Effective governance and controls can give law firms a competitive edge

December 1st, 2017

By Moroke Phajane

Third party risk management is currently an important topic for most corporate entities. Most corporate entities are carefully scrutinising their third party suppliers in order to minimise the risk exposure inherent in such relationships.

This also applies to professional service providers, including, law firms. As a result of the current economic climate corporate entities are also exploring innovative ways of saving costs without compromising the quality of services required from third party suppliers. This simply means a professional services provider with effective governance, controls, suitably qualified personnel and a flexible fee structure will be most attractive to corporate entities.

This definitely creates an opportunity for law firms. The operating model of law firms is inherently flexible and makes it possible for such firms to negotiate alternative fee arrangements with their clients. This fee model coupled with effective governance, controls and suitably qualified personnel enhances the stature of the law firm without necessarily increasing in size.

Most corporate entities have a Procurement of Goods and Services Policy, which requires that a formal transparent process be followed when selecting suppliers. This involves a formal, transparent process in which suppliers are invited to bid for the provision of the required services. In most cases an independent cross-functional sourcing team is selected to assess the bids presented by the various suppliers using specified criteria and select the most suitable supplier. The following generic criteria are generally used to assess and select suppliers:

  • Preferential procurement (the service provider’s Black Economic Empowerment (BEE) status).
  • Operational and technical capability.
  • Assessment of service provider’s liquidity and solvency.
  • Commercial assessment (charge out rates, pricing structures, cost benefit analysis).
  • Risk and compliance management controls (information security, business continuity, compliance with laws).

Preferential procurement

Most corporate entities are rigorously assessing the impact of engagements with service providers on their BEE scorecard. Ownership is one of the elements that is measured on the BEE scorecard for preferential procurement.

Operational and technical capability

Law firms, like any other professional services provider, have to provide evidence of their technical and operational capability. This can be achieved by demonstrating expertise in a specific area of specialisation, the qualifications, experience and capacity of the resources employed to provide the services. This can also include personnel and technology used to provide the resources.

The law firm’s track record or success rate is also an important factor in determining the firm’s competency and capability. The law firm also has to demonstrate its case management capabilities, which include providing the necessary reports, updates and alerts to clients on the deliverables.

Assessment of service provider’s liquidity and solvency

This entails an assessment of the law firms’ audited financial statements to verify that the law firms is financially stable and that its financial position will not result in the inability to continue providing the services.

Information security

It is advisable that a firm should – at a minimum – possess the following policies to demonstrate the existence of processes and controls in place for the safe and fair management of information being processed on behalf of the corporate entity:

  • Information protection/privacy policy: Internal mandatory statements that define the minimum requirements for fair and secure information handling practices.
  • Information security policy: Internal mandatory statements that define the minimum requirements for information security, including, strong password standards, data classification, data retention storage and destruction, data loss prevention security standards, namely, patch management, application firewalls, anti-virus, anti-malware tools.
  • Access management policy: Sets out the procedures and requirements for applying for, granting, managing and revoking user access to systems, data and physical premises. This includes controls to ensure that only authorised individuals enter your premises, including, a visitor sign in process, secure remote access procedures, encryption technology.
  • Acceptable use policy: Contains explicit rules for individuals (employees and contractors) around appropriate use of the firm’s information assets, including networks, devices and good practices to secure such assets.
  • Risk management framework and policy: The defined risk management framework as it pertains to people, data, financial risk and the mitigation thereof.
  • Compliance policy: The defined compliance management approach or framework to deal with regulatory compliance as it pertains to the organisation. This includes operational, security and human resources compliance requirements.
  • Business continuity framework/plan: A process in place to manage and test the business continuity and disaster recovery capability. This includes the availability of business continuity plans, disaster recovery plans and robust backup procedures.
  • Security management alignment thereof to ISO2700X, Cobit and King III.
  • Incident management processes.

Compliance with relevant laws

It is important for the firm to understand the corporate entity’s legislative universe that is comprised of legislation, which is applicable to the entity or the industry the entity operates in. This will enable the firm to put measures and controls in their operations that will ensure that in providing the services to the corporate entity, the firm does not cause the corporate entity to contravene legislation or regulation applicable to it.

Business continuity

The firm needs to demonstrate that it has measures and controls in place that it will be able to provide the service to the corporate entity without any disruption resulting from factors such as key man dependencies, technology downtime and lack of back up procedures.


The current economic climate has resulted in businesses and individuals minimising or prioritising their procurement initiatives. Corporate entities are embarking on various initiatives to save costs. Professional services, including, legal services will definitely be on the list of services to be procured at a minimal as companies are beginning to scrutinise the necessity of outsourcing such services to external service providers. Innovative firms that address the business need at a reasonable and lower cost compared to existing service providers stand to benefit from this. This will certainly give law firms offering sound business solutions and that have adequate risk and compliance controls and track records the competitive edge.

Moroke Phajane LLB (UFS) Post Grad Dip Business Administration (Milpark Business School) is the Head of Third Party Risk Management at Liberty Life in Johannesburg. Mr Phajane writes in his own capacity.

This article was first published in De Rebus in 2017 (Dec) DR 26.