
RISK AND COMPLIANCE ISSUE 09 | MARCH 2011

Saving the world, one firm at a time

Interview: Disaster? Fraud? It’s all in a day’s work
Olswang’s head of risk and compliance, Tom Arrowsmith, on why law firms need risk directors, and how they can help boost profitability

Feature: Running risk
From client conflicts to conflict zones in Africa, risk management is about a lot more than just anti-money laundering

Plus:
Good risk management means going beyond regulatory risk
The challenges to law firms of outcomes-focused regulation


Where are all the risk directors?

Preliminary results from our research into risk roles in the top 100 firms show that fewer than a third have a dedicated risk director (or equivalent) role.

At the moment, lawyer partners often cover risk management as just part of their remit. If this was the case in other regulated sectors, people would think we were still living in the 1980s. It’s outmoded and needs to change.

Perhaps it’s the traditional unwillingness to hand over key responsibilities to the ‘support’ side of the firm. Perhaps it’s because partners can’t see how risk is now a strategic issue that covers every part of the firm.

Whatever the reason, perhaps you should stick this issue of Briefing under someone’s nose to give them a start. In it we have Olswang’s head of risk and compliance on why firms need risk directors, a feature-length look at the threats firms often aren’t looking at, and analysis of what the new risks look like and how OFR might affect your firm.

I hope you enjoy the issue.

Rupert White, head of content and community

Interview: Tom Arrowsmith
Olswang’s head of risk and compliance talks to Rupert White about tomorrow’s world of firm-wide risk management

Feature: Running risk
From client conflicts to conflict zones in Africa, Lucy Trevelyan finds that risk management is about a lot more than just anti-money laundering

Proactive measures, please
Good risk management means more than just regulatory attention to detail, says Brian Lynch, risk practice group director of IntApp

Best outcomes?
Colin McArdle at LexisNexis Enterprise Solutions outlines the challenges to law firms of October’s new outcomes-focused regulation model

How Briefing works

Briefing features editorially independent interviews and feature articles as well as sponsored editorial. All sponsored editorial is marked as such, in the bottom left of the pages on which it appears.



INTERVIEW Disasters, security, money laundering... Just another day in the office, then

Tom Arrowsmith, Olswang’s head of risk and compliance, talks to Rupert White about why law firms need risk directors and how teams like his can help firms do better business

The very top law firms are slowly but surely adopting a cadre of dedicated, director-level people whose task is to oversee every aspect of risk. They have the power to make changes and enough business nous to use that power to help the firm win business and stay ahead of the game. Does your firm have one of these people?

Olswang does, in Tom Arrowsmith. He’s head of risk management and compliance, and he represents a growing movement of the responsibility for risk management into a primary support role.

Risk isn’t really a ‘department’ in the way that HR or IT are – perhaps that’s why, of the top 100 firms, only around a third have a role that’s in any way like ‘risk director’. This doesn’t mean legal sees risk as unimportant, but as risk directors are de rigueur in other regulated sectors, law firms look increasingly anachronistic by comparison.

What you call these people isn’t important, Arrowsmith says, but whatever they’re called, they need to become a central role in the law firms of tomorrow. And the new regulation model from October 2011 – outcomes-focused regulation, or OFR – might push this further along, he says, as it demands firms have a compliance officer for legal practice (COLP).

But who will fill those shoes? In many firms, the required risk positions are currently held by the senior partner, chief executive or the general counsel. But towards the top of the top 100, a new breed of dedicated risk chief is emerging. You can tell how nascent this job field is by the fact that there isn’t even a set title for it – pretty much every firm calls the role something different.

Whether the head of risk should be a lawyer or someone with a legal background – a view put forward by many – is matter for debate, Arrowsmith says, as there are “benefits and disadvantages in having a [lawyer] in the role and in having someone who isn’t necessarily legally qualified – a non-lawyer manager will be able to bring all kinds of different skills that the lawyer won’t necessarily have, particularly strategic and commercial approaches.

“[But] do I agree that there should be a head of risk, mandated to look into every area of risk they think necessary in the firm and [be able to] have that discussion? Yes, definitely.”

