A wider angle
Most of the articles that appear in this column are concerned with the management of risks which could specifically give rise to the potential for complaints or for claims on a practice's professional indemnity insurance policy. However, there are many other risks which practices face – see, for example, the article on business continuity management (Journal, May 2003: see also box on page 34). Law firms are exposed, like other businesses, to a wide variety of risks, including health and safety, the detrimental effects of stress, loss of key staff, reputational risks, physical catastrophe and financial risk. Only some of these risks can be insured. Looking at high level (strategic) risks has been the focus of a series of corporate governance reports issued in the last few years. Listed companies in particular have been asked to review how well their directors understand the significant risks to the business and how these are being controlled.
Strategic risk review is the process by which those significant risks are identified and ultimately managed. Such a review is not about a business examining all of its day-to-day risks (sometimes termed 'operational' risks) in detail. To this extent, a review of strategic risk differs from the exercises that solicitors are used to conducting when dealing with managing risks associated with professional indemnity claims.
Analysing strategic risk involves focusing on the wider nature of risks to the success of a firm.
Why is this important to firms?
There are a number of benefits which flow from reviewing strategic risks:
Sharing knowledge
A properly conducted strategic risk review will gather together examples of best practice and concerns from across a firm. Such concerns could be about the way in which the business is being run, how fees could be generated or lost, or how prepared the business is for particular events. This exchange of information is often lacking in organisations and can lead to gaps in business planning.
Case study
Firm L undertook a review of strategic risk and discovered that one department had undertaken extensive work to streamline its work processes in an effort to reduce the time spent on repetitive tasks. The head of the department had been concerned that without these measures, the firm’s fees would not remain competitive. This had been perceived as an exercise specific to that department. However, following the risk review, the lessons learned in that department were used to assist other departments with their own business planning.
Clarity of purpose
A review will give a clear idea of where the firm currently is in relation to its overall risk management plan, where it requires to be in terms of risk management planning and by when.
Efficient use of resources
One of the major advantages of a review is that a structured plan for tackling major risks will be produced. When undertaking a review of major risks, some firms are overwhelmed by the number of risks which they would like to address. Without prioritising these, it is hard for any risk control work to take place. Firms have limited resources with which to undertake risk management work of this nature and without care those scarce resources can be poorly deployed, leading to limited benefits.
Some misconceptions
Some law firms still believe that strategic risk review is a process which is worthwhile only for multinational corporations and that it has limited application in a professional services firm. Much of the literature regarding strategic risk management does concern large organisations, but law firms, of various sizes, do undertake strategic risk reviews and derive benefits from them. Admittedly, there are different issues in law firms to those present in, for example, manufacturing organisations. Any strategic risk review requires to be sensitive to the needs of firms and understand how law firms operate. Before employing outside assistance with a strategic review it is important to ensure that the organisation does have experience in conducting exercises for law firms.
Another common misconception is that a strategic risk review is principally about listing "bad things that can happen". In fact, a properly conducted review will also consider the opportunities which are present should firms be able to correctly evaluate and control particular risks.
Case study
Firm B identified that one of their critical risks was turnover of highly qualified/experienced staff. This had been an unspoken concern in the firm for some time. A strategic review highlighted this as an immediate action point and forced the firm to consider ways in which to control this risk. This was deemed to be effectively an uninsurable risk. The firm had a difficulty in that their financial analysis demonstrated that promoting certain individuals to partner would be uneconomic and an unsatisfactory long-term fix. As a result, and after consultation, the firm implemented a flexible benefits programme designed to reward personnel by way of non-salary benefits not offered by rival firms. While reducing the risk of defection and associated loss of clients, Firm B was able to grasp the opportunity to deliver a benefits package across the firm that increased individuals’ satisfaction with their remuneration and made the firm attractive to prospective recruits.
Undertaking strategic risk review effectively
There are examples of firms setting about strategic risk reviews in an informal manner. Whilst informality is superficially attractive, it is often the case that, as a result, the firm fails to identify its significant risks or, having identified risks, has been unable to assess or prioritise these effectively. The result tends to be an extremely long list of "bad things that can happen", with no clear idea of how to prioritise them in a practical way and thereafter apply effective controls. If, ultimately, effective controls cannot be implemented by the firm, the review will have been nothing more than a paper-creation exercise.
