What are the risks in professional services M&A

Show Notes

In this podcast, John has been speaking to Kate Burt of HiveRisk about the risks that should be considered when involved in a law firm M&A deal or management buy out.

Kate talks about how to manage risk including considering AML and cyber security risks and she also talks about her journey from personal injury lawyer to running her own business.

Transcript

00:00:00:00 - 00:00:42:23
Unknown
The Deal Lawyer Podcast with John Andrews, powered by JMW Solicitors. But one of the real risks with the emerging acquisition is that you're inheriting someone else's IT system that you don't know what vulnerabilities or threats are within. The law firm's data is very sensitive in terms of the client information hacking scenario. It's potentially devastating for your client base.

00:00:43:00 - 00:01:04:11
Unknown
Hello, welcome to the Deal Lawyer podcast. I'm John Andrews. And today I'm joined by Kate Burt, she is the founder, CEO of High Risk. Kate, welcome to the podcast. Great to be here and thanks very much for joining me now. Could you just tell me a little bit about Hive Risk? This is an unusual podcast for us today.

00:01:04:13 - 00:01:23:03
Unknown
It's an area that I've not covered before. So yeah, So tell me what you guys say. Yeah, so Hive Risk. We're a boutique risk and compliance company, but what's unique about us is that our client base, so are all law firms. So we work with between 100 - 200 law firms at any one time looking at their risk and compliance needs.

00:01:23:03 - 00:01:47:03
Unknown
So we're quite niche and specialist in the market. Okay. But in terms of the compliance areas in the arena of law firms, what sort of areas is that? Does that cover AML, anti-money laundering, that kind of stuff? Absolutely. And that's really our biggest client base is for those law firms looking at their money laundering risk. So I don't know if anyone's read the legal press or sees anything in the news.

00:01:47:03 - 00:02:11:08
Unknown
It's a lot around the scrutiny that law firms are under, in particular on their anti-money laundering approach, really. So that's where we get most of our inbound inquiries are in relation to firms trying to get a handle on their anti-money laundering regulations and requirement because of the pressure coming from the regulator. Yeah, and that's something I myself obviously that we come across on a daily basis.

00:02:11:08 - 00:02:32:02
Unknown
We've got a compliance team up in Manchester and they have regular sleepless nights over these issues. Correct me if I am wrong, but your background is, is a lawyer, is that correct? Yeah, I'm still a lawyer and still a practicing solicitor, and I've got my practice in cert. So I was in the in the cert renewals with everyone else in in October.

00:02:32:02 - 00:03:02:12
Unknown
So yes, it qualified back in 2007, but been working in the legal sector since the early 2000 in the slip, trip capital of the world actually in the early 2000 in Liverpool, so actually trained as a predominantly predominantly a personal injury solicitor in Liverpool back in that time and I worked for a number of the top 50 law firms, UK law firms doing insurance litigation, and so did both claimant work and defendant work.

00:03:02:12 - 00:03:23:16
Unknown
So that's acting for the the person that's been injured, but also also acting for the insurance companies who are defending the claims as well. So I've seen on both sides of the fence, as I said, how did you end up doing compliance? It wasn't planned. I think like a lot of things. I think those in insurance, they you never you never plan to work in insurance.

00:03:23:16 - 00:03:48:20
Unknown
Do you know, accident by design. But I'd been working as I was at the time I left. So a traditional fee earning in 2016. I was really looking for a change and I wasn't quite sure what that change was going to be. So I actually handed my notice in as working at Keogh's at the time, a top 50 law firm, quite senior solicitors as ten years at that point.

00:03:48:22 - 00:04:09:12
Unknown
But I didn't know what I wanted to do, but I knew it was not. I knew what I just knew, but I wasn't exactly sure what that was. So I handed in my notice and before I'd actually finished working my notice, I was approached by a claims management company to say, Can you help us become a law firm? Can you help us do our ABS application?

