This article was originally published in Legaltech News.
A 2020 survey of general counsels (GCs) indicated that GCs believe the legal function is the primary corporate function responsible for identifying and managing risk within their organizations. But how well are they managing the risk generated by their own suppliers? That’s an important question, since choosing the wrong law firm or managing the “right” firm poorly exposes clients to additional risk.
Different law firms present different supplier risk profiles along different lines, including business continuity risk, cyber risk, and risk around environmental, social and governance (ESG) issues. GCs need to identify and manage these “law firm risks” just like they do any other sort of risk facing the organization. Unfortunately, sometimes when law firms help GCs mitigate risk it blinds GCs to the fact that those very same law firms may increase risk in other ways.
Here are some warning signs legal departments should be on the lookout for to identify risks created by their own suppliers.
Warning sign no. 1: Lack of inclusion
In 2020 and 2021, we have seen a couple of very large and prestigious law firms forced to confront serious allegations about the culture of their organizations, including top leadership. When such allegations are true, the unprofessional behavior they describe may have already kicked off an exodus of firm talent, including both associates and partners, who want to distance themselves from that behavior. In the worst-case scenario, a few key rainmakers leave and cause a domino effect that threatens the continued existence of the firm.
This is a reminder that corporate legal departments (CLDs) expose themselves to potential unnecessary risks when they use law firms that have no sincere commitment to diversity and inclusion. People who feel included generally do not sue their employer for discrimination or make other allegations that impair firm reputation, service delivery, and ability to attract and retain talent.
Warning sign no. 2: High employee turnover
You should have a good idea of how your firms are doing with regard to business success. You will not always be able to determine this, but there are certain noticeable red flags to look for, including high employee turnover.
In fact, law firms themselves believe that “inability to retain high-potential associates” is one of the top business risks facing their organizations and, arguably, the top risk that they are in a position to mitigate (see p. 3 of this report). When a firm (or a practice group within a firm) has a substantially higher turnover rate than similar firms, that could be for lots of reasons—but none of them are good. Maybe the firm cannot afford to pay its employees fairly, or simply refuses to. Maybe it does not treat them well, fails to offer interesting work, or burns people out with too much work.
In the end, it probably doesn’t matter why—if the associates (and certainly the partners) are voting with their feet, the client should consider doing so as well. Apart from the basic stability issues raised by high turnover, it can impair representation because when associates leave, most of their knowledge of active legal matters and of the client organization leaves as well. It could be months until any replacements get up to speed, and law firms aren’t shy about billing for the extra “get up to speed” time. The billing guidelines in many organizations prohibit such charges, but most CLDs do not have the kind of sophisticated invoice review operation needed to identify and reject them.
Warning sign no. 3: No formal succession plan
Many law firms have not adequately planned for the departure of key partners, either through retirement or death. This is problematic because the client needs to know, like, and trust the successor partners for a proper transition.
It takes years, not months, to groom those successors and transition that relationship. When law firms wait until the end and try to hand all the client relationships off at once, it impairs service delivery and frustrates clients. A lot of clients just end the relationship altogether, which not only makes the firm less profitable but diminishes its overall strategic position in the marketplace (again, see p. 3 of this report). Even if your CLD isn’t one of those that leaves, the fact that others are leaving means you are dealing with a firm that is less than it was a few years ago.
Warning sign no. 4: Poor information security
An American Bar Association survey revealed that only 31% of law firms have cybersecurity incident response plans in place. Even among larger firms, with 100-plus attorneys, only 65% have a plan. Given that, perhaps it is not surprising that in 2020 there were several cybersecurity incidents involving law firms, including the exposure of 756GB of contractual and personal information and fee agreements, as well as other confidential data. Indeed, nearly one-fifth of law firms have shown signs of compromise.
But the issue could be even larger: How many firms got hacked or otherwise allowed sensitive data to be exposed, without even knowing it? The weaker a firm’s security, the less likely it is to even know a problem occurred.
Furthermore, when a firm with insufficient cybersecurity expertise does suspect an issue, it may take longer to confirm whether the issue is real. In the meantime, the firm may hesitate to let clients know about the matter, for fear of alarming the client and/or damaging firm reputation unnecessarily.
Of course, exposure of sensitive data is not the only concern. What if your firm is subject to a ransomware attack that prevents it from accessing the electronic records it needs to represent you? This is another serious issue that could impede the firm’s ability to service your CLD effectively.
What to do next
Now that you know some ways that your firms might actually be increasing, rather than decreasing, overall risk to your organization, it is time to talk about how to identify whether that is actually happening and in which firms. My next article will outline some specific strategies on how to do that.