In Conversation with Deborah O’Riordan
As many of our readers will be aware, Deborah is Risk Solutions Practice Manager at QBE, working with the Financial & Specialty Markets Division (Professional Indemnity, Management Liability, Financial Lines), with overall responsibility for the delivery of risk management services, products and information to our policyholders and brokers.
What in your view are the top three risks facing firms offering legal services today?
I’m trying not to think too hard about this as it would be too easy for me to get analytical, and depending on any chosen strategy the risks will be different anyway, but let’s just say:
- Business model failure: This could be a failure to adapt at all or adoption of new service models that are not well thought-out. Risk management thinking can be applied equally to create value as well as to prevent errors and harm, but if not applied correctly, or at all, this can lead to epic and sometimes very public fails.
- Uncontrolled growth: We’re still seeing a lot of M&A activity and organic growth with many businesses. A growth strategy is going to struggle if the underlying controls, education and supervision aren’t robust enough to start with, or aren’t scalable or flexible enough to match the extra volume, variety and complexity, that inevitably arises through M&A activities.
- Security failures: We’re in the information age and as often happens, the pendulum has swung too far in one direction, in this case towards ease of access and use, without being balanced by appropriate security controls. When GDPR comes in next year, the procedural and cultural change that will be needed, and the potentially large fines that could seriously impact a low profit business, could have very damaging effects.
Odd maybe that I’ve not mentioned the C word (Cyber) yet, but there can be an ICT element to any of the above so there is scope for malicious cyber-based disruption on many fronts, especially if systems are not adequately protected. As with a legal breach or error though, there is often the potential for remediation and/or mitigation, so having the right tools in place and having access to experts that can help before it gets out of hand is critical. So get your cyber cover in place (with QBE of course!)
In your role you deal with risk management in relation to professional services firms other than lawyers. Are the risks facing those businesses different and, if so, in what way?
There are of course individual nuances for each profession as they each operate in their own business environment with unique factors (the legal framework, the physical environment, the property market, investment and tax landscape etc.), so if you looked at the claims arising they would appear to be different. But essentially a professional firm is one that designs a product or solution, or tailors an existing process, to suit an individual and/or a unique set of circumstances. It’s a very broad spectrum with greater and lesser degrees of creativity at either end.
Due to the creative design element, it’s imperative that client and adviser have the same aims, objectives, and parameters in mind, so these must be captured, defined, agreed and reconfirmed as work progresses - right up until the end solution to ensure suitability and fitness for purpose. Following a risk-focussed ‘Assess, Monitor & Review’ framework (loosely aligned to ‘Plan-Do-Check-Act’), should be adaptable to any profession and reduce the likelihood of ‘failure to advise’ type errors where the scenario often goes "if you had told me x then I would’ve / wouldn’t have done y" etc. As these account for some 25% of all QBE claims (against lawyers at least), then that core risk needs to be front of mind at all times.
Of course, being able to prove you did advise x is the crux to defending any future claim, so capturing that in writing is a fundamental risk management control in all professions. So whether you’ve trained as a Lawyer, Architect, Financial Adviser or Tax Consultant, skills to manage this type of risk (listening, investigating, articulating, communicating, influencing and managing expectations) to make sure you are always on the same page are vital - not so dissimilar after all!
What qualities, in your view, make a good Risk Manager?
To my mind, there needs to be an absolute dedication to drive improvement in the business in a way that will both prevent errors and add value, and depending on where a business is in its risk management journey will dictate the priorities. Regardless, I think the following qualities are essential:
- Influence: The ability to sell concepts and benefits to people at different levels in the business is essential for getting and keeping people on board for change management. Additionally, training to build awareness of risk is vital to developing a strong risk culture which develops understanding and risk-thinking rather than getting people to robotically follow processes and tick boxes.
- Collaboration: nothing can be achieved alone so collaborative skills to work across teams and functions are needed to ensure solutions to risk issues involve all key stakeholders, change is embraced and embedded, and the right messages are cascaded without being watered down.
