Last year’s risk management and professional indemnity report with broker Marsh told a story of progress; firms felt risk culture had significantly improved in the ten years since Lehman Brothers’ collapse. However, risk remains a moving target, and there is a feeling that recent unpleasant episodes at a number of City law firms mean the much-touted improvements in culture have yet to extend to professional ethics.
‘I’m a great believer in the risk team playing a key part in defining a firm’s culture,’ says Walkers’ chief compliance officer Angela Robertson. ‘Fundamentally, risk teams enforce types of appropriate behaviour, whether dealing with clients or third parties. So it being involved in defining culture is no different really. Currently risk teams don’t have a specific remit to do so though.’
‘Reputational risk from adverse publicity associated with regulatory fines or harassment/discrimination claims’ had an aggregate score of 5.8/10 for impact and potential in our risk profile chart (see below), with firms considering such an incident less likely and less impactful. ‘Sexual harassment claims against partners’ had a similar score of 5.7.
The individual cost of such incidents remains clear, with the death of Eversheds Sutherland partner Geraint Thomas in December 2018 a stark reminder of the impact harassment allegations can have on those accused as well as those allegedly suffering the abuse. However, the long-term impact of such incidents on a firm’s business reputation is difficult to measure. Moreover, there are no conspicuous indicators of a firm’s susceptibility to harassment scandals in the first instance.
‘There are probably soft indicators,’ says director of risk and compliance at Pinsent Masons, Chris Andrews. ‘You can probably take comfort in the culture if the firm has one that is open to diversity in general. The likelihood is if a firm is comfortable with diversity then people are empowered to speak out. That’s a soft indicator.’
The absence of ingrained procedures for individuals to report misconduct would be a stronger indicator of a firm with fundamental concerns. Anonymous whistleblowing hotlines are one such measure, serving as an answer to the historical issue of individuals choosing against speaking out for fear of it impacting their careers.
‘There has been a tendency for firms to keep quiet and brush things under the carpet. They are now beginning to deal with things head on.’
Angela Robertson, Walkers
Emma Dowden, chief operating officer at Burges Salmon, remains positive that firms can mitigate against harassment and the resulting reputational damage: ‘You can set the framework and priorities to mitigate against it taking place,’ she says. ‘Things like training people to spot harassment or bullying would count as mitigation – a lot of that comes down to the culture of a firm.’
However, there is a sense that the analytical approach risk teams employ to mitigate against the threat of sexual harassment claims misses some of the fundamentals around the state of the profession’s ethics. Also, some risk leaders appear laid back on the topic, with one general counsel (GC) at a City firm making a glib analogy: ‘It’s easy to get a culture that prevents these things in a smaller firm; we don’t have policies against murdering people either.’
Dowden takes a more enlightened position. ‘Any system is only as good as its weakest link, whether in cyber security or in harassment.’ Such parallels can be helpful in understanding how to deter certain types of behaviour, though the age-old trope of the careless associate leaving a BlackBerry on a train is not the same as the partner found to have sexually harassed a junior employee. However, the ethical disparity between the two is not currently reflected in the risk landscape. Meanwhile, flippant analogies between harassment and murder seem outdated given that one top-25 firm in the Legal Business 100 cited ‘unwillingness to change’ as the primary barrier to implementing a risk culture at its firm (see box below).
In some areas, resistance to change is quite conscious, with risk teams hoping to avoid overly zealous measures aimed at preventing workplace harassment. ‘Do you look at your alcohol policy?’ asks Andrews. ‘Normally these things happen at Christmas parties and similar functions. So do you ban alcohol at the Christmas party? I don’t know. I’m against creating a sort of nanny-state organisation. You can never legislate against the idiot, but you can ensure people can voice their concerns.’
TLT’s director of risk Jon Green echoes the point, saying the sheer number of people at law firms can be a barrier to preventing all cases of harassment: ‘We have over 1,000 employees and law firms are a people business. You will always have issues relating to people. The focus should be to make people aware of policy – you need to be clear that certain behaviours are totally unacceptable. In a sense it’s like the cyber security issue: you need to say it and keep saying it to ensure the message gets across.’
With individual misconduct being hard to prevent, much of the emphasis has turned to how harassment and bullying issues are responded to by risk teams. Precedents already exist. An independent review of Baker McKenzie’s approach to sexual harassment, conducted by Simmons & Simmons, found ‘a number of shortcomings’ in October of last year, with an experienced partner accused of sexual assault staying at the firm for a time after the alleged incident and taking on management roles. Meanwhile, the clichéd response from firms of change ‘needing to come from the top’ creates difficulties when risk teams say the ‘board is uneducated on the value of risk management’ as a big obstacle to implementing a risk culture at top-100 firms. However, there is a sense such invidious issues are being handled more deftly by firms than they have been in the past.