00:04:09:14 - 00:04:31:02
Unknown
And it was a it was a really strange request. And for anyone that knows who's listening is to, to to have an ABS, you need a solicitor involved at some point. So essentially he was a non-lawyer who needed a lawyer to get this ABS. So I was, I was sort of handy, if you like, not that I had any experience or expertise at that time.

00:04:31:04 - 00:04:52:18
Unknown
So essentially I agreed to help. And on the basis that he knew that it was the blind leading the blind and it was doing that piece of work that I actually realised that compliance was a specialist area in its own right, as well as a practicing solicitor. You just take for granted that compliance happens and you don't actually see it as a specialism.

00:04:52:20 - 00:05:23:13
Unknown
But fast forward almost a while, eight years now, it actually compliance is a specialist market and it's booming, in fact. Yeah. And I guess the consequences of getting it wrong are so severe now that you're an essential service, I think since law firms. Absolutely. There's those firms that contact us when they are in real distress. But there's also firms who see what's happening around them and other firms that are getting into trouble or making the headlines, and they want to have that really solid compliance framework.

00:05:23:18 - 00:05:46:09
Unknown
So before before they land in hot water, they want to make sure that that their systems are robust. And that's where we handle both both inquiries. Okay, great. And so I'm actually the outset of this podcast, this is quite a specialist area, and I'm going to focus, if you don't mind today on the aspects of acquiring a law firm business.

00:05:46:09 - 00:06:15:19
Unknown
Actually, I started out as much as you as a good two years as a personal injury lawyer before I decided I had become a corporate lawyer against M&A work. And over the years I did take a number of law firm acquisitions and they are specialist. They do have their own foibles, their own difficulties and their own pitfalls, but particularly in relation to sort of the money laundering aspect in the due diligence process.

00:06:15:21 - 00:06:33:10
Unknown
From your perspective, what what are the sort of areas that any potential buyer of a law firm or perhaps any boys are going to do an MBA of a law firm should be looking out for? Yeah, I, I think the AMA is one side of it, but there's a whole host of things that you know, that you need to look at when you're looking at acquiring a law firm.

00:06:33:15 - 00:06:53:19
Unknown
One is the anti-money laundering aspect to see how well the the firm your client actually runs that. So there's a lot of things that you can actually cover with insurance. But one thing that you can't cover is that reputational damage, If you if you're a new firm or the firm ends up in the headlines and email is guaranteed to hit the headlines.

00:06:53:21 - 00:07:31:02
Unknown
So what what you want to be looking for in there is how well is that firm run in terms of their compliance. So doing that due diligence on the front end to make sure have they got good policies and procedures in place, How are the files run? What what's the storage systems like? Are the firms doing actually a full so a gap analysis on on how well that firm is run in terms of compliance just to see you can't check, you can't uncover everything but you can get a sense of this is a really well run firm or actually this is something's going to come out of the woodwork here, particularly in relation to negligence

00:07:31:02 - 00:07:57:23
Unknown
claims that might come out of the woodwork later on. And poor compliance can lead to negligence claims or is an indicator of potential negligence claims. And one of the things that you will look at when you're looking to acquire a firm is the claims history. That may be in my head. The firm might have a good claims history or there may be lots of claims on there that have already happened and that will indicate what the potential is.

00:07:58:00 - 00:08:27:01
Unknown
If you acquired that firm on your liabilities, probably the cost of your insurance as well. And that's a real key area to look at is actually the insurance position. Okay. And I guess one unusual aspects of the common law firm is the that the concepts of a successor practice. And I don't know whether you've come across scenarios where there has been a takeover and it has been a successful practice on our own.

00:08:27:03 - 00:08:56:12
Unknown
And if you have, what's the impact of historical mistakes and omissions in those circumstances? Absolutely, yeah. This is one of the key questions on on insurance. So and the key decision for that that firm taking over the firm. Are you happy too And actually can you afford cover that cover successor in the successor claims. So we actually had a a recent instruction where the firm actually changed how they were going to approach that.

