International Legal Technology Association

Trends in Risk Management

It's getting riskier out there.  Why?  As with most trends, several factors explain the recent surge in concern and heightened interest, but the biggest of these has been the long-building global economic downturn.  Like the fable about the grasshopper and the ant, when times are good, it can be difficult to think about potential rainy days.  When resources are plentiful and problems feel remote, investing in preparations for adversity often stays a low priority.  The irony, of course, is that the best time to address risk issues is when resources are abundant, rather than after or mid-crisis. 

Economic downturns spawn a well-understood chain reaction as interdependent agents respond, causing direct and indirect consequences for law firms.  Outside of certain key practice areas, when business is bad for clients, the same is usually true for outside counsel.  In tight times, clients often put new pressures and new constraints on firms.  They might try to reduce legal spend by negotiating lower rates or fixed-fee arrangements, or they may consolidate service providers and end relationships with multiple firms.  With client demand retracting, competitive interests put pressure on firms to respond.

Of course, clients are wrestling with their own constraints.  In this environment, they're more likely to sue outside counsel for malpractice.  According to an ABA report summarizing data from 18 insurance providers, during the last economic downturn (2000-2003), malpractice claims rose 60 percent compared to healthier times (1996-1999).  This doesn't necessarily mean that incidents of malpractice increased, just that the number of clients actually pursuing claims grew.

However, anecdotal evidence does suggest that attorneys themselves may be more likely to take risks or gambles in a down economy.  For example, firms sometimes wrestle with the problem of "lone wolf" attorneys - like a partner who takes on new matters for existing clients, outside his area of expertise.  Sometimes "rogue actors" will bypass new business intake processes and just bill work on the new matter to an existing matter number.  They may have no ill intent - a client may ask for a favor, or the attorney may be feeling pressure to maximize hours billed or meet other performance goals.  But attorney risk-taking can open firms to significant troubles.

Insurance providers know that a down economy amplifies risk.  That's one reason why rates go up during poor economic conditions.  Unfortunately for firms, there's a double penalty at work here.  Rate increases are driven not only by the expected rise in claims, but also because providers themselves earn lower market returns on invested premiums and seek to make up the difference by stepping up prices.

Additional Factors Driving Interest in Risk and Compliance
The economy may be the current catalyst, but the importance of risk management and compliance has been growing for several reasons, among those the following:

  • Client sophistication - In the past, a conversation and handshake might have been sufficient to address client concerns.  Today, the rule is "trust but verify."  Clients are increasingly treating their firms more like vendors than outside partners, and they are taking greater interest in specifying not just what their firms do, but how they do it.  For example, it's not uncommon for RFP and outside counsel guidelines to lay out specific details about the records management and confidentiality controls firms are expected to put in place.  Clients have even commissioned third-party audits of firm ethical screening procedures before granting conflict waivers.
  • Changes in the practice of law - Compared to ten or twenty years ago, law firms today are generally larger, with a wider range of practice groups and a broader presence across state and even international borders.  Changes in information technology have created a whole host of new threats and potential problems, and these threats have become less theoretical.  As the ABA reports, firms have grown "less civil," "more litigious," and more willing to sue one another in malpractice actions.  Similarly, attorney mobility has risen dramatically.  Gone are the days when loyal attorneys would be expected to make their careers with a single firm.  Today, lateral movement is expected.  This mobility brings with it a range of risks including conflicts, data leakage, confidentiality, financial, public relations and other dangers.
  • Regulatory requirements - As U.S.-based firms increasingly work internationally, they open themselves to new compliance requirements.  In Europe and other geographies, external bodies play a much more active regulatory role than in the U.S.  For example, in the United Kingdom, regulatory agencies wield a great deal of control and responsibility.  These institutions include the Solicitors Regulation Authority (the SRA, the equivalent of the ABA) and the Financial Services Authority (the FSA, the equivalent of the SEC).  Both organizations have the ability to audit firms.  The SRA addresses issues like client care and compliance with mandated confidentiality controls, and the FSA examines firm practices for treating and tracking price-sensitive (insider) information.  These audit rights have definitely raised concerns across U.K. firms and should be noted and addressed by U.S. firms working overseas.
  • Insurance requirements - As those ultimately on the financial hook when risk becomes reality, insurance companies have a significant interest in ensuring that firms take reasonable precautions.  Insurers often define standards in areas like client intake, such as engagement letter and conflicts requirements, and information management, such as retention and confidentiality practices.