Powering

Whether the risk chief is a lawyer or a manager, they need a good grasp of IT. “IT is completely fundamental, because you can’t run any decent system or appreciate exactly how things work within your team unless you’ve got a very good view of how the IT works [in the firm] – how the systems actually operate, how a new client gets taken in and through to the end of a matter.”

Arrowsmith says that the head of risk in a firm should take a lot of the responsibility for putting in place workflow systems in the firm, and at every stage in the client’s matters “there should be thought given to risk management, and risk managers should have input into that process”.

“It’s not just an IT process,” he explains. “You need a decent overview of risk and to understand what could go wrong.”

Which is another reason that those with a background outside legal might have an advantage, he says: “You’re actually more likely to be able to take a black letter law problem and turn it into some kind of practical business solution. It’s not the fault of the lawyers, but they’re going to find it a lot trickier because they won’t necessarily have the underlying understanding of how law firm systems work.”

This doesn’t mean that lawyers can’t be great risk heads. In fact, Arrowsmith says, they can and should play a vital role in any risk team. “The former lawyers, the people with experience of actual client work, are going to be well placed to understand the practical realities of that work.” He might say this, of course – before joining Olswang in 2005 he’d trained as a barrister.

“The best way to run a compliance team is to have the right mix of people, so you’re going to have the professional risk and compliance people and the people who are former lawyers.”

But there still needs to be someone whose role is to ‘own’ risk. While this is the case in everyday practice in law firms, it’s only when there is a real dedicated risk chief that a firm can deal with risk in its every guise in a proper way.

Risk is strategy

The problem firms often have now is that risk is often seen in silos – IT directors, facilities directors and COOs, for example, owning areas of risk – whereas, as risk specialist Mike Gorick says in our feature, everyone in a firm co-owns its risk. So risk is like IT or finance, in that it’s a firm-wide infrastructural issue.

A good strategy reason to have a single risk chief who is responsible for everything from anti-money laundering (AML) to information security risk is that they can see how risk relates deeply to strategy. Everything a law firm (or any business) does in business has a risk edge to it – new ventures doubly so.

“When you’re faced with a compliance question like [setting] up a new office, there are so many different people who need to become involved in that [from the IT director to the BD people and HR]. What you need is someone who can take a global view of all the different things that need to happen to get that international office in place and who can always be thinking one or two steps ahead and thinking: ‘What could go wrong here?’ There’s an underlying set of tasks that you need to do to move any kind of business operation forward, and often that does start with a risk team. That’s what I’ve found.”

This firm-wide risk approach needs to be connected to a good firm-wide risk culture – which is the other large-scale thing a good risk chief should be responsible for, Arrowsmith says. At Olswang, he says, people are not only required to read the firm’s manuals and updates, they also have ‘tick box’ requirements to say they’ve read, understood and will adhere to them. It’s vital to get this kind of active risk behaviour, because it’s not good enough just to disseminate information – you have to create a risk-led culture that binds people to those instructions and helps them see that as good for business.

Even better is to build risk awareness into key performance indicators, Arrowsmith says. “That produces [a culture of risk and compliance]. You can set standards, such as a percentage level of engagement letter coverage less than ‘X’ is just not acceptable. We’ve been doing that now for quite some time, and it feeds into the way that [partners] look at their appraisals at the end of the year.

“That is definitely the most effective way of doing it that I’ve ever come across.”

If a firm isn’t tracking how well the risk directives and directions are being adopted across the firm, Arrowsmith says, “and if you’re not double-checking that it’s happening in reality, then, first, you don’t know what’s really going on and, second, you arguably have not achieved anything by putting that policy in place in the first place”.

Risk as client winner

Good risk management within the firm is mainly being driven by clients, but this has a hidden potential advantage to the firms that can grasp the business benefits of risk thinking. “There’s definitely an extent to which it could be a differentiator,” Arrowsmith says. “I’ll happily speak to the clients directly if there’s, for example, AML issues, and ask how we can help.” What he means is, for example, when a client is trying to do business internationally and they run into an AML hurdle, “is there any way that we can quickly call them up and try to lend our expertise”?

“That’s what we do for a living, so there’s no reason at all why we can’t add value in that way.”

