Risk in the Legal Profession

This is the final report of research commissioned by the Solicitors Regulation Authority (SRA) and carried out by BMG Research, to better understand the high-risk market developments that law firms identify and how they mitigate these, where relevant. The first stage in the process was an evidence review conducted by Frontier Economics, the outputs of which informed the focus and content of the subsequent primary research. This primary research took the forms of a survey of solicitors, and in-depth interviews with solicitors and other stakeholders. Objectives of the primary research were to understand concerns around potential risks to law firms and solicitors, and to understand how they identify and tackle risks, as well as to examine how the SRA's resources are used, and any improvements they could undergo.

Surveyed solicitors are most focused on concerns around complying with changing regulations and cybercrime, with around half of all surveyed identifying these as risks to them or their business. The former includes a wide range of regulation changes including data protection and anti-money laundering and are not necessarily SRA-related. They expect these risks to impact a range of business areas, with compliance, costs/profitability, reputation and staff coming out as most likely to be affected.

When thinking about the legal sector as a whole, cybercrime is seen by solicitors as the largest risk followed by 'lawtech and Artificial Intelligence (AI)'. The latter is also seen as the most likely to present opportunities to firms. With both of these areas, there was a sense that they pose such a high risk due to the complexity and rapid sophistication of technology which they might not fully understand yet.

Perceptions on the greatest risks vary with solicitor type, for example in-house solicitors are more likely to see lawtech and AI as concerning. There are also variations across firms of different sizes, for example firms with under £100k turnover are more likely to say that changes in client demand pose the greatest risk to them than other firms.

Both in firm-specific and sector-wide risks, reasons given for their identification include:

• the perception that a lot of work will be required to deal with these
• costs will increase
• the risks themselves are growing in sophistication or volume.

Reported confidence around risks is strong, both in terms of solicitors' ability to identify risks early, and in their general risk management process. They report that this is underpinned by robust procedures they have in place. Additionally, knowledge of who has responsibility for tackling risks is high, and those who are responsible report a range of other places they may go to for support. Despite this, there is some divide over who should identify risks, whether it should be shared equally or led by certain individuals or roles.

In line with confidence in identification, solicitors also say they are broadly prepared to tackle key risks with 95% saying they are prepared to tackle at least one of the risks they identified. Additionally, when asked about actions they had taken to prepare, two thirds had:

• incorporated risk considerations into their continuity plans
• provided internal training
• shared information about risks with staff.

Interviews further explored these actions, and found that action centred around systems and processes, bolstered by training. The level of action varies across solicitors, with SRA-regulated and larger firms more likely to have taken action compared with those working in-house.

Reported confidence and preparedness differ across different risk types, with the level of confidence, and level of preparedness considerably lower when it comes to lawtech and AI, compared to other risks. This research was based on self-reporting by solicitors, and to obtain greater insight into sufficiency of preparedness and ability, a review of actual policies and procedures would be beneficial.

Four out of five solicitors use regulators as a source of guidance on emerging risks, with legal networks and the news also commonly used resources. In-house solicitors are less likely than firms to use regulators, or other legal organisations, as a source of information.

Nearly nine out of ten solicitors have used the SRA's guidance to inform their understanding of risks. The most known and used SRA sources are the SRA's online guidance and the SRA Update e-newsletter, though all sources were found useful by those that used them.

Use of the SRA's guidance is lower amongst smaller firms and in-house solicitors, with the latter also reporting lower levels of usefulness than firms.

When asked about what else the SRA could do to help solicitors increase their confidence when identifying and managing risks, responses vary. Firms report a need for more relevant/specific guidance for certain firm types, such as smaller firms. Email is solicitors' preferred method of communication from the SRA, and the most useful format for communication is considered to be short form written information.

The findings present a clear picture of the risk landscape, from areas of concern to solicitors' confidence in their capability to handle these risk areas. It is clear that there are common areas across all solicitors that are more concerning, and where they need more support to help them identify and combat risks. Furthermore, it is also clear that some solicitor and firm types have different concerns and needs. Therefore, the SRA might want to consider looking further into tailoring guidance and communication that supports all solicitors and in turn, helps mitigate subsequent implications that would impact clients and the broader market.

This report presents findings from a research project exploring perceptions of risk in the legal sector. 