‘Firstly, it’s about the way the complaint is handled,’ says Robertson. ‘An individual within a firm needs to feel there is a proper forum to complain, and that their complaint will be treated with sensitivity and there will be a proper investigation. Secondly, a firm shouldn’t act against an individual until it has a proper handle on the facts; and thirdly, there is obviously the aspect of ensuring that the firm engages with the regulators at the appropriate time.’
However, she points out that risk teams might not even be aware of incidents of harassment within their firm. ‘I suspect risk teams haven’t been aware as there’s no obvious visible evidence. It’s not like a rogue email or a negligent piece of advice to a client. I know historically there has been a tendency for firms to keep quiet and brush things under the carpet, but that has changed now. Firms are beginning to deal with these things head on.’
Though they have risen up the risk agenda, reputational issues relating to harassment and bullying claims are perennially overshadowed by the imperative of meeting client demands. Client-related issues will always drive the risk agenda, but risk teams say clients are increasingly holding firms to account on workplace culture. However, the respective interests of serving clients and mitigating reputational risk can mean firms tie themselves in knots, most notably over non-disclosure agreements (NDAs).
The pressure firms feel on NDAs is mounting, as Allen & Overy’s (A&O) grilling before a parliamentary select committee last year in light of employment partner Mark Mansell’s NDA drafted for film producer Harvey Weinstein shows. However, it is here the risk agenda puts firms in a difficult position. On one front they are expected to prioritise the agenda based on clients’ wishes, particularly in areas of data security, while on another they might be expected to explicitly go against clients’ desires as a way to mitigate reputational fallout.
‘Brexit is obviously there, but there’s also been a growth in geopolitical risk between the US and China.’
Chris Andrews, Pinsent Masons
‘NDAs have an important role; I am aware of what the parliamentary select committee said and it’s quite unrealistic,’ said one GC at a City firm. ‘Often employees want confidentiality. As a lawyer who has looked at the recent SRA [Solicitors Regulation Authority] guidelines, what are you meant to do if both clients want to enter into an agreement with a considerable payout? If that’s what the clients want, are you meant to just walk away from that?’
However, there is a feeling that given the right guidance, firms can navigate the impasse. ‘You can reconcile it,’ says Green. ‘There is very good guidance given from the SRA on this.’ In August of last year the SRA launched a public consultation on the use of NDAs in the legal industry, while in March of 2018 the regulator issued a warning on the use of NDAs. Clearly there are indicators: if the same client is using NDAs with a surprising regularity for markedly similar incidents, a firm would have to question its fundamental ethics if it kept acting on the agreements. However, cases are rarely this clear and many feel more guidance, whether regulatory or parliamentary, would lessen the ambiguity.
Some measures have been taken to provide clarity. As Legal Business reported in March, the government has proposed new legislation to prevent NDAs being used as gagging orders to stifle the reporting of sexual misconduct in the workplace. The move would enshrine in law that signatories of NDAs cannot be prevented from reporting crimes, harassment or discrimination to the police. However, though symbolic, the legislation seemingly only deepens existing law by outlawing acts that are already regarded as unenforceable. There are also concerns that determined lawyers will find ways to navigate their way around such legislation.
‘I have seen cases where penalty clauses and warranties have been used in place of gagging orders and I can see lawyers trying to work around this,’ says Professor Richard Moorhead, chair of law and professional ethics at University College London, and specialist adviser to the non-disclosure agreement select committee. ‘The devil will be in the detail of how the legislation is worded.’
‘There’s a lot of things that keep you awake at night,’ says Pinsents’ Andrews. ‘There are always cyber and IT-related risk issues, and Brexit is obviously there, but there’s also been a growth in geopolitical risk between the US and China; Chinese authorities are growing stricter as a backlash. These are all unknown unknowns.’
Not many would disagree with Andrews’ summary of the contemporary risk landscape, but risk teams are concentrating on the issues where they have agency.
Even at the margins there are moves firms can make to mitigate the inherent risk. ‘Service interruption to clients – disaster/business continuity planning proves partially successful’ notched an aggregate score of 5.9 on our risk profile chart, while Brexit scored 5.1 last year, when firms put the likelihood of Brexit having an impact on their businesses at 2.8/5.
The disentanglement of decades of regulatory alignment might seem colossal, but risk teams are realistic about how much of their fate is in their own hands. ‘Fundamentally our position is about being able to provide services as we do now post-Brexit,’ says Dowden. ‘We are subject to the same questions as other businesses about when you activate your Brexit plans, but you don’t want to sink money into something you may never activate.’