And the risk team can bring a lot to the table internally, too. An example Arrowsmith gives of this is in helping the firm with supplier contracts, from courier companies to file storage: “The risk and compliance team has a vested interest in seeing what goes into those supplier contracts”, he says, because those contracts will only come back to haunt the risk team should they go wrong. “Why not, as a risk and compliance team, help to advise the different [internal] teams who have to sign up to all kinds of supply contracts on what’s in those contracts?”

But this isn’t about trying to lever a team of ‘no’ people into every corner of the firm. Arrowsmith says the risk team has to approach pretty much everything from the position of “not putting unnecessary barriers in front of any kind of progress”.

“If the firm’s looking to do something, work with them to try to work out how it can be done. Be flexible about it.”

This is the upside of the job of the risk manager that really should come out more often – because they know (or they should know) that almost every area of business is strategically related to risk, they need to work with colleagues to help grow the firm, not to stifle it.

“If you can try to approach every element of risk and compliance from the perspective that risk management makes good commercial sense, it’s good business logic and it’s a sensible way to go about things, that will help.

“Don’t try to sell risk and compliance obligations as something you have to do because the regulator requires it – try to explain that it’s the right thing to do because it assists your relationship with the client, and it assists with ensuring that we get paid at the end of a matter and that everybody ends up happy.”

What clients want

“You can conduct AML checks strictly because of the Proceeds of Crime Act and the money laundering regulations, but you can also do it because you should want to know who your client is. You should want to know what they’re about, who’s pulling the strings, and you should want to appreciate what it is that they want to achieve out of a particular matter.”

You should want to know everything not because it’s investigative, he says, but because this knowledge will give the firm a key insight into how the client will judge that their needs have been met.

This is becoming ever more of an issue because it’s the clients that are demanding ever more concentration on risk, and risk across a variety of vectors, especially informational risks like confidentiality and information security.

Clients are now turning increasingly to procurement people to work with their suppliers, including law firms – which can be the bane of the BD person’s life, as we found out in our Briefing on marketing and BD – but this has another effect on law firms: it has started to push risk in many previously minor areas (to a law firm’s mind) high up the agenda, such as information security, business continuity and data protection, Arrowsmith says. “They’re very sensible and they want to make sure we’re doing everything that we can to maintain confidentiality and to protect their data.”

Ups and downs of OFR

Closer to home, from October law firms will have a whole new world of regulation to deal with in OFR. The problem is that no one quite knows exactly what it will be yet. What we do know is that it won’t be based on a prescriptive book of ‘must do’ lists and, most urgently, it might be impossible, at least in the early days, to guarantee that the firm will not have done something that gets it into trouble for non-compliance.

“[OFR] is going to be a top priority at the moment for every single head of risk. In reality it’s going to require a root and branch review of all existing procedures, but not necessarily [to] amend every single procedure,” Arrowsmith says. What risk heads will have to do is decide whether or not what they’ve got in their current manuals meets the ‘indicative behaviours’ demanded under OFR. “Provided they do that, that’s a good indication that the outcome is going to be accomplished.”

The difficulty, he says, with ‘outcomes’ is that “there’s actually less clarity than there was previously. Lawyers do prefer clarity – and directors of risk up and down the country would prefer more clarity”.

“It’s going to be very difficult to categorically say whether something is compliant or not with the new code. It’s very much an ‘after the event’ analysis.”

In essence, the Solicitors Regulation Authority appears to have introduced a measure of risk into the world of risk, which would be ironic if it wasn’t so serious. “There’s a level of certainty which has been taken away,” Arrowsmith agrees. “There’s a risk that you won’t complete the outcomes, even though you’re doing something which was substantially similar to what you’ve done previously.”

How can a firm deal with this fundamental insecurity? Turn the rulebook into a series of conversations, he says. “We’re going to have to do a lot of education and training, and explain to people that what they need to do is they need to really consider what the outcome of their actions will be. We may well be on the phone a lot more than we used to.”

But OFR isn’t all bad news. “There’s going to be a welcome amount of flexibility to it,” he says. “It won’t be nearly as huge as the current code, so it will bring a welcome sense of proportionality”, he says, and it should be easier for mere humans to understand, which is “very sensible”.

