RISK MANAGEMENT
WHAT’S HOT, WHAT’S NOT

ADAM HANSEN, DIRECTOR OF INFORMATION SECURITY, SONNENSCHEIN, NATH & ROSENTHAL LLP
GAIL BALLINGER, OFFICE ADMINISTRATOR FIRM-WIDE BUSINESS CONTINUITY, O’MELVENY & MYERS LLP
PAMELA HILL, MANAGING DIRECTOR, HYPERION GLOBAL PARTNERS

The discussion in these slides is a theoretical analysis, does not represent the processes of any particular law firm and does not constitute legal advice in regard to any actual factual or legal circumstances.


Agenda
• Law firm risk defined
• How practices, policies and processes have evolved to address the changing landscape of operational and strategic risk
  – Completely unscientific rating of risk threats now vs. then
• How technology and operational management can either reduce or enhance a Firm’s risk profile
• Why this matters to you, no matter what role you play

Unscientific Rating System
How much more/less important is this issue in managing a Firm’s risk profile than it was a few years ago?
• Yikes!
• About the Same
• No Problemo…

What is Law Firm Risk Management
• Wide ranging definition and often nebulous to define clearly or consistently across Firms
• No brainers
  – Managing legal ethics and professional practices of lawyers
  – Managing regulatory and legislative requirements
  – Defining the approach to managing specific claims against the Firm
  – Operational control of high risk processes such as conflicts, docket and financial management
• More strategically
  – Should provide enterprise-wide agreement on potential exposures, then ensure proactive mitigation processes and policies
  – Provides for proactive reputation management
  – Should support the strategy and goals of the Firm

Law Firm Risk Management
• Regardless of how you define it, the important point is that operational risk is managed by pulling all the pieces together

Trained Staff and
Risk averse, regulated, standardized
consistently applied
Consistent use and deployment of risk mitigating

Why Should you Care?
Note how responsibility always seems to roll downhill?

What’s in the Law Firm Risk Landscape
– Strategic Risk
– Structure and Governance
– New Business Intake Processing
– Human Resources Management
– Financial Management
– Technology Usage

STRATEGIC RISK

Strategic Risk – Mergers/Laterals
Risks
• Evaluating the true financial situation of merging Firm
• Past debt, previous contractual obligations and who owns it
• Technical considerations of system integration, handling old equipment
• Handling international compliance and regulatory issues
• Malpractice insurance – prior acts coverage for Lawyers from disbanded Firms
• Incomplete information to complete conflicts checks
• Inadequate implementation of ethical screens for incoming lawyers

Trends and/or Best Practices
• Awareness has heightened, but have practices really changed?
• Realization of the need for a more thorough vetting of businesses/laterals, along with more thoughtful consideration as to the true benefit of bringing them in – reputation, or can they really produce?
• Immediate implementation of ethical walls for incoming laterals, incorporating systems beyond the document management system
• Assessing potential positional or business type conflicts

Strategic Risk – Partner or Practice Exit
Risks
• Understanding the long-term financial implications
• Practice implications (still provide this subject matter expertise internally?)
• Lawyer exit process issues (moving docket or records, on-going access to email/documents, recovering Firm technology and data, monitoring downloads)

Trends and/or Best Practices
• Policies and tools that support active monitoring of file access and set thresholds for reporting large downloads
• Continued email or file access as an exception, not a rule
• Better tracking of Firm technology
• Wiping repurposed technology
• Signed client waiver letters before relinquishing files/data/

Strategic Risk - Reputational
Risks
• Lawyer, client or personnel malfeasance
• Doing business in the age of Facebook and Above the Law
• Managing Fast Finger Freddie and his immediate, mass distribution channel for potentially embarrassing or compromising emails
• Managing potential public relations fiascos in an era where salacious stories sell

Trends and/or Best Practices
• Proactive evaluation of press via Google, Lexis, Twitter and Facebook searches
• Formal crisis communications and management planning
• Educate personnel on communications, confidentiality and use of Firm technology policies
• Zero tolerance policies and follow through for abusers

Strategic Risk – Compliance/Regulatory
Risks
• Globalization - regulatory compliance outside the US
• Inconsistent legal opinion on what compliance means
• General lack of risk management policy or process
• Privacy/security compliance is still considered an “IT issue”, missing many process or policy issues that must be addressed

