Law firms, like most businesses, must be willing to take risks if they wish to be successful and move forward. John Verry looks at the analysis of risk and suggests steps that firms can take to stay in control.
For an organisation to manage its risk exposure, it must first identify its risk profile. Unless an organisation knows what risks it is confronted by, it is unable to manage its exposure effectively. Law firms are no different.
This profiling should involve three fundamental steps: identifying the risk, analysing it and then managing any resultant risks.
It is the analysis of risk that this article will focus on. Analysis is the most challenging part of the process as it dictates how risk is managed.
The analysis process examines two key areas: the likelihood of occurrence and the potential impact. All too often these analyses are done incorrectly.
The result is that a risk may be identified but then managed inappropriately. For example, there may be an over-reaction to risk, resulting in unnecessary bureaucracy. Alternatively, there could be a lack of reaction causing financial or reputational loss.
A key part of the analysis process is to create a risk register. Its objectives are to identify:
- The risks facing the firm;
- The likelihood and potential impact of each risk;
- The actions needed to minimise the risk to an acceptable level;
- The individual or management team responsible for the implementation and supervision of such actions; and
- The timescale for those actions.
The identification process
Risk affects all areas of day-to-day operations, extending through human resources, IT and finance departments, as well as the operational risks attached to the supply of legal services. Thus, all areas of the firm need to be involved in this process.
The identified risks may be grouped together under the headings of, for example, operational, strategic, disaster, regulatory, IT and financial. It is recommended that the identification process is undertaken by the firm itself, rather than an external consultant. The persons best qualified to identify risks are those exposed to them.
It is very important to remember that a firm’s risk profile is always changing and that the identification process is continuous. The process must be such that it will identify and deal with new risks as they emerge.
Likelihood and potential impact
The analysis process is built around the two pillars of likelihood and impact. Having identified the risk, it is necessary to assess the likelihood of the risk occurring and, if it does, what the impact on the firm may be. This will have a direct bearing on how the risk should be managed and to what degree.
It is crucial that the firm does not over-react to risk. If it does, then this merely results in a waste of resources and will indeed engender hostility within the firm to risk management.
Likelihood and impact are commonly assessed in the register using the traffic-light procedure: that is, red for high, yellow for medium and green for low risk. This helps a firm decide upon its risk appetite.
Every organisation must have a risk appetite – to achieve success and improvement, risks must be taken. Identified risks are a business opportunity. It is unidentified risk that is the threat. Impact is often measured in terms of financial loss, although it may manifest itself in different ways, such as criminal or professional sanctions.
Minimising the risk
Once the identification and analysis process has been completed, it is for the appropriate management function to decide how the risk is to be managed. If the risk is low and falls within the firm’s appetite, then little or no management may be required. The greater the degree of risk in terms of liability and impact, the greater the degree of management that will be required.
Any action that is needed should be identified in the risk register. This may mean that a process or procedure will need to be implemented.
Responsibility for actions
There should be an individual in the firm who is accountable for risk. That individual can delegate responsibility but not accountability.
It follows that the person responsible for an identified risk in the register should be the person to whom responsibility has been delegated. They in turn would report back to the individual who is accountable (the firm’s risk manager), and that reporting process may continue further to board or partner level.
As previously mentioned, those best able to identify and manage the risks are those exposed to them. Those with responsibility will take a subjective view of how that risk will affect their own area. The person accountable will take an objective view of how the risk could impact and how it should be managed as regards the firm as a whole.
Setting a timescale
A timescale must be set and followed or little will happen. The risk manager will be responsible for ensuring compliance.
Other key points to consider in maintaining the risk register include:
- There may well be a need for more than one register. For example, each department or work stream should maintain its own register. What may be considered high risk in one department may not be high risk in another.
- Registers should be reviewed by department heads and the head of risk management at least once a year.
- Any new or emerging risk should be considered for inclusion.
- The register will be a focal point for the management of risk within the firm. It will provide evidence that the firm both understands its risk and is actively taking steps to manage the exposures effectively.
It will show an underwriter that the firm takes risk management seriously, as well as provide evidence to regulators of the firm’s compliance with rule 5 in the new Solicitors Code of Conduct.
John Verry is a director of broker Lockton