Law firm risk teams organize to meet growing challenges says Intapp
For several years, industry experts have called for a move to a centralized risk-management function in law firms. As merger activity intensifies and law firms look to lateral hires and international expansion to drive continued growth, they are faced with more complex regulatory requirements and conflicts considerations. Current approaches – distributed, ad hoc, and largely manual — result in an inconsistent application of risk mitigation strategies and cannot scale to meet increasingly complicated demands.
It’s critical that a firm’s capacity for timely risk management activities does not stymie its growth efforts. In finding the most cost-effective, streamlined, and robust approach, firms have three levers to pull: head count, organizational structure, and technology. Employing the perfect number of people with analytical skills — organized effectively in the correct roles, and using modern automated tools — ensures risk management processes do not hinder a firm’s ability to hit its growth targets — while still meeting the complex ethical and regulatory requirements of the expanding firm and protecting its existing client relationships.
Intapp surveyed law firm risk leaders to understand how they organize their teams to support firm growth and meet their everincreasing risk and compliance requirements. A total of 44 risk leaders from U.S.-based firms responded, representing a wide range of firm sizes and geographies.
Implementing risk policies for better client service
Before a firm can organize its risk team and implement processes, it must first decide how it wishes to apply policies across its offices. Firms typically choose one of three possible strategies: A global approach, in which all firm offices (regardless of location) adopt the same policies, systems, and operating models; an international/regional approach, in which firm offices in different regions adopt their own policies, systems, and operating models; or a hybrid approach, in which some policies, systems, and operating models are uniform across all offices (e.g., conflicts clearance) and others (e.g., client due-diligence research) vary by region.
Survey respondents overwhelmingly indicated that firms now follow the global approach. This is a recent and significant change of perspective toward how law firms provide service to their clients. Typically, this shift means applying policies designed to meet the most stringent requirements of one jurisdiction across other regions where requirements are more lax. This increased diligence often translates to higher headcount.
However, many firms feel that applying the highest standard of care required in any of their jurisdictions makes good business sense, as they can seamlessly respond to client-service demands in new geographic regions. Regulatory requirements are constantly evolving, with countries moving at their own pace of change. By taking a global approach to risk management, firms are well-positioned to quickly respond to regulatory changes, and often already meet the standard of care required by new regulations.
Centralizing to ensure breadth and depth of responsibility
To support a global approach to risk management, firms must centralize certain activities that require specific expertise to enable the consistent enforcement of policies and provide sufficient scalability to meet firm demands. Indeed, most firms have moved toward a more centralized model, though there is still variability in the breadth and depth of risk research that these centralized teams perform. While some firms have uniform approaches to several aspects of risk management, many others apply different models to different processes. Here, we look at three possible models.
Conflicts clearance model
Conflicts clearance is one of the more heavily regulated and labor-intensive risk processes a firm performs. Firms typically break the conflicts process into three distinct stages: developing and executing search strategies, analyzing results, and making final clearance decisions.
To facilitate each of these stages, firms typically employ several dedicated conflicts staff members. Just over half of survey respondents indicated that their firms deploy a fully centralized model for conflicts clearance, with searches, analysis, and clearance all executed by a dedicated conflicts team. Other firms maintain a conflicts team to run searches and perform some analysis, but still rely on lawyers for further inquiry and final clearance. Notably, only a small minority of firms still employ a dedicated conflicts searcher role; this function has largely been combined with the more skilled conflicts analyst role.
We have seen many firms make the shift to a centralized decision-support model for conflicts clearance over the last several years. Nearly half of respondents indicated that their firm moved to its current model within the last five years.
Risk due-diligence model
European and Asia Pacific professional regulatory agencies mandate rigorous risk research for new clients as well as new business with existing clients. Know-your-client (KYC) and anti-money laundering (AML) regulations require firms to research identity, beneficial ownership, political sanctions, and negative news.
As the majority of firms have taken a global approach to risk management, it’s unsurprising that two-thirds of respondents indicated they maintain a centralized team to fully execute due-diligence activities on behalf of the firm. Firms are more likely to have adopted the centralized model for risk research earlier than for conflicts clearance, with less than one-third of respondents indicating that their firm moved to its current model within the last five years.
