Reaping the returns of risk management
In April, the professional indemnity season may seem comfortably distant, something to pick up closer to that October renewal date.
But faced with ever increasing costs, every firm needs to be looking at how to get the best deal for professional indemnity, and that takes commitment. It’s not enough to say ‘well, we have checked the boxes for compliance’, or for a quality standard; yes, those are vital, but they’re only a small part of the story. To keep your insurance premiums under control, it’s about creating the right blend of culture, process and customer service, all wrapped up in a risk management strategy.
And whilst the cost of your premium may be the thing that exercises your mind when PII comes to mind, taking a more robust approach to risk management is something that will pay benefits all year round, such as helping you to choose clients who will keep cash flowing, filter out inefficient suppliers, attract and retain excellent employees, keep the bank happy, and increase your bottom line, as well as helping to tackle fraud.
It may sound like big talk, but certainly I am seeing returns like this in firms across our network, as well as reduced PII premiums through our group scheme. The scheme is a robust barometer, as it involves more than £1bn of cover, the largest group placing in the market. This combined placing gives members the benefit of their collective buying power, whilst still paying a premium which reflects their own firm's risk profile.
Last year’s premium as a percentage of fee turnover fell to an average 2.3% across our network - a reduction of more than 7% on last year's equivalent measure. Around 40% of our members paid a rate of less than 2%, and almost three quarters paid less than 3% of their fee turnover. That’s achieved in part because of the compulsory ISO 9001 Quality Standard our firms must hold to be part of the network, but it was also the result of a real drive on risk management, which we see in granular detail through our supporting services in this arena.
This year, fraud and cybercrime has been the hottest topic. The range of scams keeps evolving and we’re getting used to a new lexicon of things to worry about – such as phishing, vishing and social engineering crime - so we can’t afford to stand still. If you’re unsure about any of the terms, take a look at the glossary on the Cyber Risk Insurance Forum.
KPMG produces a regular fraud barometer, with the latest figures published in January 2016 putting the total cost of fraudulent activity in the UK at £732million, up from £717million in 2014, with businesses persistently targeted by fraudsters, to the tune of £176million.
The Solicitors Regulation Authority has reported more instances of firms falling victim to fraud, particularly in the conveyancing sector. My banking contacts support this, saying there’s been an exponential rise in firms affected by fraud. Some allow malware to infect computer systems, opening the door to hackers who can use keystroke tracking programmes to obtain confidential financial data. Others have fallen prey to scam emails, disclosing their internet banking log-in details to criminals. On other occasions, firms have succumbed to highly skilled fraudsters using sophisticated 'vishing' telephone scam techniques to extract internet banking credentials. We are taking action to help firms within our network tackle this rising threat, by introducing a support package to enable them to understand and assess the risks to their own practice and implement quality standards, such as the Cyber Essentials Plus standard.
Research undertaken by global insurance broker Marsh, who manage our LawNet professional indemnity scheme, found that 69.4% of the companies they surveyed do not assess their suppliers and/or customers for cyber-risk. And despite being ranked a tier one threat by the UK National Security Strategy, 26.4% of the UK companies surveyed did not consider cyber-risk to be material enough to even get on their risk register. Just 16.6% placed it as a top five risk, with the remainder placing it outside their top 10.
This was a cross-sector research exercise by Marsh, but I would not like to place a bet on the figures being significantly different were the research applied solely to the legal sector, and indeed Marsh have been actively raising awareness of the specific risks faced by the sector, issuing guidance last year.
As custodians of client funds and conduits for major transactions, solicitors are an obvious target for cyber-related fraud, whether by small timers or sophisticated, organised criminals, who are determined to overcome barriers and risk controls that would previously have been more than adequate.
It’s a massive problem, and one which is set to plague us over the coming years, and not just in terms of attacks on internal systems. In recent weeks, we have seen a professional indemnity insurer announce its withdrawal from the solicitors’ market – citing the increased likelihood of fraud involving client accounts as a key factor in its decision, as well as ‘unsustainable’ premium rates amongst its competitors. Elite Insurance accounted for 2.62% of the market share for 2014/15, down from almost 4% the year before. That may seem small fry, but just 12 insurers wrote more PII business for solicitors’ firms in 2014/15.
Inevitably, as insurers withdraw from the market, others will try to seize an opportunity, so there’s the worry of ensuring that the insurer one ends up with is bona fide – one has only to look back a few weeks to the headlines when financial regulators imposed fines of £15.5m on five individuals who took part in unauthorised solicitors’ professional indemnity insurance schemes. The schemes left 1300 firms exposed and the broker, Bar, is now in liquidation, but was censured by the FCA for encouraging solicitors to ‘enter into contracts of insurance on the basis of materially inaccurate and misleading information’.
While it is undoubtedly a regulatory 'must-have', PII is so much more than a commodity purchase, and we see our stable relationship with our scheme broker and our underwriters as fundamental. Firms should be wary of insurers who offer attractive premiums to attract the business, but are highly reactive to claims. Our own insurers take a long term, balanced relationship view and work, along with their panel solicitors, in a constructive way with our members when claims arise.
