Ilta 2009 law firm risk management can it grow profitability - panel member dave cunningham aug...

Law Firm Risk Management: Can It Grow Profitability?
Moderator: Adam Hansen, Director of Information Security, Sonnenschein Nath & Rosenthal
Panel: Pat Archbold, VP of Risk Practice, IntApp; David Cunningham, Managing Director, Baker Robbins & Company


Page 1: Ilta 2009 law firm risk management   can it grow profitability - panel member dave cunningham aug 2009

Law Firm Risk Management: Can It Grow Profitability?

Moderator: Adam Hansen, Director of Information Security, Sonnenschein Nath & Rosenthal

Panel:
Pat Archbold, VP of Risk Practice, IntApp
David Cunningham, Managing Director, Baker Robbins & Company

Page 2

Agenda
• Risk Defined
• Legal Risk Types
• Business Benefits
• UK vs. US Risk Environment
• Risk Roles and Organization
• Risk Management Approach
• Future of Risk Management
• Three Next Steps
• Questions and Answers

Page 3

Risk Defined

Risk is the uncertainty caused by the occurrence of an event that might affect the achievement of objectives.

• The management of a law firm’s risks involves decisions that are not simply about avoiding a negative impact but also about pursuing a positive (but un-guaranteed) impact on business opportunities.

• Consequently, effective risk management not only mitigates losses but can also positively contribute to the competitive standing of a firm.

• This tension between adverse risks and desirable business opportunities makes risk management an essential element of firm governance.

Page 4

Legal Risk Types

(Columns: Risk Types, Example Risks, Key Roles)

Example Risks:
– IT Systems: Continuity, Recovery, Security, and Access Management.
– Data: Confidentiality, Integrity, Ethical Walls, Retention, Data Protection, Data Transfers, Hosting of Third-Party or Client Data.
– Third Party Suppliers: Maintenance/Support, Contracts and Outsourcing.
Key Roles: CIO, General Counsel

Risk Type: Financial
Example Risks: Audit, Financial Internal Controls, Financial Transparency and Disclosure, Anti-Money Laundering, Counter-Terrorist Financing, Credit, Firm Investments, Currency, and Portfolio Risks.
Key Roles: CFO

Risk Type: Practice Management
Example Risks: Client Relations, Lateral, Professional Responsibilities (including malpractice, conflicts, records, and litigation support), and Professional Development Risks.
Key Roles: Practice Leaders, General Counsel, Directors of Conflicts, Records, Lit Support, Library, and KM.

Risk Type: Strategic / Corporate
Example Risks: Firm Governance, Risk Management Governance, Reputational, Marketing, and Market Risks.
Key Roles: Managing Partner, Marketing Director, General Counsel

Risk Type: Operational
Example Risks: Employment, Fraud, Damage to Assets, and Insurance Mediation Risks.
Key Roles: HR Director, COO, General Counsel

Risk Type: Environmental
Example Risks: Natural Disasters, Epidemics, and Resource Access Risks.
Key Roles: COO, Business Continuity Team

Page 5

Business Benefits
• Loss Prevention
• Cost Savings
• Departmental Efficiencies
• Competitive Edge
– Growth in Lateral Talent
– Growth and Retention of Clients
– Quality of Client Relationships
– Alternative Fee Arrangements
• Quality of Working Environment
• Reputation

Page 6

In the News…

(03/10/2009)

Top five risks identified as facing law firms (order of severity):

• Bankruptcy or acquisition of significant clients
• IT security
• Pressure on fees and the need for 'instant' advice leading to claims
• Conflicts of interest
• Errors made by staff/lawyers on complex, high-value transactions

A firm’s responses to application questions about risk management and loss prevention programs are often among the most important qualitative information an insurer uses to gauge the risk it may pose, according to Stuart Pattison, a vice president at Chicago-based CNA, one of the nation’s largest commercial insurers.

Page 7

UK vs. US Risk Environment

Page 8

In the News…

(03/13/2009)

“In a much-touted speech on Thursday (12 March), FSA chief executive Hector Sants outlined a break with light-touch, principles-based regulation, arguing the City should be ‘very frightened’ of the body.”

(05/21/2009)

“The Financial Services Authority (FSA) has brought charges of insider trading against two lawyers – including a current partner in the London office of Dorsey & Whitney – it has emerged.

The move marks a more aggressive stance from the FSA, which earlier this year secured its first successful insider trading prosecution…”

Page 9

US News

3/20/2009

The FTC Strikes Back: (Essentially) Everyone Should Be Complying With Red Flags Rules, Especially The Healthcare Industry

“The FTC, with unusual frankness, emphasizes that no industry is exempt as a “creditor” … The FTC also pulls no punches when identifying potential “creditors,” listing a wide range of industries and businesses, including physicians, lawyers, merchants”

Examples of business associates include third party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information.

