White Paper
What should good Risk Management look like?
IN CONVERSATION WITH RISK LEADERS
WILBURY STRATTON RESEARCH PROGRAMME 2024
As part of our 2024 research programme exploring critical topics in the global legal market, we spoke to executive-level risk management stakeholders from across the sector to understand how firms’ approach to risk management can set them up for success – or leave them unnecessarily exposed. Respondents included General Counsels, Chief Risk Officers, COOs and CAOs, as well as thought leaders in the legal and wider professional services space.
Our thanks to everyone who kindly participated in this research.
EXECUTIVE SUMMARY
Risk management is increasingly high on firms’ agendas. Across the market, executive leaders are grappling with what risk management should mean and how they can best protect their firm from exposure.
There is substantial disparity in how risk is conceptualised and managed in the legal sector, and a range of opinions on what should properly come under the remit of a risk management leader. However, our research has allowed us to draw some broad conclusions on what it means to do risk management well, and best practices around structuring and running a fit-for-purpose risk management function. We explore some of the key themes in this paper.
BEST IN CLASS RISK MANAGEMENT IS CHARACTERISED BY:
- Centralised oversight of all risks that pertain to the firm.
- An established and fully professionalised function that is proportionate to the firm’s operations.
- Embedded risk management behaviours throughout the firm.
- Visible buy-in from the leadership.
- A high level of accountability devolved to the senior risk management team.
- Diversity of experience and skillsets in the risk management group.
IMMATURE RISK MANAGEMENT IS CHARACTERISED BY:
- A narrow framing of the risks that are pertinent to the firm.
- A lack of appetite for a professionalised leadership remit and function.
- A reactive approach to risk management with limited or no strategic oversight.
- Weak regional risk management capabilities.
- Under-resourced teams.
- High attrition and difficulty attracting and retaining high-quality risk management talent.
WHAT IS DRIVING MORE SOPHISTICATED RISK MANAGEMENT PRACTICES?
Our research identified three main factors that are driving the conversation around risk management:
1. Response to a regulatory or ethical breach or claim against the firm.
Many of the early adopters of a professionalised risk management function did so as a result of a claim against the firm or a serious compliance breach. While high-profile claims are uncommon, sources in the market refer to firms reaching a ‘critical mass’ of near misses that spurred the leadership into taking risk management more seriously.
2. Increasing demands from regulators, insurers, or clients.
Regulatory burden is commonly cited, particularly by UK firms, as a key driver in building risk management capability. A good current example of this is enterprise risk: while there is substantial scepticism from some UK firms about the value of enterprise risk, the prevailing view is that the SRA is increasingly focused on enterprise risk management. The concept must therefore play an increasingly prominent role in firms’ risk management practices.
Even where firms have little appetite for professionalising risk management, pressure from insurers is driving an awareness of the need to adapt, with issues such as AML being pushed onto the agenda by insurers’ own risk positions. Several risk leaders also cited client demands as a key factor. The driver is twofold: firstly, clients with a sophisticated risk culture expect firms to have a good handle on their own risk management practices, creating a commercial imperative to build a professional function. Secondly, clients are becoming more “combative” which opens firms up to more potential suits if their risk management practices are less than watertight.
3. A practical requirement arising from organic or inorganic growth.
Growth creates a level of complexity that necessitates both increased headcount and more sophisticated risk management practices. This is particularly true where firms have grown extensively via M&A and/or are focused on growth in emerging markets. While for most firms risk management capabilities have been built in response to growth, some firms are now taking a proactive approach that bakes risk management requirements into the firm’s strategic growth ambitions.
A SHIFTING LANDSCAPE
Risk considerations are undoubtedly becoming more important, but there is still no consensus as to what ‘risk management’ should properly include.
For some firms, risk management remains limited to strictly legal, regulatory or reputational matters: the ‘classic’ areas of conflicts, litigation, compliance and so on. At the other end of the scale, some firms now operate within a sophisticated multidisciplinary risk framework that encompasses not just these classic risks but also strategic, operational, financial, technology and people risk.
This disparity is reflected in how different firms are choosing to structure their risk management group – if indeed they have one at all. At the most basic level, we can expect to see a General Counsel who is responsible for managing claims and complaints, overseeing external advisers and managing relationships with insurers and regulators, plus headcount dedicated to regulatory compliance and clerical/administrative support.
A non-professionalised GC role; partners clearing their own conflicts; compliance treated as a ‘tick box’ exercise: these are key indicators of an immature risk management culture and are not uncommon across the market globally. However, there is growing consensus that this model not only leaves firms exposed to claims or compliance breaches: it also fails to capitalise on the business and commercial advantages that a professional risk management group can deliver.
Leading firms are showing that risk management can move beyond risk mitigation to become a true business enabler. In contrast to the traditional view that sees risk management as a cost centre, an established and properly resourced function can add significant value in the following ways:
- Freeing up fee-earner time to focus on client matters.
- Driving efficiencies that deliver a better experience for the firm and its clients, for example by enabling smoother client intake processes and seamless management of cross-border matters.
- Supporting and enabling the firm’s strategic ambitions as a trusted advisor.