00:08:56:14 - 00:09:23:09
Unknown
So initially they were going to approach it with reign of cover, so that that's where they, the outgoing firm, already pays for those historic claims. And then you also start with a clean slate, the way they were initially going to approach it. And actually the the insurance position was such that successive practice, if they continued on with the successor practice, it was actually going to work out cheaper on the insurance front.

00:09:23:11 - 00:09:43:06
Unknown
So opted for to go for a successor practice. Now it really comes down to a sort of that risk analysis there of what's the saving on the the premium versus what's the risk that something's going to come out of the woodwork on this case. So what we explained to the firm was it's much more risky to go successive practice, right?

00:09:43:08 - 00:10:13:20
Unknown
Because you're on the hook for everything. Yeah. Anyway, they decided to go go ahead with it and but with additional due diligence on to see what what are what is the risk or the potential for something coming out of, of of this. Okay. So if there is a successor practice scenario and you set the risk of an insurer against that, I guess that covers the financial consequences of that being of there being gaps in the AML processes.

00:10:13:22 - 00:10:48:20
Unknown
But what about criminal sanctions? Does that does that carry across to the the successor practice? Yes. So it's it depending on what it is. So if if the criminal aspect relates to their sister or an owner who is no longer with the practice, then that crime that criminal that's a sort of a personal liability for that individual so that carryover same with the regulatory penalties that would actually be the outgoing owner or solicitor that would follow them on the right side.

00:10:48:20 - 00:11:15:04
Unknown
So they could have left the firm, set up something new. But that regulatory discipline, if you like, would follow them and they could potentially get struck off or imprisoned, depending on what it is, what what it doesn't what insurance doesn't protect you against is that reputational damage because your firm's brand all over the news, the headlines, and, you know, the headline doesn't tell the full story, but it makes the impact.

00:11:15:06 - 00:11:35:05
Unknown
So your new shiny firm will actually be tainted from the beginning about anything that's out of the woodwork. Absolutely. And according to that, in a M&A scenario for a law firm, if you choose not to go down the successor practice, a sort of have a cessation of the old firm and you can you transfer the clients across the want of a better expression.

00:11:35:07 - 00:11:55:11
Unknown
I guess in those circumstances you have to start the whole amount process afresh. Yeah. So you would always look at it. So what we would always advise is one, you know, check, check out what you're buying no matter whether it's successor or if it's run off enough cover. But when when the new practices form, you want to be looking afresh at your whole approach anyway.

00:11:55:16 - 00:12:41:24
Unknown
So you want to be understanding of fresh, who your clients are, what sorts of services you're offering, and what your unique risk is for the new entity. Now with with AML regulation, it's a constantly it's a constant process. So yeah, you can never say AML done. Yes. So periodically reviewing what are our risks and particularly when you're looking at acquiring a practice, you've got a whole new potentially new work area, potentially whole different profile of client base, which brings with it unique, unique challenges and a unique approach to mitigate the risks depending on the new the new practices acquired.

00:12:42:01 - 00:13:04:20
Unknown
You're okay and safe. In theory, you cover cryptocurrencies. Is cyber security. Is that is that an area that you guys get involved with? Yeah. So tell me a bit about that. Well, what does that involve? Yeah, so we so we look after cybersecurity with firms. Not that we don't do the technical aspect of it. We, we advise on policies, procedures and also support firms getting through their accreditation.

00:13:04:20 - 00:13:27:21
Unknown
Maybe it's cyber essentials plus is they all cyber essentials or cyber essentials plus this one that most people have heard of. So what can we can we can help firms spot risks, but also what we can do is bring in those those technical experts. So whether it's doing a a a penetration testing of systems or looking at vulnerabilities within the I.T.