Ultimately, Arrowsmith has two key pieces of top-level advice for risk heads who will be dealing with these new challenges and this new regulatory environment: use real examples of compliance or risk failures to drill the issue into people, and use technology to help automate risk mitigation wherever possible.

“You should use the IT system to tell you where these things aren’t being done properly,” he says. For example, new client inception should prompt AML steps, and it should be a chance to have a look at the credit risk associated with the client. It should also be a broader chance to look at how to engage with the client in terms of risk and business – engagement letters and terms of business, for example. “That all begins with IT,” Arrowsmith says, “because these are effectively IT processes, taking a matter from the beginning of its life at the firm to the end.”

And risk education, possibly the most important thing, needs to focus on real examples that have come out of the firm, “where things have gone wrong, risks which the firm has actually felt and experienced” – war stories, in other words.

If you can present real examples, he says, “it’s very, very difficult for the lawyers to say ‘that can’t happen here, and isn’t relevant to us’”.

Interview transcribed by Voicepath


FEATURE

Running risk Lucy Trevelyan looks at the world of the risk director. From client conflicts to conflict zones in Africa, she finds that risk is about a lot more than money laundering

Risk is everywhere in legal you’re not’ thinking? And, of respondents said clients dentiality and data protection business, but as a busi- whoever does the job, are risk are showing greater concern are issues about which clients ness services role in law heads really looking at every about risk management and are particularly concerned – firms, rather than a partner aspect of risk? mandating more stringent prompted, perhaps, by recent responsibility, it’s still rela- A decade ago, says Martin measures. Nearly half (47%) high-profile cases of data tively new. Does that need Baker, risk management said their clients see risk losses. “These cases didn’t to change, as a new regula- partner and MLRO at Taylor management as a key priority. involve law firms, but law tory environment rolls in? Or Wessing, the concept of risk A fifth (21%) said clients saw firms do have a lot of sensitive have law firms already found management in law firms just risk management as a way of data – clients are more tuned the right way to run risk? didn’t exist – but it has moved differentiating the firm. in to these issues and are In a law firm, you can’t to the top of the agenda over In other words, one in concerned about them.” be too paranoid – risk can the past four years or so. five risk people say clients Kim Hobbs, co-head of risk rear its head anywhere, from The demand for more believe that the way a law and compliance consultancy cleaners spilling things into stringent risk management firm handles risk may define Compliance Check and prac- PCs to receptionists leaving strategies has come from whether it wins their business. tice manager for north London client letters on display; from clients. 
By itself that fact isn’t However, 74% of risk chiefs firm Curwens, says that, when failures in conflict checking surprising, but clients are also polled said that lawyers saw working on strategic risk to partners leaving laptops concerned about a much risk management as “neces- management, it’s essential to on trains. All these things can broader spread of risk vectors sary but inconvenient” – sup- calculate senior management’s and do happen, and they can than firms might even have port staff figured only slightly collective attitude to risk and devastate a firm’s reputation realised existed or mattered. better – and only 21% of them to educate them on the need and, ultimately, its bottom line. According to the UK edition thought lawyers and staff saw for risk management. But who does this vital job, of the 2011 Law Firm Risk it as a “key priority”. It can only “A framework can [then] be and are they right people? Is it Survey Report – a survey be described as scary that 5% developed that the team can the case that only lawyers can of risk heads from the 100 of risk people thought lawyers embrace, and that everything be true risk chiefs in law firms, largest UK law firms by the saw risk management as builds upon. This task will or is that just old-fashioned Risk Roundtable Initiative, an “unnecessary”. almost certainly demand a ‘you’re either a lawyer or IntApp-backed initiative – 90% Baker says breach of confi- great deal of time up front

ISSUE 09 | MARCH 2011 10 briefing on RISK AND COMPLIANCE www.legalsupportnetwork.co.uk

Running risk cont.