08/06/2009
Dept. of Health and Human Services
45 CFR Parts 160 and 164

Page 10

Who’s Ultimately Responsible for Risk Management?

2007: Single Individual: 36%

2009: Single Individual: 63%

Page 11

Risk Roles and Organization

• Firm Internal Roles
– General Counsel
– Directors of Loss Prevention, Conflicts, Records
– Professional Responsibility Partners/Ethics Partner
– CIO or IT Director
– Directors of Security, Business Continuity
– Business Departmental Directors
– Partners / Lawyers
– Committees

• External Roles
– Insurance Underwriters/brokers
– Clients
– External Assessors

Page 12

Risk Management Becomes a Department in Law Firms

[Organization chart; box labels and notes as they appear on the slide]

Loss Prevention Director
Global Conflicts Manager
Global New Business Manager
Global Strategic Records Manager
Global Loss Prevention Technology Manager
Global Loss Prevention Compliance Manager
Global RM Operations Manager
Global RM Compliance Manager
Global RM Education Manager

Technology Staff – located in different offices but support the Firm globally

Each office has a local Records staff

Conflicts Staff – all located in HQ office

Compliance Staff – all located in HQ office – handles audit letters, ARDC registration, reporting of attorney lobbying activities, reporting of corporate transactions that have a tax implication to the IRS, etc.

New Business Staff – all located in HQ office

Global Docket/Calendar/Court Services Manager

Each office has a local Docket staff

Local Records Managers
RM Education Assistant
RM Operations Assistant
RM Compliance Assistant

Page 13

Risk and IT Speak in Different Languages

DR, Malware, VPN, LDAP, SharePoint, SLAs, Five-9s, P2P

Engagement Letters, Vicarious Disqualification, Rule 1.10, Advanced Waivers,

Consider: Matter Centricity + Search = Exposure

Page 14

Future Org Chart?

Page 15

Risk Management Approach

• Successful Risk Management Environment
– Communicate and Consult
– Establish the Context
– Promote Self Assessment
– Monitor and Review

Page 16

Risk Management Approach

• Risk Assessment Process

• Risk Treatment Process
– Identify Options
– Evaluate and Select Options
– Prepare and Implement Treatment Plans

[Diagram] Risk Assessment Process: Risk Identification, Risk Analysis, Risk Evaluation

Page 17

Future: Risk Register/ERM

[Risk register template; column headings as they appear on the slide]
• #
• The Risk: What Can Happen and How Can It Happen?
• The Consequence of an Event Happening
• Adequacy of Existing Controls
• Consequence Rating
• Likelihood Rating
• Level of Risk
• Risk Priority
• Consequence
• Likelihood

Page 18

Future: Client Requests

2009: Clients have asked firm for additional protections: 86%

2007: Clients have asked firm for additional protections: 61%

Page 19

Next Steps: Integrate Risk and Technology Management

Intake and Insider List Management

Workflow software to manage intake processes

Matter designated “confidential”, “firm confidential”, “price sensitive”

Tracks access, locks across systems, hides matter names

Insider List Management

Page 20

Next Steps: Leverage Risk Management Budgets

Page 21

Next Steps: Plan for Certification

Page 22

Adam Hansen
Director of Information Security, Sonnenschein Nath & Rosenthal
[email protected]

Pat Archbold
VP of Risk Practice, IntApp
[email protected]

David Cunningham
Managing Director, Baker Robbins & Company
[email protected]

Page 23

SRA Rule 5: http://www.sra.org.uk/solicitors/code-of-conduct/215.article

Marsh UK Risk Study - Insurance Journal: http://www.insurancejournal.com/news/international/2009/03/10/98539.htm

KornFerry Evolution of Law Firm Risk Management Article: http://www.insurancejournal.com/news/international/2009/03/10/98539.htm

UK Conflicts Rule Changes Article - Legalweek: http://www.legalweek.com/legal-week/analysis/1156494/conflicts-comfort

Red Flag Rules Article: http://www.securityprivacyandthelaw.com/2009/03/articles/recent-legislation-1/the-ftc-strikes-back-essentially-everyone-should-be-complying-with-red-flags-rules-especially-the-healthcare-industry/

HITECH Act Update, DHHS: http://www.federalregister.gov/OFRUpload/OFRData/2009-20169_PI.pdf

Risk Roundtable: www.riskroundtable.com

West Legal Education, Practice Area Ethics and Professional Responsibility: http://westlegaledcenter.com/home/homepage.jsf