
How to Conduct a Good Risk Management Analysis?

November 2, 2020

In our articles, we focus on concrete actions to reduce the risk of facing a malpractice claim. That said, it is also worthwhile to regularly conduct a more comprehensive analysis of the risks your firm faces, particularly in terms of professional liability. The purpose of this article is to guide you through the main steps of a risk analysis.

Global Affairs Canada defines risk “as the effect of uncertainty on objectives”.[1] In other words, risk refers to the likelihood and impact of an event that could adversely affect the achievement of your firm’s objectives.[2] However, it should be noted that a risk can also have positive effects. In such a case, risk gives rise to opportunities.[3]

The Five Steps of a Risk Management Process

In an article published in the Harvard Business Review, Michael Herrinton discusses a study conducted by Ernst & Young LLP showing that companies with a strategic risk management program outperformed their peers financially.[4] In fact, these companies were able to align their risk management strategy with the broader corporate strategy. It is also reasonable to believe that a firm with integrated risk management will be more productive[5] and that client service will be improved. But how does one do that?

There is a particularly important step preceding the five steps presented below: the creation of a risk management committee. Not only will this committee be responsible for ensuring that risks are identified and appropriate solutions are put into place, but one of its primary functions will also be to establish channels of communication between the various departments of the firm to ensure that risk management measures are consistent across departments.[6]

That being said, here are the five steps in the risk management process:

  1. Identify and define risks: This involves identifying the risks to which your firm is exposed and which could influence the expected results.[7] In this respect, several risks are possible, but in terms of professional liability, there are two predominant ones: clients and lawyers.

    Malcolm M. Mercer, a Toronto lawyer, has identified four categories of client risk.[8] First, there are claims risks. These are likely to result in costs and damage to the reputation of the firm and the lawyer. Second, the departure of a client generates a risk that manifests itself in terms of revenue, reputation and sometimes team cohesion. Moreover, a client who terminates the professional relationship because of dissatisfaction with the services rendered is more likely to institute malpractice proceedings. Third, a credit risk may arise when the client is a bad payer. Lastly, there are conflicts risks. Indeed, agreeing to represent a client implies that we will have to refuse to represent any client with an opposing interest.

    As regards the risks associated with the lawyers with whom you practice, Mr. Mercer[9] raises the existence of risks related to poor performance and ethical or other misconduct. A newly arrived lawyer may also cause concern if they do not have the expected level of expertise. Similarly, this new arrival may lead to conflicts of interest forcing the firm to cease representing certain clients. Finally, a lawyer who leaves the firm is a risk with respect to the loss of clients or the disclosure of confidential information.

    Here is an example of risk identification and definition: You review the firm’s billing process and find many deficiencies, including the lack of clear guidelines. In fact, each lawyer acts according to their own good judgment and in some cases this results in the absence of regular billing. The risk could therefore be defined as follows: There is a risk that perceived deficiencies in the billing process could lead to a deterioration in client relationships and their eventual departure from the firm’s practice, which could adversely affect the achievement of the firm’s objectives. The risk identified here is the billing process. As for the impacts, they will be felt on the relationship with clients and, consequently, on the achievement of results.
  2. Determine the effect of risk on outcomes: Among the short-, medium- and long-term objectives/outcomes, identify which ones could be affected by the risk in question.[10]

    Let’s take the example of the billing process again.[11] A firm that has a stated goal of being recognized among the top ten firms in its region (reputation) compromises the achievement of this goal by maintaining a deficient billing process, because of the impact this has on client satisfaction. The firm’s financial objective could also be affected.
  3. Identify risk responses: This step involves establishing the strategies you will implement to manage risks and reduce the likelihood of their occurrence.[12] The strategies put into place must be realistic given your budget, time frame and the expertise available for their implementation.[13] It should be noted that continuing education is one of the strategies that regularly recurs when it comes to risk management.[14] This training should cover not only the law, but also best professional practices and the prevention of malpractice proceedings.[15]

    Thus, as regards billing, it could be decided to make lawyers and their assistants aware of this risk through training or meetings. In addition, a directive could be issued that any invoice for X amount must be forwarded to the client within a specific time limit. Software to indicate cases where work has not been billed for a specified number of days is also a possible measure.
  4. Assess the level of risk: The aim is to establish the level of residual risk, i.e. the “level of risk after risk responses have been taken into account”.[16] The two assessment criteria are the probability and the impact of the occurrence of the risk on objectives.
  5. Monitor, update and report: Since risks may disappear or evolve, it is essential to regularly review your risk analysis.[17] Furthermore, the importance of communication cannot be overemphasized. Indeed, risk management is everyone’s business! Your colleagues and your firm’s administrative staff must be able to bring any perceived risk to your attention.

In closing, it is important to note that a global and integrated risk management analysis allows one to effectively reduce professional liability risks. Indeed, it forces lawyers to regularly review their policies and procedures and to react less impulsively, and it reduces the perception that they are always “putting out fires”.[18] Do you have yours?


[1] Global Affairs Canada, Risk Management, September 28, 2018. Found at:

[2] Id.

[3] Vivian Kloosterman, What are the 5 Risk Management Steps in a Sound Risk Process, Continuing Professional Development. Found at:

[4] Michael Herrinton, How Mature is Your Risk Management?, Harvard Business Review, June 29, 2012. Found at:

[5] Malcolm M. Mercer, A Systematic Approach to Law Firm Risk Management, Slaw, April 30, 2012. Found at:

[6] Rabiya Hirji-Young, Risk Management in Law Firms, Law Technology Today, December 20, 2016. Found at:

[7] Global Affairs Canada, supra, note 1.

[8] Malcolm M. Mercer, supra, note 5.

[9] Id.

[10] Global Affairs Canada, supra, note 1.

[11] We could also have used the example of the process for monitoring deadlines.

[12] Id.

[13] Id.

[14] Michael Herrinton, supra, note 4; Malcolm M. Mercer, supra, note 5; Rabiya Hirji-Young, supra, note 6.

[15] Malcolm M. Mercer, supra, note 5.

[16] Global Affairs Canada, supra, note 1.

[17] Id.

[18] Vivian Kloosterman, supra, note 3.

