Reducing Your Exposure: Seven Steps to a Law Firm Risk Management Program

  • September 16, 2009
  • Peter Blair

Risk management is now, more than ever, critical to effective business management, to surviving difficult times and to flourishing as economic conditions improve.

Yet the reality of risk management is that only a minority of firms consider their risks in a systematic way. Fewer still place the management of risk at the heart of the firm, incorporate risk management into the firm’s strategy, and use their risk management systems, experience and expertise as selling points that will be valued by their clients. Instead, the management of risk is often seen as a necessary evil - a cumbersome and needlessly bureaucratic exercise.

There are seven key steps to ensuring that your firm is best placed to deal with the risks it is facing and is not caught out by the regulatory rules requiring risk management.

  1. Show it matters. Create a Risk Management Committee that meets at least quarterly, is chaired by the managing partner, and has as its members a number of the firm’s leadership team.

  2. Audit the systems and processes in place. Whether through legislative compulsion, best practice or historical accident, almost every firm will have a miscellany of risk-based documents and processes, perhaps around conflict checking or evacuation procedures. These will give you a good insight into how well risk is understood within the firm.

  3. Assess the risks facing the firm under four main categories: regulatory, operational, professional and financial. Support this process by interviewing members of the firm at all levels, representatives of clients and key suppliers.

  4. Gather the risks identified during the analysis stage into a single Risk Register. Prioritize each risk using a two-dimensional scoring system that reflects the likelihood of the risk occurring and the impact on the firm should it occur.

  5. Create a scenario for each identified risk and then analyze the risk in that context. That will support the identification of the actions to be taken should the risk occur and the actions that can be taken to mitigate the possibility of the risk occurring.

  6. Appoint and train a single Incident Management Team to take overall charge should a major incident occur and ensure its creation and membership are circulated throughout the firm.

  7. Regularly test every area of the firm’s responses to risk, sometimes on a pre-warned basis and at other times without the knowledge of all but a select few. The results of each test should then be examined under the oversight of the Risk Management Committee.

From a guest post by Peter Blair of Geotrupes Consulting at the blog An Inside Take from the Outside.