The collapse of KWM, cyber threats and Brexit have all come together to cause unease among City law firms. Our annual risk survey asks if risk managers can help avoid a domino effect.
There is little debate about what is dominating discussion among law firm managers right now. Not article 50 and not Donald Trump’s latest whim. The subject gripping law firm risk for our tenth annual risk management survey with broker Marsh is the events leading up to 4.40pm on 17 January 2017 – the moment the European and Middle East operation of King & Wood Mallesons (KWM) went into administration.
‘I have been in this business for 38 years and although I have seen hard markets, there is always some insurance available.’
Sandra Neilson-Moore, Marsh
While the post-mortem is already underway (see ‘Shattered’), the demise of KWM’s regional business is a fitting bookend to the early years of our risk report, which began in 2008, two years before Halliwells dissolved amid the banking crisis, two major events that pushed law firms to create fully-functional risk management operations.
‘Most of the firms I have spoken to were surprised that it happened so quickly,’ says Sandra Neilson-Moore, managing director of the FINPRO practice at Marsh. ‘A lot of firms have picked up partners and other staff from KWM. The consensus in City circles seems to be that this part of the firm was poorly managed, under-capitalised and not supported from within.’
While there is little schadenfreude around, there are observations about the handling of KWM by its senior management from risk experts when pressed. One senior risk manager at a top-25 firm says in law firms, every partner has a vested interest in the business, and in KWM’s case there was a disconnect between management and the rest of the partnership. ‘The partnership should be in a position to have enough information about the firm and how it is being managed in order to counterbalance some of the decisions.’
System error: data management and legal technology still the main threat
There is little surprise again this year that technology and cyber security issues feature as the biggest concerns for risk managers in our survey (see risk profile charts). Such is the level of preoccupation with technology issues among risk teams that we broke down IT risk into four sample areas for our risk profile chart: IT security breach/data management accident or breach; IT system failure; financial loss (own or client) resulting from ‘vishing’; and phishing and ‘Friday afternoon’ fraud, all of which scored highly for both impact and potential.
2016 saw this issue pushed further up the risk agenda: it was a standout year for developments in legal tech, with some of the world’s largest and most sophisticated law firms taking their commitment to artificial intelligence (AI) and tech to another level. Firms such as Dentons, with Nextlaw Labs; Mishcon de Reya with Mishcon Discover; and Slaughter and May’s partnership with Cambridge-based Luminance to name three (for more on the City elite embracing cutting-edge AI, see ‘The arms race’).
Dentons’ UKEMEA general counsel (GC), Andrew Cheung, says there are some interesting risk issues for law firms around innovation, both in the failure to keep up with competitors as a risk, as well as law firms moving into other areas, which are either traditionally non-legal or are in legal and technology.
‘Dentons is a leader in the area of AI,’ he says. ‘We are both investing into our venture capital fund as well as engaging with different products directly. This raises all sorts of interesting questions about liability, about the structure of law firms and how they work, and the role of lawyers, which all need to be thought through carefully.’
Justine Cowling, head of risk management at DLA Piper, sums up the insidious nature of IT breaches. ‘That human risk is just one click of a button from one of your employees that could do so much damage despite everything else you’ve done. We are training hard on that. Before you might receive an email and it was obvious that the message was likely to be fraudulent, now those emails are looking real, so we’re driving home the details so every one of our people is aware.’
‘It’s the ever-changing nature and sophistication of IT, and something new is always on the horizon,’ agrees Emma Dowden, chief operating officer at Burges Salmon. ‘With an incoming piece of legislation, you can identify what you need to do and feel like you’ve addressed that requirement. You’re never in that position with IT systems. It feels to risk managers like you’re always in catch-up mode.’
Sandra Neilson-Moore, managing director of the FINPRO practice at Marsh, says social engineering fraud is also becoming a troublesome issue for firms that she speaks to. Individuals within firms are regularly being taken in by instructions, purported to be from the managing partner or some other senior figure, to pay money out of the firm.
