Source: ilta.personifycloud.com/webfiles/productfiles/1940/ilta risk... ("ilta risk mgmt final", read-only)
TRANSCRIPT
RISK MANAGEMENT: WHAT'S HOT, WHAT'S NOT
ADAM HANSEN, DIRECTOR OF INFORMATION SECURITY, SONNENSCHEIN, NATH & ROSENTHAL LLP
GAIL BALLINGER, OFFICE ADMINISTRATOR, FIRM-WIDE BUSINESS CONTINUITY, O'MELVENY & MYERS LLP
PAMELA HILL, MANAGING DIRECTOR, HYPERION GLOBAL PARTNERS
The discussion in these slides is a theoretical analysis, does not represent the processes of any particular law firm and does not constitute legal advice in regard to any actual factual or legal circumstances.
Agenda
• Law firm risk defined
• How practices, policies and processes have evolved to address the changing landscape of operational and strategic risk
  – Completely unscientific rating of risk threats now vs. then
• How technology and operational management can either reduce or enhance a Firm's risk profile
• Why this matters to you, no matter what role you play
Unscientific Rating System
How much more/less important is this issue in managing a Firm's risk profile than it was a few years ago?
Yikes!
About the Same
No Problemo…
What is Law Firm Risk Management
• Wide ranging definition and often nebulous to define clearly or consistently across Firms
• No brainers
  – Managing legal ethics and professional practices of lawyers
  – Managing regulatory and legislative requirements
  – Defining the approach to managing specific claims against the Firm
  – Operational control of high risk processes such as conflicts, docket and financial management
• More strategically
  – Should provide enterprise-wide agreement on potential exposures, then ensure proactive mitigation processes and policies
  – Provides for proactive reputation management
  – Should support the strategy and goals of the Firm
Law Firm Risk Management
• Regardless of how you define it, the important point is that operational risk is managed by pulling all the pieces together
[Diagram fragments: "Trained staff and ..."; "Risk averse, regulated, standardized, consistently applied"; "Consistent use and deployment of risk mitigating ..."]
Why Should you Care?
Note how responsibility always seems to roll downhill?
What's in the Law Firm Risk Landscape
– Strategic Risk
– Structure and Governance
– New Business Intake Processing
– Human Resources Management
– Financial Management
– Technology Usage
STRATEGIC RISK
Strategic Risk – Mergers/Laterals
Risks
• Evaluating the true financial situation of merging Firm
• Past debt, previous contractual obligations and who owns it
• Technical considerations of system integration, handling old equipment
• Handling international compliance and regulatory issues
• Malpractice insurance – prior acts coverage for Lawyers from disbanded Firms
• Incomplete information to complete conflicts checks
• Inadequate implementation of ethical screens for incoming lawyers
Trends and/or Best Practices
• Awareness has heightened, but have practices really changed?
• Realization of the need for a more thorough vetting of businesses/laterals, along with more thoughtful consideration as to the true benefit of bringing them in – reputation, or can they really produce?
• Immediate implementation of ethical walls for incoming laterals, incorporating systems beyond the document management system
• Assessing potential positional or business type conflicts
Strategic Risk – Partner or Practice Exit
Risks
• Understanding the long-term financial implications
• Practice implications (still provide this subject matter expertise internally?)
• Lawyer exit process issues (moving docket or records, on-going access to email/documents, recovering Firm technology and data, monitoring downloads)
Trends and/or Best Practices
• Policies and tools that support active monitoring of file access, sets thresholds for reporting large downloads
• Continued email or file access as an exception, not a rule
• Better tracking of Firm technology
• Wiping repurposed technology
• Signed client waiver letters before relinquishing files/data/
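The two exit controls above, threshold reporting of large downloads and continued access only by exception, as an added worked example that is not from the ILTA deck or any firm's tooling: it reads constructed document-management audit log lines, totals downloads per user per day, and reports users over a daily byte or file-count threshold and any access by a departed user that is not on a documented exception list. The log format, threshold values and user names are assumptions for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample DMS audit export (not real firm data).
# Columns: timestamp,user,action,document,bytes
SAMPLE_LOG = """\
2010-03-01T09:12:00,jdoe,download,/clients/acme/brief.docx,240000
2010-03-01T09:15:00,jdoe,download,/clients/acme/exhibits.zip,41000000
2010-03-01T10:02:00,jdoe,download,/clients/acme/contract.pdf,18000000
2010-03-01T11:40:00,msmith,view,/clients/acme/brief.docx,0
2010-03-02T08:05:00,jdoe,download,/clients/zeta/deal.pdf,5000000
2010-03-02T14:00:00,ex_partner,download,/clients/acme/brief.docx,240000
"""

# Assumed policy thresholds; a firm would set these from its own baseline.
MAX_BYTES_PER_DAY = 50_000_000
MAX_FILES_PER_DAY = 25
# Departed users: continued access is an exception, so it must be listed explicitly.
DEPARTED = {"ex_partner"}
ACCESS_EXCEPTIONS = {}  # user -> set of document paths approved for continued access

FIELDS = ["timestamp", "user", "action", "document", "bytes"]


def parse_log(text):
    """Parse the CSV export into dicts with typed timestamp and byte count."""
    rows = []
    for r in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        r["when"] = datetime.fromisoformat(r["timestamp"])
        r["bytes"] = int(r["bytes"])
        rows.append(r)
    return rows


def find_alerts(rows):
    """Return (kind, user, day, detail) tuples for policy violations."""
    per_day = defaultdict(lambda: {"bytes": 0, "files": 0})
    alerts = []
    for r in rows:
        allowed = ACCESS_EXCEPTIONS.get(r["user"], set())
        if r["user"] in DEPARTED and r["document"] not in allowed:
            day = r["when"].date().isoformat()
            alerts.append(("departed-user-access", r["user"], day, r["document"]))
        if r["action"] != "download":
            continue  # views are not counted toward the download threshold
        key = (r["user"], r["when"].date().isoformat())
        per_day[key]["bytes"] += r["bytes"]
        per_day[key]["files"] += 1
    for (user, day), agg in sorted(per_day.items()):
        if agg["bytes"] > MAX_BYTES_PER_DAY or agg["files"] > MAX_FILES_PER_DAY:
            detail = f"{agg['files']} files, {agg['bytes']} bytes"
            alerts.append(("large-download", user, day, detail))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(*alert)
```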
Strategic Risk – Reputational
Risks
• Lawyer, client or personnel malfeasance
• Doing business in the age of Facebook and Above the Law
• Managing Fast Finger Freddie and his immediate, mass distribution channel for potentially embarrassing or compromising emails
• Managing potential public relations fiascos in an era where salacious stories sell
Trends and/or Best Practices
• Proactive evaluation of press via Google, Lexis, Twitter and Facebook searches
• Formal crisis communications and management planning
• Educate personnel on communications, confidentiality and use of Firm technology policies
• Zero tolerance policies and follow through for abusers
Strategic Risk – Compliance/Regulatory
Risks
• Globalization – regulatory compliance outside the US
• Inconsistent legal opinion on what compliance means
• General lack of risk management policy or process
• Privacy/security compliance is still considered an "IT issue", missing many process or policy issues that must be addressed
Trends and/or Best Practices
• Developing formal risk assessment and mitigation strategies
• Understand legal opinion, IT and administrative impact of these regulations
• Creative approach to mitigation technologies such as encryption, password use and access control
• Workforce training and education
Strategic Risk Considerations
• Are lawyers and staff trained on issues such as media relations and compliance? Do these policies even exist?
• How tight are our […] for financial due diligence and lateral hire conflicts checks?
• Do we have a prioritized and reasonable process for merging?
• Do we have […] of Intl regulatory issues?
• Do we know what is being said about us in the ether?
STRUCTURE AND GOVERNANCE
Structure and Governance
Risks
• No centralized command and control structure for both legal and operational risk management
• No central point for development and execution of policies
• No consistent, proactive analysis of risks the Firm should accept or avoid
• No consistent interpretation of new and emerging risks
Trends and/or Best Practices
• Convergence as an overall risk management strategy – centralized management
  – Owned by General Counsel or Risk Partner
  – Evaluates new risks and develops legal opinion on how to address
  – Develops policies
  – Manages malpractice insurance and liability processes
• Operational risk management
  – Centralization of high risk processes (conflicts, docket, records)
Structure and Governance Risk Considerations
• Does the Firm have documented, standardized […] for managing legal and operational risk, including formal threat assessment for new risks?
• Is someone assigned to define and publish risk management […]?
• Are […] selected and deployed as part of a risk management strategy?
• Do we have […] of new and emerging risks?
New Business Intake Processing
New Business Intake – Case Acceptance
Risks
• Resistance to rejecting new work, or taking on work from high-risk clients to make budget
• Continued lack of due diligence on new clients
• Inconsistent intake process and review committee
• Understanding true capabilities/capacity for assuming new work
• More sophisticated due diligence by clients regarding the Firm's compliance, business continuity, financial management processes
Trends and/or Best Practices
• More rigorous due diligence on new clients – Google searches, D&B, credit and reference checks AND
• On existing clients opening new matters – aged A/R review, D&B
• More thought to the types of matters and/or clients that should be rejected
• Formalized NBI committee, requirement for engagement letters
New Business Intake – Conflicts
Risks
• Requires more sophisticated methods to thoroughly vet lateral hires and to assess risk related to mergers and acquisitions
• Delay in establishing ethical walls for lateral hires
• Work performed on matters before the conflicts check is complete
• Lack of diversity of clients, matters or geographic risks – all the eggs in one basket
Trends and/or Best Practices
• Support through Business Process Management (BPM) technologies (workflow), architected to require compliance with formal intake processes
• Integrated systems that improve efficiency and effectiveness
• Conflicts checks on ALL incoming personnel
• Assessing business or position type conflicts
• Ideally, the more effective and efficient the process, the less likely work will be performed without a conflicts check!
New Business Intake Risk Considerations
• Have we updated our conflicts/intake […] to reflect the realities of today's environment?
• Does the Firm have documented, standardized […]?
• Are we using […] to enforce standardized processes?
• Do we have […] of compliance to conflicts policies?
Human Resource Management
Human Resources – Training/Policies
Risks
• Lack of on-going policy and process training for staff and lawyers regarding high risk issues such as confidentiality, data privacy, social networking, technology usage, HITECH/HIPAA, health and safety training
Trends and/or Best Practices
• Noticeably increased interest in Emergency Action Plan development
• Recent pandemic heightened everyone's awareness of infection control protocols and the need to develop policies to keep sick staff home
• Awareness of training need, but not a lot else!
Human Resources – Health and Safety
Risks
• Workplace violence concerns
• Managing employee health/infection control within the office
• Outdated pay policies that encourage sick people to come into the office
Trends and/or Best Practices
• Noticeably increased interest in Emergency Action Plan development
• Recent pandemic heightened everyone's awareness of infection control protocols and the need to develop policies to keep sick staff home
Human Resources – the Electronic Age
Risks
• Managing the human factor of technologies like Facebook, Twitter
• Inherent risk of social networking technology and the HR problems it can create for the Firm
• Inappropriate use of Firm technology
• Undefined user access control
Trends and/or Best Practices
• Mass paranoia! Lost sleep!
• Creation of policies to keep up – social networking, privacy or security compliance, proper use of Firm technology
• Still working towards proactive monitoring of internet usage, access to confidential or restricted data
Human Resources – Personnel
Risks
• Single points of failure in key staff and administrative management
• Risks associated to gaps via attrition or RIFs – less experienced staff puts the Firm at higher risk
• Privacy/security of the Firm intellectual property or proprietary information
• Managing the cultural impact of globalization
Trends and/or Best Practices
• Managed through training and education on both sides
• H1N1 heightened the awareness for the need for cross training, although follow through with the lessons is still to be seen
• Conflicts, Google searches and ethical wall screening for staff, not just lawyers
Human Resources Risk Considerations
• Are we providing adequate training on new […]?
• Do we audit to ensure risk averse […] are being followed?
• Are we using […] to enforce privacy and security requirements?
• Do we have […] of new and emerging risks?
Financial Management
Financial Management Risks
• Playing catch up with budget management tools to enable proactive management at the Firm and matter level, exacerbated by inconsistent application or monitoring of client cost allocation
• Subsequent risk for fixed fee or alternate fee arrangements
• Complexities of proactively managing lawyer productivity – origination and work performed analysis are always in arrears
• Higher likelihood of fee disputes or clients' inability to pay
Trends and/or Best Practices
• Proactive process management – timing for budget/collections management (asking smarter questions more often)
• More sophisticated use of financial analytics tools
• Better profiling of matter related costs to enable more relevant "cost of doing business" information
• Proactive lawyer productivity – still takes billers offline to do and requires a type of inefficient forecasting
• Lawyer productivity in the context of legal project management
Financial Mgmt Risk Considerations
• Have we updated budget and collections management […] to reflect the realities of today's environment?
• Have we developed […] for legal project management processes?
• Are we using […] that support legal project management and Firm wide decision support?
• Do we have […] for the clients and their concerns?
Technology Usage
Technology Usage – Privacy/Confidentiality
Risks
• Limited capability or process to monitor/audit who is looking at what
• Non-standardized, client driven encryption requirements
• Use of shared computing resources
• Knowledge management and the subsequent privacy/security issues around an "open access" policy
• Staying ahead of international legal and regulatory issues
Trends and/or Best Practices
• Use of third party tools for auditing/monitoring access
• Encryption protocols for data at rest, in transit, mobile devices
• Processes/tools to wipe, instead of delete, data
• Incorporating broader range of technologies such as copiers, fax, digital dictation devices
• Policies for strong passwords, mobile device passwords, inactivity logout, education, virus protection
Tech Usage – Securing Mobile Workers
Risks
• Difficulty in securing a mobile workforce including the devices, the data and the users
• Knowing what is connecting to the network
• 76% of data breaches are from lost laptops, PDAs and flash drives
Trends and/or Best Practices
• Device – encryption, strong password, remote data eraser, device location
• Data – encryption, no local storage, understanding data movement
• User – enforce strong password and encryption
• Educating on hazards related to unsecure or rogue access points, VPN, Wireless – Bluetooth, WiFi, Clear text
• Teach situational awareness – stop writing down passwords!
Tech Usage – BC/DR
Risks
• Localized, but not enterprise recovery capability
• Recovery of servers, not recovery of services
• Privacy/data location concerns and cloud computing
• Higher risk/higher impact of downtime with centralized or highly integrated systems
• Non adherence or lack of understanding of federal and/or international regulations for BC/DR
Trends and/or Best Practices
• New tools make DR more affordable for any sized Firm, BUT
• Not enough attention paid to true business continuity, incorporating recovery of all the critical aspects of recovery
• Service recovery instead of system recovery
Technology Usage Risk Considerations
• Does the Firm have documented, standardized security, business continuity and disaster recovery […]?
• Have we updated technology […] to reflect new risks and regulations?
• Do our […] support security, regulatory risks and service recovery?
• Do we have […] of new and emerging threats?
THANKS FOR COMING!
• What questions do you have?
• What issues would you like to discuss?
• Adam Hansen – [email protected]
• Gail Ballinger – [email protected]
• Pam Hill – [email protected]