Travelers on why everyone needs to make time for risk management
This article was originally featured as an interview in the April 2018 issue of LPM. To read the issue in full, download LPM.
Paul Smith, senior risk management consultant at Travelers, says it might not be a part of your official job description, but everyone needs to make time for risk management.
With risk coming at law firms from every corner, failure to embed a risk aware and ready culture could only mean more trouble for business. Paul Smith, senior risk management consultant at Travelers, says there are two main areas of risk that firms should identify and plan around – operational and strategic risk.
Risk is scary, yes, but firms don’t have to go it alone, he says. “There are some simple steps firms can take to understand better what those risks are, how different risk factors affect the business and what they can do about them.”
When managing strategic risks, the starting point is a question for the firm’s leadership – ‘what are your objectives?’ says Smith.
“Risk is about the impact of uncertainty on objectives or outcomes – so you need clarity around the aims of the business before you can start to look for risks.”
Next, to identify and assess the most relevant threats to those objectives, firms need information. One way to get this, he says, is by horizon scanning. “Firms should constantly monitor the action and reaction of the market – systematically gathering information around sectors. You’re on the lookout for developments that may affect your business’s objectives, either as risks or opportunities.
“This is something we do at Travelers – reading news reports, articles, books, blogs and websites. We ask ourselves what the issues we identify could mean for lawyers and for us as an insurer.”
Once information is gathered it needs to be organised – one way is to group findings as political, economic, social or technological (Pest). “These elements drive the external business environment – and they cannot be responded to,” says Smith.
Building an accurate risk profile in such a way will be vital to a firm’s long-term strategy and daily operations – a Pest analysis is a good way to figure out how to control those risks, he adds.
And there’s plenty going on for law firms under each of the headings – political issues such as legislation and regulation are hot on the heels of the legal sector. Regulation isn’t going away, he says. The SRA might be pruning the code of conduct – which will bring its own challenges about interpretation and compliance – but the enforcement regime under GDPR takes effect from 25 May.
Regulation and compliance may be seen as a burden, Smith says, but these are messages from society about expected behaviours and following them can be framed in a positive way.
“Complying with the GDPR, for example, gets you thinking about how you manage data – what data do you hold, why do you hold it and for how long? By identifying and keeping only what is seen as relevant data, firms could reduce their exposure to a data breach and also save time and money.”
On the economic front, there’s uncertainty about the outcome of Brexit and where we are in the business cycle, he says.
“There’s a downturn roughly every decade, and the last crash was in 2008. Changes in the relationship with the EU and a contracting economy will have consequences. And the threats and opportunities they generate for a firm will depend on its exposure to those shifts.”
As for social issues, this means looking at demographics and changes in social attitudes – and these are already creating challenges. Millennials present a number of challenges for law firms, says Smith.
“Compared with previous generations, they have different attitudes to career development, long-term relationships with one firm and work-life balance. So we’re seeing initiatives around flexible working and new career paths, to keep people engaged, reduce turn-over and, in turn, reduce risk.”
He says the ‘T’ in the Pest analysis is certainly one of the most challenging of the four risk areas. “There’s obvious potential for technology to aid work – for example, by enabling remote working. But it comes with security issues – in particular, the need for people to be disciplined about cybersecurity when working away from base.”
To back up the Pest analysis, firms can perform a Swot analysis – looking at the firm’s strengths, weaknesses, opportunities and threats for further insight into factors that could affect the firm’s objectives.
A good final step in managing strategic controlled, only risk, Smith adds, is to scenario plan. Scenario planning will encourage firms to take an optimistic, realistic and pessimistic view into the future of the firm.
“You imagine three versions of the future and then construct timelines, explaining how each of the scenarios develops, and then look for evidence of one timeline or another playing out in real life. It’s a way of getting ahead of the risk curve – to be prepared for change, rather than reacting to it.”
While managing strategic risk is largely a matter for senior management, operational risk is different – ensuring the safe delivery of legal services is everyone’s responsibility, Smith says.
Firms should have clear messages from the top about the importance of risk management, backed up by risk management processes – everyone should know that they have a role to play in managing risk.
“It means risk training, good communications and accountability for risk decisions – not a blame culture but a just culture, one of ‘own up’, not ‘cover up’. And all of these elements help create and sustain a risk-aware culture.”
As part of that, Smith is keen for firms to prevent mistakes by fostering ‘discipline’ through “operating prudent procedures and working with others,” as defined by Atul Gawande, the American surgeon and writer on professional error.
Smith says: “We still see a large proportion of system and process errors leading to claims – missed time limits, instructions not being followed, drafting errors, problems flowing from poor due diligence and knowyour-client procedure.”
These human errors can create big consequences for a firm – dead time and loss of profit sorting a matter out, payments of deductibles and additional premiums. And ultimately, firms are at risk of a reputational hit if they take their eye off the ball, he says.
Smith and his colleagues work with insurers to pass on their experience and raise risk awareness. “We often find that we are validating what firms are already discussing internally, to alleviate concern where appropriate, but also to flag up where the main pitfalls are.
“Perhaps it’s also easier to get people to think about risk when the warning comes from outside the business. So, we help people get a different risk perspective on the way they work.”
Uncertainty can be mitigated – it takes careful analysis, planning and training of staff to be as fully prepared as possible. And in this market, it’s do or die.