Don't leave it to chance

By Nick Bungard on 24 November 2014

In the 1800s, American writer Ralph Waldo Emerson wrote “Shallow men believe in luck. Strong men believe in cause and effect." Whether or not you think this statement is true across the board, it is certainly still very relevant to risk management today.

Imagine this scenario. You wake up on a Monday morning, with the curtains closed. You suddenly remember you have a key meeting at 9am. Being late is not an option. There is only one problem: you rely on public transport to get to work and it is rarely attentive to your needs! So in order to be punctual, you need to know just how likely it is that your usual bus will be on time. If it's very unlikely, a taxi or earlier bus may be in order.

Logically, we should take a step back and think about the things which may increase the probability of the bus being late. If you open the curtains and it is raining, you may assume the bus has to go slower and therefore it may be somewhat likely to be late. But there is also a chance that it could still run on time—unlike snow, rain doesn't completely halt all British transport. If you remembered the road works were due to start today, you may have determined that it is almost certain that the bus will be late. Roadworks always create delays.

This thought process acknowledges that the probability of something bad occurring is dependent on the different causes which affect it. It can be a difficult thought process to apply effectively: sometimes we may make decisions based on hunches and intuitions when really we should take a step back and come to reasoned conclusions.

One of the best ways to approach a problem is to apply a structure upon which it can be analysed. The updated Risk Index, released in March 2014, has created a structure that can enable most risks in the legal services market to be seen in terms of cause and effect.

For example, a breach of confidentiality is one of the risks we see within firms. It can harm clients, prospective clients and employees. A breach of confidentiality can also be seen as the 'effect' of something else going wrong. As a firm, understanding how likely it is for a breach of confidentiality to occur requires consideration of the key causes. This could be a failure in policy, ineffective systems and controls or dishonest actions.

You can start to manage this risk by asking yourself questions that allow you to understand if these causes are present and, if so, how they could contribute to a breach of confidentiality. This might include questions such as

  1. Do I have a clear policy for taking sensitive information off-site?
  2. Do I have adequate encryption on my systems?
  3. Do I have controls to prevent rogue employees from accessing sensitive information?

How you choose to approach this is really up to you. Some large firms may need sophisticated systems in order to effectively manage these risks while small firms and sole practitioners may be able to do so effectively in a far more straightforward manner.

You may want to organise some brainstorming sessions, carry out an audit, or perform some number crunching. You may want to introduce a risk register. You may have a selection of key performance indicators, shown on a dashboard with graphs and statistics. Provided a proportionate approach is taken to managing risks, the options you choose just need to be right for your business and not something that should be imposed on you by your regulator. Of course, just as you can use cause and effect to avoid the bad effects happening, you can also apply it in entirely the same way to help make the good effects happen (more often).

Nick Bungard is a Risk Analyst-Modeller at the Solicitors Regulation Authority.