Trends and/or Best Practices
• Developing formal risk assessment and mitigation strategies
• Understand legal opinion, IT and administrative impact of these regulations
• Creative approach to mitigation technologies such as encryption, password use and access control
• Workforce training and education

Strategic Risk Considerations
• Are lawyers and staff trained on issues such as media relations and compliance .. Do these policies even exist?
• How tight are our for financial due diligence and lateral hire conflicts checks?
• Do we have a prioritized and reasonable process for merging
• Do we have of Intl regulatory issues?
• Do we know what is being said about us in the ether?


STRUCTURE AND GOVERNANCE

Structure and Governance
Risks
• No centralized command and control structure for both legal and operational risk management
• No central point for development and execution of policies
• No consistent, proactive analysis of risks the Firm should accept or avoid
• No consistent interpretation of new and emerging risks

Trends and/or Best Practices
• Convergence as an overall risk management strategy - centralized management
• Owned by General Counsel or Risk Partner
• Evaluates new risks and develops legal opinion on how to address
• Develops policies
• Manages malpractice insurance and liability processes
• Operational risk management
• Centralization of high risk processes (conflicts, docket, records)

Structure and Governance Risk Considerations
• Does the Firm have documented, standardized for managing legal and operational risk, including formal threat assessment for new risks?
• Is someone assigned to define and publish risk management ?
• Are selected and deployed as part of a risk management strategy?
• Do we have of new and emerging risks?

New Business Intake Processing

New Business Intake – Case Acceptance
Risks
• Resistance to rejecting new work, or taking on work from high-risk clients to make budget
• Continued lack of due diligence on new clients
• Inconsistent intake process and review committee
• Understanding true capabilities/capacity for assuming new work
• More sophisticated due diligence by clients regarding the Firm’s compliance, business continuity, financial management processes

Trends and/or Best Practices
• More rigorous due diligence on new clients - Google searches, D&B, credit and reference checks AND
• On existing clients opening new matters – aged A/R review, D&B
• More thought to the types of matters and/or clients that should be rejected
• Formalized NBI committee, requirement for engagement letters

New Business Intake - Conflicts
Risks
• Requires more sophisticated methods to thoroughly vet lateral hires and to assess risk related to mergers and acquisitions
• Delay in establishing ethical walls for lateral hires
• Work performed on matters before the conflicts check is complete
• Lack of diversity of clients, matters or geographic risks – all the eggs in one basket

Trends and/or Best Practices
• Support through Business Process Management (BPM) technologies (workflow), architected to require compliance with formal intake processes
• Integrated systems that improve efficiency and effectiveness
• Conflicts checks on ALL incoming personnel
• Assessing business or position type conflicts
• Ideally, the more effective and efficient the process, the less likely work will be performed without a conflicts check!

New Business Intake Risk Considerations
• Have we updated our conflicts/intake to reflect the realities of today’s environment?
• Does the Firm have documented, standardized ?
• Are we using to enforce standardized processes?
• Do we have of compliance to conflicts policies?


Human Resource Management

Human Resources – Training/Policies
Risks
• Lack of on-going policy and process training for staff and lawyers regarding high risk issues such as confidentiality, data privacy, social networking, technology usage, HITECH/HIPAA, health and safety training

Trends and/or Best Practices
• Noticeably increased interest in Emergency Action Plan development
• Recent pandemic heightened everyone’s awareness of infection control protocols and the need to develop policies to keep sick staff home
• Awareness of training need, but not a lot else!

