What to include in your firm’s risk register

A risk register can be a useful tool for actively assessing and managing your law firm’s most significant risks. Sam Pye, solicitors’ PI technical lead at Miller, highlights the key things to consider

Sam Pye|Solicitors' PI technical lead at Miller|

There is no ‘magic art’ involved in creating a risk register, and like most risk tools, it will only be as good as the thought that goes into it. A real danger is that it is either reactive, focusing on risks that have already occurred, or inadequate attention is given to the most significant risks.

Although unable to help you predict the future — ie what new risks lie around the corner — at their best, a risk register can help you to prepare for a range of major risk types and improve your business’ resilience to such risks.

Categories of risk

Most risks typically fall into the following categories, and this can provide a structured way of thinking about what risks exist within your firm:

  • Governance
  • Regulatory
  • Strategic
  • Operational
  • Financial

You could also use a risk map format, such as this.

Try to avoid confusing the category of risk with the consequence. Most risks have a financial consequence, ultimately.

While the above categories can act as a starting point, many firms may find it more useful to use more specific categories, such as:

  • Regulatory breaches (SRA, ICO)
  • Business continuity/disaster planning risks
  • Fraud risks, cyber & information security – this could be internal, or more likely, external factors
  • Resourcing risks (the term resourcing has been used rather than staffing to avoid confusion with many of the errors and omissions risks that arise from operational matters) — this is more about having and retaining the right talent, the risk of teams leaving, keeping staff trained up to meet emerging needs and etc
  • Matter management risks — each department should consider the most significant risks from the perspective of the lifecycle of a matter, taking into account claims, complaints, system and process vulnerabilities and gaps
  • Supplier risks (reliance on third-party services, etc)
  • Financial resilience
  • Business strategy risks — does your strategy make you highly exposed to radical market changes? Are you particularly reliant on one sector or client(s)? Are you at a stage in your strategic lifecycle where you are financially vulnerable? Are you keeping an eye on the competitive environment? Is your succession plan robust?

Quantifying risk

Risk has both direct and indirect consequences. A regulatory breach will likely have a resource cost, a potential reputational impact, and possible fine. Indirectly it may also lead to a withdrawal of business by certain clients, and in an extreme case, could lead to solicitors being struck off (which could then impact your ability to undertake certain work) or the firm being closed down.

Risk is normally quantified by assessing the likelihood of it occurring, on a scale of one to five.  One is very unlikely and five is highly likely — and the potential severity if it did occur, usually measured in financial impact, or the inability to continue to operate key functions for a period of time. The longer or more severe the outage, the higher the impact rating (again on a scale of one to five). The two scores are multiplied for each risk to generate an overall risk score.

For a risk register to be of any use, you must be rigorous in how you quantify the risk. Pre 2020, although it was well known in academic circles as one of the most significant risks, the pandemic risk did not feature highly on most business risk registers. There is an argument about to what extent firms can really prepare for catastrophic events — and while the Covid pandemic was far from catastrophic for most firms, particularly given government support schemes — there is no doubt that some were much better prepared than others.

Take a robustly commercial view of the real risk exposures you face as a business. This is often best done in a small group training session, facilitated by an external expert provider.

Risk controls and gap identification

 Many risks will already have a variety of controls in place. These can range from:

  • Workflow systems and reporting channels that proactively identify and help manage risk outliers
  • Awareness training
  • In-built checks and supervision
  • Process testing
  • Feedback and continuous improvement loops
  • Policies and procedures that exclude the taking of certain risks

Where a high-risk item does not have robust risk control or mitigation in place, that should be a trigger for action, allocated to one named person, and a time for resolution set. This should be managed for the top 10-20 risk issues and followed up at regular intervals.

While it is fine — indeed positive — for individual departments to have their own risk register subset, neither the master risk register nor any subset should have more than 10-15 priority risks on it. Otherwise, it becomes meaningless or unmanageable.

If you would like to discuss any points covered in this article, or anything connected to your PII policy, please contact: 

Samantha Pye

Telephone:      +44 20 7031 2305

LPM Conference 2024

The LPM annual conference is the market-leading event for management leaders in SME law firms

SMEs vs Big Law: The tech race

Navigating tech advancements as an SME law firm