In July, the Gazette looked at risk management in law firms. Here, two experts explain how an analysis of your software and a review of case management systems can help in assessing IT risk
Risk is something we live with all the time. It is present to some degree in just about everything we do. We manage risk automatically because we are good at it (usually). It is part of life.
But while most law firms have procedures in place to deal with issues like conflict of interest, it is fair to say that most do not look at risk in a holistic manner. To manage risks effectively, a business first needs to know what risks it faces. If you do not discuss these regularly at a high level, how can the business claim to be tackling risk management effectively?
Most law firms in today's world use technology to a very high degree. It is surprising, then, that most do not know what their ten biggest technology risks are. Knowledge of the risks that a business faces grants it the ability to make informed decisions about what to do about them.
Accepting a risk is a legitimate decision; a business that accepts no risk at all is in trouble. But acceptance should be an informed decision, and it should be taken only by a body entrusted to make such decisions.
Insurance specifically for technology risks is still uncommon, but adopting an information security standard such as ISO 27001 may help you to reduce your professional indemnity insurance premium.
The outcome of a risk analysis of the technology in your organisation should also drive any decisions to implement technology controls. These do not have to be technical in nature: investing a great deal of money in the latest firewall is not necessarily the way to solve all your problems. A security control can be as simple as a policy statement.
A risk review of technology is almost guaranteed to throw up some surprising issues. Do you have policies in place? Are they sufficient? Are they enforced? Does everybody follow them, or are senior management and 'special ones' somehow outside their scope? How do you know if the policies are being followed? Are your existing technical controls up to date? Are you using out-of-date software? Do your technology staff have inappropriate access to sensitive documents? Is your technology suffering because of too many changes?
Risk management does not have to be rocket science, although it is often presented that way. Most of the information required is already in the organisation. It is just that there is nobody tasked to do risk management, and those who have an understanding of the issues are not asked the right questions.
Martin Hawkins was the technology risk and security manager at City firm Clifford Chance for 16 years, and is now a consultant