risk mitigation. Recently, progressive insurers have increased investments in education for the market and have made funds available to help law firms hire third-party resources to improve risk management and compliance. Some law firms are attempting to negotiate discounts on their premiums by improving their own handling of risks and compliance. While the insurance underwriting process is expected to remain at a high level in most situations, insurers are eager for law firms to develop coordinated risk management programs.

• Practice Risk:
Partners are finding themselves at the center of one of the fastest changing risk areas: client and engagement risk. There is an increasing need to identify and control these risks. Pressure from clients for alternative fee arrangements (e.g., fixed, capped or contingency) increases the likelihood that some clients will become “bad clients,” especially in this rough economy. In addition, the increased outsourcing of legal processes is forcing lawyers to adopt principles of project management, including scope definition and budgets, scope change control and status communications. “Know-your-client” obligations are being given more serious consideration, with some firms re-validating clients from time to time and some contemplating teaming experienced project managers with partners to lead matters.

• Client Sophistication with Risk Requirements:
The continuing formalization of client relationships has created a noticeable increase in questions from corporate legal departments about law firms’ risk handling capabilities. Questions in RFPs are common, and a few law firms have been audited for risk mitigation protocols by their largest clients. Based on current trends, we expect risk questions to become more specific and sophisticated over the next two years.

• Outsourcing of IT Risk:
Law firms have made huge investments in IT recovery capabilities, as they understand the effort and diligence necessary to maintain redundant systems and data. IT increasingly has viable options to lean on third parties for the expensive and not-so-often-used recovery capabilities. These transitions to outsourcing have the potential to notably reduce costs and save staff time.

• From Implicit to Explicit Risk Mitigation:
The legal market is conservative when it comes to risk management, and firms often view the proactive identification of risks, along with the subsequent setting of policies and compliance expectations, as activities that cause more peril than they resolve. While the expectation for explicit policies and education is growing in general, specific IT policies and the automation of assessment and compliance (for risks such as data confidentiality and system change management) are still exceptions. We expect that to change in the next two years.

• Centralization of Risk Management Responsibilities:
Responsibilities for risks are as fragmented as the risks themselves. A slowly emerging practice is to create a multifunction risk team that includes business leaders across the firm and some representatives from practice groups. The charters for these committees include governance, risk and compliance (GRC). Governance refers broadly to the rules, processes or laws by which organizations are operated, regulated and controlled. An organization’s perception of and tolerance for risk rest on the backbone of its governance. Risk management comprises the plans, policies and procedures designed to control activities in order to accept, avoid or minimize risk. To understand whether risk management controls are being followed, compliance, the organization’s behavior relative to those controls, must be monitored and measured.

• Internal Assessments:
An elemental aspect of professional risk management is the ability to create a sustainable education and compliance environment. While periodic external audits are appropriate, an internal assessment capability ensures day-to-day analysis of progress and improvements. Some larger firms have hired director-level risk leaders to facilitate this process, although these roles still have limited purview to reach across the firm to identify risks. As the multi-disciplinary risk teams mature, the internal assessment process is expected to be high on the agenda.

• From Loss Prevention to Competitive Advantage:
The main focus of risk management in law firms has been minimizing losses from malpractice claims. The newly developed ISO 31000 risk management standard offers a more positive perspective; it notes that risk management is not only the mitigation of loss, but also the improvement of “efficiency in operations, environmental protection, financial performance, corporate governance, human health and safety, product quality, legal and regulatory compliance, public acceptance, and reputation.” By addressing the risks represented by the topics discussed above, law firms can find ways to create viable business advantages.

It took ten years for general counsels and risk partners to become commonplace in law firms, and we expect that some of these trends will also take years to become the norm. In the interim, IT’s proactive participation in understanding and addressing risks helps to ensure that the consequences of risk events do not fall disproportionately on IT’s shoulders.

Peer to Peer, the quarterly magazine of ILTA, pages 41–43 (www.iltanet.org)