The Singapore Law Gazette

Reputation –Your Firm’s Most Prized Asset

Reputational Risk

Cyber risk, regulatory compliance, and social media in a post-truth era have cast a spotlight on reputational risks faced by companies (and businesses).

There have been surveys on reputational risk, which is the risk of loss resulting from damage to a company’s reputation, in industries such as financial services and technology.¹Deloitte’s 2014 Global Survey on Reputation Risk – survey conducted by Forbes Insights, on Deloitte’s behalf. More than 300 respondents from companies in the financial services, consumer/industrial products, technology/media/telecommunications, life sciences/health care, and energy/resources sectors took part in the survey. 88% of respondents said they were explicitly focusing on reputation risk as a key business challenge. 87% of respondents rated reputation risk as more important or much more important than other strategic risks their companies are facing. These surveys have found that preserving a good reputation is on the risk management agenda of many companies and reputational risk is increasingly being viewed as a distinct risk category on its own.

As the importance of brand and reputation would apply equally to law practices, these surveys are instructive. This article examines the significance of reputational risk for law practices and what law practices should do to manage this risk.

Components of Risk

Apart from the surveys in other industries, there was a survey of law practices in the UK, by Byfield Consultancy, a legal PR agency. Byfield partnered with Legal Business magazine to investigate how law practices approach building, preserving, and defending their reputations. Their report, Risky Business-Taking the pulse on law firm reputation management² The survey garnered the views of 50 senior PR professionals from 100 leading UK law firms on the key reputational risks they faced. The survey found that law firms have come a long way in managing their reputations but they still lagged behind their corporate conterparts.64% of respondents to the survey cited cybersecurity threats as the biggest risk to their firm’s reputation over the next two years, followed by misuse / proliferation of social media (28% of respondents), increased regulation (26% of respondents) and clients’ reputational issues (26% of respondents). found that, on balance, reputational risk is on the increase, with 36% of respondents saying that they had managed more reputational risks in the past two years than before.

Reputational risk usually arises because of other risks. For a law practice, there are various components of risk, such as³ These components of risk and its various aspects are not exhaustive as they may vary depending on the size and practice areas of the law practice. –

1. Operational Risk-
   • delegation and supervision
   • deadlines
   • IT and cyber security
   • personal data protection requirements
   • business development – new business acceptance & terms of engagement
   • business continuity – succession planning
2. Financial Risk –
   • procedures and controls in handling client money and conveyancing money
   • prevention of money laundering and financing of terrorism requirements
3. Quality Risk –
   • competence in practice areas
   • ethics and professional conduct
   • client confidentiality
   • conflicts of interests
   • client care
   • professional negligence risk
4. Regulatory Risk – requirements of regulatory authorities
5. Outsourcing Risk –
   • client confidentiality
   • personal data protection requirements

There are prescribed obligations on law practices (in Singapore) to ensure that they have in place adequate systems, policies and controls in relation to client’s money, conflicts of interests, client confidentiality;⁴ Rule 35 Legal Profession (Professional Conduct) Rules. and the prevention of money laundering and financing of terrorism.⁵ Rule 18 Legal Profession (Prevention of Money Laundering and Financing of Terrorism) Rules.

Damage to reputation could result from a failing or shortcoming in one or more of the various components of risk that a law practice is faced with. A shortcoming in one component could also have a cascading effect in another component. For example, a shortcoming in IT and cyber security measures (operational risk), could lead to a loss or leakage of personal data or confidential client information (quality risk and regulatory risk).

Sources of Reputational Risk

As damage to reputation arises from other risks or combination of risks, reputational risk can be viewed as an overarching risk. In fact, Deloitte describes reputational risk as a “meta-risk” to reflect the combined impacts of many other components of risks.

One of the principal sources of reputational risk for law practices are its clients. Byfield’s Risky Business-Taking the pulse on law firm reputation management report found that client reputational issues caused the most problems for law practices’ communications teams, with 36% of respondents to the survey citing this as one of the biggest causes of reputational risk over the last two years.

Client reputational issues are an aspect of operational risk. At the new business acceptance stage, law practices have to be alert to potential reputational risks they face from prospective clients. Client due diligence is required not only at this intake stage (operational risk) but throughout the client relationship (financial risk and regulatory risk) to determine if the client is seeking to misuse legal services to launder illicit funds. Suspicious transaction reporting is also a critical risk management aspect (financial risk and regulatory risk).

Another major source of reputational risk is cyber risk. There have been recent incidents of law practices being the victims of global cyber-attacks, and according to Byfield’s report, the biggest reputational concern for PR professionals within UK’s leading law practices is the threat posed by a cybersecurity breach. There was a similar finding in Norton Rose Fulbright’s Reputational Risk Australia 2017 Survey Report that cyber risk was the most likely to have an impact on a company’s reputation.

