Ilta09 Law Firm Risk Management D Cunningham

Date post: 28-May-2015
Upload: baker-robbins-company
Description:
Presented by Dave Cunningham at ILTA 2009.
Law Firm Risk Management: Can It Grow Profitability? Moderator: Adam Hansen Director of Information Security, Sonnenschein Nath & Rosenthal Panel: Pat Archbold, VP of Risk Practice, IntApp David Cunningham, Managing Director, Baker Robbins & Company
Transcript
Page 1: Ilta09 Law Firm Risk Management  D Cunningham

Law Firm Risk Management: Can It Grow Profitability?

Moderator: Adam Hansen

Director of Information Security, Sonnenschein Nath & Rosenthal

Panel:

Pat Archbold, VP of Risk Practice, IntApp

David Cunningham, Managing Director, Baker Robbins & Company

Page 2: Ilta09 Law Firm Risk Management  D Cunningham

Agenda

• Risk Defined

• Legal Risk Types

• Business Benefits

• UK vs. US Risk Environment

• Risk Roles and Organization

• Risk Management Approach

• Future of Risk Management

• Three Next Steps

• Questions and Answers

Page 3: Ilta09 Law Firm Risk Management  D Cunningham

Risk Defined

Risk is the uncertainty caused by the occurrence of an event that might affect the achievement of objectives.

• The management of a law firm’s risks involves decisions that are not simply about avoiding a negative impact but also about pursuing a positive (but un-guaranteed) impact on business opportunities.

• Consequently, effective risk management not only mitigates losses but can also positively contribute to the competitive standing of a firm.

• This tension between adverse risks and desirable business opportunities makes risk management an essential element of firm governance.

Page 4: Ilta09 Law Firm Risk Management  D Cunningham

Legal Risk Types

Example Risks: IT Systems: Continuity, Recovery, Security, and Access Management. Data: Confidentiality, Integrity, Ethical Walls, Retention, Data Protection, Data Transfers, Hosting of Third-Party or Client Data. Third Party Suppliers: Maintenance/Support, Contracts and Outsourcing.
Key Roles: CIO, General Counsel

Risk Type: Financial
Example Risks: Audit, Financial Internal Controls, Financial Transparency and Disclosure, Anti-Money Laundering, Counter-Terrorist Financing, Credit, Firm Investments, Currency, and Portfolio Risks.
Key Roles: CFO

Risk Type: Practice Management
Example Risks: Client Relations, Lateral, Professional Responsibilities (including malpractice, conflicts, records, and litigation support), and Professional Development Risks.
Key Roles: Practice Leaders, General Counsel, Directors of Conflicts, Records, Lit Support, Library, and KM.

Risk Type: Strategic / Corporate
Example Risks: Firm Governance, Risk Management Governance, Reputational, Marketing, and Market Risks.
Key Roles: Managing Partner, Marketing Director, General Counsel

Risk Type: Operational
Example Risks: Employment, Fraud, Damage to Assets, and Insurance Mediation Risks.
Key Roles: HR Director, COO, General Counsel

Risk Type: Environmental
Example Risks: Natural Disasters, Epidemics, and Resource Access Risks.
Key Roles: COO, Business Continuity Team

Page 5: Ilta09 Law Firm Risk Management  D Cunningham

Business Benefits

• Loss Prevention

• Cost Savings

• Departmental Efficiencies

• Competitive Edge

– Growth in Lateral Talent

– Growth and Retention of Clients

– Quality of Client Relationships

– Alternative Fee Arrangements

• Quality of Working Environment

• Reputation

Page 6: Ilta09 Law Firm Risk Management  D Cunningham

In the News…

(03/10/2009)

Top five risks identified as facing law firms (order of severity):

• Bankruptcy or acquisition of significant clients

• IT security

• Pressure on fees and the need for 'instant' advice leading to claims

• Conflicts of interest

• Errors made by staff/lawyers on complex, high-value transactions

A firm’s responses to application questions about risk management and loss prevention programs are often among the most important qualitative information an insurer uses to gauge the risk it may pose, according to Stuart Pattison, a vice president at Chicago-based CNA, one of the nation’s largest commercial insurers.


Page 7: Ilta09 Law Firm Risk Management  D Cunningham

UK vs. US Risk Environment

Page 8: Ilta09 Law Firm Risk Management  D Cunningham

In the News…

(03/13/2009)

“In a much-touted speech on Thursday (12 March), FSA chief executive Hector Sants outlined a break with light-touch, principles-based regulation, arguing the City should be ‘very frightened’ of the body.”

(05/21/2009)

“The Financial Services Authority (FSA) has brought charges of insider trading against two lawyers – including a current partner in the London office of Dorsey & Whitney – it has emerged.