‘It is a top priority for all firms and they are looking at systems, support and response providers and penetration testing constantly,’ she says. ‘Many more are now considering (and purchasing) cyber security insurance. This insurance needs a lot of work though, as it is far from broad enough when compared to what is available in the professional indemnity insurance marketplace.’
But, as one law firm risk leader sums up, one of the reasons that tech and data management consistently tops the risk agenda is that it is an issue as difficult as nailing jelly to a wall.
Says Simon Callander, GC of Addleshaw Goddard: ‘The profile is raised by a number of big corporates being hacked by breaches, by the information commissioner being more active in this area. There is a danger for us all that we have a wholesale focus on IT as the main issue, when actually it’s information security.’
The main focus from the sorry demise of a high-profile City institution, SJ Berwin & Co, as far as risk managers are concerned is the lessons to be learned from the largest legal collapse in Europe to date. The first lesson is the importance of comprehensive financial management, according to Dentons’ UKEMEA GC, Andrew Cheung. He says it is not just about looking out for big issues; if a firm fails to get the small things right – such as managing debt, managing lock up, managing bad debts – they can easily become intractable problems for law firms, which generally have limited reserves of working capital and cashflow.
‘A lot of risk management is focused on detail, but we need to lift our eyes every so often and look at the big risks.’
Simon Callander, Addleshaw Goddard
‘Firms have been looking at difficult financial headwinds since the financial crisis,’ he says. ‘They have been careful to ensure their businesses are robust, that they’re making the difficult management decisions they need to make to ensure they have sufficient business and marketing resilience. We’re seeing that through nearshoring and innovation, which law firms have never embarked on before.’
Then, as far as Addleshaw Goddard GC Simon Callander is concerned, there is also an issue of risk managers not seeing the wood for the trees. ‘A lot of risk management is focused on detail, but we also need to lift our eyes every so often and look at the big risks out there. It’s interesting when you look at some of the survey results in terms of analysing the impact of certain risks [see the legal risk profiles, opposite]: losing key partners and staff, and losing big clients, do not score that highly. Those are the things that can have a really big impact on you. If you lose revenue generators, whether that be partner/teams or clients, that has an immediate effect on your bottom line, and starts to put you in danger in terms of keeping hold of and attracting the best people.’
‘Ultimately with Brexit, it’s unknown. You hear “we need to do Brexit planning”, but what are you actually planning?’
Emma Dowden, Burges Salmon
An early concern is whether the demise of SJ Berwin will have a ripple effect on City law, notably creating any sense of nervousness in the market and lessening the appetite of professional indemnity (PI) insurers to provide cover to law firms for fear of similar problems.
‘PI renewal meetings begin in the next few months. If I was an underwriter I’d want to have a very close understanding of the firm’s structure, its governance, its financial stability and ensure that I know from a relationship perspective what I’m insuring,’ says Angela Robertson, director of risk and general counsel at Taylor Wessing. ‘I would have thought it was inevitable it would have some impact there.’
However, Justine Cowling, head of risk management at DLA Piper, does not believe the KWM situation will have much impact on many firms’ cover. ‘It might put a bit more scrutiny on the accounts aspect because the problems at KWM should have come out in previous [professional indemnity insurance] renewals,’ she notes.
Others argue as well that the effects of KWM can be isolated because insurance premiums are related to previous claims experience, not shocks to the market. Says Cheung: ‘It wasn’t a claim that sunk KWM, it was bad financial hygiene. It might have a knock-on effect on our policies for management liability and employment practices liability cover, but those are rock bottom as it is. They didn’t change when you had the collapse of Dewey & LeBoeuf or others.’