Some fear this reluctance could cause complacency over Brexit, particularly in firms outside the City. ‘A lot of firms, like medium-sized firms and US firms, have sat on their hands expecting a transition deal,’ says CM Murray partner Zulon Begum, who is advising firms on restructuring their LLP offices in Europe. ‘I don’t think many senior people at law firms after the referendum in 2016, or even by the time of the Lancaster House speech, thought there would be no deal.’
While recent developments as Legal Business went to press have made a no-deal Brexit less probable, clarity is elusive, with a prolonging of the current uncertainty beyond March looking likely. Other geopolitical risks have made their presence felt, with the US taking an increasingly belligerent tone on the international stage.
‘Geopolitical risks have always been around, but they have gone to the top of the list in light of increasing trade wars,’ says Dentons GC Andrew Cheung. ‘The issues of trade wars between the US and China, and tensions with Russia and Iran where we have offices, are things we have had to become increasingly cognizant of.’
Superstition ain’t the way
But away from the thorny issues of workplace harassment and political tension is the risk mainstay of data security and technology adoption, where risk teams have more control. With the pace at which firms acquire and use new technology increasing, risk teams are dovetailing with IT departments to mitigate the resulting risks. Meanwhile, it is entirely plausible that the dominance of IT and cyber on the risk agenda reflects the profession’s lack of awareness and comes at the cost of other legitimate concerns.
‘IT security breach with commercially sensitive information stolen’ scored 7.0 overall on our risk profile chart, second only to ‘data privacy breach or destruction of data’ as the most impactful and most probable risk to law firms. Migration towards cloud-based data holding is considered both a source of risk and a response to it.
‘We would endorse the view that on-site data is more dangerous than moving towards the cloud,’ says Macfarlanes GC Jo Riddick. ‘The worry for some is the lack of control with a third party holding that data. But if you do your due diligence, that provider will be more experienced, and more suited and qualified to hold that data. They also may have more relevant resource than you do.’
‘Some firms don’t understand how IT and cyber risk is evolving, which is why their perception of these issues makes it appear so risky.’
David St John, Marsh
The risk teams Legal Business spoke with all displayed a cautious optimism around cloud migration, while head of compliance at Norton Rose Fulbright Juliet Tainui-Hernandez said the firm was moving towards the cloud: ‘We are currently at the very nascent review stages of moving towards the cloud. Ultimately, we’re in favour of that, but that’s not to say there are not significant risk issues that arise. Certain reassurances would have to be built into any cloud solution.’
However, there is a sense that the issues around cyber security and IT bring out legal’s more superstitious mindset. According to David St John, managing director of the lawyers practice at Marsh, the persistence with which cyber and IT dominate the risk chart is partly due to a lack of understanding.
‘With IT and cyber, it’s mostly perception. Some firms don’t truly understand how IT and cyber risk is evolving, which is why their perception of these issues makes it appear so risky.’
Dowden shares St John’s sentiments: ‘I was persuaded by IT, which said that the cloud gets a lot of bad press and is misunderstood. Best-in-class providers will have better specialists and invest more money into security than any firm could. When people jump on the cloud as something that is risky, it’s a wrong analysis – people are rushing to a superstitious judgement.’
Risk teams have increasingly sought to collaborate with IT departments over cloud migration and wider tech adoption. Andrew Clark, GC at A&O, stresses the need for strong ties between risk and IT. ‘Risk has to be embedded into the entire process of tech use and adoption. At A&O we have our head of innovation come into our risk committee meetings for example.’
Meanwhile, the predominance of cyber-related risk comes at the expense of other challenges to the orthodoxies of legal, with a number of issues noticeably still low on the risk agenda. One such issue is the presence of alternative and New Law providers: ‘Competition from New Law business models significantly impair growth and retention of business’ had a low aggregated score of 4.6 on the risk profile chart, with firms considering it the third-least impactful and likely threat to their business.
‘I am slightly surprised the survey doesn’t reflect greater concern around the risk from New Law and the Big Four accountants,’ says John Kunzler, head of financial and professional liability at Marsh. ‘However, it would be a big leap as a client of a top-50 law firm to move from that service model to a provider with no track record, so it is understandable.’
Firms, of course, could be deliberately downplaying their anxiety regarding alternative providers. However, if there’s one area where legal’s lack of attention is completely authentic, it’s on diversity and discrimination. ‘Discrimination claims’ featured low on the risk profile chart, with an aggregated score of 5.4. Though recent commitments to gender diversity have been welcomed, the industry still has a woeful record on social mobility and racial diversity, making firms’ susceptibility to discrimination claims higher than risk teams might want to believe.
