Having looked at Risk Management Systems in large law firms, I was asked to see how a sensible and pragmatic system could be built into a smaller law firm.
Large firms have the resources to install large systems to manage, address and mitigate all the risks facing the firm. There will often be a number of people responsible within the firm for various types of risk, and it is likely that there will be various consultant used - especially in the field of business continuity. Smaller firms do not have this luxury and so need to find a way to address risk without this task getting in the way of the main business.
Firstly, however, why bother at all? Surely risk management is just common sense, isn't it? Well most things are a matter of common sense, but having a systemic approach can ensure that all aspects are considered and that the firm can demonstrate its commitment to risk management both to the regulator and to prospective clients, who are becoming more and more concerned about risk. It is worth noting SRA rule 5.01(1)(i) which says "...you must make arrangements for the management of risk". While this is a marvellously vague phrase, it is worth considering how your firm would be able to demonstrate that it has made such arrangements.
So - what to do? I will not suggest that your firm goes down the Lexcel route - not unless you have some spare time and might like to employ a couple of new members of staff. There are some simple steps which can be taken that will not have too great an impact on the running of the firm:
- Appoint one person to have responsibility for risk (the "Risk Manager" or "Risk Partner"). Sensibly this will be the Managing Partner - who might want to delegate some tasks to more junior staff;
- Make sure that everyone in the firm knows who the Risk Partner is;
- Write some policies with regard to Conflicts, AML and other risks - and make sure that legals staff in particular are in no way confused about contact details and protocols. Writing the policies will be a good investment of a comparatively short period of work. Some standard policies may be available online;
- Have a Risk Register - a central list of all risks facing the firm. This can be a complex database or an Excel spreadsheet - personally I prefer the spreadsheet approach;
- Consider all kinds of risk - Professional, Regulatory, Reputational and Operational - and spend a little time thinking about the risks facing the firm in each area;
- Score each risk for the possibility of it happening and the impact should it happen - this will give a "score" to each risk. Don't spend too long on this step - all risks will be dealt with, the score simply gives the priority;
- Think about each identified risk in the priority already agreed. Think about what your firm would do if it happened and what it could do to reduce the possibility of it happening.
- Write this down! Do the tasks identified in the previous step to reduce risks happening!
- It sounds like a lot of work - but the eight steps above could be spread over a good period of time. The important thing is to address risk in your firm in a systematic manner, and examine the Register annually for new risks.
One of the easiest ways to start is though scenario planning. Think of an incident - or select one of your high priority risks from the Register - and spend a couple of hours (possibly over a glass of wine at the end of a day) talking through the scenario. Imagine there is a fire in the building, or that a former client has posted a blog full of (false) claims about the firm's mistakes. What would you do; who would take decisions; can everyone contact the people they need to; can the firm contact those outside agencies and suppliers necessary?
Small law firms face almost all the same risks faced by "Big Law". By addressing risk before an incident occurs, your firm can be sure of survival, be more likely to come out of the incident well, and be able to demonstrate a professional approach to regulators and clients alike. In this difficult PII climate - a solid risk system is likely to help with negotiations.