The recent Panama Papers and the Paradise Papers incidents illustrate how cyber risk and client reputational issues could affect the reputation of a law practice. Although it has not been established that any of the clients concerned were engaged in money-laundering, or illegal tax arrangements, the manner in which the matters were portrayed in the media, cast insinuations about the reputation of the law practices involved. These incidents also demonstrated the fragile and volatile nature of reputation. Money-laundering or the failure to file a suspicious transaction report, and cyberattacks have the tendency to garner much media attention. And any adverse news could affect a law practice’s reputation even if allegations against it subsequently turn out to be unfounded.

Intertwined with cyber risk, is the risk of loss or leakage of personal data and confidential client information, as a result of a cyber-attack. This could lead to complaints by clients regarding their personal data and confidential information, and action being taken by the regulator(s) against the law practice. Norton Rose Fulbright’s Reputational Risk Australia 2017 Survey Report cited regulatory investigations together with cyber risk as the most likely to have an impact on a company’s reputation. With regard to data protection, some law practices may face increasing regulatory compliance as they may be caught by the extraterritorial reach of the EU General Data Protection Regulation (GDPR), which will apply in all EU Member States from 25 May 2018. This could lead to greater reputational risk for law practices.⁶ A global study from Veritas Technologies earlier this year revealed some of the concerns of organisations worldwide, including in Singapore. 92% of the organisations surveyed in Singapore were concerned about not complying with the GDPR, and 56% of respondents were afraid of being unable to meet the regulatory deadlines. There was also concern about brand damage among businesses in Asia Pacific. 22% of respondents in Singapore, and 21% in Japan and Republic of Korea respectively, fear they could lose customers because of negative media and social coverage.

A law practice’s online reputation is also a source of risk, especially in this post-truth age. With social media, information spreads quickly and can potentially affect reputation rapidly. Adverse comments, or false allegations on social media about a law practice, if left uncorrected, may harm the law practice’s reputation.

Consequences of Damage to Reputation

For small and mid-sized companies in the UK, research has found that 28% of a UK company’s value is accounted for by reputation.⁷Pulse – Small and mid-cap sentiment index (Issue 15, Autumn 2015).

As for law practices, reputation, and the risks related to it, may be difficult to value or quantify. Nevertheless, based on the surveys that have been conducted, the consequences of damage to reputation would be noticeable. There will be immediate and long-term consequences.⁸ According to Norton Rose Fulbright’s Reputational Risk Australia 2017 Survey Report, there is no exact formula to quantify its value, yet damage to reputation is immediately noticeable, and long-lasting. The survey found that the main concerns of reputational damage included its immediate consequences and costs, distraction to business functions, and long-term impact and erosion in brand equity. Overall, the immediate consequences, e.g. crisis management and minimising financial costs, takes precedence over its long-term impact. Dissatisfied clients may not instruct the law practice again,⁹ Byfield’s Risky Business: Taking the pulse on law firm reputation management report revealed that 82% of the PRs felt that the lawyers themselves consider reputation to be of high importance when it comes to winning work and attracting talent. which may result in a loss in revenue. Members of the public may warn others not to engage the law practice. Staff morale could also be negatively affected. And there may be issues of retention and attraction of talent as lawyers and staff may be reluctant to be associated with, or join the law practice.¹⁰ According to Byfield’s Risky Business: Taking the pulse on law firm reputation management report, 90% of respondents felt that a badly managed reputation can deter lawyers from joining the law firm.

Managing Reputational Risk

The following are steps a law practice could consider in managing reputational risk –

• Identify the various components of risk (e.g. operational risk, financial risk, etc.).
• Understand how the various components of risk could affect one another. For example, as most data breaches involve a cyber or IT incident, your IT and cyber security measures (operational risk) could affect your obligations in relation to personal data (regulatory risk).
• If there are different departments or teams handling different components of risk, ensure that there are no gaps, and there is coordination and communication between the different departments or teams.
• Identify how the various components of risk could affect the reputation of your law practice, in particular IT and cyber security, personal data protection requirements, new business acceptance, and prevention of money laundering and financing of terrorism requirements.
• Adopt a firm-wide approach to manage or mitigate reputational risks. For example, IT & cyber security should not be only an IT matter, but a firm-wide risk management consideration. Similarly, new business acceptance should be a firm-wide risk management consideration in order to mitigate any regulatory risks.
• Monitor and review the online reputation of your law practice – review and monitor @replies in your Twitter feed, comments in your LinkedIn account, and posts on your Facebook page. You could also rely on tools such as Google Alerts or Yahoo! Alerts to monitor your online reputation.
• Regularly review the various components of risk, and how they could affect the reputation of your law practice.
• Incorporate reputational risk into your business continuity plans, e.g. succession plans.

By incorporating reputational risk into your risk management plan, your law practice will be able to manage its risks in a more holistic manner.

Knowledge Management Department

The Law Society of Singapore