As a regulator for the legal sector, the SRA plays a key role in effectively identifying, managing and monitoring risks across the legal sector. Understanding risk is central to the SRA's role. Incorporated into the SRA's strategic objectives is the need to develop its understanding of new opportunities and challenges for the firms and organisations it regulates. Risk identification and management are relevant to the regulatory objectives, especially:

• protecting and promoting the public interest
• protecting and promoting the interests of consumers
• encouraging an independent, strong, diverse and effective legal profession
• promoting and maintaining adherence to the professional principles.

To ensure its work on risk is based on sound and relevant evidence from across the legal sector, the SRA commissioned BMG Research and Frontier Economics to conduct a multi-strand research programme with the following research objectives:

• Gather and analyse evidence from a range of stakeholders about high-risk market developments to identify the current and emerging risks facing the legal sector.
• Understand perceptions of the key emerging legal market risks and opportunities, particularly those that relate to the regulatory objectives.
• Understand the ways in which solicitors and law firms identify, understand and quantify the risks identified above.
• Understand the ways in which stakeholders currently use the resources made available by the SRA to help them with risk identification.
• Assess the ability of the regulated sector to identify and act (as relevant) on events which may quickly impact risk.
• Explore the best methods of information sharing between the SRA and stakeholders.

To meet the research objectives, BMG and Frontier Economics designed a multi-strand research programme, incorporating both secondary and primary research. This approach involved:

• an inception phase to agree the detailed approach and plan for stakeholder engagement
• an evidence review to identify and summarise relevant evidence related to risk
• a survey of law firms to assess perceptions of risk and processes to identify and monitor risk
• qualitative research (interviews) with solicitors and other stakeholders to explore issues in greater depth.

Evidence review

Frontier Economics conducted the desk-based research to identify the key areas of risk in the legal sector that have been documented, as well as any evidence available on high-likelihood and high-risk developments expected to emerge in the future. The outputs of this work informed the focus and content of the primary research.

Frontier worked closely with the SRA to identify relevant publications as a starting point. Following a detailed review of these documents, the search was extended to cover additional academic and grey literature which includes publications from private organisations, umbrella bodies, government departments, arm's length agencies and other relevant organisations.

In total, Frontier reviewed more than 40 relevant publications. Studies were categorised into thematic risk groupings, and findings were synthesised, highlighting key insights and notable gaps in understanding.

The findings of the evidence review were presented to sector experts in a workshop setting. This was used to collect feedback from stakeholders to refine the evidence review (see 'Evidence Review' annex).

Data collection methods

Quantitative and qualitative research methodologies were applied by BMG Research to gather insights from solicitors and other stakeholders.

A mixed-mode quantitative survey of solicitors working in-house, freelance and in law firms was conducted between September and December 2023. The survey was conducted online and via telephone to maximise reach and accessibility. When describing the quantitative data, we refer to participants overall as solicitors, and detail where relevant any differences between solicitors in SRA-regulated firms, freelance solicitors and in-house solicitors. A final sample of 515 solicitors took part in the survey: 384 in firms, 29 freelance solicitors and 102 in-house solicitors. Within the sample of solicitors in firms, when referring to their main role, 46% said they were partners and 18% said they were compliance officers of legal practice (COLPs). Survey recruitment was carried out through BMG and SRA communications.

Following the quantitative survey, BMG carried out in-depth qualitative interviews with solicitors, most of whom had opted in to further research following the survey, and other stakeholders who were recruited through SRA networks. When reporting qualitative data we will refer to 'participants' when findings refer both survey participants and stakeholders, otherwise we will use individual terms 'survey participants' and 'stakeholders'.

The aim of the qualitative research was to explore perceptions and attitudes to risk in greater detail. Twenty-six interviews were conducted between December 2023 and January 2024. Interviews lasted between 30-60 minutes and were facilitated by an experienced researcher from BMG. Interviews were conducted online using Zoom. An audio recording of each interview was taken and the content anonymised and added to a grid used for analysis by the BMG research team.

Informed consent was sought from participants to take part in the interviews. Participants were assured that all information provided would be treated in the strictest confidence; that BMG would not identify any individuals or disclose the personal details of those who took part; and that views stated would not be attributable to individuals. BMG's independence and impartiality from the SRA was also reiterated to ensure confidence amongst participants when sharing their views.

This research involved solicitors self-reporting on areas they perceive as concerns and opportunities, and their own perception of their/their business's confidence and preparation around these areas. Therefore, it does not encompass data covering all possible risks to solicitors or the legal sector as the research focused on the concerns solicitors themselves highlighted.