[but later] decisions about risk “It is going to be a significant able to achieve management in specific areas exercise for many firms.” that objective will be simpler.” Many City law firms are unless they are Baker says risk is or should concerned that the SRA may part of the senior governance GC roles: “Some firms take be “a standing item on every not be correctly focusing its structure of the firm”. The SRA the view that. in the case agenda, and that’s before the resources or demonstrating a has clarified its intentions a of general counsel, there Solicitors Regulation Authority full understand of the needs touch, he says, by saying it will should be some separation of [SRA] starts getting involved of City firm clients, as distinct not look solely to the COLP for functions”. with the new outcomes- from those of high street firms. delivery of the ‘required out- focused regulation [OFR]”. To worry about whether comes’, and that the overall the consumer is protected responsibility will remain with Risk and the board “is absolutely right”, he says, the senior management body OFR your head? “but for a practice dealing with of the firm. But that’s an issue around sophisticated multinational But can risk managers GCs – if risk management is OFR – which will see the clients, [clients] will let you really ensure board buy-in moved to a dedicated support SRA’s detailed rulebook know if they think they are for a pervasive firm-wide role, there’s no reason it can’t replaced with a risk-based not getting the right level of risk strategy without having be at board level. approach founded on ‘out- service. If you don’t provide someone on that board? Penningtons’ risk and comes’ and behaviours – is what they want, you won’t get Frank Maher, partner at compliance manager, Marcus right at the top of Shepherd, says most law firm risk that if risk chiefs managers’ agenda. 
are not embedded The SRA board at board level, recently approved “Risk is at the heart there must be the final draft of good communica- its handbook, due of strategy. If you are tion between the to be published 6 two camps, and April 2011, which opening in a new country that risk manage- sets out the new or practice area, or ment must always regulatory arrange- be prioritised with ments to support taking on a high-risk the resources the introduction of available. “This OFR in October. client, it affects risk.” prioritisation Baker says needs to be he thinks OFR Frank Maher, partner, Legal Risk LLP closely linked with is the right way what the business forward for law strategy is.” firm regulation, It is critical too, but that the jury is out on instructed again”. Legal Risk LLP, says risk is at he says, that risk heads work whether enough time has The new regime has also the heart of strategy. “If you with all support departments, been given the sector. “The attracted criticism because of are opening in a new country or they simply won’t be need to establish robust audit the strict requirements for the or practice area, or taking on effective. trails to demonstrate compli- compliance officer for legal a high-risk client, for example, If risk managers operate at ance is concerning a lot of risk practice (COLP) role, which it affects risk, hence the need board level, Gowans says, managers.” each firm must have in place for the risk culture to be it’s easier for them to ensure He says there is real con- by March 2012. embedded into everything the a risk management culture is cern about the uncertainty and ’s risk firm does.” embedded in the firm from the cost of compliance – extra partner, Andy Gowans, says But whether risk chiefs top down. 
His firm’s risk team costs will arise in recruitment, there is concern at many should be a member of the includes an equity partner, in partner time and in devising firms that “potential COLP board is open to debate, he former practising litigation and introducing procedures. appointees are unlikely to be says, especially if they’re in and regulatory lawyers, risk

ISSUE 09 | MARCH 2011 11 briefing on RISK AND COMPLIANCE www.legalsupportnetwork.co.uk

Running risk cont.

