Risk management fit to face global threats (part two)
by Chris Marston, chief executive of LawNet
Originally published in Solicitors Journal, April 2020
TIP ONE: Create the Right Environment
The link between risk management and good business practice
Excellent risk management should be the natural outcome when a business has highly effective management that is focused on the right issues.
It is not simply regulatory compliance, nor the use of a management system, but the beating heart of a well-managed, future-focused firm. It’s a culture, where staff understand and embrace the processes and procedures that lead to good risk management and appreciate the learning and improvements that can come through internal and external audits.
Establishing and embedding that culture is essential. It’s important to avoid creating a box-ticking mentality because if staff instincts are not finely tuned then risks may well be missed.
At the heart of this lies the need for technical and experiential training, to equip staff with the necessary understanding to make risk mitigation an integral part of their daily work. Interestingly, most of the staff taking part in our research said they could see that risk management was a vital business tool.
However, our research also showed that junior and admin staff were more likely to see compliance as the most important aspect of risk management. It’s an attitude that persists across the sector, with fear of the SRA and the need to satisfy regulatory requirements often dominating attitudes, with less attention paid to reputational and financial risks.
Indeed, our research found that almost 40% of law firm staff rate financial impact as the least serious result of poor risk management, but ensuring staff recognise the importance of strong financial management is a vital factor in building a robust risk management culture.
WHERE TO SET YOUR SIGHTS:
- Aim for a broad risk picture incorporating regulatory, reputational and financial issues
- Work to a recognised quality standard such as ISO9001 or Lexcel
- Understand the key risks that apply specifically to your practice and your clients
TIP TWO: Build meaningful processes
Real cultural change demands a made-to-measure approach
Risk management should be a natural process for both individuals and the firm itself. The key lies in committing to risk management in such a way that it becomes integral to the firm’s day-to-day activity, rather than something to be thought about separately.
To achieve that, the right working practices must be in place, with process development and consistency of process, but most importantly they must reflect the way people work, to make it a natural part of the everyday. Where risk management is built into workflows, it must be provable as well as do-able.
Effective management systems should be focused on delivering results that make risk mitigation the natural outcome, and many firms have demonstrated that well-considered IT systems can support great results in risk management.
An example would be a case management system that integrates effectively with the firm’s processes to ensure that any client on-boarding involves the right risk assessments, conflict checks and identity checks before work starts. The added benefit of such an approach is that the firm’s case management system provides the necessary audit trail to support review and future improvements.
Regulatory compliance and fear of the SRA is high, as demonstrated in our research findings, yet a poorly checked client has the potential to bring a firm down. The checking doesn’t just relate to whether they are who they say. That is vitally important, but equally is being sure the client has the wherewithal to pay their bills, that the work type is a match for your firm and that it’s a client with whom you want to do business.
If they are downright difficult, slow to pay, challenging advice or refusing to confirm instructions, experience shows they are more likely to be behind a complaint at a later stage.
When it comes to complaints and claims, it is essential that firms are open to the benefits of sharing and learning from mistakes, as this is the route to improving processes in the future. In our research, we found relatively few firms were sharing these issues throughout the firm, at just 14%, although some 60% were sharing at departmental level and around a quarter are sharing anonymously.
WHERE TO SET YOUR SIGHTS:
- Sources of funds, especially in property transactions, and identity checking
- New regulations as they emerge, such as Anti Money Laundering
- Embracing learning opportunities from complaints and claims and going beyond technical learning to embrace practical, firm-specific experiential learning
- Ensuring existing or planned systems support risk management
- Testing and continuous improvement of all systems through file reviews, client surveys and audits
TIP THREE: Secure fraud fault lines through systems and staff
Holistic approach should match the right processes with safeguards on human interactions
As custodians of client funds and conduits for important and sensitive transactions, solicitors are an obvious target for cyber-related fraud, whether by small timers or sophisticated, organised criminals, who are determined to overcome barriers and risk controls that might previously have been thought to be adequate.
It makes cybercrime and information security a priority, as highlighted in the SRA’s latest Risk Outlook and reflected in our own research, with cybercrime and fraud ranked the biggest threat by 40% of our member firms.
And that’s with good reason, with analysis of the top 200 UK law firms by Crowe, KYND and the University of Portsmouth’s Centre for Counter Fraud Studies in 2019 revealing a range of vulnerabilities, including:
- 91% of firms were exposed to the risk of having their website addresses spoofed and used to send spam, phishing or otherwise fraudulent emails
- 5% of firms were running at least one service, such as an email server or webserver, with a well-known vulnerability that could be exploited by hackers
- 79% of firms had at least one domain registered to a personal or individual email address, representing a significant threat to business continuity and domain ownership
The changing face of commercial business has brought many opportunities: in how we communicate, the technology that helps us in our daily work, and the way in which data is stored and used. However, these same opportunities also open the door to risk, through hackers and fraudsters.
The range of scams keeps evolving and we’re getting used to a new lexicon including phishing, vishing, malware and social engineering crime. Yet, research undertaken by global insurance broker Marsh, who manage our LawNet professional indemnity scheme, found that almost 70% of the companies they surveyed do not assess their suppliers and/or customers for cyber-risk.
Penetration testing by outside agencies can help test defences – of both technical systems and staff – and good process can be recognised through accreditation such as Cyber Essentials Plus. This, with its external assessment, is an excellent first stage and we have been recommending this to member firms as a way of supplementing the information security provisions in our ISO9001 LawNet Quality Standard. For bigger firms the next stage may be ISO27001 certification, a more sophisticated information management standard.
Advances in technology may provide hope for the future in the fight against fraudsters, but the challenge of keeping pace with these criminals will always remain. The route to fraud prevention today lies through a two-pronged approach that places equal importance on process and training.
Sophisticated electronic threats are only one part of the picture. Risk management is all about how people interact with their work, process and environment, and fraud generally occurs because of human lapses.
Best practice demands across-the-board awareness, so everyone can see risk management is high on the agenda. One of the most important ways to do that is through sharing knowledge and experiences of attempted fraud and by discussing and analysing claims.
If your firm suffers a loss, learn from the experience: change processes, introduce training initiatives and bring in outside help to firm up defences for the future. We find firms sharing experiences in this way across the LawNet network and this is helping them be better informed and able to implement best practice.
WHERE TO SET YOUR SIGHTS:
- Processes to protect and guard client data against being stolen
- Improve staff awareness and client payment processes to manage against funds being stolen or transferred in error
- Assess both your supply chain and individual customers for cyber-risks
- Have clear risk assessment processes so staff can easily identify and communicate risk situations to colleagues
- Keep up to date with the latest fraud tactics and share any real cyber-fraud experiences to increase awareness
- Use targeted learning to encourage staff to question anything that is out of the ordinary
- Regularly use penetration testing of people and processes, as well as technical systems