Situation | Impact (mean score out of 5) |
---|---|
IT security breach/data management accident or breach | 3.9 |
IT system failure | 3.8 |
Disaster/business continuity failure | 3.7 |
Unwittingly becoming involved with client fraud | 3.7 |
Financial loss (own or client) resulting from ‘vishing’ | 3.5 |
Serious legal or commercial conflicts of interest | 3.3 |
Reputational damage to firm (eg from media, ex-employee, disaffected client) | 3.2 |
Loss of key partners/staff | 3.2 |
Liabilities exceeding resources, including insurance (eg professional negligence claim in excess of policy limits) | 3.2 |
Phishing and ‘Friday afternoon’ fraud | 3.2 |
Inability to attract new partners/staff | 3.0 |
Failure to meet strategic plans | 2.9 |
Loss of firm’s biggest client | 2.8 |
Bankruptcy/acquisition of significant clients | 2.8 |
Credit or other financial problems | 2.7 |
Poor performance of key lateral hire(s) | 2.7 |
Competition – including from alternative business structures | 2.6 |
Onerous outside counsel guidelines, imposed by clients | 2.6 |
Brexit | 2.4 |
Other global political factors | 2.3 |
Sanctions and sanctions-related issues | 2.2 |
Currency fluctuations | 2.0 |
Employment claims from former partners/staff | 1.9 |
Situation | Potential (mean score out of 5) |
---|---|
IT security breach/data management accident or breach | 3.0 |
Competition – including from alternative business structures | 2.9 |
Onerous outside counsel guidelines, imposed by clients | 2.8 |
Brexit | 2.8 |
IT system failure | 2.7 |
Financial loss (own or client) resulting from ‘vishing’ | 2.6 |
Bankruptcy/acquisition of significant clients | 2.6 |
Other global political factors | 2.5 |
Reputational damage to firm (eg from media, ex-employee, disaffected client) | 2.4 |
Loss of firm’s biggest client | 2.4 |
Phishing and ‘Friday afternoon’ fraud | 2.4 |
Unwittingly becoming involved with client fraud | 2.3 |
Loss of key partners/staff | 2.3 |
Failure to meet strategic plans | 2.3 |
Poor performance of key lateral hire(s) | 2.3 |
Disaster/business continuity failure | 2.2 |
Serious legal or commercial conflicts of interest | 2.2 |
Inability to attract new partners/staff | 2.1 |
Sanctions and sanctions-related issues | 1.9 |
Employment claims from former partners/staff | 1.8 |
Currency fluctuations | 1.8 |
Liabilities exceeding resources, including insurance (eg professional negligence claim in excess of policy limits) | 1.7 |
Credit or other financial problems | 1.4 |
Professional negligence situation | Potential (mean score out of 5) |
---|---|
Errors made by staff/lawyers on complex, high-value transactions | 2.7 |
Errors made by staff/lawyers on routine ‘bread and butter’ transactions | 2.6 |
Increased claims as a result of pressure on fees and the need for ‘instant’ advice |
2.5 |
Conflicts of interest | 2.3 |
Lawyers advising outside their area of expertise | 2.1 |
Inadvertently advising third parties | 2.1 |
Infringement of regulations | 1.8 |
Insurance claims emanating from foreign offices | 1.7 |
Errors made by confusion caused by SRA’s outcomes-focused regulatory approach |
1.7 |
Neilson-Moore says there may be a reaction in the management liability insurance market if there are any claims against the former leaders of the firm (a group of around 200 former KWM employees, including lawyers, have already instructed employment law firm Herrington Carmichael to handle a claim that relates to KWM’s failure to enter a formal redundancy consultation process) but does not believe it will have a substantive effect on insurers’ appetite for covering law firms in what remains a soft market (see box ‘Benign times’). She says these types of failures remain rare and do not usually result in an uptick in PI claims.
‘Premiums are driven by claims experience, in the main. If the firm has a reasonably stable and benign claims experience, there will be insurers bidding for that firm’s business. This will keep premiums low. I wouldn’t say that the failure of KWM is indicative of the financial fragility of firms generally, it is indicative of the financial fragility of that firm.’
She adds: ‘I have been in this business for 38 years this June and although I have seen a couple of very hard markets in that time, there is always some insurance available, even if one has to make it oneself, through captives and group programmes.’
Sum of all fears
While the local collapse of KWM has dominated headlines since the end of last year, two wider geopolitical events combined to make 2016 one of the most tumultuous for global business in recent memory: the decision by the UK public to withdraw from the EU and the election of Donald Trump as the president of the United States. Deal flows have seized up and restarted again, currencies have swung violently and the rabbit-in-the-headlights effect on global business has been felt by external legal advisers.