An effective risk review must follow some sort of structured process. That process must address the four principal cornerstones of risk management:
Identify
Identify the significant risks to the firm. The process by which these are identified must be sound: a list of risks identified only by one person may not be particularly valid or address the concerns of other individuals within the firm.
Analyse
Any identified risk must subsequently be analysed. Two principal issues are important in any analysis: who analyses and using what criteria? One of the most significant problems in risk assessment is the method of analysis. This is because individuals think about risk in different ways and no two people necessarily have the same notion of what is "risky". Any analysis of an identified risk has to be able to stand up to examination following the review. This may involve obtaining the views of a number of individuals in relation to that risk, in order to avoid one person's prejudices unduly influencing the assessment of the risk.
Case study
Firm M had conducted a strategic risk review. The review had principally involved two of the partners who had each undertaken their own identification of strategic risks facing the firm. An assessment of the risks was made according to whether the risk was perceived to be “high”, “medium” or “low”. This was then shared with the rest of the partners. This caused various disagreements. Some of the other partners complained that pertinent issues had been ignored or, where identified, had been assessed as being “low risk”, where, in fact, they were of significant importance. One of the issues was whether the firm’s failure to invest in a case management system for the conveyancing department had been correctly identified as a low priority issue. Because of this an “agree to disagree” mentality developed which resulted in the review stalling without achieving Firm M’s objectives but after wasting considerable amounts of partner time.
Control
Once the risks have been analysed, some decision on improvements to risk control methods requires to be taken. This can only effectively be done once the analysis shows the most important unchecked risks to the practice. Controls can then be applied to the most pressing matters first. At this stage, an individual requires to be assigned responsibility for managing particular risks and timescales require to be decided upon for action. It should be borne in mind that many of the controls on the risk identified will not be related to insurance, since many of the strategic risk issues facing law firms are not capable of being transferred to the insurance market.
Case study
Firm S identified business continuity as a strategic risk issue. By using a structured risk analysis involving a number of key personnel, the partners were able to assess that the current controls on the identified risk were inadequate. This led to Firm S allocating funds towards, and setting a completion timescale for, better business continuity planning. The partners in Firm S were able to satisfy themselves within six months that this particular risk could now be reassessed as being “low risk”. The process that had been used meant that it was obvious to all concerned what the specific problem was and that it had now been addressed.
Monitor
The final stage of the risk management process is to review both the effectiveness of the risk controls implemented as well as the identification and assessment of the risks. The risks faced by the firm will change over time and the firm will have to make a decision as to how the exercise is reviewed and by whom. It is at this stage that the benefit of having a structured process of identifying and evaluating individual risks becomes apparent. The framework can then be used repeatedly to review the major risks on a continuous basis.
In fact, it is probably misleading to talk of a strategic risk "exercise" - for the best managed practices it will be an evolving process and repeatedly revisited. To ensure that the process is successful, its importance requires to be communicated to all the firm’s personnel. There must be commitment to the process from across the entire practice and enthusiastic individuals should be involved in it. And the alternative to investing time in this type of risk management process? The response "We never saw that one coming" is seldom a desirable sentiment in managing any business.
Risk: business continuity management
Many organisations worry about how they would cope with a major catastrophe, such as fire, resulting in the loss of a key office. Planning for such an event is often referred to in a variety of ways and the terms “emergency planning” or “disaster recovery” are often used to describe a variety of different things. It is suggested that a better way to approach such risk planning is to think in terms of planning for business continuity: there are many events which, although not a full scale disaster, could still seriously affect a firm if not handled correctly.
Business continuity planning is the formulation of a detailed strategy incorporating pre-emergency planning, incident handling and post-event recovery, applicable to a variety of threats to the operation of the business.
Charles Sandison is a former solicitor in private practice and is a Consultant to the Financial and Professional Risks Division (FINPRO) at Marsh (e-mail: charles.sandison@marsh.com). He has experience of advising firms in relation to strategic risk management issues.
The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.
Marsh Ltd is a member of the General Insurance Standards Council (GISC).