Risk Dimensions Newsletter Issue 5: December 2021

In the latest edition of our Risk Dimensions newsletter for solicitors, John Kunzler and Victoria Prescott from Marsh’s Risk and Error Management team discuss why enterprise risk management matters for law firms. We also have an article from David Reston, Paul Lewis, and William Glassey, partners at Herbert Smith Freehills, on determining the scope of a solicitor’s duty of care in light of the recent Manchester Building Society v Grant Thornton case.

Why enterprise risk management matters for law firms

Authors: John Kunzler and Victoria Prescott, Marsh

Enterprise risk management (ERM) requires the ongoing identification, evaluation, and treatment of key risks and opportunities an organisation faces in order to create assurances regarding its objectives. This process has become a topic for law firms, including in their discussions with clients, insurers, and regulators. These stakeholders are increasingly expecting practices to have embedded ERM as the foundation of their strategy to address evolving risks.

There are various definitions of ERM and differing methodologies, but the main aim of a framework is to:

Create a culture where an organisation’s objectives are clear, and that any risks that may have an impact on them are identified, understood, and actively managed.
Set controls and monitor their effectiveness.
Ensure there is communication about the techniques and that information concerning risks is shared to help build a culture of risk management.

Levels of materiality need to be kept in mind, as there is likely little point in senior management applying the process to every risk a firm faces, although local ownership and control of lower level risks makes good sense.

ERM involves a number of linked steps

Defining the intended risk culture is largely a top-down process, as illustrated below. Organisational objectives are outlined, and events that pose a risk to those goals are identified. The process is a repeating cycle similar to a quality improvement system. Scenarios a company could encounter can be modelled, while insurance and other options are used to control risks. The tone of the organisation is influenced by these steps, and likewise, this process influences the organisation.

Source: Adapted from “Organised Uncertainty” (2007) M. Power

Why ERM is relevant to law firms

According to the Marsh-sponsored “2021 Legal Business Risk Survey”, the top five risks for UK law firms are:

IT security breach with commercially sensitive information stolen.
Workforce availability affected by a pandemic.
Data privacy breach or destruction of data.
Financial systems compromised leading to direct loss from fraud/theft.
Reputational damage due to a firm’s connection with an unsavoury/unethical client.

Even though law firms have a strong understanding of risk, embedding a “business as usual” approach to ERM can build resilience to hazards in any practice, whether it be a high-street firm, in-house legal department, or global firm. Three of the top risks relate to cybercrime. While digital processes around confidential data and money transfer have increased in efficiency over the last two decades, they have also created new dependencies and pathways by which cyber breaches can occur. Unfortunately, law firms are attractive targets for cyber criminals, and although expectations around control and governance of risk have increased, they may not always be met by historic approaches.

For example, out of 40 law practices recently surveyed by the Solicitors Regulation Authority (SRA) on their experience of cybercrime, 30 reported they had been the target of a cyberattack, while 23 were targeted directly, resulting in the theft of £4 million of client money. The study also found that of the law firms polled:

38% were not using dual factor authentication.
25% did not encrypt laptops.
32% had no disaster recovery plan, and of those that did have a plan, only 30% stored the plan safely on systems that would be available after a cyberattack.
70% did not have a cyber insurance policy.

It seems likely that a major cyber incident at a law firm could be so damaging to its operations and reputation that clients, partners, employees, and other stakeholders could lose confidence in sufficient numbers to cause the firm to shut down. However, if an ERM process is followed, the risk of such an event happening can be mitigated.

Regulators pushing ERM-type strategies

In addition, law firms are being encouraged to adopt similar approaches to ERM by the SRA and other regulators. Section 2 of the SRA 2019 Code of Conduct, for instance, requires firms to:

Actively monitor their financial stability and business viability and also identify, monitor, and manage all material risks to their business.
Have effective governance structures, arrangements, systems, and controls in place to meet regulatory and legislative requirements.
Keep and maintain records demonstrating the fulfilment of their obligations.

Under s8 of this code, managers are responsible for a firm’s compliance with the code.

Addressing cyber risk specifically, the SRA’s Risk Outlook 2020/2021 voiced the need for firms to ensure they have the right controls in place to counter this hazard. The SRA encouraged practices to review risk assessments on how they might be exposed to cybercrime and consider the effectiveness of policies and procedures in the event of a major cyberattack, and update as necessary. Law firms were also urged to assess whether insurance coverage would adequately cover the costs of successful cybercrime

ERM is key concern of law firm clients

ERM adoption and understanding is widening among the corporate clients of law firms. The need for this has increased since the pandemic, with executives asking themselves if their risk framework provides sufficient foresight, and whether controls put in place will work under pressure. Even if unconcerned about their own governance, it is increasingly important that law firms — as advisors — understand these issues in order to continue to serve their clients well.