The move marks a more aggressive stance from the FSA, which earlier this year secured its first successful insider trading prosecution…”

Page 9: Ilta09 Law Firm Risk Management  D Cunningham

US News

3/20/2009

The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry

“The FTC, with unusual frankness, emphasizes that no industry is exempt as a “creditor” … The FTC also pulls no punches when identifying potential “creditors,” listing a wide range of industries and businesses, including physicians, lawyers, merchants”

Examples of business associates include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information.

08/06/2009

Dept. of Health and Human Services, 45 CFR Parts 160 and 164

Page 10: Ilta09 Law Firm Risk Management  D Cunningham

Who’s Ultimately Responsible for Risk Management?

2007: Single Individual: 36%

2009: Single Individual: 63%

Page 11: Ilta09 Law Firm Risk Management  D Cunningham

Risk Roles and Organization

• Firm Internal Roles

– General Counsel

– Directors of Loss Prevention, Conflicts, Records

– Professional Responsibility Partners/Ethics Partner

– CIO or IT Director

– Directors of Security, Business Continuity

– Business Departmental Directors

– Partners / Lawyers

– Committees

• External Roles

– Insurance Underwriters/brokers

– Clients

– External Assessors

Page 12: Ilta09 Law Firm Risk Management  D Cunningham

Risk Management Becomes a Department in Law Firms

Page 13: Ilta09 Law Firm Risk Management  D Cunningham

Risk and IT Speak in Different Languages

DR, Malware, VPN, LDAP, SharePoint, SLAs, Five-9s, P2P

Engagement Letters, Vicarious Disqualification, Rule 1.10, Advanced Waivers

Consider: Matter Centricity + Search = Exposure

Page 14: Ilta09 Law Firm Risk Management  D Cunningham

Future Org Chart?

Page 15: Ilta09 Law Firm Risk Management  D Cunningham

Risk Management Approach

• Successful Risk Management Environment

– Communicate and Consult

– Establish the Context

– Promote Self Assessment

– Monitor and Review

Page 16: Ilta09 Law Firm Risk Management  D Cunningham

Risk Management Approach

• Risk Assessment Process

• Risk Treatment Process

– Identify Options

– Evaluate and Select Options

– Prepare and Implement Treatment Plans

Page 17: Ilta09 Law Firm Risk Management  D Cunningham

Future: Risk Register/ERM

[Figure: risk register template. Column headings: #; The Risk: What Can Happen and How Can It Happen?; The Consequence of an Event Happening; Adequacy of Existing Controls; Consequence Rating; Likelihood Rating; Level of Risk; Risk Priority; Consequence; Likelihood]

Page 18: Ilta09 Law Firm Risk Management  D Cunningham

Future: Client Requests

2009: Clients have asked firm for additional protections: 86%

2007: Clients have asked firm for additional protections: 61%

Page 19: Ilta09 Law Firm Risk Management  D Cunningham

Next Steps: Integrate Risk and Technology Management

Intake and Insider List Management

Workflow software to manage intake processes

Matter designated “confidential”, “firm confidential”, “price sensitive”

Tracks access, locks across systems, hides matter names

Insider List Management

Page 20: Ilta09 Law Firm Risk Management  D Cunningham

Next Steps: Leverage Risk Management Budgets

Page 21: Ilta09 Law Firm Risk Management  D Cunningham

Next Steps: Plan for Certification

Page 22: Ilta09 Law Firm Risk Management  D Cunningham

Adam Hansen

Director of Information Security, Sonnenschein Nath & Rosenthal


Pat Archbold

VP of Risk Practice, IntApp


David Cunningham

Managing Director, Baker Robbins & Company


Page 23: Ilta09 Law Firm Risk Management  D Cunningham

SRA Rule 5:

http://www.sra.org.uk/solicitors/code-of-conduct/215.article

Marsh UK Risk Study-Insurance Journal:

http://www.insurancejournal.com/news/international/2009/03/10/98539.htm

KornFerry Evolution of Law Firm Risk Management Article:

http://www.insurancejournal.com/news/international/2009/03/10/98539.htm

UK Conflicts Rule Changes Article-Legalweek

http://www.legalweek.com/legal-week/analysis/1156494/conflicts-comfort

Red Flag Rules Article:

http://www.securityprivacyandthelaw.com/2009/03/articles/recent-legislation-1/the-ftc-strikes-back-essentially-everyone-should-be-complying-with-red-flags-rules-especially-the-healthcare-industry/

HITECH Act Update, DHHS:

http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf

Risk Roundtable

www.riskroundtable.com

West Legal Education, Practice Area Ethics and Professional Responsibility

http://westlegaledcenter.com/home/homepage.jsf