00:13:27:21 - 00:13:54:22
Unknown
Infrastructure, we wouldn't do that. We'd bring experts in to do that. But one of the the real risks with the merger and acquisition is that you're inheriting someone else's i.t system, that you don't know what vulnerabilities or threats are within within their current framework. And if you're bringing those two systems together, you're potentially opening up all your data up to potentially a malicious threat there.

00:13:54:24 - 00:14:32:16
Unknown
So again, I mean, all these things come down to due diligence and understanding the risks in that infrastructure. There when you're bringing that back into your firm. And I would absolutely recommend that i.t experts are involved at that stage, particularly when you've got large datasets to ensure that that that's done safely and there's a plan around that below firms data is very sensitive in terms of the client information operations, financial information and basically if if there is a hacking scenario, it's potentially devastating for your client base fee firms reputation and also fines with the ICO as well.

00:14:32:18 - 00:14:54:07
Unknown
It's interesting. Listen, you describe that actually, because I was thinking about it from the perspective of a purchaser. And you know what due diligence she would do price completion, what sorts of warrant system indemnity she would seek. But I guess if you if you're if your settlement and you're going to release that data across to a potential buyer, you've got to make sure you've got the necessary consents to do that.

00:14:54:09 - 00:15:31:17
Unknown
And I guess you'd want some kind of assurance, some prompt detection, that the system of which that information, every chance gets installed is going to be is going to be secure. Yeah, absolutely. And that's it. That's it. The concerns on both sides of the fence really isn't there. And when you're dealing with such sensitive information. So we definitely always recommend in that situation that there is that that technical call support there on the front as well as the compliance support as well as the lawyers is that many there's there's there's armies on both sides really supporting that through.

00:15:31:17 - 00:15:58:06
Unknown
But it's got to be so, so tightly project managed. Yeah and I guess one of the consequences of it will go horribly wrong is that there's a complaint to the Data Protection Commissioner for data. It's not spread across or there's a cyber breaches can really lead to a a complaint or a disclosure that has to be made. If that happens, what sort of financial consequences which will get in terms of regulatory fines?

00:15:58:07 - 00:16:20:23
Unknown
Well, I mean, we'll all remember the the headlines from GDPR when that came in 2018 and that you know, 4% of global turnover. So yeah, yes, I mean, we were all frightened back then by the headlines, but in reality, that's those aren't the sorts of figures that we see. I think one of the in the legal space, then one of the biggest we saw was Tuckers, which is a criminal practice.

00:16:21:00 - 00:16:43:22
Unknown
They were fined around 90,000 for the breach. So it is it depends on the turnover and the severity of the of the breach really. But looking at those sorts of figures, not those sort of millions, but but again, we're back to reputation issue as well. If clients take care of that data, secure or safe, they're not going to say that.

00:16:43:24 - 00:17:09:18
Unknown
Absolutely. That and also the the the management time that's pulled into this the the the drain on is also almost an opportunity cost at that point people and that goes with any regulatory investigation or any even negligence claims and you may be able to defend those claims. But the energy that's gone into it and the distraction from when actually you should be building your business should be putting that energy into growing your business.

00:17:09:24 - 00:17:27:14
Unknown
It's a complete Zuckerberg that. Yeah, well, listen, Kate, it's been fascinating talking to you today. You kind of have this. Just want to get in touch with fun a bit to find out a bit more about what you guys do, how much it costs, of course. And most importantly, what's the best way for them to do that? Yes.

00:17:27:14 - 00:17:49:11
Unknown
So we've got our website is hiverisk.com  the whole leadership team is very active on LinkedIn as well. So please do look out for us on LinkedIn as well. We we're we're constantly giving updates and and providing our thoughts on what's happening in the industry at best. Thanks very much for joining us.

00:17:49:12 - 00:18:27:11
Unknown
Okay. Thank you. Thanks very much for listening to the daily podcast. If you've got to contact me, discuss any issues arising from this podcast or indeed any previous ones, you can contact me on - john.andrews@jmw.co.uk or my mobile number is  0768660336. Thanks for listening.