So how should organizations respond to risk?  Part of the risk management challenge is that, emotional or not, it's very much human nature to be reactive.  This manifests itself in the way organizations prioritize risk and compliance.  Three drivers may ring true at many firms: consider how many risk issues in a given firm are "high priorities" because someone important has decreed them to be, because an external rule mandates compliance or promises a hefty penalty for error, or because the firm has experienced a problem relating to the issue in the past.

This last point has driven many firms to address risk issues like confidentiality enforcement.  There's nothing like getting into an accident to compel a firm to invest in future prevention.  The problem with this approach, of course, is that the initial damage has already been done.  The firm may take steps to ensure "that doesn't happen again," while taking little notice of other risks that may be lurking on the horizon.

Getting More Rigorous About Risk Management
So what's the best way to identify and respond to future hazards?  Over the past several years, many firms have taken the right first step toward addressing how they're organized internally.  According to a 2008 Altman Weil survey, 85 percent of AmLaw 200 firms have appointed official general counsels.  That's up from 63 percent in 2004.  Firms without general counsels typically rely on one or more partners who are responsible for loss prevention, ethics and risk management.

The data speak to a growing trend to formalize responsibility for protecting the risk and related interests of the firm itself.  There's probably no better way to address a problem than to make it someone's explicit job to worry about it.  Another emerging trend at some firms is the expansion of responsibilities for groups with an inherent focus on compliance, like conflicts departments, to address broader compliance initiatives throughout the firm.  Similarly, organizations are focusing more energy in risk research, training and best practices, as evidenced by the growing popularity of legal-focused risk organizations, conferences, working groups and publications.

Employing Corporate Best Practices
Usually, law firms provide counsel to clients.  But risk management is an area where firms can benefit from the lessons and experience of the corporate world.  In response to Sarbanes-Oxley and growing regulatory requirements, many public companies adopted a formalized framework known as "governance, risk and compliance" or GRC.

GRC provides a general framework that organizations, including law firms, can leverage to understand and manage risk.  (For concrete examples of where GRC can apply at law firms, see "GRC in Practice" sidebar.)  It offers a structure firms can use to operate more efficiently, according to the business rules they choose to follow.  It consists of several components.  Governance refers to the expectations for how the organization should run and how individuals should carry out various activities.  A good way to think of this is as the business rules set by management.  Compliance includes the processes that demonstrate adherence to policies and rules (internal and external).  Think of this as reporting that provides verification.  Risk refers to the identification and evaluation of instances where loss or error might occur.  This is the process of classifying and prioritizing issues, not resolving them.

Looking at these issues, it's easy to see that they all interrelate and influence one another.  For example, an identified risk may result in a governance rule, which must be monitored to ensure compliance.  Or an external regulation might prompt a similar cycle.

But there is a missing piece from this ecosystem, and that's control. Controls refer to the actual steps taken to ensure that policies defined by governance are followed.  Controls can be implemented through policies, technology or processes like internal audits.

One example of a control is a policy that prevents partners who introduce a new matter from being able to unilaterally evaluate any identified conflicts.  Intake procedures themselves are controls against taking on "bad clients" or clients that might put firms in violation of a variety of rules.  Other examples of controls are processes by which firm policies must be affirmatively acknowledged by recipients, or technology that enforces confidentiality or monitors for abnormal behavior.  All of these approaches share the same goal of preventing lapses and helping to identify and correct errors when they do occur.

GRC does not propose a radical shift in the way that firms already act.  Rather, like other management models, it provides a systematic framework that gives firm leadership better visibility and control, while improving organizational performance.  In one sense, GRC is analogous to business intelligence, which provides similar monitoring, metrics and modes of analysis focused on the financial arena.

For most law firms, a good starting place for GRC initiatives is with compliance, addressing existing risk and governance needs.  One example of low-hanging fruit in this regard is ensuring that existing firm policies are read and acknowledged by all affected parties, and that the firm can easily generate reports to that effect.  As firms mature in their GRC initiatives, they can look to identify and address new issues.  It's in this regard that U.K. firms have developed strong best practices for spotting, evaluating and prioritizing risk.