‘professionals’ and someone not convinced it’s necessary. look towards the legal regula- instant and unguarded with IT systems and projects Mike Gorick, associate at tory areas more than any other statements of fee-earners, or experience, as well as non- The Compliance People, is of ‘business’ regulations that others in the firm, to go out, qualified staff with conflicts- the opinion that every member apply – and this is the wrong which might damage a law checking experience. of a firm ‘owns’ the firm’s risk, way to look at it. firm’s reputation”. He also calls on expertise and this needs to be instilled “The risk manager should Firms should have internal from heads of HR and finance, with training. But the buck still have an oversight and respon- rules and procedures about he says, and external auditors stops with the partners and sibility for all compliance, not what can and can’t be bring an “outsiders’ view and the MLRO. just that which applies to legal said using a firm’s Twitter a wealth of experience in risk “Risk should be overseen transactions and the code of account (often called a social management for law firms and at the top. Too often the risk conduct. This is a tall order, media policy), he says, but other professions”. management appointee used and medium and large firms the difficult part is how one But Gowans has mixed to be someone at a lower may require a full-time senior addresses the risks arising feelings as to whether there is from employees using their a need for more ‘professional’ personal Twitter accounts to risk people (ie from business blog about business-related rather than law) in law firms. issues, and unintention- While they can bring “excellent ally disclosing client details or skills and valuable perspec- “Twitter is a significant risk, price-sensitive information. 
tives from other professions and I think sooner or later “It’s a significant risk, and I and industries”, he says, “I think sooner or later a law firm would be concerned that a law firm is going to get is going to get caught out.” ‘importing’ a non-lawyer risk New risks have taken over professional as the sole risk caught out.” from the old spectres because management function may be firms have done well to deal unrealistic for many firms”. Martin Baker, risk management partner and MLRO with the old enemy, money To be effective, he adds, laundering. Compliance the risk management strategy problems still arise though, needs to be embedded at the Maher says, because of core of a firm’s culture, which insufficient attention paid takes time “and is intrinsically to ongoing monitoring and difficult for someone without procedures where additional ‘insider’ status and credibility level, perhaps a good secre- appointment.” But, he says, measures are required to be to achieve”. tary who really knows the firm. this can pay for itself. taken, such as clients that Paul Howard is Wragge But it’s difficult for them to be aren’t face-to-face, and politi- & Co’s first general counsel seen as having the authority cally exposed persons (PEPs). with particular responsibility they need, or [even attain that New risks, new rules Also currently moving up the for risk management strategy, authority] as they have come regulatory agenda, Maher and represents the opposing up through the ranks.” Whoever carries the risk says, is compliance with view. A retired Wragges Sometimes, he says, management yolk, they’re sanctions legislation, an area partner, he believes it would delegating authority to an continually facing new types of very much in the public eye be far more difficult to do his external source, especially if risk. Increasingly sophisticated with UN sanctions and recent job had he not been with the that source is authoritative, technology creates a new events in Libya and Egypt. 
firm for many years. “[For] all may be much more effective batch of possible terrors – so- Closer to home, business the things you get involved than an in-house person cial media and data protection continuity is another area in – confidentiality, conflicts, without any clout. are topics currently climbing increasingly seen as a legal issues – you need to OFR comes, in essence, the list of risk management significant risk – with extreme understand the legal practice from the financial services bête-noirs. weather, technical failures really well.” Wragges doesn’t sector, which now looks at risk Baker at Taylor Wessing and reputational risk issues have a risk manager on the in a very ‘holistic’ way. In legal, says that Twitter is a particular all capable of interrupting any board per se, and Howard is Gorick says, lawyers tend to concern, because “it allows business. Disasters are sadly


big news at the moment, but even the more ‘normal’ ones, such as snow or flooding, should fall to the risk chief.

Risk managers can make good business continuity co-ordinators or controllers, Shepherd at Penningtons says, because during incidents they don’t have direct responsibility for recovery, so they’re able to focus on coordination and communication.

New business and risk

But risk is also, as Maher pointed out earlier, about strategic goals, and making sure the firm succeeds and makes profit.

John H Verry, risk director for TLT LLP, says the imminent threat of alternative business structures and competition in the market in general are points also preying on the minds of risk heads.

“The legal profession is not giving enough credence to the potential impact of new players; strategic risk is a key area. With deregulation comes the ability to be innovative and spread into new markets. Risk plays an important part in determining the feasibility of entering new markets.”

Verry says the proposed changes to the professional indemnity arrangements for the profession also trouble him: “Removing financial institutions from minimum terms cover this year will have a big impact potentially on a firm such as mine.”

Who does the firm’s work will be a big part of future business – and outsourcing and offshoring are big issues for risk managers, because outsourcing pushes risk outside the wall of the firm and creates a real need for a firm-wide approach to risk.

Outsourcing is only going to get more front-of-mind after the SRA announcement in November 2010 that it will be assessing the impact on the legal profession and its clients of outsourcing and offshoring arrangements, through a “thematic review”.

The SRA says it will take a broad view of what constitutes ‘outsourcing’ – which means, Gowans at Osborne Clarke says, that firms that don’t realise they are involved in outsourcing will be affected in unanticipated ways.

“Many payroll services, document archiving and deeds storage, company incorporations, process servicing and IT services hosted on external servers may all involve the potential for third party access to confidential information, which could be covered by the review.

