Northamptonshire Law Society
Risk Dimensions Newsletter Issue 5: December 2021 In the latest edition of our Risk Dimensions newsletter for solicitors, John Kunzler and Victoria Prescott from Marsh’s Risk and Error Management team discuss why enterprise risk management matters for law firms. We also have an article from David Reston, Paul Lewis, and William Glassey, partners at Herbert Smith Freehills, on determining the scope of a solicitor’s duty of care in light of the recent Manchester Building Society v Grant Thornton case.
Why enterprise risk management matters for law firms
Authors: John Kunzler and Victoria Prescott, Marsh
Enterprise risk management (ERM) is the ongoing identification, evaluation, and treatment of the key risks and opportunities an organisation faces, so that it can give assurance that its objectives will be met. The process has become a topic of discussion for law firms, including with clients, insurers, and regulators, who increasingly expect practices to have embedded ERM as the foundation of their strategy for addressing evolving risks. There are various definitions of ERM and differing methodologies, but the main aims of a framework are to:
• Create a culture in which the organisation's objectives are clear and any risks that may affect them are identified, understood, and actively managed.
• Set controls and monitor their effectiveness.
• Communicate the techniques used and share information about risks, to help build a culture of risk management.
Materiality needs to be kept in mind: there is little point in senior management applying the full process to every risk a firm faces, although local ownership and control of lower-level risks makes good sense.
ERM involves a number of linked steps
Defining the intended risk culture is largely a top-down process, as illustrated in the accompanying figure. Organisational objectives are set out, and events that pose a risk to those objectives are identified. The process is a repeating cycle, similar to a quality improvement system: scenarios the firm could encounter are modelled, and insurance and other options are used to control the risks. These steps shape the tone of the organisation, and the organisation's tone in turn shapes how the process is run.
Why ERM is relevant to law firms
According to the Marsh-sponsored "2021 Legal Business Risk Survey", the top five risks for UK law firms are:
• IT security breach with commercially sensitive information stolen.
• Workforce availability affected by a pandemic.
• Data privacy breach or destruction of data.
• Financial systems compromised, leading to direct loss from fraud or theft.
• Reputational damage due to a firm's connection with an unsavoury or unethical client.
Even though law firms have a strong understanding of risk, embedding a "business as usual" approach to ERM can build resilience to hazards in any practice, whether a high-street firm, an in-house legal department, or a global firm.
Three of the top five risks relate to cybercrime. While digital processes around confidential data and money transfer have become far more efficient over the last two decades, they have also created new dependencies and new pathways by which breaches can occur. Law firms are attractive targets for cyber criminals, and although expectations around the control and governance of risk have increased, historic approaches may not always meet them. For example, of 40 law practices recently surveyed by the Solicitors Regulation Authority (SRA) on their experience of cybercrime, 30 reported they had been the target of a cyberattack, and 23 had been targeted directly, resulting in the theft of £4 million of client money. The study also found that, of the firms polled:
• 38% were not using dual-factor authentication.
• 25% did not encrypt laptops.
• 32% had no disaster recovery plan, and of those that did have a plan, only 30% stored it safely on systems that would still be available after a cyberattack.
• 70% did not have a cyber insurance policy.
Figure source: Adapted from "Organised Uncertainty" (2007), M. Power.
It seems likely that a major cyber incident at a law firm could be so damaging to its operations and reputation that clients, partners, employees, and other stakeholders could lose confidence in sufficient numbers to cause the firm to shut down. However, if an ERM process is followed, the risk of such an event happening can be mitigated.
www.northamptonshirelawsociety.co.uk