Organisational culture is a key part of risk management

Approx 90% of PI and cyber claims are caused by human error

Professional Indemnity and Cyber Insurance Claims continue to dominate the legal press daily.
Lack of technical expertise is rarely the issue

Insurers and the SRA both say that organisational culture is a critical part of the success or failure of a Law Firm. Around 90% of Professional Indemnity Insurance (PII) claims are caused by ‘culture and behaviour’ rather than technical expertise, or an incorrect interpretation of the law. Similarly, over 90% of cyber breaches are caused by the ‘Human Risk Factor’ and not the network security system itself.

You can't control every step of every interaction with clients

Like managing a football team, managing a service is a complex business. You can set a strategy for the style of play you desire, train your players, have them hone their technical ability, even make them practice set moves for specific opportunities at corners/free kicks. Yet you, as manager or owner, are helpless when they walk out onto the pitch. You have no control over the hundreds of ‘interactions’ that will take place between your players and the other team (clients).

Your organisational culture and risk management approach will determine how your staff behave with clients when you are not supervising them.

The old way of measuring and reducing risk

At each Professional Indemnity insurance and Cyber renewal, underwriters assess risk using the data compiled in your proposal form – the statistics that describe what your law firm does and what it did last year. This same approach is used by the SRA and Law Society, assembling ‘compliance’ data on your firm which is only about ‘what’ you do. None of it shows ‘how’ you manage your business on a day-to-day basis - this is the missing data.

Measuring culture has been costly and difficult

If 90% of the causes of PII and Cyber claims are down to culture and behaviour, and not technical expertise, why are the SRA and Insurers not attempting to measure this critical element in risk management? It’s historically been a time-consuming and expensive process interviewing staff and management then producing a report for the senior management to consider and implement. Thankfully, the advent of the digital age with machine learning, and now AI, has helped dramatically to speed the process.

An updated approach to measuring organisational culture and individual risk traits

One company we're starting to work with is New Eden Way. They have developed 3 online questionnaires that can measure the culture of a service organisation in 15 minutes, and they can be combined with a cyber security questionnaire to identify the ‘behaviour traits’ of every individual in your organisation.

What follows are actionable insights regarding the ‘perception gaps’ in culture (Service Strategy, Compliance and Team Mix/Leadership Style), plus a bespoke, individual remediation plan for each member of staff regarding their cyber behaviour style.

The results of both questionnaires also indicate to insurers who is more at risk of PII claims and Cyber breaches in the future, thus augmenting the conventional data collected in the proposal forms. A summary of the styles is shown in Figures 1 and 2 below.

Figure 1: The Risk Culture Matrix


Copyright 2023 Newedenway Ltd All Rights Reserved

Figure 2: The Risk Personality Matrix


Copyright 2023 cyberconIQ All Rights Reserved

The role of insurers is changing with new risk management approaches

AI is enabling insurers to enhance their services, moving from collecting premiums 'from the many to care for the few' who suffer loss to predicting and preventing loss in the first place. They then collaborate with the client to reduce risk.

Personal Lines and Catastrophe insurance approaches to data and risk assessment have already changed dramatically over the past decade: in-car telematics are driving (literally!) behaviours behind the wheel, with better outcomes and fewer accidents; parametrics are predicting and protecting against property and land disruption; and IoT devices are helping in the home, as well as in our place of work.

Many Cyber insurance providers are already shifting to the mantra of ‘predict, prevent, protect’; Professional Indemnity Insurance is next.

Insurance, whether PII, Cyber, D&O or other, is just one part of the risk equation. It should not be your only risk management strategy, and culture plays a key role.

Richard Brown

How effective is your firm's risk management culture?