Approaches to research
For both conflicts and risk due-diligence research, nearly every respondent indicated that their firm uses a software system to facilitate review, with Intapp Intake and Intapp Conflicts being the most widely used systems. A handful of firms have built their own in-house solutions; one firm indicated it still relies on email communications to manage the process.
Most respondents indicated that their firms conduct external due-diligence research, to varying degrees. For instance, nearly every firm performs corporate-tree research, but at differing service levels. Firms may conduct corporate-tree research for new clients or for all new business, and they may choose to research only the parent company or all intermediate parents, boards of directors, and shareholders. The depth of research will have implications for the size and structure of the risk team.
Client terms model Client terms model
Client mandates issued through outside counsel guidelines and other client terms documents are a growing concern for firms — but there’s no industry consensus for how best to approach these issues. Firms are split between centralized management of client terms and a hybrid approach that relies heavily on lawyer involvement.
Interestingly, responsibility for the management of client terms is regularly spread across many different stakeholders, with a firm’s general counsel often being involved directly. Firms also frequently employ dedicated risk lawyers, finance teams, and IT staff to tackle this process.
The majority of firms have not yet invested in software to manage client terms. Relative to the conflicts and client due-diligence functions, management of client terms is less mature and more distributed, making it ripe for effective change. Several respondents indicated that investing in software for client terms is a key project at their firm for the coming year.
Understanding staffing strategies
Firms employ a wide variety of risk personnel to perform these activities, with differing levels of engagement across each process. Firms may choose to staff their risk teams as a single function —overseeing conflicts, risk research, client terms, lifecycle maintenance of clientmatter information, and other various risk activities — or they may opt for multiple functions to oversee each area.
In practice, firms typically opt for a hybrid of these two models. Every firm surveyed maintains blanket risk and compliance personnel (titles include general counsel, risk director, compliance manager, and others), and these staff are often involved in many of the abovementioned activities. All but one firm surveyed also employs other specialized staff to perform certain activities. Firms are most likely to employ dedicated conflicts staff, but, at many firms, these roles are also responsible for broader risk research beyond conflicts.
The time to embrace innovation is now
Our survey results indicate that although firms have largely chosen a global approach to risk management — moving toward more centralized organizational models — their approaches to the multiple functions under the risk management umbrella does vary.
Although most firms moved toward centralization more than five years ago, fewer firms have invested in dedicated staff for this specific purpose, instead relying on blanket risk and compliance personnel or conflicts staff to perform risk research. Inversely, the move to a centralized conflicts model has been somewhat more recent, but firms have invested heavily in specialized staff for this purpose. The centralization of client terms management trails the pack; only a handful of firms maintain dedicated staff for this purpose.
So what’s next? Though historically the legal market has been largely underserved by software vendors, the pace of innovation is accelerating. Over the past several years, technology has emerged to automate many risk management processes that had traditionally been manually executed. And as the legal industry begins to embrace innovations that enable a faster pace of adoption, such as AI and cloud delivery models, firms must continue to re-evaluate their operating models.
If AI can prepare conflicts reports in mere seconds, what will become of the conflicts searcher role? Will a team of regulatory experts prove critical once firm software proactively deploys new regulatory-compliance capabilities via the cloud? Although it’s true that roles may shift, there’s no shortage of work to be done. As one example, conflicts clearance used to be limited to incoming business and lateral hires, but with the introduction of automation technology, firms now have the resources to expand the scope of conflicts checks. Many firms today require conflicts checks before entering into business development activity (introductory client meetings, RFP responses, pitches, marketing events, publication, social media), issuing of subpoenas, hiring incoming administrative staff (paralegals, secretaries, administrators), and starting new vendor relationships.
Tomorrow’s legal risk team may not look like today’s do. The centralized model for risk management is here to stay, but the particular roles on the risk and compliance team will likely continue to shift. As technology advances at a quickening pace, firms must examine how their risk personnel can be best utilized to administer technology, lend expertise, and expand the breadth and depth of the firm’s work.