With this in mind, we introduced questions to our survey this year relating to Brexit and ‘other global political factors’, where risk managers could give their views on the potential of these issues having an effect on their firms and how severe those effects could be.
‘With clients obviously wanting to get value for money, the quid pro quo has to be a fair limitation of liability.’
Justine Cowling, DLA Piper
Typically, ‘IT security breach/data management accident or breach’ and a new factor introduced this year – ‘IT system failure’ – scored very highly for both impact and potential. Cyber security and data breaches are consistently the most serious issues keeping risk managers awake at night (see box, ‘System error’). However, other fears have also come to the fore.
Responses to our new question on Brexit were mixed, if anything, lukewarm. Only 9% of respondents believed invoking article 50 would have material negative effects on their business, while over half said it would not. In the legal risk profiles, Brexit scored highly for potential but relatively low for impact and the same was true for other global political factors.
The comments from risk managers about these issues were equally mixed. Dowden feels there is still too much in the air to draw any meaningful conclusions.
‘It was an uncertain political year and a somewhat unexpected 2016, but ultimately with Brexit, it’s unknown,’ she says. ‘You hear all this “we need to do Brexit planning”, but what are you actually planning?’
Dentons’ Cheung, European GC at the largest law firm in the world by headcount, has mixed feelings over Brexit: ‘In some respects, law firms stand to benefit immensely from the changes that could be brought by Brexit because of its wholesale legal and regulatory impact. But it impacts on reduced investments, reduced deals and a shifting of focus for the financial institutions away from London into Europe. Then that’s going to potentially have a longer-term influence on firms that are more reliant on M&A and banking work.’
Andrew Clark, GC at Allen & Overy, also sees threats emerging. ‘We’re concerned that we can continue to operate in those countries as a branch of the UK LLP. Or, in the event of a requirement for an alternative structure, that this will not impact or handicap our ability to advise our clients in the jurisdictions in which they operate.’
Neilson-Moore observes: ‘All of these things have to be addressed, but (for Brexit at least) most firms have had people looking at what would need to be done if it happened for quite some time.’
Other issues are more pressing, notably ‘onerous outside counsel guidelines, imposed by clients’ fell significantly in terms of impact but rose considerably in terms of potential, while ‘serious legal or commercial conflicts of interest’ increased noticeably in terms of both impact and potential.
Onerous outside counsel guidelines touch every aspect of a law firm’s client relationship, including liability caps, internal security measures, or whether or not a firm can act for clients’ competitors. But the main concern in recent times has been liability caps. As can be seen from our questions relating to limiting liability, respondents have been more successful at limiting liability with their clients than they were last year (although 11% say they never limit liability with clients).
Neilson-Moore says she is not surprised to see this getting more attention inside the major firms. ‘The one surprise is that 11% of your respondents never limit their liability to their clients. Why not?’
The feeling is that firms are finally getting to grips with this issue after giving ground in the wake of the crisis. As in many circumstances, for law firms it is about knowing where and when to pick your battles.
‘There are large parts of the market where we can limit liability and we have success doing so,’ says Cheung. ‘The difficulty I have is it’s the areas of work which carry the highest values of potential liability exposure, and generally for the lowest amount of fees, which become transactional areas. The banking and financial sector is the big one: a £40,000-£50,000 opinion can become a £1bn-worth risk. It’s not so much that we have success in limiting liability with the majority of our clients, it’s where we’re able to limit liability.’
‘The PII market is relatively benign, but none of us must get complacent. Inevitably these things change.’
Andrew Clark, Allen & Overy
‘It’s positive that law firms are able to have that kind of discussion with clients now,’ adds Cowling. ‘The accounting firms have been very good at it for years and, once you start the conversation, you realise it’s just another sensible business conversation. With clients obviously wanting to get value for money all the time, the quid pro quo has to be a fair, proportionate limitation of liability.‘
Risk managers are upbeat about their firms’ handling of outside counsel guidelines, particularly limitation of liability, although conflicts remain a persistent issue.