Taking a sensible approach

While the SRA has not endorsed any particular ERM model, the facets of the most widely used templates closely align with their governance and risk management principles. The ERM approach is appropriate for board level and locally owned risks of any kind, provided care is taken to focus on key risk scenarios so that no single decision-making body is overwhelmed with reviewing risks. In terms of providing a record for firms of how all the obligations and advisory statements on hazards have been translated into approaches and action in a consistent way, the ERM process also makes sense.

If you have any questions about ERM, please contact your Marsh adviser.

Determining the scope of a solicitor's duty of care

Authors: David Reston, Paul Lewis, and William Glassey, Herbert Smith Freehills

A decision handed by down the Supreme Court earlier this year now provides the leading authority on the so-called SAAMCO principle (established in South Australia Asset Management Corporation v York Montague Ltd [1997]). The SAAMCO principle essentially says that where a professional adviser is responsible only for providing information on which a decision will be taken, rather than advising on the merits of a transaction overall, the adviser will be responsible only for the consequences of the information being wrong – not all the financial consequences of the transaction.

The decision has wider implications regarding the proper approach to determining the scope of duty and the extent of liability of professional advisers in the tort of negligence. As such, the outcome and reasoning of this decision is significant for solicitors facing claims for economic loss due to alleged negligent advice.

The decision: Manchester Building Society v Grant Thornton [2021]

In Manchester Building Society v Grant Thornton UK LLP, the Supreme Court found that a mutual building society’s claim for damages for economic loss fell within the scope of its auditor’s duty of care in giving (admittedly) negligent advice regarding the accounting treatment of interest rate swaps.

The Supreme Court said that the descriptions "information" and "advice" should be dispensed with as terms of art in this area. Instead, in determining the scope of duty, the court’s focus should be on the purpose to be served by the duty of care assumed by the adviser, judged on an objective basis by reference to the purpose for which the advice is being given. In this case, the purpose of the auditor’s advice was to provide technical accounting advice as to whether the mutual building society could use hedge accounting in order to implement its proposed business model within the constraints of the regulatory environment. As a result of the auditor’s negligent advice, the building society adopted the business model, entered into further swap transactions and was exposed to the risk of loss from having to break the swaps, when it was realised that hedge accounting could not in fact be used. The building society was also exposed to the regulatory capital demands which the use of hedge accounting was supposed to avoid. That was a risk which the auditor’s advice was supposed to allow the building society to assess, and which their negligence caused the building society to fail to understand. Accordingly, the Supreme Court found that the losses suffered by the building society when breaking the swaps were within the scope of the duty owed by the auditors.

What does this mean for solicitors?

The case now means that, in practice, when looking at a case of negligent advice given by a solicitor (or, indeed, any professional adviser), a court should look to see what risk the duty was supposed to guard against and then look to see whether the loss suffered represented the fruition of that risk. The counterfactual test, as to whether the loss would have been suffered if the advice given had been correct, should be regarded only as a tool to cross-check the result in most cases.

By focusing on the purpose to be served by the duty of care, the court is likely to place greater emphasis in future cases on understanding the purpose and commercial rationale for which a party has sought legal advice and identifying the potential risks from which the party was relying on a solicitor to protect it. This may lead to an increased evidential burden on the parties, potentially increasing the time and costs of disclosure and witness evidence, where engagements are not documented properly and fully.

The decision highlights how it is even more important for solicitors to ensure, at the outset of a new instruction, that there is clear agreement as to what advice is being sought; how that advice and work will be used by clients and what is not within the scope of the instructions.

Marsh comment:

“The importance of carefully and clearly scoping retainer letters, at the outset of each and every matter, is a theme that our Risk and Error Management Team has highlighted on many occasions via our presentations and webcasts, for example, Retainer Letters - Part One. The Supreme Court’s decision in Manchester Building Society v Grant Thornton [2021] reinforces the need for all solicitors to take this task seriously. We recommend that file audits go beyond basic confirmation that there is a retainer letter, and include specific queries on the scope of retainer letters. We also recommend that additional training is provided when lack of detailed scope is identified.”

Article

Risk Dimensions Newsletter Issue 5: December 2021