Ask the experts

I have been asked to review our internal systems and procedures, but I am not sure where to start. Can you advise me on how I should go about this?

A meaningful review of systems and procedures should start with consideration of what purpose those systems and procedures are intended to achieve, and how effectively they are satisfying those objectives. The other key question is whether they are tackling the right/most relevant concerns. It’s therefore a good idea to take the time to identify and evaluate the risks facing your business.

Analysing claims and complaints can help identify any underlying trends or common factors. Claims or complaints which may not appear to be linked in any obvious way may all emanate from a particular branch office, or arise from the lack of an adequate diary reminder system, a lack of supervision and review procedures, or an out-of-date set of styles.

Audits and supervisory reviews can also identify nascent problems which are not being adequately addressed by existing systems and procedures, or it may be that the systems you have in place are not being effectively implemented.

These methods alone are unlikely to identify all the relevant risks of which you should be aware. A “risk register” is one of the most useful tools for evaluating the effectiveness of existing systems and procedures. It will record and grade the risks for your business, identify gaps in existing controls, and help prioritise action.

As a small firm, do we really need a risk register? Will it not be an expensive and time-consuming exercise?

There is nothing to say that you “must” have a risk register – nor is it the only way to identify and evaluate risks affecting your practice. It is, however, a fairly straightforward and practical way of recording both risk priorities and the preventative systems and procedures you have in place, or require to implement, to address those risk priorities. It is also easy to maintain and update in future.

Creating a risk register need not be an over-complex or time-consuming process. While some organisations may prefer the input of an external consultant, it is equally something that can be undertaken in-house without too much difficulty.

Developing a risk register

1. Identify your risks. Start the process by listing as many relevant risk issues as you can think of. Consult with a wide range of colleagues or, if you don’t have many due to the size of your firm, consider discussing with some trusted peers.

2. Assess each risk. Only when you have fairly comprehensively identified a range of risk issues should you start to assess each risk in terms of the probability of occurrence, and the impact if the risk actually does occur. An overall risk rating (high, medium, low) is generated by multiplying the likelihood and impact scores together. By way of example, the extract risk register shown below identifies three risks which have been categorised as “medium” and “high” risks, based on their combined probability and potential impact on the business.

3. Evaluate existing risk mitigation strategies. You should be able to identify a risk mitigation strategy for every high and medium-rated risk, and evaluate the adequacy of existing controls. The risk register provides a structured framework which will help you identify risk, and record where you have no (or inadequate) risk mitigation in place for a significant risk. It should also prompt you to identify strategies to address these gaps, and allocate responsibility and a timeframe for the remedial action.

Our firm is considering acquiring another practice. Are there any insurance or risk management issues that we should be considering?

Claims arising from work previously undertaken by the target firm could impact significantly on the merged entity’s professional indemnity cover, depending on how the deal (and the PII arrangements) are structured. Marsh can provide guidance notes on the PII issues which require to be considered prior to entering into a merger or acquisition.

The due diligence in an acquisition or merger situation should include a review of the claims and complaints history. Practices can have apparently healthy balance sheets, and a strong book of business, yet if this has been achieved at the expense of rigorous compliance and risk management procedures, the risk of reputational damage and potentially costly claims may outweigh the benefits of the deal. Many of the comments made in response to the first question – concerning reviewing a firm’s systems and procedures – are particularly relevant in these circumstances.

Calum MacLean and Marsh

Calum MacLean is a non-practising solicitor, formerly in private practice, who works in the FinPro (Financial and Professional Risks) National Practice at Marsh, global leader in insurance broking and risk management.

The information contained in this article provides only a general overview of subjects covered, is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insureds should consult their insurance and legal advisers regarding specific coverage issues.

Marsh Ltd is authorised and regulated by the Financial Services Authority for insurance mediation activities only.