“There is also some indication [in the SRA’s move] that where a firm does not have its own resources to carry out a particular mandate, the SRA will view the engagement of specialist lawyers from a different firm, or lawyers from a firm in a different jurisdiction, as within the definition of ‘outsourcing’.”

Under current SRA rules, the main regulatory issue with outsourcing concerns client confidentiality, data security and data protection. But, Gowans says, the business, strategic and market risks are far wider.

Firms considering outsourcing, he says, should consider a multitude of risk factors, ranging from the information security risks to reputational ones, from financial risks down to plain old people problems.

For firms of all sizes, risk is a big issue that will only become more pressing as the legal market, and the way it is regulated, changes – and it touches every role in a firm.

One thing is clear: the role of a risk chief can no longer be restricted to areas which the management board sees as appropriate. It must instead be a proactive and all-encompassing role, with intense and ongoing liaison with business services and legal staff. Every decision made by management and support department heads ideally needs to be scrutinised for risk issues, and it is hard to see how this can happen unless the leader of a firm’s risk team – whether he or she is a lawyer or a manager by background – has a seat at the top table.

Outsourcing and risk

Andy Gowans, Osborne Clarke’s risk partner, outlines some of the risk issues around outsourcing

Project and execution risks: Properly define the services to be outsourced – vital for setting out a meaningful service level agreement with the provider of outsourced services.

Human resource risks: How will the personnel to be outsourced be treated, and what will the morale impact be both for those that are outsourced and those not?

Financial risks: How financially stable is the outsourcing business, and are they insured for mistakes on legal process outsourcing?

Strategic/competitive risks: Is there a threat from the client eventually going direct to the outsourced provider in an LPO arrangement?

Reputational risks: Is there a danger of a perception that a firm offering LPO services is moving to the ‘commodity’ model, and aiming for lower-value work? If something goes wrong at the outsourcer’s end, what is the reputational blowback to the firm?


ANALYSIS RISK MANAGEMENT

Proactive measures, please

Good risk management means more than just regulatory attention to detail, says Brian Lynch, risk practice group director of IntApp

Heading into 2011, the rules for risk management within law firms are changing. Information risk in particular has taken centre stage in law firms, as new regulations, clients and insurers have asserted risk management demands, and have moved to a ‘trust but verify’ approach.

This October, outcomes-focused regulation becomes the Solicitors Regulation Authority’s method, a departure from its current rules-based approach. This is both freeing and taxing.

Currently, requirements are well-described, albeit not altogether useful. In the new model, mandatory outcomes are described, with optional supporting indicative behaviours. Within the revised Code of Conduct, firms are required to “have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks”. Though the term “effective” is currently undefined, the SRA will conduct an audit of any firm it deems may have fallen short of this mark.

This isn’t the only area of compliance to which law firms must pay more attention. ACS:Law fell foul of the Data Protection Act in late 2010 following a massive leak of personal information. ACS:Law ultimately closed because of the debacle.

Regulators are not the only ones exerting new pressure. Major corporations subject to industry-specific regulations now want to share risk with their law firms.

Whereas firms typically advise their clients on the best methods to minimise risk exposure in any negotiation, clients are now demanding their firms also reduce their own exposure. Many government agencies, for example, now require ISO 27001 certification from firms.

Beyond IT-specific risk areas, clients are demanding that firms have controls and monitoring in place to protect them from severe reputational harm. Robust risk management has become the new standard of care.

Insurers are also exercising their buying power and looking for ways to mitigate risk and reduce claims. Professional indemnity insurance (PII) regularly ranks as one of the top expense items for firms. In the underwriting process, insurers require attention to risk due diligence to ensure that firms have proper controls in place.

In the face of regulatory, client and insurer pressure, therefore, prudent firms should continue expanding risk management efforts with investments in staff, technology and management attention. The alternative – waiting for issues to crop up and responding reactively – is not a strategy for success.

“Waiting for issues to crop up is not a strategy for success.” Brian Lynch, IntApp

There are some key steps firms can take to ensure consistent compliance and effective risk mitigation:

• Assign staff dedicated to managing risk
By dedicating manpower to predicting, identifying and mitigating risk, firms can move to a more predictable, proactive approach.