Alongside, there’s the continuing uncertainty around the Solicitors Regulation Authority’s professional indemnity requirements. The SRA has announced an intention to reduce the cost of regulation, and thereby the cost of legal services to consumers. It has argued that a lower minimum cover limit would reduce premiums and increase flexibility, and has even mooted the idea of scrapping a minimum level altogether.
After failing with its earlier attempt, the SRA presented revised proposals, to which the Law Society responded swiftly, arguing that such a cut in indemnity insurance cover could damage firms and destroy confidence in the legal profession. For now, we must await the outcome of detailed proposals and further consultation.
It all adds up to PII continuing to be a red-hot issue; it’s no wonder that so many firms try to ignore it for much of the year. But there are many gains to be made for any business that is prepared to put a true risk management strategy at the top of the agenda, making sure people are truly engaged and embrace risk management as part of the everyday. It makes a firm more agile and able to deal with new threats as they come along.
- Tackle the cyber-crime issue up-front: This is critical. The end result of cyber-crime for a firm of solicitors is likely to be the theft of client money. Last year, we encouraged our members to set out their cyber-security policy for serious threats, and this was submitted alongside their PII proposal form. It was well-received by underwriters and this year, insurers are likely to insist on it across the sector, having experienced the first rash of claims. Be ahead of the curve and offer details of your security policy, rather than waiting to be asked. No one is immune, so demonstrate that you understand this and if you’ve experienced, but withstood, attempted scams, say so.
- Demonstrate good practice and seek recognition: If you’re working hard to improve risk management, your insurer should recognise your efforts. Each year, we look to see a correlation between progress made and premium paid for our firms. Last year we saw the rate against fee income fall for half of our members, who demonstrated exemplary progress over the previous year. Premiums fell by as much as 14% where risk management to avert claims was recognised and rewarded.
- Face up to your past: Show you’ve been working to change things if you have been previously hit by a bad claim, or a number of small ones. Set out the steps taken to tackle what caused the claim and show that you’ve thought about other potential risks and taken action. A big claim may still need to 'wash through' over several years, but it’s likely to stem future rises.
Optimise, not minimise your cover: The SRA currently imposes a minimum cover level of £2m, or £3m for LLPs and limited companies, but as I’ve already mentioned, this could change. If it does, and you think there’s an opportunity to cut your cover and reduce your premium, just think it through carefully before you do. LawNet imposes a minimum limit, and our network members must carry at least £10m cover, but they’re not looking to get that cut, as they understand the collateral risk. Larger commercial clients may be reluctant to give instructions if you reduce the level of protection against something going wrong; or firms may not refer work if insufficient cover is in place. What’s important is having the right level of cover for the type and value of work your firm undertakes and the clients you serve.
How firms are harnessing risk management to bring business benefits
At Ashton KCJ in the east of England, they say that being seen to be doing things correctly is a selling point, particularly as clients are increasingly concerned about the impact of cyber-crime on their data and funds. As managing partner Edward O'Rourke says: “The cost and impact of getting it wrong could be devastating for our business. But there are much wider benefits, such as attracting and retaining high calibre staff, who want to work for firms where they can see risk is being managed properly, particularly if they’re looking to take an ownership stake in due course.”
For Mogers Drewett in the south west, it’s showing a real financial return and demonstrating that simple changes can have far-reaching impact. For example, a robust evaluation of clients before taking matters on is leading to lower lock-up, fewer bad debts and better client retention. “Risk management drives everything we do,” says managing partner Steven Treharne, “and our procedures have been evidenced on the bottom line.”
At FBC Manby Bowdler in the West Midlands, they’ve come up with a dedicated compliance team that is attracting sector interest as a model. Initial resistance by fee earners to share client relationships with the team have long been overcome, and, as managing partner Kim Carr says: “We felt we had to embrace a risk management culture to make our firm safer and our clients safer, and we’ve seen a real return on investment as a result.”
“It’s about making risk management a part of the culture, part of the day-to-day, from induction of new starts to the end of the client matter,” says Martyn Trenerry of Mullis & Peake LLP. “Joining LawNet and having to achieve the ISO 9001 standard was a turning point for us, as we found it embedded the right culture and reached into every aspect of our business. We’re seeing greater client engagement, greater staff engagement, less claims, less opportunity for financial loss. We get better deals on our PII, but also with our suppliers and at the bank.”
Ron Davison of Gamlins Law in North Wales agrees: “One of the major issues is getting staff to believe they should not be fearful of regulation. We now try to make compliance happen without people noticing, focusing on what’s really right for our firm. There is no one size fits all.”
“Risk management needs to be embraced as a management tool, not just a hoop to jump through,” adds Alison Lee, Biscoes Law. “That attitude has given us much more consistency in the quality of our work and how it’s delivered.”
Hear the firms talking about their experiences: click here.
This article was originally published in Solicitors Journal on 12th April 2016 and can be viewed here.