The reality for a number of firms is that up until now their risk teams have been wading through treacle to get their firms in shape. Now that the concept of effective risk management is universally recognised, the hard work begins for some: getting the appropriate level of support internally. To our survey question ‘What are the main barriers to implementing a risk management culture at your firm?’, the response ‘getting proper “buy-in” from fee-earners’ came up time and again.
Other linked responses include getting internal agreement to make sure that the resources and funding are there to manage risk adequately, and ensuring that fee-earners play their roles properly in ensuring compliance with the regulations and procedures that keep risk to a minimum.
Many firms feel that their risk management function is properly supported in terms of budget, profile and human capital. Just 12% reported that they felt firms generally needed more of these types of support. However, actually getting the partnership to check that client engagement procedures are followed correctly, supervise staff, properly assess the risk of strategic decisions such as a potential merger or receiving outside capital, or simply keep their BlackBerrys safe, is another matter.
Taking it seriously
This, according to TLT’s director of risk John Verry, is the perennial issue from a risk management perspective. ‘I’ve been round the houses a bit in the insurance industry, and you find that the problems are exactly the same for a number of firms. The main problem is a lack of acceptance on the part of partners to change, probably more than anything else.’
The difficulty is that risk has a bad reputation at many firms, usually unfairly. Some partners regard it as an unwanted cost on the business, particularly in leaner times, or, worse still, some kind of barrier to activity akin to over-protective health and safety regulations.
‘That’s not risk; that’s stupidity,’ Verry retorts. ‘A proper risk function looks at the danger, looks at the problem and assesses the likely impact. The business then decides what the appetite is like for that risk. Some lawyers can’t see the cost-benefit analysis of risk, that this function is saving the firm money, or better, actually making the firm money.’
Larger firms generally have adequate risk management resource, but the key issues are how firms actually use it, how it fits into the firm, and how importantly the management views the function. LB encountered ripples of discontent from risk managers at being viewed as a ‘support’ function, rather than being central to the strategic make-up of the firm. This relates to a frequent feeling of disenfranchisement among non-lawyer law firm staff that they are poorly used because the fee-earners either do not want to use them, or have no inclination to learn how to use them effectively. As one member of a support team at a leading firm once put it: ‘It’s like paying for expensive gym membership and never actually going. It’s a complete waste of money.’
What are the main barriers to implementing a risk management culture at your firm?
LB100 rank | Selected comments |
Top 20 | Pressure of work on lawyers. |
Top 20 | Partner buy-in. |
Top 20 | That it’s not just about insurance and that insurance will cure everything. |
Top 20 | Lack of awareness amongst partners and staff of the issues, or of the importance of the issues. It takes a significant investment in resources to conduct the required training and awareness-raising to make people understand that it is part of everyone’s role to manage risk. |
Top 20 | Ensuring consistent approach amongst all partners to supervision of work. |
Top 20 | Conflict between the need for speedy advice/documentation and a ‘no errors’ approach to legal services. |
Top 20 | Ever-changing regulatory environment. |
21-50 | Don’t understand its importance, seen as bureaucratic. |
21-50 | Communication, getting messages heard. |
21-50 | Mindset of senior individuals that procedures should not apply to them. |
21-50 | Insufficient resources to cope with ever-increasing regulatory/risk burden. |
21-50 | Investment in systems. |
21-50 | It’s perceived as interfering with the development of new business. |
51-100 | Previous success: we have been relatively effective at managing risk, with the unintended consequence that it is more difficult to demonstrate what might have happened. |
51-100 | Leadership: despite buy-in of all key managers, passive resistance in some quarters continues to send mixed messages at times. |
51-100 | Fee-earners too busy to concentrate on the issues. |
51-100 | Individually focused communication of risks. |
51-100 | Inadequate training. |
100+ | Lack of desire by lawyers to understand Solicitors Regulation Authority code. |
100+ | ‘It won’t affect me’ mentality. |
100+ | Fee-earners’ understanding of importance of how compliance rules and regulations reduce risk. |
100+ | Lack of linkage between awards and being compliant. |
Source: Marsh/Legal Business RM survey
Team game
One issue that pervades throughout is that of acceptance of risk managers at a senior level, and whether non-lawyer risk managers struggle to gain sufficient acknowledgement by lawyers. The role of risk managers in industries outside the law is well known: plcs need a statement on risk in their annual reports. The risk director for a Financial Services Authority-regulated financial services company will most likely be a board appointment because of the statutory requirements that centre around risk. For many law firms, the risk manager still tends to be a must-have accessory – something that all firms want when they see that another firm has its own risk specialist. You only have to look at the surge in popularity of legal process outsourcing agreements in 2009 to see how susceptible law firms are to the bandwagon syndrome (see ‘Piece of the action’, LB201, page 46). But there are reports of non-lawyer risk managers being given a hard time by their firm’s partners. The question is whether this is a failure of the firm or of the individual.
This hints at a much broader issue about the credibility of non-lawyer managers generally, which has emerged recently with the departure of non-lawyer chief executives from law firms such as Shoosmiths and Barlow Lyde & Gilbert (see LB201, page 12).
‘If there’s a failure of buy-in, it could be failure by either the firm or the individual, or both, depending on the circumstances,’ says Professor Stephen Mayson, an independent law firm consultant and director of the Legal Services Policy Institute at The College of Law. ‘Sometimes, the firm employs talented and experienced managers, and then denies them the authority to do the job they’ve been employed for – sometimes further exacerbated by the belief some lawyers have that they still know best anyway “because it’s my business”.’
