Time for Law Firms to Adopt Risk Management

Risk management has been a hot topic in the corporate community for about 10 years, springing mostly from scandals such as Enron, Worldcom and more recently the financial crisis of 2008. The devastation that these events wrought forced boards of directors to devote significant resources to managing risk and to keep abreast of what is happening in the world at large.

When one looks at law firms, we see that attention is paid to risk management only in the micro-sense; controls are put in place to prevent lawyers and staff from stealing trust funds, there are some controls over who has access to certain documents, and rules about taking documents outside the office. What is often lacking is risk management in a broader context and few, if any, firms have a dedicated person who (either part-time or full-time) continually looks at risk items that affect the firm and reports on these risks.

There is a long list of risks that most firms never look at on an ongoing basis, for example:

Is there someone at the firm who understands and is monitoring the UK’s Legal Services Act and what risks that legislation has for the firm down the road in terms of innovative delivery of legal services? Canada is not an island and eventually these innovations will take root here.

Does someone at the firm fully understand LPOs and is that person monitoring the growth of LPOs and how that will affect the firm? Is there an opportunity for the firm?

Has someone at the firm reviewed the KM system and identified any weaknesses and how they impact on the firm? Is there an opportunity here for the firm?

What are the security risks to the firm’s IT and is there a better way to manage IT? Will a better system reduce costs and create better opportunities for the firm? Can IT become a source of income?

Is there someone at the firm identifying the risks of the firm simply continuing to operate as business as usual?

How does a lack of innovation affect costs, clients, retention of lawyers and the ability to attract new talent?

What are the risks to the firm when the economy shifts or when law becomes more globalized?

What stress tests are done against the firm to determine what happens under different conditions? The events at Dewey & Leboeuf (and Toronto’s Goodman & Carr a few years back) are a prime example of the kind of shocks that may destroy a law firm.

Throughout history, law firms have managed to muddle through each crisis. This has reinforced an attitude that the risk management processes which our clients employ are not necessary for a law firm.

However, that’s the same attitude that the milkman and iceman held 100 years ago. We can also see it today with home phones, record stores, CDs, the postal system and the fax machine – all of which are on their last legs.

Why would law firms be immune?


  1. Should technological failure, i.e., systems down be part of the risk assessment? I don’t suppose it would make sense to have access to a land line phone or a fax machine if everyone else has ridden themselves of theirs. Or, maybe could could read a print book to pass the time, oh yes, they probably got rid of those as well.

  2. Yes, systems down should be part of the risk assessment – in other words you need redundancies so that a power/tech failure does not disrupt your business or your records.