‘Clients are extremely active on the diversity and inclusion side in particular,’ says Dowden. ‘And law firms will always prioritise what their clients want them to do.’ However, pressure from clients will need to be matched by law firms being proactive for its own sake rather than as a reflex to client demand. The feeling from Marsh is that the attitude of ‘it won’t happen to us’ is still the prevailing superstition at firms. ‘I suppose they think it’s never going to happen at their businesses,’ says Kunzler. ‘And if it does happen, they think it’ll be a one off.’
Undoubtedly, technological and cultural pressures are widening the risk landscape. Regulators and clients alike are demanding progress from the profession on a number of fronts where scrutiny is already felt and the potential costs of inaction are significant. For risk teams, the workload has never been greater, and one risk and compliance officer in the City gives a candid forecast: ‘Top priority will be simply surviving in a world where regulators’ and clients’ demands are so complicated. Clients seemingly want us to be in-house legal teams. Sometimes they come to us because of our expertise in giving counsel and they know about this from us serving competitors, but then they ask us not to work for competitors and it’s like, “get real”.’
LEGAL RISK PROFILE 1: What impact would these situations have on your firm?
LEGAL RISK PROFILE 2: What is the potential for these situations occurring at your firm?
LEGAL RISK PROFILE 3: What is the potential of these professional negligence situations occurring at your firm?
* Average number of individuals involved in each area of risk management either full-time or part-time
In your opinion, what are the biggest underlying causes of professional malpractice claims generally?
Average total insurance cover
What are the main barriers to implementing a risk management culture and structure at your firm? (Selected comments)
Lack of appreciation that being clearer about our risk culture and risk appetite will allow our people to take more risk and make better strategic decisions
Inadequate IT systems
Unwillingness to change
Board is uneducated on the value of risk management
Lack of understanding as to the tangible benefits obtained by managing our risk more professionally
Client pressure (both in relation to speed of response and onerous contractual terms)
Lack of sanction for non-compliance
The size of the firm makes it difficult to educate everyone quickly and ensure that they stay up to date with the changes
Pressure of fee-earning targets
Changing existing working practices to meet current regulatory requirements
Pressure on fee targets leading to taking on wrong type of client
Geographical dispersal of offices meaning that coverage is patchy with available risk team
The SRA having a poor reputation so that fee-earners instantly dismiss anything coming out from the SRA
Seen as challenge to entrepreneurial lawyers
Some senior partners don’t sufficiently promote risk management
‘Them’ and ‘us’/fee-earners and business services split
Having the correct staff who see their work as important when working with law, accounting and what is connected
What have been the greatest successes your firm has achieved in implementing a risk management culture and structure? (Selected comments)
Ensuring a full-service risk and compliance team to support all our people in their daily management of risk, and in particular with risk lawyers based across our regions, has helped us ensure maximum participation from within our business
Risk registers more visible
Creating stakeholders within teams
Risk is now discussed as an agenda item at the board
The adoption and initial implementation of internal practice standards to provide a clear framework against which to monitor
Implementation of a centralised client inception function
Increasing the size of the risk and compliance team to make it better able to deal with the ‘business as usual’ enquiries and longer-term projects
Involvement of partners in risk decisions
New e-learning platform for compulsory training
Engendering competition between departments on compliance KPIs
Openness and a no-blame culture
Gaining and embedding ISO 27001 and 9001
Improved awareness of the necessity and merits of scoping work in engagement letters
Almost universally adopted automation of our letter of engagement has led to higher quality of letters and they are sent out more swiftly
Procedures for regular assessment of risk management issues
GDPR readiness programme
Properly staffed risk and compliance team
The principal has recently undertaken MeToo and anti-harassment training in the US
What new risk procedures have you implemented in the last year or so?
New bitesize guidance on working practices on matters where there is a high or no-liability cap in place
Risk is now discussed as an agenda item at the board
Revised data policy and internal and external privacy policies
New processes to take into account changes in AML legislation
The risk registers have been revised so there is greater visibility of the risks faced by the firm
Three new ISO certifications – 9001, 27001 and 22301
Speak-in-confidence reporting service for staff to raise concerns, coupled with review of all existing HR policies
Appointment of IT security analyst
Revised SAR compliance
Rebooted our conflict procedures and conflict committee
Enhancing AML processes
Extensive GDPR preparation
Interim AML risk assessments to show ongoing monitoring
Automation of a scope letter for engagements (under retainer)
Mainly relating to implementation of GDPR, also business continuity improvements
Client acceptance process
Independent risk report commissioned
New data protection tech, eg Dark Trace AI
A major thrust of our work has centered on data protection with the introduction of new policies and procedures, many of which have been very wide ranging