
In times of great uncertainty, one thing is certain – risks are hitting law firms faster than ever before, which means they now need to manage at the speed of risk. Paul Haley and Neil Belton from Azets explore how law firms can prepare to manage at such a pace, and what to consider.

In the last few years, we have faced a global pandemic, a war that resulted in high energy prices, an escalation in cyber attacks from state actors, high inflation and interest rates, changes in consumer behaviours, changes in workforce expectations, early retirements and skills shortages from a reduced labour force, more regulation, an uncertain and changing Government, climate change… the list is endless.

Most of the above would not have been on your radar four years ago. So, how prepared are you to manage emerging risks?

According to the Chartered Institute of Internal Auditors, the top 10 risks in 2024 are likely to be:

  1. Cybersecurity and data security
  2. Human capital, diversity, talent management & retention
  3. Macroeconomic and geopolitical uncertainty
  4. Changes in law and regulations
  5. Business continuity, operational resilience, crisis management and disaster response
  6. Digital disruption, new technology and AI
  7. Climate change, biodiversity and environmental sustainability
  8. Supply chain, outsourcing and ‘Nth’ party risk
  9. Market changes, competition and changing consumer behaviour
  10. Financial, liquidity and insolvency risks.

It would be easy to take the view that some of the above are irrelevant to your legal practice. But global connectivity has shown recently that a covid outbreak in China impacted everyone. So, the ostrich approach to risk management does not work.

Number one risk

Let’s look at the number one risk, especially around cybersecurity and data security. These are just some of the questions you should be asking of your own organisation:

  • Do you still have old legacy systems in your server room, or years of old case files on paper in a dusty cupboard?
  • How are you ensuring you meet GDPR data protection regulations?
  • Are those systems vulnerable to a ransomware attack?
  • Are they patched up to date or otherwise secured effectively?
  • Are your data privacy impact assessments up to date?
  • What about system security: do you encrypt and protect client data?
  • Have you managed starters and leavers effectively?
  • Are your staff printing from home or using their own computers, where data may be stored?
  • Are you relying on a third party to take care of all this for you?
  • How are you getting assurance that their work is performed effectively?

The impact of cyber and data breaches is potentially huge, and the fines from the Information Commissioner are large if you aren’t asking these questions and taking action, so it’s worth checking.

We are also seeing many businesses relying on third parties to look after their IT, particularly the business continuity arrangements covered by risk 5 above.

Have you ever undertaken a controlled business continuity/disaster recovery test? How would you respond to a ransomware attack? Do you know enough to ask the right questions to ensure you have the operational resilience you assume you have?

Interlinked risks

Other risks are interlinked. Digital disruption, through competitors innovating and utilising new technology, is changing consumer behaviour, and consumers are also making environmental and ethical choices about their suppliers.

We are seeing increased insolvencies of legal firms, so doing what you’ve always done is not an option. Managing change requires good risk management, and strong, clear business and IT strategies are a must.

Investing in good risk management will give comfort that you’ve done what you can to identify, assess and mitigate things that could affect your business operations, and that your forward-looking strategy has every chance of delivering success.

Putting in place cost-effective controls that reduce, avoid, share or accept risk is essential, and understanding how to deploy preventive, detective, corrective and directive controls effectively and efficiently is key.

It will also future-proof you for what might be coming down the track from regulators, as we await news from the FRC in 2024 on enhanced internal control reporting.

Need to talk it through?

Azets has a specialist Risk & Technology Assurance Team that can advise on creating risk policies, processes and risk appetite statements, as well as running risk workshops and conducting risk assurance and advisory reviews.

Let us help you manage at the speed of risk and provide answers to the questions you need to ask of your own organisation.

With specialists spread across the UK, we offer a personal, local approach to risk assurance. If you are looking for practical advice and expert support, we’re ready to help.


Paul Haley

Partner, Azets

Paul is a Partner in Risk Assurance at Azets UK, specialising in Internal Audit services for Wales and the West. Paul is a Chartered Fellow of the Chartered Institute of Internal Auditors and qualified in 1993, with over 30 years’ experience.