Law Society of Scotland

Risk Management

It is good business practice to understand, and plan how to deal with, the potential risks to your business. By
carrying out the planning, you will be better placed to recognise the signs of risk and take any necessary action.

Business continuity plan

It is important to consider what you would do, and how your business would survive, if the unexpected happened. Banks, insurers, and clients are more likely to take a company seriously if it has a business continuity plan. Helpful advice from the Scottish Government suggests you should ask yourself a series of questions:

  • Have you identified someone responsible for leading a crisis response?
  • Do you know what processes are critical to continuing in business?
  • Do you have arrangements to communicate with staff, or their relatives, in a crisis?
  • Could you cope if staff were absent?
  • Are your business computer records protected and backed up offsite?
  • Are your suppliers (including utilities) resilient with their own business continuity plans?
  • Can you access essential equipment at short notice?
  • Have you tested your assumptions about recovering from a business crisis or range of emergencies that might affect your business?

For incorporated practices there is a rule requirement – D5.4.2. See Scottish Government’s website for a continuity plan template.

Fraud and cybersecurity

Confidentiality and security of information are at the heart of any legal business. Advances in technology continue to change the way legal services are delivered – but can also present security risks. It is worth noting that your IT supplier is not necessarily an IT security expert.

Client accounts

Your client accounts are the most attractive target for cybercriminals, so we recommend that you start there with your security measures. These risks can be mitigated by operating robust processes and procedures, including two-factor authentication/authorisation, and by ensuring that client communication via email is encrypted or, where it is not encrypted, does not contain confidential information, particularly bank account details or anticipated dates for transaction settlements. Our website sets out the most common cyberthreats and how to deal with them.

See the Law Society’s Guide to Cybersecurity
See the Journal article ‘Check those bank instructions’

Professional risk

In day-to-day legal practice, there is always the risk that the client will be unhappy with the work you have done, or you may miss something or make an error. In those circumstances, a client may make a claim against a firm for professional negligence. Such claims would be covered under the Master Policy for professional indemnity. However, it is important to understand that most professional indemnity claims arise not from errors in the law but from poor standards of administration, poor procedures or not following procedures. It is important to consider the processes and procedures which you need to establish within your firm to help to avoid, or at least mitigate, the risk of a professional indemnity claim being made against your firm.

Some examples of good risk management would be:

  • Checklists of stages for various standard types of transaction
  • File reviews
  • ‘Second pair of eyes’ checks on important or complex documents
  • Carefully considered letters of engagement – with particular attention to the scope of services.

All solicitors must undertake a minimum of one hour of risk management CPD as part of their annual requirement.

Law Society of Scotland
Atria One, 144 Morrison Street
Edinburgh
EH3 8EX
If you’re looking for a solicitor, visit FindaSolicitor.scot
T: +44(0) 131 226 7411
E: lawscot@lawscot.org.uk
Law Society of Scotland | © 2025