On day two of the IILPM (International Institute of Legal Project Management) conference 2022, Luis…
If operational risks are not managed properly, it becomes very difficult to plan and run legal matters.
In the absence of an operational risk management plan, delivery teams have to react to risk events ad hoc.
Having no plan to manage operational risks often results in slower progress than anticipated leading to increased costs and other operational problems once matters become live.
This could result in unhappy clients, wider reputational damage and even perhaps even leave the legal service provider open to allegations of professional negligence for not managing operational risks properly.
This post highlights some key features of a basic operational risk management process for legal matters.
When should operational risk management start?
Consideration of operational risks should start as soon as possible.
The new matter inception process provides an obvious opportunity to start assessing matter risks.
This can be done by asking questions such as:
- Is this matter within the team’s core expertise?
- How many similar matters has the team handled during the past year?
- Is there a fixed deadline?
- How many other departments are involved?
Working with legal service delivery team to answer a short set of simple questions such as these allows for the initial assessment of the overall matter risk profile.
Once this assessment has been made, before any substantive legal work has started, it is possible to determine the extent of legal project management support required for the matter.
A matter with a high-risk profile will probably require substantial project management support, while matters with a low risk profile may only require light touch project management support.
What are operational risks?
After the initial matter risk assessment has been made, further thought should be given to what might be described as lower level operational risks.
These risks can be categorised as being one of 4 types, being associated with:
To illustrate, assume for the moment you are a legal project manager working as part of the legal team on a complex litigation matter.
Some obvious matter level risks to consider:
- People: do you need access to people with specialist skills? If so, will those people be available when you need them?
- Processes: does the team follow standard internal processes for, say, discovery and disclosure of documents?
- Systems: will you need access to specialist support systems to assist with discovery and disclosure of documents? Does your firm already have such systems available? If not, how are you going to source a suitable system?
- Events: is the client aware of its duties regarding disclosure? If so, is the client aware of key dates in your project plan about disclosure? What happens if those key dates are missed?
As you can see, starting risk management early will help you to plan matters properly.
Looked at this way, operational risk management is an integral part of matter planning.
It is not put into a separate box to be considered later if time permits.
What is an operational risk management process?
A simple risk management process could comprise the following steps
- Identify risks
- Assess risks
- Prioritise risks
- Plan risk responses
- Action risk responses
- Keep risks under review.
Although these six steps may look rather long-winded, with practice they need not be.
Each step, and the process, need not be too time-consuming to apply. Especially if being managed by a skilled and experienced legal project manager.
Let’s quickly go through each step.
Step 1: Identify risks
Like so much else in legal project management, risk identification should be a team exercise.
Legal project managers should work with their teams, clients and third parties (such as outside counsel) to produce a list of potential operational risks.
A proven way of getting teams to identify potential risks in each category is to have a brainstorming event during a meeting.
I always encourage legal project managers to run project kick-off meetings for new matters, especially where the matters are reasonably large and complex. A project kick-off meeting is a great opportunity to get the team to think about operational risks.
I also find that running a brainstorming event with post-its or the virtual equivalent (perhaps by using a tool such as Miro) is much better for generating ideas about potential risks than calling a meeting and simply asking ‘can anyone think of any operational risks which might affect this matter?’.
Step 2: Assess risks
The purpose of a simple risk assessment exercise is to get a feel for the impact the risk event might have on matter delivery.
There are two components to this, assessing the likelihood of the risk event occurring and impact of the risk event should it occur.
Assessing likelihood of occurrence
The most common way of doing this is to represent likelihood of occurrence on a numeric scale.
This could be done by using a scale of, say, 1 to 5.
A score of 1 represents a risk event very unlikely to occur, while 5 represents a risk event which is almost certain to occur.
Assessing impact of the risk event
A similar scale can be used to represent the impact of a risk event.
Hence a score of 1 represents minimal impact, in terms of time, cost and resources, whereas a score of 5 represents a very serious adverse impact using the same assessment criteria.
As with risk identification, the risk assessment exercise should be a collaborative exercise by the legal service delivery team with the legal project manager applying well-honed facilitation skills to help the team form a considered view of risk assessment.
Step 3: Prioritise risks
My experience is that team brainstorming produces a lot of potential risks, which is good.
The downside to a long risk list however is that you will probably not have the time, budget and resources to address all of them in detail.
Hence you will need to prioritise and focus on a sub-set of risks.
To prioritise, you need to rank the risks.
The easiest (but not the only) way of doing this is to simply multiply each risk’s likelihood score by its impact score. You can then sort the risk list based on the combined ranking.
Depending on the time and resources you have for risk management, you can then focus on the top 3, 5, or 7 risks etc.
Step 4: Plan risk responses
I like to plan two kinds of response for each risk identified.
One set of responses is aimed at preventing, or at least minimising, the impact of any adverse risk events identified.
What action can be taken now to either prevent the risk event from occurring or minimising the adverse impact of the risk event on project delivery?
The next set of responses are designed to recover quickly should the risk event transpire.
If the adverse risk event occurs, what can be done to recover quickly and get matter delivery back on track?
As you should expect by now, this work will also be done by the delivery team, with the legal project manager using facilitation skills to help the team formulate practical and cost-effective risk responses.
During response planning you should assign one of the team to own the risk and be prepared to put the agreed risk response into action if required.
Step 5: Action Risk Responses
Should any of the risk events identified transpire, then agreed risk responses should be triggered and applied.
The role of the legal project manager here is to hold the risk owner accountable for applying the response. This means ensuring the response activity is done in a timely and cost effective way.
The effectiveness of the response should be tracked, for a number of reasons.
One reason is that the effectiveness of the response will affect matter progress, and this in turn must be reflected in any reassessment of matter delivery, including re-estimates of time and cost to complete.
Another reason is that the advent of any significant risks and their responses must be reported to all key stakeholders as part of standard matter progress reporting.
Step 6: Keep risks under review
The final step in our basic operational risk management process is to keep all the matter risks under review throughout the lifetime of the matter.
An easy trap to fall into is to spend some time on operational risk planning at the beginning of new matters and think that risk management has been completed.
Unfortunately, it has not. Risk management never stops. As matters progress, new risks come into view while risks identified earlier may no longer be relevant as they once were, if at all.
Potential risks, and how best to cope with them, need to be considered throughout the matter lifecycle.
Running legal matters efficiently
Risk management is an essential component of good matter planning.
My advice is to commence risk management as soon as possible during the matter definition phase and then continue to develop it as the matter progresses.
I cover risk management as part of my legal project management training course, showing how to create a management plan quickly and easily as part of matter definition and planning.
Another way of viewing risk management is that it is one of many processes which can be applied by legal project managers and those acting as legal project managers. All processes are candidates for improvement, and I show how legal processes can be improved in my legal process improvement course.