Human Resources – Health and Safety
Risks
• Workplace violence concerns
• Managing employee health/infection control within the office
• Outdated pay policies that encourage sick people to come into the office

Trends and/or Best Practices
• Noticeably increased interest in Emergency Action Plan development
• Recent pandemic heightened everyone’s awareness of infection control protocols and the need to develop policies to keep sick staff home

Human Resources - the Electronic Age
Risks
• Managing the human factor of technologies like Facebook, Twitter
• Inherent risk of social networking technology and the HR problems it can create for the Firm
• Inappropriate use of Firm technology
• Undefined user access control

Trends and/or Best Practices
• Mass paranoia! Lost sleep!
• Creation of policies to keep up – social networking, privacy or security compliance, proper use of Firm technology
• Still working towards proactive monitoring of internet usage, access to confidential or restricted data

Human Resources - Personnel
Risks
• Single points of failure in key staff and administrative management
• Risks associated with gaps via attrition or RIFs – less experienced staff puts the Firm at higher risk
• Privacy/security of the Firm intellectual property or proprietary information
• Managing the cultural impact of globalization

Trends and/or Best Practices
• Managed through training and education on both sides
• H1N1 heightened the awareness for the need for cross training, although follow through with the lessons is still to be seen
• Conflicts, Google searches and ethical wall screening for staff, not just lawyers

Human Resources Risk Considerations
• Do we audit to ensure risk averse are being followed?
• Are we providing adequate training on new ?
• Are we using to enforce privacy and security requirements?
• Do we have of new and emerging risks?


Financial Management

Financial Management
Risks
• Playing catch up with budget management tools to enable proactive management at the Firm and matter level, exacerbated by inconsistent application or monitoring of client cost allocation
• Subsequent risk for fixed fee or alternate fee arrangements
• Complexities of proactively managing lawyer productivity – origination and work performed analysis are always in arrears
• Higher likelihood of fee disputes or clients’ inability to pay

Trends and/or Best Practices
• Proactive process management - timing for budget/collections management (asking smarter questions more often)
• More sophisticated use of financial analytics tools
• Better profiling of matter related costs to enable more relevant “cost of doing business” information
• Proactive lawyer productivity – still takes billers offline to do and requires a type of inefficient forecasting
• Lawyer productivity in the context of legal project management

Financial Mgmt Risk Considerations
• Have we updated budget and collections management to reflect the realities of today’s environment?
• Have we developed for legal project management processes?
• Are we using that support legal project management and Firm wide decision support?
• Do we have for the clients and their concerns?


Technology Usage

Technology Usage – Privacy/Confidentiality
Risks
• Limited capability or process to monitor/audit who is looking at what
• Non-standardized, client driven encryption requirements
• Use of shared computing resources
• Knowledge management and the subsequent privacy/security issues around an “open access” policy
• Staying ahead of international legal and regulatory issues

Trends and/or Best Practices
• Use of third party tools for auditing/monitoring access
• Encryption protocols for data at rest, in transit, mobile devices
• Processes/tools to wipe, instead of delete, data
• Incorporating broader range of technologies such as copiers, fax, digital dictation devices
• Policies for strong passwords, mobile device passwords, inactivity logout, education, virus protection

Tech Usage – Securing Mobile Workers
Risks
• Difficulty in securing a mobile workforce including the devices, the data and the users
• Knowing what is connecting to the network
• 76% of data breaches are from lost laptops, PDAs and flash drives

Trends and/or Best Practices
• Device - encryption, strong password, remote data eraser, device location
• Data - encryption, no local storage, understanding data movement
• User - enforce strong password and encryption
• Educating on hazards related to unsecure or rogue access points, VPN, Wireless – Bluetooth, WiFi, Clear text
• Teach situational awareness - stop writing down passwords!

Tech Usage – BC/DR
Risks
• Localized, but not enterprise recovery capability
• Recovery of servers, not recovery of services
• Privacy/data location concerns and cloud computing
• Higher risk/higher impact of downtime with centralized or highly integrated systems
• Non adherence or lack of understanding of federal and/or international regulations for BC/DR

Trends and/or Best Practices
• New tools make DR more affordable for any sized Firm, BUT
• Not enough attention paid to true business continuity, incorporating recovery of all the critical aspects of recovery
• Service recovery instead of system recovery

Technology Usage Risk Considerations
• Does the Firm have documented, standardized security, business continuity and disaster recovery ?
• Have we updated technology to reflect new risks and regulations?
• Do our support security, regulatory risks and service recovery?
• Do we have of new and emerging threats?

THANKS FOR COMING!
• What questions do you have?
• What issues would you like to discuss?

• Adam Hansen – [email protected]
• Gail Ballinger – [email protected]
• Pam Hill – [email protected]