However, Mayson notes: ‘The managers don’t always help themselves by being insufficiently sensitive to the psychology of lawyers and the dynamics of decision-making in professional services businesses. The failure more often than not relates to a lack of communication and mutual respect, and there isn’t an organisational structure or mandate that’s going to secure them without some effort and maturity on all sides.’
Lawyers’ belief that they are best suited to running their own business is a problem that Verry has seen before. ‘I’ve been a lawyer for many years, so they can’t give me the “you don’t understand the pressures I’m under” excuse, as I can say: “I understand them only too well and if you listened to me you probably wouldn’t be under those pressures.” You can talk to them on an equal footing. Lawyers can be very, very difficult to deal with unless you are one of them. I think that is very sad, because I know non-lawyer risk managers who are excellent at their jobs.’
Marsh’s European practice leader for solicitors’ professional indemnity, Sandra Neilson-Moore, argues that non-lawyer risk managers need a grounding in the law to succeed. ‘I think that at a minimum non-lawyer risk managers should have a law degree,’ she says. ‘I don’t have a legal degree, but I have passed several legal courses, and that’s just for the job of dealing with the professional liability part of risk. You can’t really analyse the risk of practising law without knowing about practising law.’
[Figure: What is the size of your risk team?]
Access all areas
Inevitably, lawyers will have to get on with it, as law firms move more towards becoming businesses and more people come in from outside the profession. The ‘eureka’ moment comes with proof that the management team is formidable when lawyer and non-lawyer specialists mix.
This is certainly a concept that Emma Dowden, director of best practice and operations at Burges Salmon, believes in. She joined the firm from Hamptons International, and previously PricewaterhouseCoopers, and finds it hard to acknowledge this perceived lack of buy-in from the partnership, as it’s not something she has encountered to any great extent. She strongly believes that the individual needs to break through any resistance themselves.
‘I would suggest that it’s about turning people around and asking yourself “what can I do as a risk leader to demonstrate value to clients and the firm?”’ she says. ‘You then start breaking down those barriers as you meet them with proof and delivery. I think sometimes you can worry too much about perceived barriers of access to leadership, or use that as an excuse not to tackle some of the issues.’
Dowden’s success at achieving widespread acceptance as a non-lawyer risk manager at Burges Salmon is perhaps rare, but not unique. For every horror story, there are the successes. DLA Piper’s chief risk officer Julia Graham, for example, has achieved proper board-level status both inside and outside the firm, and is widely acknowledged as a trailblazer for her profession within the legal industry.
Effective communication is key, Neilson-Moore says: ‘If you are just ticking boxes and talking about risk maps, partners will just tune you out. You need to speak to them in their own language.’
Carrot or stick?
However strong the underlying risk management infrastructure is at a law firm, it is only as good as the individuals implementing the policies. There is no point having a risk function if nothing is done about continual breaches, problems or threats to a firm. What happens if a specific partner or team categorically refuses to comply with risk management procedures? While in other industries this may be dealt with swiftly and decisively, many partners are allowed to get away with it because they are thought to be making the firm too much money. In a partnership structure, it becomes difficult to stand up to individuals and sanction them for not acting in the interests of the firm. But you have to have some teeth in policing risk management, or else it becomes a waste of time.
‘We have a code of conduct that puts all partners in the firing line,’ Verry says. ‘They need to understand that they can’t tolerate these mavericks operating outside the risk circle.’
This begs the question as to whether the carrot or the stick should be used to ensure the success of a risk management culture within a firm. It’s the million-dollar question, and one of the more emotive issues for risk managers. Seventy-two per cent of respondents answered yes to the question: ‘Do you believe that the remuneration structure of a law firm should recognise the contributions made by individuals specifically in the area of risk management?’ Comments made by firms included: ‘It is a truism that what gets measured and rewarded gets done’; and: ‘In our firm, it is part of the remuneration package for partners and is an element in promotion criteria. I can see the “nudge” effect this has.’
For others, if promoting risk management cannot be rewarded, non-compliance should at least be punished. One top-100 firm, in addition to agreeing that positive behaviour should be rewarded, added: ‘Or at least penalties for consistently causing problems in this area that lead to financial repercussions for the firm.’
Mayson says: ‘Risk management is as much a cultural issue as it is a process and systems one. And arguably one of the most powerful drivers of culture is what the firm records, reports and rewards – or at least is perceived to value and reward.’ He adds: ‘Compliance and the proportionate management of risk should certainly be encouraged, and failures of risk management leading to adverse consequences must be dealt with. But the notion of punishment for failure to comply strikes me as too much of “nanny knows best” – unless, of course, there’s been a breach of professional ethics or standards as well.’
‘My personal view is that there’s got to be reward and incentive for everything,’ Dowden says. ‘With that comes responsibility for not taking those things seriously, and it’s all about linking that in. People have got to know that’s important for the firm, it’s inherent in the culture, and it’s important to the leadership of the firm, because if it’s not present in those areas I would see that it could get disregarded.’
Neilson-Moore recounts a tale told to her by one US underwriter, who described a firm where staff who fail to follow compliance rules don’t get paid. Everything stops dead. Fee-earners are not allowed to bill clients, and partners don’t draw their profit points.
‘I’m not sure about the reward bit,’ she says of the wider issue of encouraging risk compliance. ‘Compensation and reward is a tangled enough mess as it is, without saying “because you have been a good boy or girl and do risk management, then we will give you more money”. I think that’s a bad place to go, but I do think that there should be controls.’
The trick then, it seems, is to ensure that risk management is inherent in the fabric of the firm, and then follow that up with procedures such as performance reviews and appraisals and have systems in place that reward positive behaviour. Do that, and you’re 90% there.