- Providing a view on all the strategic and operational risks that pertain to the firm, enabling a holistic strategy for mitigation across all offices globally.
THE RISE OF THE CHIEF RISK OFFICER
Linked to the development of risk management as a business enabler, the Chief Risk Officer (CRO) role is increasingly common in law firms. Influenced by the financial services and consultancy sectors, the adoption of the CRO was initially spearheaded by the verein firms but is now going mainstream across the legal sector. Fundamentally, the role of the CRO is to oversee all the risks that pertain to the firm and to be a trusted advisor to the leadership on risk matters.
How the role should be formulated and positioned is the subject of lively debate. The majority of firms currently have the CRO reporting into the General Counsel, including firms with sophisticated risk management capabilities. A key advantage of this model is that the GC can leverage their credibility with the other partners to drive the risk agenda. Some risk leaders have also argued that most of the critical risks in law firms are fundamentally legal risks, which the GC is best placed to advise on.
Set against this is the argument that assurance cannot be truly independent if all three lines of defence are housed in a single function. This is a central contention for having the CRO as a peer to the GC. Another advantage of a separate CRO is that the role can be on the exco in its own right, thereby raising the profile of risk management in the broadest sense.
Opinion is similarly split as to whether a CRO should be legally qualified. This question ultimately comes down to culture. If a firm is biased towards having lawyers in leadership positions, a CRO with a legal background will more easily bridge any perceived credibility gap with the partners. If firms already have a culture of more diverse leadership, they will be more receptive to risk leaders who are not legally qualified. There is an emerging trend for hiring non-lawyers into risk leadership positions: firms are tapping into a broader talent pool of professional risk managers who can bring technical expertise and a strong understanding of best practices.
A PROPORTIONATE FUNCTION
There is no ‘one size fits all’ model when it comes to structuring a risk management function: risk management must be proportionate and responsive to the needs of a specific firm.
The question firms should be asking themselves is: what do we need our risk management group to do? Notably, some firms do not seem to have properly considered this question. Instead, they opt either for a “this is how we’ve always done it” approach that fails to innovate in line with emerging regulatory or business requirements; or they import an off-the-shelf model that does not meet the actual requirements of the firm. There is no business case for platinum standard risk management practices if they aren’t proportional to the firm’s needs.
For example, the trend for offshored or nearshored resourcing models has proven a costly experiment for some. A similar argument can be made for 24/7 ‘follow the sun’ risk and compliance coverage: the model only makes sense if the business requires global coverage, so its applicability to more regionally specific firms is limited. A note of caution, though: while risk management must be responsive to the firm’s needs and risk appetite, a firm’s risk position should not be used to justify poor risk management practices.
The appropriate structure will therefore look different for each firm, but the following broad observations hold true across the market:
- Centralisation can drive efficiencies by reducing duplication and enabling platforms and technology to be standardised across the firm. This in turn creates better continuity of practice and higher service standards for global clients.
- However, it is crucial to maintain regional expertise and ensure timely coverage for all offices. It is good practice to have a network of regional general counsels and regional compliance officers who have specific regulatory expertise and can be the point of contact for the local regulator.
- Regional teams should be properly integrated and have strong leadership, even if a firm’s regional/international footprint is relatively small.
- Risk should not be owned by any one function, but there should be central coordination (most likely the Office of the General Counsel or Chief Risk Office). Function-specific risks – technology, people, financial – should be owned by the relevant business services leader but interface closely with the risk management group where appropriate.
BROADEN THE TALENT BASE & VALUE YOUR PEOPLE
The market for high-calibre risk management talent is competitive. Risk leaders spoke of their challenges in attracting and retaining talent and the issue is particularly acute in the USA. Based on our conversations, we suggest a twofold solution: firstly, broaden the talent base from which to hire and develop risk professionals; and secondly, raise the profile of risk management so the group becomes an attractive proposition for high-quality talent.
Many firms still regard a legal background as a prerequisite when considering candidates. Clearly, some roles will demand a legally qualified professional; but leading firms are increasingly realising the value of a much more diverse approach to hiring and developing non-legal risk management and compliance talent. Market-leading firms are all hiring people with a range of skillsets and training them up to be highly skilled professionals. Key skillsets are problem solving, a solutions-oriented mindset, attention to detail and the ability to tell a story around risk. Some firms have also introduced risk management intern programmes that are reportedly yielding good results.
But arguably the most important element of building – and maintaining – a successful team is to create a culture where risk professionals feel valued. Top talent will not want to join a firm where risk management is seen as essentially an administrative function, or where the risk team lacks impact. The aim is to create a virtuous circle by empowering the risk team to make decisions and therefore demonstrate value; the profile of the group is thus raised internally, fostering a higher level of trust from the partners and enabling further empowerment. An empowered, accountable and strategic risk management group is an attractive proposition for high-calibre professionals at all seniority levels, and a clear differentiator in a competitive talent market.
THANK YOU
Do the topics in this discussion resonate? For more information about this report, or for a confidential discussion on how Wilbury Stratton can support you with your strategic organisational or talent requirements, please contact:
EMILY O’ROURKE
Research Partner, Legal
eo@wscl.com