
Risky business – managing law firms risks

Brian Rogers

Regulatory Director for Digital Learning and Compliance

Our webinar series entitled 'Working with the SRA's Standards and Regulations' kicked off this week. Our first webinar covered all areas of risk management and started by looking at the challenges faced by law firms, including:

  • A lack of understanding about the role of risk management
  • Recognising what risks law firms face
  • Difficulty in assessing risk levels, likelihood, consequences, and working out which risks to focus on first
  • What mitigating risks involves.

Everything you and your firm do involves risk of some sort or another, and therefore all areas of the SRA Standards & Regulations need to be considered, in particular the following parts, which cover justifying decisions and actions, having effective systems and controls, risk management, and compliance officer duties:

  • Code of Conduct for Solicitors 7.2
  • Code of Conduct for Firms 2.1, 2.2, 2.4, 2.5, 9.1 and 9.2.

What is risk?

One key question you need to ask and answer at the start of the risk management process is, “What is risk?”; it is only then that you can move on.

Depending on where you look you will find different definitions of risk, but as we are talking about risk management it makes sense to use the definition used by the Institute of Risk Management - “risk is the combination of the probability of an event and its consequences. Consequences can range from positive to negative”.

Once you understand what risk is, you can start to look at the types of risk you face:

  • Hazard risks (theft, health & safety breaches, etc.)
  • Control risks (project management, etc.)
  • Opportunity risks (relocation, expansion, etc.)

You can then decide what your approach to risk will be. Your attitude to risk indicates your long-term view of risk (risk-averse or risk-aggressive), whereas your risk appetite indicates your short-term willingness to take a risk.

Using a Risk Register

The management of identified risks can be achieved by using a risk register, which will normally record risk activities, including:

  • Recognition of risks
  • Rating of risks
  • Ranking against risk criteria
  • Responding to significant risks
  • Resourcing controls
  • Reaction planning

Maintaining a living and breathing risk register will not only help you to manage the risks you and your firm face, but it will also help you to show the SRA and your professional indemnity insurer that you take risk management and compliance seriously.

What types of risks are you likely to want to put in your risk register?

Whatever risks you put in your register they must reflect your firm, so don’t just look at what other firms have put in their register as these may not be relevant to your firm; the following risks are a good start for you:

  • Cashflow issues
  • Misappropriation of client monies
  • Lack of independence
  • Involvement in money laundering
  • Breach of confidentiality
  • Lack of competence
  • Inadequate systems and controls
  • Poor standard of service
  • Reputational damage
  • Business continuity issues

A good place to find what the SRA sees as the key risks for law firms is its Risk Outlook; you should consider adding these to your register if they are relevant to your firm.

Each risk you identify will require a mitigation plan (steps for eradicating/reducing the impact of any risk that materialises), for example, having a business continuity plan (BCP) in place that allows for recovery from events such as:

  • Fire
  • Flood
  • IT failures/attacks
  • Terrorist attack

Many firms have a BCP but never, or hardly ever, test it; it is no good having a plan that looks good but does not work when required, so testing is crucial!

A good question was posed by an attendee after a discussion about the SRA’s firm-wide AML risk assessment template: “Much of what the SRA say is, ‘it’s up to you how to comply’, yet templates are issued. You say use them, so how best is it to proceed?” Our response to this was that it is up to firms to decide how to comply, but this should take account of any guidance the SRA has issued, including templates, etc. In our view, if the SRA provides templates they should be used, but if you choose not to use them you should document why, just in case you are challenged in the future.

Five steps for good risk management

  1. Put in place effective risk management policies, systems and procedures
  2. Train all staff on risk management (keep it simple!)
  3. Create and maintain a ‘living’ risk register
  4. Operate and test a business continuity plan
  5. Review the SRA’s Risk Outlook

Risk management should not be seen as ‘ticking a box’ for your regulator; it will be your lifeline in a time of crisis!

Risk management was discussed in our recent four-part webinar series ‘Working with the SRA’s Standards & Regulations (STaRs)’ which ran throughout February. 

The webinars examined some key areas of risk that law firms are exposed to and how the Standards and Regulations apply to them.
