risk management is effective positioning as well as prevention

A March Briefing roundtable co-hosted with insurance broker Miller heard that while the market has been softer of late — which law firms are likely to have seen reflected in premiums — claim severity appears to be on the up. ‘Good’ times cannot be taken for granted against a business risk backdrop more complex than ever — flexible working patterns, working with generative AI and on data strategy in tandem, appropriate work supervision — and securing the required level of cover with clear evidence of robust policies and reliable practices will be key.

However, all individual controls must be seen as part of a bigger picture — a vision for risk management as the issues in question rise or fall off; not to mention regular horizon-scanning for regulation, tech-based game-changers or unpredictable geopolitical ramifications coming down the track. Critically, this picture not only needs to be comprehensive — it must be capable of being understood and acted on in a timely and empowered manner as part of a positively risk-focused culture.

Enter enterprise risk management

Insurers want to see evidence of the former in the form of a risk register — a sign that firms they support can weather the ups and downs of fortune and reassure that when the big claim does hit it’s more likely to be a one-off than signal of potentially worse to come.

But in turbulent 2025 that risk register can’t then be left on a shelf until it’s time for an annual review — which brings us to what is hopefully growing appreciation for the business value of building out ‘enterprise risk management’. There are several key components to consider, including driving ownership of risk aspects, flexibility, connectedness, communication, and challenging of assumptions. And as in so many other areas of law firm management today, firms’ clients may be making a strong case for investing time in the changes based on their own strategies, practices and priorities.

In terms of communication, for example, firms might consider turning their respective risk appetites into a simpler “statement” for all internally to hear. Clear articulation — as well as being transparent — also helps with the message internally that the risk and compliance function is not itself a threat. After all, some risk is tolerable risk — but the firm’s people should recognise the business value of reaching that decision. Where a risk level is heading too far into the red, perhaps that even makes the business case for greater resource or investment in an area.

Decisions aren’t for all time — focus that can flex

On flexibility, whether they erect barriers or otherwise, individual policies shouldn’t be viewed as static. Risk-based decision-making, just like process improvement, is more continuous. The external pace of change may dictate a rapid shift in what’s required — and this would require understanding and articulating the connectedness. Do you need consistency or a more tailored approach for offices internationally? Can you coalesce around best practice effectively in a business that is fast growing and dramatically diversifying what it does or evolving who does what within?  In some cases policies may call for efficient consolidation more than additions — and then how are they pressed home, policed, and does a particular breach lead to universal consequences?

One business leader who attended noted a less obvious risk that too much business success might breed laziness or complacency — a certain resting on legal laurels. Are senior people at a firm prepared a) to change themselves and b) to back the investments needed to facilitate it for the firm, whether that’s big bang in approach or pursuing a programme of continuous improvement?

Finally, with a world that makes more use of AI almost certainly appearing on your agile risk register somewhere, firms should be taking steps to understand their clients’ own risk appetites and scenario-planning for that future. Risk has a role to play in the choice, timing and use of the technology, of course — and in meeting either clients’ expectations or reservations. But there’s also an increasingly significant risk they fail to position themselves so they can respond no less rapidly when clients’ needs around AI inevitably change.

Read more Briefing takes on all the biggest legal business/organisational challenges and strategic priorities in the Briefing app