Governance, risk and taxation

2013 Annual Law Firms’ Survey

Our survey this year focuses on the broad risk agenda and the impact of recent regulatory changes. Our findings suggest that the risk agenda continues to evolve for law firms; however, it is still relatively immature compared to similarly sized corporates.

The legal sector appears divided in terms of how best to address the risk agenda, with significant variations emerging around structure and risk coverage. The Top 10 banding remains at the forefront, with continuing significant developments across the rest of the Top 50.

  • Ownership of risk remains fragmented across the sector and is split between the Audit Committee, dedicated Risk Committee and other parties.
  • The composition and remit of the Internal Audit (IA) function remain variable. For the 50% of firms that have such a function, approximately one third comprise only one individual and only 28% have more than two. External resource is increasingly being sought to address the growing complexity of the risk agenda, including IT.
  • Since January 2013, when the SRA’s new Outcomes Focused Regulation (OFR) became effective, almost 25% of the Top 100, including 27% of the 11-25 banding, have reported a material breach to the SRA. This has been a stand-alone incident for almost three-quarters of respondees and over half of these breaches relate to the SRA Accounts Rules.
  • The focus of the SRA’s Client Relationship Manager (CRM) has been on new procedures implemented as part of OFR, as well as on client monies, office monies and anti-money laundering procedures.
  • Information Security is a key area of focus across all law firms, but over one-quarter of respondees to our survey have yet to carry out a security risk assessment covering both Information Security and Physical Security. The nature and extent of security incidents faced by law firms, coupled with the growing expectations of clients, are key triggers for such activity. For around 40% of the Top 25, reporting in-house Information Security provisions is now a prerequisite as part of many key client pitch processes.