
Why process discipline is worth its weight in gold
Piers Winton, executive director, professional indemnity, at Gallagher, explores how a culture of consistent and proactive policy adherence cultivates risk intelligence — while a culture of complacency leaves firms vulnerable to dangerous lapses
Recent headlines from Westminster offer a familiar lesson in organisational risk: when the outcome is decided first, process becomes a formality. Vetting is completed after the event, with the outcome already reached. Governance and compliance become performative rather than protective.
For law firms, this could sound uncomfortably familiar.
In professional service firms (PSFs), process is often spoken about in apologetic terms — as administration, compliance, or necessary bureaucracy to satisfy regulatory requirements. Yet the reality is much more important. In a well-run firm, process is not there to slow down decisions and progress for its own sake: it is there to ensure that decisions are tested before they harden into commitments. It creates space for healthy challenge and debate, allowing awkward questions to be asked. At its best, it protects firms from the consequences of uncontrolled momentum.
Why this matters for SME firms
For SME firms in England and Wales, agility is often a strength. Smaller firms can make decisions quickly, respond to clients faster and avoid the layers of approval that can slow larger organisations down. But speed has both advantages and disadvantages. In any business where relationships are close and authority is concentrated, it can become easy for trust to replace verification and for confidence to replace scrutiny.
This is where process begins to matter most.
A conflict check, an anti-money laundering (AML) query, a source-of-funds concern, a payment verification call, a supervision note, a hiring approval: none feel dramatic on their own. They are routine and procedural. These steps can seem irritating when a senior person or client wants to move quickly.
But routine controls are rarely designed for routine days. They exist because of the day something is missed, assumed or rushed.
The real danger is not that a firm lacks policies: all firms have them. It’s that those policies quietly lose authority when they become inconvenient. A senior fee earner requests that a file be opened before all checks are complete. A long-standing client expects an exception. A new hire is waved through on the basis that ‘everyone knows them’. A payment is released because the matter is urgent and legitimate. In each case, the same pattern appears: the decision is made first, and the process is expected to catch up afterwards.
Once that starts to happen, the issue is no longer administrative. It is a governance problem.
Strengthening governance
Good governance is often misunderstood as something formal and distant, the preserve of boards, committees, and annual reviews. In practice, governance is the discipline of making sure the right questions are asked by the right people at the right time. It ensures risk information reaches decision-makers before a firm becomes committed, not after commercial pressure to proceed is too great.
That is why procedural failures tend to be warning signs. A missed control today may become a regulatory issue tomorrow. A weak challenge culture in one department may become a supervision problem elsewhere. An informal exception for a trusted client may later appear as poor judgment, inadequate oversight, or, in the worst case, a breach that could have been prevented.
From an insurance and risk perspective, the picture sharpens here. Claims and losses do not arise only from complex legal advice or unusual events. More often, they come from ordinary controls not being followed consistently. A firm does not have to suffer a major cyber attack or dramatic fraud to discover weak governance. It may be enough for someone to bypass a payment check, overlook a conflict, fail to escalate a concern, or assume someone else signed off a risk.
What makes these situations damaging is that they rarely begin with bad intentions. They begin with familiarity, pressure and misplaced confidence. People believe they are being commercial, pragmatic or efficient. But efficiency without control is not resilience, it’s exposure.
The culture piece
Culture sits at the heart of this. Every firm says standards matter, but the real test is what happens when standards become inconvenient to a powerful person, an important client, or a commercially attractive opportunity. Staff quickly notice whether process is genuinely universal or selectively applied, and they notice who gets exceptions, who gets challenged and when silence is rewarded more than judgment.
That is how culture shifts, not through dramatic statements but through small repeated signals. If people absorb that procedures are mandatory for junior staff but flexible for senior staff, the control environment erodes long before anyone names it. Over time, ‘just this once’ becomes habit. By the time a firm sees consequences in a claim, complaint, regulatory issue, or difficult renewal, the problem is no longer a single lapse. It is the culture that permitted it.
This is why insurers look beyond written policies. Insurance can absorb some losses, but cannot substitute for discipline. Underwriters increasingly want to see that controls are real, understood, and consistently applied. A firm with documented procedures but weak adherence presents a very different risk from one where leadership, supervision, and behaviour align.
The lesson is not to create more bureaucracy, but to protect the authority of existing procedures. The key points are simple:
- Vetting before commitment, not after
- Documented exceptions rather than informal workarounds
- Meaningful supervision rather than nominal oversight
- A culture where challenge is part of professionalism, not obstruction.
In the end, process should not be seen as the opposite of good business. It is how a firm demonstrates that it can move quickly without becoming careless, remain commercial without compromising standards, and grow without losing control of its own risk.
The information provided in this article is for general informational purposes only and does not constitute legal, financial, or professional advice. While we have made every effort to ensure the accuracy and reliability of the information presented, readers are encouraged to consult with qualified legal, insurance, or risk management professionals to obtain advice tailored to their individual needs and circumstances.
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.


