Editor’s Note: This column is written by a lawyer who specializes in advising attorneys and law firms on ethics, mergers, dissolution and other issues.

“Once upon a time, in a galaxy far, far away…” law firms didn’t have General Counsel or CLOs (“Chief Legal Officers”). The almost universal thinking was “we’re all lawyers; why do we need a lawyer?”

At most, firms had an ethics committee. This began to change in the 1970s and 1980s, and today there are only a very few substantial firms anywhere in the United States (or London) that don’t have such officers – often with substantial staff supporting them.

Indeed, a number of the larger international and global firms now recognize the “Office of General Counsel.” Even mid-size firms commonly have GCs, sometimes serving in that role on a part-time basis. Initially, these developments were driven in significant part by the need to manage the client intake process to avoid conflicts of interest. Today, the role and scope of the responsibilities of the occupants of these positions have expanded enormously. Now, just like their counterparts in the corporate world, these roles are really about helping law firms to address the panoply of enterprise risk management issues — the threats that pose potentially existential risks to their firms.

As a starting point to understanding what this means for law firms today, and as a general proposition, law firm GCs are charged with responsibility for identifying and managing — proactively rather than reactively whenever possible — their firms’ (and lawyers’) reputations. But of late this has begun to include the recognition — and management — of regulations imposed by clients as well as local, national and even foreign governments and regulators. Typically, today, clients, particularly governmental agencies and corporations of any size, impose outside counsel guidelines (“OCGs”) which can often run to several hundred pages and which encompass every aspect of law firm operation — conflicts, fees and billing, indemnification, staffing, and more. Some firms have found that they need a lawyer, working under the GC (or within the Office of the GC), on a full or nearly full-time basis, just to manage and oversee OCGs[1].

But the problems posed by governmental regulations are also ballooning. Three are of special note. Increasingly law firms — even domestic US firms with no overseas offices — need to understand and address human rights issues if their clients are involved in global supply chains. Next, firms are increasingly facing their own money-laundering risks, as well as risks arising not only by operation of the US Foreign Corrupt Practices Act but also under the even more draconian UK Bribery Act. Thirdly — and perhaps the most pressing issue — law firms are at the heart of cyber risk management. Here again the issues are not merely the firms’ own (and client directed) need to preserve client secrets in a digital universe, but, increasingly, the need to comply with detailed and global regulation of the cyber world, such as The (EU) General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (replacing the data protection directive (officially Directive 95/46/EC)).

While in each case the underlying concern of law firm GCs is their firms’ reputation, the risks in these areas come down to the singular fact that it cannot be a positive event if the firm is publicly associated with money laundering or corruption, or a human rights violation, or a data breach involving the loss or compromise of client data.

Human Rights

Today, law firms are regularly receiving human rights questionnaires from clients as well as human rights provisions in outside counsel guidelines. The intersection of business and human rights (for instance, does the client’s purchase of any kind of product, from raw materials to finished items, involve the violation of laws relating to human trafficking, or child labor or slavery by the client’s suppliers) is becoming a more pressing issue both for companies and the law firms that represent them. Did the firm’s partner negotiating and documenting a supply chain transaction appropriately take account of and advise the client of these issues?

From the public policy perspective, the American Bar Association has endorsed the UN’s Guiding Principles on Business and Human Rights and the International Bar Association’s Practical Guide on Business and Human Rights for Business Lawyers. On the legal requirements side, the EU’s non-financial reporting directive, which is being implemented in 2017, encompasses social, labor and human rights issues.

And some clients are pro-actively imposing human rights policies with which they expect their outside law firms to comply. They actively need their law firms to demonstrate that they understand the frame of reference that the clients are confronting in this arena.

Money Laundering and Corruption

Law firms are increasingly vulnerable to unwittingly becoming involved in money-laundering schemes. While the involvement of law firms may lend a sense of reputation and sophistication to a transaction, in fact the ability of lawyers in the United States to create escrow funds and pay interest on lawyer trust accounts allows them to sidestep the Bank Secrecy Act. They don’t have to disclose the clients from whom the funds came, and the funds in the accounts are commingled. Law firms, for example, were involved in the multibillion-dollar embezzlement scandal involving Malaysian sovereign fund 1Malaysia Development Berhad. The U.S. Department of Justice has alleged that the ill-gotten funds moved through the accounts of several very prominent U.S. firms. While so far US regulators have largely by-passed the law firms in these situations, the past is not a good predictor of the future. And the regulations based on the UK Bribery Act — which the British enforce extra-territorially, and which are about to become even more pervasive and draconian — may ensnare US law firms involved in international transactions even if their lawyers never set foot outside the United States. And even if your firm isn’t a direct target of a regulator, whether foreign or domestic, from a reputational point of view law firms are obviously better off if they can avoid landing in headlines for involvement, inadvertent or not, in a money-laundering or corruption scheme.

Risk management in these areas critically involves the client intake systems in place within law firms. To avoid reputational hits, law firms need to take a close look at their existing and potential clients. Client intake management is no longer limited to questions such as whether a firm has the expertise a client needs, whether there are conflicts and whether a client can pay. Today, to avoid these reputational threats (or worse) the intake process has to encompass “know your client” due diligence — even if it leads to difficult conversations with partners who want to bring in a high-risk client.

Cyber Risk

Much has been written elsewhere about the cyber risks facing law firms (and everyone else). What is important in the context of risk management is that law firms must be extraordinarily vigilant to protect their clients’ — and their own — secrets. A simple example is the Panama Papers incident. If a partner in a law firm engages a foreign law firm to assist in a client’s transaction, did the partner who engaged the foreign firm do adequate due diligence to determine the foreign firm’s level of cyber protection — and insurance coverage? Even if the firm did not agree to an indemnity provision in the client’s OCGs, the client will surely hold the lawyer and the law firm responsible even if the breach occurs entirely outside the firm, if the firm was responsible for the handling of the matter and the selection and engagement of the foreign firm.

In light of these expanding areas of risk for lawyers and their firms, the role and range of responsibility of law firm GCs and CLOs is growing commensurately, and is increasingly critical to the success, and perhaps even the survival of the firms they serve.

[1] For discussion of the scope of OCGs, and the very serious risks they pose for law firms, see Anthony E. Davis and Noah Fiedler, Indemnity Provisions in Outside Counsel Guidelines: A Tale of Unintended Consequences, The Professional Lawyer, Vol. 23 No. 4, June 2016, p1, and Anthony E. Davis and Noah Fiedler, The New Battle Over Conflicts of Interest: Should Professional Regulators – or Clients – Decide What Is a Conflict?, The Professional Lawyer, Volume 24, No. 2, March 2017, p1.