In response to their regulated environment, U.K. firms have invested heavily in risk management.  One best practice that many of these firms have adopted is the use of centralized risk registers.  The basic concept is intuitive - make a list of everything that can go wrong, the cost and implications of each incident and the likelihood of occurrence.  Use that data to inform decisions about where the firm should invest time, money and energy in preventative efforts.  Of course, there's more to it than that.  The accompanying sidebar, "Building a Risk Register," provides more detail on how this approach can be put to work in your organization.  Even with minimal investment, a structured approach to threat identification and evaluation can deliver significant benefit.

Role of Technology
Approaches like the risk register and GRC framework can provide firms with greater visibility across their organization and a clearer sense of the actions they should take to improve performance.  Another trend illustrated by both U.S.- and U.K.-based firms is the use of technological controls and tracking to further augment their compliance efforts.  There are several ways in which software can deliver benefit by removing reliance on manual controls in favor of systematic automation including the following:

  • Moving policy management from paper-based to electronic systems
  • Integrating automated policy acknowledgment and tracking into existing workflows
  • Enforcing confidentiality controls across all applications
  • Providing aggregate compliance reporting to management
  • Creating real-time, event-based alerts and notifications
  • Tracking activity in response to regulations
  • Automating risky manual business processes like user account de-provisioning in order to remove information access privileges for all departing attorneys and staff

There are many approaches firms can take to improve their risk profiles, but apart from all the specific trends and tactics, the best single strategy an organization can pursue is to foster a risk-aware culture.  Ideally, every attorney and staff member should understand why risk issues are so important to the firm, and individuals should know not only what's expected of them in terms of governance and compliance, but also the reasons behind the rules and the implications of failure.  By cultivating a sense of ownership and a culture of vigilance, firms can make fast progress in addressing the specific issues at the top of their particular risk register.

SIDEBAR
GRC in Practice

The GRC framework, used in the corporate world, can be best illustrated by concrete examples from the legal world.

Governance: Firm policies and business standards

  • Legal practice standards
  • Outside counsel guidelines
  • Confidentiality
  • Records retention and disposition
  • Anti-harassment
  • IT acceptable use
  • Time & billing practices

Compliance: Demonstrating adherence to policies and rules

  • Regulatory rules/client requirements
  • Records management reports
  • Confidentiality audits
  • Jurisdictional rules
  • CLE tracking
  • IRS disclosures
  • Lobbying disclosures

Risk: Categories of threat and danger

  • Legal policy violations
  • HR violations
  • Regulatory violations
  • IT disruption/disaster
  • Client/business climate
  • Malpractice
  • Reputation

SIDEBAR
Building a Risk Register

Building a risk register starts with the identification of all potential risks.  Best practices advise casting a wide net and soliciting input from multiple stakeholders across a variety of departments.  Items can always be removed from consideration, but it's important to unearth as many outlying potential problems as possible, as the most dangerous risk is often that which is unknown.  A good way to do this is to have managers solicit input from their reports and feed data upwards through the organization.  For example, an IT stakeholder might be worried about a complex issue that's difficult to understand, but poses a real and significant danger to the firm and a non-trivial chance of manifesting.  That might be overlooked if only attorneys build the list.

With a list in hand, firms can assign attributes and weights to each risk.  Management can then review a weighted report and use this information to make informed decisions.  Factors that can help weigh risks include the type of risk, the likelihood of occurrence and the severity of the impact.

When defining scales, firms should take care to use no more than four or five distinct "steps," each presenting a clear and distinct difference from the others.  There's much more that goes into managing the process, and decision support software exists that can help, but there's nothing preventing firms from getting started with just pen and paper.  The process itself should prove informative and awareness-raising.

About our author

Pat Archbold manages IntApp's risk practice group and focuses on helping law firms address issues including client confidentiality, regulatory compliance and risk management.  Prior to joining IntApp, Pat served as regional vice president of sales for Open Text Corporation's legal business solutions division.  He has more than 15 years of legal industry experience, including leadership positions with a legal consulting organization and West Publishing.  He can be reached at pat.archbold@intapp.com.
