Management Assistance Program

A Risky Business: Managing Law Firm Risks

By Jim Calloway

Disaster recovery for law firms, cyberattacks, backing up data and protecting digital client security are all things I have discussed in this space during the preceding year. This month I want to cover law firm risk management more generally.

Managing and mitigating risk is a key element of much legal work, even though many lawyers do not think of their delivery of services in those terms. A contract ensures the terms of an agreement are clear and enforceable. A cliché about litigation is that cases are often settled “on the courthouse steps” right before the trial is set to commence. One reason for that is that once all evidence and witness testimony is known, parties to litigation and their attorneys can forecast a range of results so both the high-end risk and the low-end risk can be quantified.

Lawyers and law firms must manage their own risks. Historically, those risks were easily understandable. There was the risk of a grievance filed against a lawyer or firm alleging failure to comply with appropriate ethical standards. There was the possibility of a malpractice case brought against the firm – and there was a range of physical loss and liability issues, similar to those of other businesses, which are normally addressed by purchasing insurance.

Without a doubt, managing risks in today’s business environment involves a wider and more complex set of issues.


In last month’s column, I discussed disaster recovery plans and why every law firm needs one. One subset of disaster planning involves a discrete incident response plan (IRP) for quick response to cyber-attacks.

Risks associated with cyber-attacks, malware and ransomware have been discussed in the pages of this publication and other places for several years. Several months ago, there were reports of a Providence, Rhode Island, law firm held hostage by ransomware blackmailers for 90 days while the criminals demanded $25,000 in ransom paid in bitcoin to restore access. The news item involved the law firm’s litigation against its insurer for not paying a claim for $700,000 in lost billing as the firm’s 10 lawyers were left unproductive and inefficient.

The idea of a law firm’s computer network and workstations being offline for a few days, much less 90, is a chilling thought for all lawyers and law firm administrators. Now the experts tell us it may be impossible to guard against all forms of evolving cyber-attacks. This creates the need for an IRP that focuses on detection, response and recovery as well as protection against threats. All businesses need an IRP section of their overall risk management planning. Internet searches will locate some form of incident response plans that can be used as guidance. Some are free. Some are available for purchase. It is important to recognize that “filling out the form” will not cover all of the unique and special situations in your law firm or your clients’ businesses.

If your law firm has neither an IRP nor a disaster response plan, it is well past time to begin those projects. If the firm has them, then the question is how long it has been since they have been reviewed and updated.

But there are other types of cyber risks. In an era of rapid change, regular training for staff on email threats and other cyber risks is important, but regular training is also needed for issues like individual social media posts referencing the law firm and what to do if physical access to the workplace is blocked.

Law firms also have business risks as they prepare to move into a rapidly changing and uncertain future.


Technology advances and automation tools are replacing many workers in the American economy today. Clients are exerting pressure for legal fees to be reduced with no corresponding reduction in the quality of services. Firms that cater to the individual consumer market are seeing challenges from competing online delivery services. This type of risk is unprecedented. Sometimes the term unprecedented is used to refer to looming disasters of huge magnitude. Here the term is used in its dictionary sense to mean we have not experienced these types of changes in our profession before.

At the OBA Annual Meeting, I presented a program touching on blockchain, artificial intelligence and other future trends in the law. I told the attendees that today a “smart contract” means one that is automated to be quickly prepared using document assembly methods. Soon a “smart contract” will mean something that will not be fully contained in a paper document, but will encompass a process that will be largely self-executing. Blockchain connections will note delivery of goods and any quality control testing before automatically transferring previously escrowed funds through a blockchain-powered process. Just think, a smart contract may mean that there cannot be a breach of the contract – or at least that any breach will be automatically handled by the software rather than litigation. That will be a major change!


What about key clients? Does your firm have one or more clients you cannot afford to lose? All clients expect and deserve a high level of service. Your days may be crowded with deadlines, decisions and projects, but for those clients whose loss would imperil the firm or an entire practice group, it should be an ongoing project to demonstrate to those clients that you are as indispensable to them as they are to you.

Losing key lawyers is an ongoing concern. Lawyers moving between firms is a reality today. A firm likely cannot avoid loss of some clients when a lawyer or practice group bolts, but there should be constant messaging to clients that they are represented by the entire firm.


We are all mortal. The death or temporary disability of a lawyer can have a profound effect on a law firm.

Larger law firms have infrastructure in place to step in when a lawyer dies or becomes temporarily disabled. For solo and small firms, significant planning is typically required. So, for the second month in a row, let me mention that all lawyers should log into MyOKBar and download the OBA-provided publication “Protecting Your Clients in the Event of Your Death or Disability.”

Your clients have supported you financially throughout your professional career. You have an obligation to make certain that the impact of your death or disability on them is minimized to the extent possible.

Mr. Calloway is OBA Management Assistance Program Director.  Need a quick answer to a tech problem or help solving a management dilemma?  Contact him at 405-416-7008, 1-800-522-8065 or jimC(at)OKbar.org.  It’s a free member benefit!

Originally published in the Oklahoma Bar Journal — November 18, 2017 — Vol. 88, No. 30
