The number of law firms appointing specialist risk managers has risen sharply. What lies behind this trend? Jon Robins investigates

It is ironic that in a profession as notoriously risk-averse as the law – where some might say practitioners spend every waking hour filling their clients with dread over the perils of modern commercial life – the practice of risk management has not been taken more seriously within firms themselves. But apparently that is all changing.


A survey by the Liverpool-based law firm Legal Risk has revealed that the appointment of risk specialists is rising sharply, and almost one-third (29%) of the top 100 firms now employ dedicated staff to deal with risk, compared to 7% in 2004. This was accompanied by a similarly dramatic drop in the number of firms placing responsibility for risk management in the already busy hands of a partner – from 69% in 2004 to 16% last year (see [2006] Gazette, 2 February, 4).

So what is driving this sudden realisation of the need to identify and manage risk? Of course, as Legal Risk partner Frank Maher points out, there are numerous compelling reasons for promoting the role of the specialist risk manager. He lists a few: ‘An awareness of regulation, whether that is money laundering or insurance mediation, Law Society inspection visits from the practice standards unit, as well as clients asking in the tender process what your risk management systems are. Clients don’t just want to know if you are insured if things go wrong – they don’t want it to go wrong in the first place.’ Proper risk management is no longer ‘just the preserve of the big firms’, he reckons.


The survey echoes the results of recent research from accounting giant PricewaterhouseCoopers (PwC). Just before Christmas, it released its annual survey on financial management in law firms, which found that more than 80% of the top 25 firms had now formalised risk-management procedures, doubling the previous year’s figure.


But what does it mean to have – or not have – proper ‘formalised’ procedures? According to the report’s author, Alistair Rose, leader of PwC’s professional partnership advisory group, their consultants have ‘long been advocates’ of firms improving their act when it comes to dealing with life’s uncertainties. They encourage firms ‘to adopt many of the risk- management practices introduced by corporates’.


So far, Mr Rose reckons firms have largely focused on what he calls ‘obvious’ risks, such as accepting inappropriate clients and threats to business continuity, as opposed to looking at risk in a wider sense by ‘identifying and mitigating any risk that potentially poses a threat to a firm’s competitive, financial, regulatory and reputational position’. This is what Mr Rose calls a ‘risk register’ approach, which identifies unacceptable levels of risk.


Mr Rose says there is a tendency within the legal profession to ‘re-badge’ a partner and assign him to risk management. ‘It was always a part-time rather than a full-time job,’ he adds.


UK/US firm DLA Piper Rudnick Gray Cary takes the management of risk very seriously. Two years ago, it appointed Julia Graham, operational risks manager at Royal & SunAlliance (RSA), to head the firm’s risk strategy. She now has a staff of 12 – soon to be 15 – risk managers, and manages the firm’s risk at a global level. ‘A lot of people are surprised to learn how big the team is,’ says Ms Graham, who spent 25 years at RSA. ‘But that is not because we are a badly managed firm. We are an entrepreneurial and exciting practice, but Nigel [Knowles, joint chief executive officer] believes in investing heavily in good risk management.’


What does ‘risk’ mean to DLA? Ms Graham breaks it down into six separate categories, with one or two members of staff responsible for each area. There is ‘strategic’ risk, identifying the challenges of the firm as a whole; ‘group risk’, reflecting the firm’s presence in 20 different jurisdictions around the world; ‘operational risk’, which covers issues such as health and safety, security, business continuity and buying insurance; ‘financial risk’, which is the responsibility of the chief financial officer, as well as being on the risk management team’s radar; ‘legal and regulatory risk’, making sure the firm is compliant with rules and regulations; and ‘business risk’, which is the core of what the risk management team does, and takes up some 70% of their time.


‘Risk’ means different things to different firms. City firm Lovells also has a register of risks, identifying ‘where the risks are and who manages them’. Risk manager Nicole Munro explains: ‘We have a responsible person for each risk. We have approximately 100 risks.’


By contrast, Ian Thomas, assistant partnership secretary at magic circle firm Allen & Overy (A&O), splits the role in two ways. Firstly, there is the work done by the business acceptance unit, staffed by about ten analysts, which handles work such as ‘know your client’ and identification evidence for anti-money laundering checks, and conflict searches. Then there is the work that is done under the auspices of the A&O partnership office. Mr Thomas explains: ‘We deal with more general risk management issues, such as the Market Abuse Directive, policies on dealing with inside information, and general compliance with the conduct rules, together with general good practice, for example, engagement letters, and what to do if a client may be engaged in an unlawful activity.’


One striking cultural shift revealed in the Legal Risk survey was that more than one-third of firms now routinely limit their liability contractually, with apparently little or no resistance from clients. The old notion that solicitors fear losing work by even raising the issue appears to be subsiding. Less than one in ten firms did not limit liability contractually at all, compared to the 80% recorded in a 1999 City of London Law Society survey.


The trend is also observed in the PwC research , which found that 41% of firms routinely limited their liability on client assignments in the last year, compared to 29% in the previous year. ‘Under legislation as currently drafted, accountants cannot limit liability under contract in audits, but everywhere else we limit liability wherever we can,’ reports Mr Rose. ‘Most professionals do, but lawyers have not. However we are seeing quite a change in the last few years.’


Ms Munro comes from an accounting background and found it ‘quite strange’ that law firms were reluctant to protect themselves. She has met with little client resistance while at Lovells. ‘Surprisingly, a lot of clients are not querying it too much and once the position is explained, they’re perfectly happy with it,’ she adds. It is easier to limit your liability if you have ‘lots of small clients rather than multinationals, who don’t like being limited in anything they do’, reflects DLA’s Ms Graham. ‘There is a trend, but you could hardly call it an avalanche,’ she adds.


Does rigorous risk management deliver tangible financial benefits? As Mr Maher points out, professional indemnity cover is usually the third largest law firm overhead after salaries and property costs. ‘Professional indemnity is part of the job of the risk manager and, inevitably, what they are doing is going to impact upon premiums,’ he adds.


Robert Farrant, risk and compliance manager at the Cambridge office of regional firm Mills & Reeve, says: ‘Insurers don’t say how they calculate your premiums but obviously if your claims record gets worse, that will determine the premium. It is a negative issue. Insurers want to know that you are doing it and, if not, why not.’


So what is keeping risk managers busy? ‘We have 30,000 new matters starting every year and that works out to 600 a week,’ Mr Thomas says. ‘So we have to be extremely diligent with, for example, conflict checking, and that has been brought into focus by the Market Abuse Directive.’


It is the clients that drive the growth in risk management, replies Ms Graham. ‘If you deal with lots of regulated clients, there is definitely a convergence of regulation in the banking and financial services world,’ she reckons. ‘I can’t work in a vacuum, and I have to recognise what my clients want me to do.’


Jon Robins is a freelance journalist