According to Callander, the legal industry needs to become more robust on issues. ‘It’s a dangerous assumption that one: the market will always be there; and two: it will be there at prices that we think are affordable. It’s a fallacy to think it’s not an issue.’
Benign times: the climate for professional indemnity insurance
Although risk managers believe that market-changing events will have little noticeable effect on the price of professional indemnity insurance (PII), the market remains soft. While our survey results show the level of respondents feeling the PII market is reasonably priced is unchanged (70% again), the cost of coverage has changed slightly, with fewer respondents seeing an increase in the cost of the first £10m (14% versus 19% in 2016) but double the number seeing an increase in the total cost of insurance (14% versus 7% last year).
The consensus among risk managers at the larger firms is that the cost of insurance has remained flat. There are reductions, but they are not as dramatic as they were, unless there is a need for a premium correction, according to Sandra Neilson-Moore, managing director of the FINPRO practice at Marsh.
This is borne out from talking to risk specialists within firms. Says Andrew Cheung, EMEA general counsel (GC) at Dentons: ‘It’s remained fairly steady. What we’re seeing now is the outcome of difficult deals that were entered into in the frenetic period leading to the financial crisis. It raises the interesting question that when times are good and people are at 110-120% capacity, there is in those periods of time the ability to take on significant amounts of liability, which is only realised in a harder market.’
Justine Cowling, head of risk management at DLA Piper, wonders whether people are taking the opportunity of easy terms to purchase more insurance, which would explain why the total cost of insurance went up for more respondents this year. ‘You build those good relationships with insurance in a soft market and then you know at some point it will harden, and then you can continue those relationships at that point in time.’
Angela Robertson, director of risk and GC at Taylor Wessing, agrees that whereas the relationship between law firm and insurer was a distant one in the past, that has changed to become much more of a partnership. ‘There’s quite a lot of competition between insurers – there have been new insurers entering the solicitors’ professional indemnity market. If that continues, we shouldn’t see much impact on premium.’
Simon Callander, GC at Addleshaw Goddard, agrees that overall there is a lower level of claims than the market has experienced in the past 15 years or so. ‘You’re probably at the point now when you’re out of the path of the financial crisis and claims that might have run as a result of that. It’s also because people have got better at managing their risk.’
One issue that has inflated premiums is the increase in Insurance Premium Tax, from 6% at 1 October 2015 to 10% at 1 October 2016. Many of the firms will have been affected by this and would have noticed a difference as a result. However, the main factor behind the increase in premiums is an adverse claims record – strange, then, that there’s widespread reporting from risk experts that claims against law firms, and top 100 law firms in particular, are down.
‘I would say that there’s been a decrease in claims,’ says Cowling. ‘There have been some articles reported in the legal press that suggest that there are still some significant claims against law firms, but they are less common.’
‘What I wouldn’t be surprised to see is slightly fewer claims, but some of those claims increasing in size and complexity,’ adds Cowling. ‘More complex work, more involved transactions, brings along larger exposures. The market is still seeing a lot of pressure around fees, given the current economic climate, and that aligned with clients who are extremely demanding, in terms of quality and price, means that law firms will have to continually adapt and innovate.’
‘We did not notice any significant change in claims against top-100 firms one way or the other,’ says Neilson-Moore. ‘The incidences of high-value claims are greater than they were ten years ago, perhaps, but the change year to year is not dramatic. We would need another big shift of some kind in the economic or risk landscape to see any dramatic change.’
Ultimately, however, the belief is that a sustained run of benign conditions for the PII market must eventually come to an end, whether triggered by an event, such as the collapse of KWM, or not. Says Allen & Overy GC Andrew Clark: ‘The PII market is relatively benign, but none of us must get complacent. Inevitably these things do change and you have to be ready. We do that by having strong relationships with underwriters and potential underwriters so that they know our business, which means we have a lot of options in the future.’
