Trends Shaping the Future of Legal Risk Management, by Dave Cunningham and Meg Block (2010)


Upload: davecunningham

Post on 04-Dec-2014


Peer to Peer, the quarterly magazine of ILTA

Despite the growing awareness, complexity and consequence of risk, risk management is still challenging to define in the legal environment. Each person involved has a different perspective of the situation, probability, severity and the consequent priorities and scope of responsibilities.

Risk Management Issues

Recent events highlight a variety of issues. A number of law firms, for example, have been in the news because private information was leaked to the public. This type of event, as well as multiple search engine rollbacks (after private information was uncovered through internal searches) and HIPAA compliance initiatives, have caused firms to focus on data security, confidentiality and control across systems. Ongoing management of ethical walls, legal holds, data transfer agreements and data from lateral lawyers add to the need for secure systems.

For practice leaders, fixed fee engagements and requirements to “know your client” are creating a stir around how assertively a firm manages engagements. For general counsels, an increased likelihood that clients will “go bad” in these troubled economic times puts pressure on validating the client’s business integrity upon intake and monitoring it throughout the life of the engagement. Regulatory compliance obligations are so complex that a management team — the general counsel, IT and content specialists — is needed to set the course.

Beyond these recent hot buttons, the traditional areas of risk, including records, conflicts, new business intake, finance, employment and IT disaster recovery, are areas where investments in people and technology continue to be sustained. The pressure to deal with risk effectively is increasing as more assets are vulnerable and the consequences are more severe. For now, risk management efforts are focused on the events that create risks to the firm’s data, image and profitability, and many of these revolve around the IT department.

Risk Management Themes

Hildebrandt Baker Robbins recently conducted a study to gather the insights of general counsels, IT leadership, professional liability insurers, risk directors and risk vendors, and their input has given us a unique viewpoint of risk management issues and trends. Jim Jones, Co-Managing Director of Hildebrandt Baker Robbins and facilitator of the General Counsel Forum and five general counsel roundtables held each year, also contributed his perspective.

We observed the following trends that are shaping risk management:

• Partnership of Risk Leadership and IT Leadership: While risk management in law firms is quite fragmented, general counsels and IT leadership are increasingly working together at the center of related activities. This partnership reflects how much law firms depend on technology and electronic information, with technology both creating and mitigating risks. As products that address risk issues come to market, general counsels will be more likely to drive technology decisions, furthering a joint risk management role with IT.

• Data Confidentiality: Protecting the confidentiality of information has already emerged as a leading issue for the legal community. While the improper use of information in written and spoken form is critical to control, it is the electronic form of information that dominates IT’s agenda. The volume of data, as well as varying ownership and location, complicate compliance with preservation orders, ethical walls, HIPAA regulations and other expectations of security. In 2010, the widespread adoption of enterprise search and the maturity of software to automate data confidentiality, as well as concerns about law firm data security breaches, are expected to accelerate the tackling of compliance and privacy issues. Some firms are considering how digital rights management (DRM) can be applied, and, over the longer term, others are considering working toward meeting the ISO 27001 information security standard.

• Engagement of Professional Liability Insurers: Law firm insurers are active in risk discussions and periodic assessments, yet they’ve not traditionally been aggressive in exploring new boundaries in risk mitigation. Recently, progressive insurers have increased investments in education for the market and have made funds available to help law firms hire third-party resources to improve risk management and compliance. Some law firms are attempting to negotiate discounts to their premiums by improving their own handling of risks and compliance. While the insurance underwriting process is expected to remain at a high level in most situations, the insurers are eager for law firms to develop coordinated risk management programs.

• Practice Risk: Partners are finding themselves at the center of one of the fastest changing risk areas: client and engagement risk. There is increasing need to identify and control these risks. Pressure from clients for alternative fee arrangements (e.g., fixed, capped or contingency) increases the likelihood that some clients will become “bad clients,” especially in this rough economy. In addition, the increased outsourcing of legal processes is forcing lawyers to adopt principles of project management, including scope definition and budgets, scope change control and status communications. “Know-your-client” obligations are being given more serious consideration, with some firms re-validating clients from time to time and some contemplating teaming experienced project managers with partners to lead matters.

• Client Sophistication with Risk Requirements: The continuing formalization of client relationships has created a noticeable increase in questions from corporate legal departments about law firms’ risk handling capabilities. Questions in RFPs are common, and a few law firms have been audited for risk mitigation protocols by their largest clients. Based on current trends, we are expecting risk questions to become more specific and sophisticated over the next two years.

• Outsourcing of IT Risk: Law firms have made huge investments in IT recovery capabilities as they understand the effort and diligence necessary to maintain redundant systems and data. IT has increasingly viable options to lean on third parties for the expensive and not-so-often-used recovery capabilities. These transitions to outsourcing have the potential to notably reduce costs and save staff time.

• From Implicit to Explicit Risk Mitigation: The legal market is conservative when it comes to risk management, and firms often view the proactive identification of risks, along with the subsequent setting of policies and compliance expectations, as activities that cause more peril than they resolve. While the expectation for explicit policies and education is growing in general, specific IT policies and the automation of assessment and compliance (for risks such as data confidentiality and system change management) are still exceptions. We expect that to change in the next two years.

• Centralization of Risk Management Responsibilities: Responsibilities for risks are as fragmented as the risks themselves. A slowly emerging practice is to create a multifunction risk team that includes business leaders across the firm and some representatives from practice groups. The charters for these committees include governance, risk and compliance (GRC). Governance refers broadly to the rules, processes or laws by which organizations are operated, regulated and controlled. An organization’s perception of and tolerance for risk rest on the backbone of its governance. Risk management comprises the plans, policies and procedures designed to control activities in order to accept, avoid or minimize risk. To understand whether risk management controls are being followed, compliance, the organization’s behavior relative to those controls, must be monitored and measured.

• Internal Assessments: An elemental aspect of professional risk management is the ability to create a sustainable education and compliance environment. While periodic external audits are appropriate, an internal assessment capability ensures day-to-day analysis of progress and improvements. Some larger firms have hired director-level risk leaders to facilitate this process, although these roles still have limited purview to reach across the firm to identify risks. As the multi-disciplinary risk teams mature, the internal assessment process is expected to be high on the agenda.

• From Loss Prevention to Competitive Advantage: The main focus of risk management in law firms has been minimizing losses from malpractice claims. The newly developed ISO 31000 risk management standard offers a more positive perspective; it notes that risk management is not only the mitigation of loss, but also the improvement of “efficiency in operations, environmental protection, financial performance, corporate governance, human health and safety, product quality, legal and regulatory compliance, public acceptance, and reputation.” By addressing risks represented by the topics discussed above, law firms can find ways to create business advantages.

It took ten years for general counsels and risk partners to be commonplace in law firms, and we expect that some of these trends will also take years to become the norm. In the interim, IT’s proactive participation in understanding and addressing risks helps to ensure that consequences for risk events do not fall disproportionately on IT’s shoulders.