Managing risk in pandemic times
Perfect time for law firms to reassess risk governance frameworks
This article was first published by CBA National in June 2020.
Law firms face exposure to a wide variety of risks. But not all risks are equal. We see this with the COVID-19 pandemic, which is having a pervasive impact on many aspects of law firm operations and is placing renewed emphasis on risk management practices.
Specifically, law firms are scrambling to balance several concerns: operational stability, growth, innovation opportunity and stakeholder expectations. Meanwhile, they're managing risk in a fluid environment.
There is no "one-size-fits-all" approach to risk governance. Law firms need to respond to risk in a way that is appropriate for the scale of its operations and adjusted to the scope and severity of exposure.
Here are a few considerations to keep in mind in the current environment.
Identifying different kinds of risk
Law firms face multiple risks, some of which they can control more than others. Some of them are:
- systemic risks, which could be caused by stress events like the current COVID-19 pandemic.
- reputational risks, which can arise from negative media reports, and are often exacerbated by the viral nature of social media.
- data security risks, which result from a privacy breach or loss of data.
- operational risks, which could stem from day-to-day employee activities, processes and use of systems.
- third-party risks, which can get layered beyond traditional firm supplier arrangements, thereby creating potential fourth-party risks.
Risk governance isn't designed to eliminate the risks that law firms encounter. Instead, it is meant to monitor and mitigate the risks to a tolerable level. The practices involved can evolve, over time, to include top-down oversight in the form of a board or management committee; ownership by senior leadership supported by firmwide accountability; ongoing measurement and monitoring to remain relevant and responsive; and periodic review of the firm's risk profile (as many firms are currently doing in light of COVID-19).
Most importantly, law firms benefit when risk governance principles become embedded in the firm's culture and operating style. Risk governance becomes increasingly necessary as law firms scale up, because it provides a means for firms to balance strategic objectives, while delivering quality service, promoting operational efficiency and maintaining financial prudence.
Effective risk governance frameworks
It's no secret that there is always an element of uncertainty in business. So, while risk governance frameworks assist law firms in mitigating risks to a tolerable level, they also allow for a proactive response. This is about asking "what if?" rather than "what now?" Selecting and implementing the right risk management framework helps firms to identify, monitor and execute key controls across the organization that are aligned with critical risk mitigation. By bringing the risk and controls lens into the oversight model and day-to-day service delivery, law firms are better equipped to manage the cost of control while reinforcing a culture of risk-informed decision-making.
There are key benefits to doing it right. First, it will limit costly surprises. Firms will be in a better position to direct resources to areas that will have the highest impact. And it will boost firmwide resilience and risk response.
The impact of COVID-19
COVID-19 has brought with it elevated risk for businesses globally, and law firms are no exception. In the short-term and long-term, there is much to worry about – business continuity; firm liquidity and cost management; changing regulation and economic support; and changes in the workforce dynamic. Meanwhile, firms must maintain continued client confidence, enable and equip their lawyers and staff, and support partnership structures. Law firm leaders will have to ask themselves the following questions:
- What will the firm's client base look like in the future state? How will their needs differ from today and what new risks does that create for the firm?
- Which growth and innovation opportunities should the firm continue to pursue to remain relevant and to manage strategic risks as the firm scales up to pre-COVID-19 operating levels?
- Do we need to update the business continuity and disaster recovery plan in response to the pandemic? Are there other potential risks to identify?
- How does the firm manage liquidity risk and the disruption in cash flows?
- Will changes in regulation and political policy create new sources of risk?
- How is a remote workforce impacting the firm from a data security risk perspective?
- How does the firm retain and recruit for top talent while responding to systemic risks?
· There are no quick and easy answers to questions like these. But therein lies a new reality that needs to be addressed. What's more, there are opportunities for law firms to use a period of reflection as a catalyst to revisit risk governance principles. It will help them emerge from the crisis with a more robust risk management foundation.
Now is the time
Risk management is best viewed as an evolving practice; it is never static. As business evolves, a law firm's risk governance frameworks require reassessment. Unforeseen events such as COVID-19 emphasize the need for firms to adopt proactive risk management approaches. Now is an excellent time to assess how your law firm currently responds to risk: Is it reactive or proactive? Does it have a risk management framework and is it embedded within the firm culture? Is senior leadership focused on evolving and improving the firm's risk response? During the COVID-19 pandemic and beyond, the importance of effective governance and risk management has never been more apparent.