The issue of tough counsel terms differs slightly from liability caps in that it is an issue that is increasing. Firms are reporting more clients are adopting a panel-based process or formal process with their own terms supplanting those of the law firms. Firms have noticed this particularly on information and security but also across a whole range of areas, with clients actively auditing firms across multiple locations.
‘Firms probably have onerous outside counsel guidelines as much under control as they are ever going to,’ argues Neilson-Moore. ‘They have repeat clients and clients in the same industries, and so they will be well rehearsed in what they can and cannot accept from these clients.’
Callander concludes: ‘Lawyers are very good at advising their clients when they’ve got into inappropriate situations that they should negotiate themselves out. They’re very bad when it comes to dealing with them themselves and negotiating with clients, when often they fear that will put them in a negative competitive position. We need to have a degree of integrity and tell our clients when things are problems for us.’
Complacency breeds failure
In response to our survey question: ‘What are the main barriers to implementing a risk management culture at your firm?’, one response from a top-25 firm was particularly revealing: ‘Belief that we have in place all we need as we have had no recent issues.’ The years since the global financial crisis have seen substantial growth in risk management teams within major law firms and a concerted effort by those firms to foster a proactive approach to risk management. Could it be the case that complacency has set back in?
LB100 rank | Selected comments |
---|---|
Top 25 | ‘Individual acceptance of each person in the firm of the need for/benefits of compliance’ |
Top 25 | ‘Push to provide quick advice on the cheap’ |
Top 25 | ‘Lack of clear rules and detailed guidance from SRA, as well as a constantly-changing regulatory landscape’ |
Top 25 | ‘Belief that we have in place all we need as we have had no recent issues’ |
25-50 | ‘Lack of sustained senior management engagement’ |
25-50 | ‘Emphasis on providing evidence of return on investment’ |
25-50 | ‘Need to facilitate innovative and international work, without jumping through risk hoops’ |
25-50 | ‘Client demands for speedy service meaning processes that protect info and financial assets can be scrimped’ |
51-100 | ‘Keeping training and communications fresh and up to date’ |
51-100 | ‘Getting busy lawyers to understand the context in which risk can arise’ |
51-100 | ‘Unwillingness to accept change’ |
51-100 | ‘Acceptance of bad behaviours of those who bring in large revenues’ |
51-100 | ‘Reliance on large clients – lawyers wanting to do anything and everything for that client regardless of rules’ |
100+ | ‘Getting buy-in from partners and staff’ |
100+ | ‘Lawyers wanting to do current work without global thinking’ |
100+ | ‘Lack of resourcing needed to fully embed a risk management culture into the DNA of the business’ |
100+ | ‘Individual stubbornness’ |
Andrew Carpenter, managing director at Marsh, believes risk teams will head off this danger. ‘Over recent years, significant investment has been made by the top 25 firms to develop their risk teams and to create a risk culture unique to the firm. In my experience, firms are reviewing their businesses in response to changing economic environment and client requirements, and are involving the risk teams in this process to ensure risks are considered and managed.’
Cheung is less sanguine on the complacency point, noting that there has not been any incidence of large fines against law firms for misconduct or failure to comply and there is an element of regulatory burnout.
‘Significant investment has been made by the top 25 firms to develop their risk teams and to create a risk culture.’
Andrew Carpenter, Marsh
‘There’s regulatory and change fatigue that is turning people off all of this. As firms have invested in more sophisticated risk functions, there’s a sense this is an area that’s going to be managed by specialists. There’s a bit of an abrogation of day-to-day responsibility.’
Dowden, however, argues that the task of keeping fee-earners engaged in the risk process lies with the risk teams themselves: ‘You have to paint a compelling story and explain to the firm why these things are important. It’s about winning hearts and minds.’
And for every Legal Business 100 firm that has a robust risk culture and well-established systems in place, there is another firm that is failing. ‘Complacency is dangerous,’ says Robertson. ‘If it’s not an area you’re willing to invest in, it can have catastrophic consequences. I hear of big-name firms in the top 100 that have virtually non-existent risk teams, so we’ve still a long way to go.’ LB
mark.mcateer@legalease.co.uk, madeleine.farman@legalease.co.uk