This article was originally published in Legaltech News.
In my last article, I wrote about some supplier risk management warning signs you need to be aware of when choosing your law firm partners. Now, it’s time to talk about a few key strategies you can use to circumvent these risks.
Before we get into these strategies, however, it’s important to note that supplier risk management isn’t something that’s “one and done.” Effective supplier risk management is an ongoing process that starts before you enter into a relationship with a law firm and continues throughout the lifecycle of that relationship. The points outlined below reflect that mentality.
With that, let’s take a closer look at five effective risk mitigation strategies.
1. Evaluate whether an outside firm is needed.
Hiring an outside firm for the work reduces transparency, reduces control, and introduces communications issues in a way that, all things being equal, increases risk. Therefore, sometimes the best risk management strategy is to keep things in-house.
In-house teams already know one another, the business, and the people, and can get and interpret information more quickly and accurately because of this knowledge. Unlike law firms, they do not have other clients who are competing for their attention. Information security is less of an issue because data is not crossing organizational lines, and the level of data security in-house should be well-understood. Diversity, inclusion, and other environmental social governance (ESG) aspects of business may not be where the organization would like them to be, but at least there is greater transparency around those issues, and the organization can address them directly rather than asking an outside firm to improve.
2. Survey outside counsel.
Proactively surveying law firms about practices that could pose a threat can be instrumental in uncovering potential vulnerabilities or risks. For example, a survey could center around whether a law firm in question has diversity programs in place or if they have a succession plan. Many e-billing/matter management solutions feature diversity modules that allow you to do just that. Some also feature information security surveys that allow you to quickly and easily gather key data about your firms’ cybersecurity infrastructures.
Surveys should be mandatory and recurrent. Make it clear that law firms that fail to answer completely and truthfully will not have your business. Surveys can be done at any time. Indeed, it’s a best practice to periodically survey outside counsel to ensure they remain low risk.
3. Research third-party data.
Obviously, law firms will always present themselves in the best light possible. But you should not rely just on what your firms tell you. Instead, do your own due diligence and refer to the many good resources available to help your check your firms’ risk levels.
For instance, information on law firm profitability, associate and partner attrition, and diversity are all readily available through various resources at little or no cost. Use these resources as you see fit to validate your firms’ statements.
4. Talk to your law firms about risk management strategies.
After all of this due diligence, there may be some law firms you want to work with but still have reservations about. All is not lost. Instead of giving up on those firms, offer to have open conversations with them about your concerns. Talk to them about ways they can mitigate risk within their organizations so you’ll feel more comfortable about working with them.
You can achieve many goals by simply having this conversation. First, it gives the firm a chance to reduce its risk profile, which helps you, them, and any other organization they may work with. Second, it provides you with the opportunity to work with them to create a risk mitigation strategy that suits your specific requirements. You’ll know they’re in compliance with what you’re looking for—because you will have helped to develop that compliance.
There may be circumstances where outside counsel cannot or will not adhere to your requirements. For instance, some information security requirements cost hundreds of thousands of dollars to put in place. If you are only giving counsel $50,000 in business per year, they are unlikely to want to upgrade their infrastructure if the only client asking for the upgrade is you.
This situation has become increasingly common, particularly in the finance sector, which involves a lot of sensitive data and strict requirements to keep it safe. Legacy firms, which got business due to the strength of personal relationships rather than the strategic positions of the firms overall, are losing business to larger firms that already have the desired IT infrastructure in place. But so be it—this is part of a larger evolution where CLDs are moving to “hire the lawyer, not the firm” to “hire the firm, not the lawyer.”
5. Take a long-term approach.
Most of us feel continuous pressure to get things done right now. That’s not the best approach with supplier risk management. While it’s an important issue you certainly need to address, the important thing is to get and keep things moving in the right direction. Small gains made today are still gains that set CLDs up for greater success tomorrow. Even simply knowing what the key supplier risks are and what relationships they reside in is a huge win.
You also do not need to “boil the ocean” by overhauling all supplier relationships at once. Instead, start by getting a better understanding of your largest suppliers—because they are handling more work and more data, that is where your biggest risk areas are likely to be.
Risk within the legal supply chain is real, and it can lead to serious issues if not dealt with. Managing supplier risk begins with understanding it, spotting it, and reducing it to the greatest extent possible.