• Align risk and IT management functions
Risk managers should arm their IT colleagues with compliance knowledge, and IT should highlight innovative methods to protect the enterprise.

• Document and communicate protocols
Developing and perpetuating a culture of risk awareness ensures an organisation works as one to prevent avoidable breaches or unsafe behaviour.

• Use technology to free up risk staff to focus on higher-value policies and procedures
Information risk management has become too unwieldy for manual processes. Technology can monitor for abnormal behaviours or ensure access controls are in place.

• Explore separate cyber insurance policies
Data breaches can be very expensive. PII may cover this, but it will affect the renewal cost. Smart firms are shifting their risk to a distinct policy.

Effective risk management results in a more attractive firm, to regulators, clients and insurers. A commitment to risk management will also drive business development, and insurers will reward less risky clients with lower premiums – and forward-thinking firms are finding that the proper combination of technology and process helps them benefit from those advantages.

SPONSORED EDITORIAL

ANALYSIS FUTURE REGULATION

Best outcomes?

Colin McArdle at LexisNexis Enterprise Solutions outlines the challenges to law firms of outcomes-focused regulation

This October will see new regulation for legal service providers, creating alternative business structures and transforming the sector.

There is rationale behind these regulatory changes: promoting diversity, increasing competition, improving access to justice and ultimately protecting consumer interest.

The Legal Services Act requires the Solicitors Regulation Authority to support the act by encouraging transparency and accountability in legal services providers. To this end, the SRA has developed an ‘outcomes-focused regulation’ (OFR) approach, in an attempt to move away from the prescriptive mode to a more qualitative way of measuring professional conduct and legal service delivery. The onus of compliance rests squarely with the legal services providers – they face potential risks of severe financial penalties in the event of non-compliance.

The challenge for legal services providers is that these new regulations are open to interpretation, increasing the risk of non-compliance. Firms need to self-assess, self-certify and proactively report on their state of compliance to the SRA. Creation of new risk job roles, such as compliance officer for legal practice (COLP) and compliance officer for finance and administration (COFA), will become mandatory and are aimed at enabling firms to deliver those requirements to be proactive.

Law firms have a lot of processes to turn into a self-assessment process. A good example is on-boarding a new client as part of demonstrating client care – a key focus area of OFR. Firms need to conduct anti-money laundering (AML) checks, establish proof of identity, ensure that the client has funding in place and is aware of all relevant options, and have templates for all types of client care letters and inform the client in writing of the complaints procedure.

Legal services providers also need to assign practitioners with the right experience to the client and closely monitor service delivery for quality.

These challenges will be compounded for firms that outsource the delivery of their legal services. The SRA can request access to records or entry to third party premises in relation to outsourced activities or functions at any time.

Legal service providers also need to publish an ‘equal opportunities and diversity’ policy that is available to clients. Alongside these risks lie processes around conflict of interest, confidentiality and disclosure, and law firms need to put in place safeguards, including information barriers, that comply with common law, such as ethical walls and files and security settings.

Automating compliance

Manually executing and monitoring these processes takes a great deal of time and is very heavy on admin – and is costly and prone to human error. Adoption of workflow technology, however, to automate business and legal processes, can deliver real risk-led, compliance-related advantages to firms.

Such technology aggregates data from various sources and can deliver useful risk data about the firm quickly and easily. For example, AML checks are immensely time consuming and tedious tasks – but through automating the due diligence process, they can, to a large extent, become foolproof and routine. This enables firms to undertake client screening and ongoing monitoring in line with a risk-based approach to work, and provide complete audit trails to demonstrate evidence of the process and the results obtained for compliance purposes – vital in an outcomes-focused world.

Evidence of a risk-based approach to compliance also gives firms the capability to identify and quantify the risk potential of a client or matter as part of a workflow, which can substantially reduce professional indemnity insurance (PII) premiums.

Using technology to automate compliance-related processes is the only fail-safe solution for law firms. Such an approach aligns regulatory compliance with risk management and overall business strategies, minimising the financial and reputational risks of non-compliance.

Ultimately, the goals of the SRA are not different from those of law firms: ensuring firms are run in accordance with proper governance and sound financial and risk management principles, to give legal service customers the best possible service.

SPONSORED EDITORIAL