Knowledge and Risk: box-ticking considered harmful

I had been running the knowledge management function for a couple of years in my last firm, when the decision was taken to build a proper risk management team. Until then, the firm’s partners had managed risk themselves, with support from some key litigators and a team of staff to handle client and matter intake (conflict checking, information barriers and so on). The firm had grown, and the regulatory landscape had become more complex, so that there was a compelling case for professional risk management. And so a risk director was appointed, who very quickly identified a need for a larger team of risk lawyers.

I was initially nervous about this development. I feared that the new regime would arrive with a list of ‘do nots’ and thereby undermine the work I and the PSLs were doing to encourage knowledge sharing around the firm. I had heard scare stories from my peers in other firms about clashes between risk and knowledge teams: each having a completely different perspective on openness than the other.

In the end, my fears were misplaced. There may be risk professionals who see their role as restrictive, but ours did not. Nor did they interpret the rules as a recipe book for prohibitions. In fact, I found that the goals of the risk and knowledge teams were closely aligned in some significant ways.

Until 2011, the rules governing solicitors in England and Wales were contained in a set of documents combining general principles and detailed rules. This approach worked moderately well when law firms were all fundamentally similar. As the market opened up following the Legal Services Act 2007, it was clear that the myriad of legal business models would need a different type of regulation. The new Code of Conduct combined a set of high-level principles with mandatory outcomes and indicative behaviours. The Solicitors Regulation Authority (SRA) gave firms real flexibility in how they achieved the desired outcomes:

The SRA Code of Conduct (the Code) sets out our outcomes-focused conduct requirements so that you can consider how best to achieve the right outcomes for your clients taking into account the way that your firm works and its client base.

The message that firms had to think carefully about their own approach to risk was communicated very clearly by the SRA’s executive director of supervision, risk and standards, Samantha Barrass.

Addressing a risk management conference in London, Ms Barrass said the SRA is concerned that some firms might see the indicative behaviours that help interpretation of the 10 core principles as a checklist, rather than possible examples of practice – the SRA is likely to take a “dim view” of this.

She said: “The indicative behaviours are not mandatory, they provide examples or a starting point to aid thinking on how to deliver the outcomes and principles. Unthinking reliance on the indicative behaviours is not a risk-free approach to compliance; they do not cover all regulatory scenarios or compliance requirements, and certainly focusing attention on the achievement of the behaviours alone could actually lead to a firm overlooking or de-prioritising emerging risks.”

She said that some solicitors “have proudly told me that in preparation for outcomes-focused regulation (OFR) they had extracted the indicative behaviours, and ticked off every one that could possibly be relevant as being present in their organisation in order to present a model of best-practice compliance to the SRA”.

Ms Barrass asked: “But can the firm say, hand on heart, that this approach really gets to grips with the nature of the firm itself and its business practices?”

Since 2011, no firm in England and Wales should take a ‘box-ticking’ approach to risk.

Another significant change in the new Code was that it applied to the whole firm: not just solicitors. Everyone employed in the practice was expected to demonstrate that they were working in support of the mandatory outcomes.

These changes meant that our new risk team was focused on helping people across the firm understand their obligations. Their goal was to shift people’s working practices to meet those obligations.

My goal was similar. Rather than establish a set of rigid knowledge activities and measure compliance with simple KPIs, I wanted our work as a knowledge team to support the firm’s desired outcomes. For me, success would be measured in improvements to the way people developed and handled knowledge in their everyday work, rather than counted in numbers of precedents or items in a knowledge bank.

Good risk management and good knowledge management have these things in common. They work best when there are clear outcomes. Those outcomes may require people to change the way they work. Risk or knowledge regimes that allow people to tick boxes but carry on working as usual merely store up serious problems.

So, the firm’s knowledge and risk teams had much in common. We had a similar (but not identical) message to convey to the firm, and we had an equally strong interest in the firm doing things properly. As a result we worked together pretty well.

Our common interest was most strongly manifested when the firm started to develop a formal quality programme. Most of the products of that programme were driven by risk and knowledge teams together or were strongly influenced by people from both areas. The approach adopted was also similar. Rather than aiming for external certification, the firm defined a number of desired outcomes. Those were driven by known shortcomings in the way work was done. Like the risk and knowledge teams, the quality team avoided a mechanical approach to achieving the desired outcomes.

Over the past few years, I have seen a number of firms (and not just in England and Wales) combining one or more of risk, knowledge and quality in one role. Whilst this isn’t a model for all firms, it seems to work well for those that have adopted it. If, however, there is antagonism between any of these functions, the firm will undoubtedly suffer. Even separated, there should be substantial common interest.

Whether separate or together, each of these teams should “really get to grips with the nature of the firm itself and its business practices.”