- Investigative and analytical skills: a good RM won’t take things at face-value but will dig, discuss, and uncover all contributory factors when things go wrong or something needs developing.
- Objectivity & Independence: for professionals, that one needs no explanation!
- Tenacity: A risk manager is also a change agent and pushing through corrective action and improvement measures across a whole professional practice, will need a tenacious character.
- Pragmatism: The ability to convert complex regulatory and legal requirements into practical risk controls that are articulated in a straightforward language is essential. Making change feel less onerous by building on existing processes and documents and making use of existing channels.
- Value Focus: Understanding that risk and failure events (both internal and external) are all opportunities for valuable learning and for that learning to embed long term, it can’t just be talked about, no matter how widely incidents are shared. They will understand that changes need to be captured in written systems on as many levels as possible to hold on to the knowledge learned.
I haven’t mentioned technical knowledge yet. If the role covers compliance then Yes, that will be needed to hit the ground running, but if the risk manager you have or are going to employ has all the above qualities, getting to grips with legal obligations and a regulatory framework will be a piece of cake.
Is there such a thing as "risk culture" within businesses?
Oh definitely, and there are numerous definitions out there but they all generally align to risk culture being the culmination of attitudes, beliefs, values and behaviours which shape and influence the risk decisions made by everyone in an organisation. Given that most practices now have some sort of operational risk framework in place, at QBE we are promoting risk culture as an effective way to drive the risk management agenda.
When thinking about risk management, consider the tangible controls as the bricks, and the risk culture as the mortar that holds them all together. On their own it doesn’t take much to knock a hole in the assembled brick wall, but with the mortar holding it all together, it takes a lot more to break down the barrier. Last year QBE launched its ‘Risk Culture Profiling Tool’ which provides a practical framework to evaluate risk culture in any business. It covers 31 evaluations across 7 core areas: Leadership, People, Reward & Recognition, Communications, Operations, Evaluation, and Improvement. If you visit the QBE Blog or the Document Library, you’ll find various articles on the subject. And if anyone’s up to a challenge, QBE policyholders and Airmic members can obtain free access to the online profiling tool by contacting us on RS@uk.qbe.com, and those submitting responses will receive a personalised benchmarking report shortly after.
Can the effectiveness of good risk management practices be measured within any business and, if so, how?
Absolutely: It’s just a case of looking for the right indicators to measure. The obvious ones are generally claims, complaints and regulatory breaches but it’s better to seek out indicators at a lower level and respond to those early to prevent repeats or similar failure events at higher (and costlier) levels. Errors, incidents and near misses, financial issues (write-offs of any sort) or insufficient profitability, poor file inspection or audit results, plus feedback of any sort, are all fodder for monitoring how well the risk control measures you’ve already implemented are working and what else needs to be done – there’ll always be something (if you believe in continuous improvement and the theory of marginal gains).
Measures for upside risk should also be included and this might be reflected in how many new and successful services are brought to market, what innovations are adopted (and maybe even how many are started, even if they fail). Encouraging the behaviours to ensure a wide array of failure events are captured, good practice is shared, and innovation and development is nurtured, needs to be thought about within the reward and remuneration structure: "What gets measured, gets done" so we need to think about how risk management effectiveness can be included in objectives and performance measures. And of course, longevity and continued success is the ultimate indicator of effective risk management – if your business is still here in 50, 100, 200 years’ time, then you must have been getting your risk management right. Simples.
What is the biggest risk you have ever taken?
LOL! I am not a big risk-taker at all - I get even more risk averse as I get older, and becoming a mum sent my risk antennae into complete overdrive.
It’s calmed down a bit now but it’s always on, and probably why I’m doing the job I do. "You are what you do and you do what you are." as they say. A big risk for me at the time was moving to London straight after University with a massive overdraft, without a home or a job, and no savings or anyone to fall back on. So I slept on a friend’s floor, borrowed a suit from her to do a few interviews, and got a job as an Ops Assistant in an architectural metalwork design company. It was a short hop from there to take on the quality assurance responsibility which led me into risk management.
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.