This section covers overarching perceptions around the market developments reported as posing risks to solicitors, and in what ways. It also looks at risks to the sector as a whole, including changes in the market that may lead to opportunities.

Insights from the evidence review

The key risks identified in the evidence review were grouped into the following themes:

• Economic risks. Macroeconomic uncertainty and high levels of inflation increase cost and could reduce demand for solicitors, posing risks to profitability.
• Political and regulatory risks. In the context of a fast-evolving geopolitical landscape, ensuring regulatory compliance remains key. This is found to be more challenging for smaller law firms to manage, which have fewer resources to invest in compliance. The legal sector has been assessed as high risk for money laundering exposure and government-led regulations are evolving to mitigate this.
• Consumer risks. Public trust in the legal sector remains high. However, studies have shown that more could be done to improve transparency in the sector around price, service, and quality. The literature also points to access to justice concerns relating to reductions in legal aid provision, which disproportionately affect low socioeconomic status (SES) populations.
• Firm risks. Law firms, particularly those which are smaller in size, are experiencing high staff turnover and recruitment and retention challenges. Costs have also risen at a faster pace than profits for law firms, posing challenges to profitability.
• Technology risks. Emerging technologies, such as generative AI, pose both opportunities and threats to the legal sector. Increased dependence on technology has also increased law firms' exposure to cyber risks and given rise to key questions surrounding data and ethics.

The risks identified in the evidence review informed the BMG survey design with key risks included as pre-coded responses for risks to firms and the legal sector generally. See 'Evidence Review' annex for further details of the risks identified from the desk research.

Perceptions of risks to law firms and solicitors

When asked in the online survey to choose three risks they consider of greatest concern to their organisation or firm in the next two years, 52% of solicitors chose 'other regulatory/compliance risks' (Figure 1). This term was included to intend to encompass concerns or risks not already covered by the others listed. Qualitative findings suggest solicitors choosing this option were referring to adhering to a wide range of regulations, and whether there should be more or less regulation across the market. Almost half (49%) chose cybercrime making this the most common specific risk of greatest concern to solicitors. Money laundering and inflation/increasing overhead costs were the next most commonly selected risks with 40% and 39% respectively selecting these in their three greatest risks.

Areas less likely to be considered concerning to solicitors' organisations are the international political climate, the cost and availability of business finance, and hybrid working.

Figure 1: Greatest risk to firm/organisation in next 24 months

A1. Of the changes and risks below, please select the three you consider of greatest concern to your organisation/firm in the next 24 months. 

Source: BMG Survey of Risk in the Legal Sector 2023

Cybercrime, regulatory/compliance risks and recruitment/retention challenges are all ranked in the top five risks both by SRA-regulated firms and in-house solicitors. Many firms also selected money laundering/sanctions and inflation/increasing overheads whilst in-house solicitors consider lawtech/AI and UK-wide legislation changes more concerning. Solicitors at SRA-regulated firms are more likely than in-house solicitors to say that money laundering/sanctions (46% vs. 21%), cybercrime (53% vs. 42%), and inflation/increasing overhead costs (43% vs. 25%) are of greatest concern to their firm, and less likely to cite UK-wide legislation changes (10% vs. 27%) and lawtech/AI (15% vs. 33%). In-house solicitors are also more likely than firms to consider the greatest risks to their firm/organisation as international political climate (14% vs. 4%) and UK-wide legislation changes (27% vs. 10%).

COLPs are more likely than average to cite money laundering/sanctions (59%), cybercrime (63%) and recruitment and retention challenges (41%) as the greatest risks to their firm. They are less likely to choose changes in client demand (16%) and UK-wide legislation changes (2%).

Smaller firms, with under £100k turnover, cited inflation and changes in client demand as their top concerns (each 51%) followed by regulatory/compliance issues (49%) and cybercrime (40%). Client demand is a higher risk amongst small firms than for any other size - and an inability to keep up with these changes could indicate potential volatility in the market if clients cannot find the services they need and look to non-regulated alternatives. Small firms are also more likely than other firms to mention cost/availability of business finance (17%) as a concern. Large firms with over £10m in turnover say that cybercrime (62%) and money laundering (58%) are of most concern. Cybercrime is also seen as a risk more in those between £500k and £10m turnover compared to small firms (58% vs. 40%).

Similar findings for large firms are noted in the evidence review. The PwC (2023) law firms survey finds that cyber risk continues to be a key area of concern among large corporates, with 85% (up from 75% in 2022) of the Top 100 firms citing that they are extremely or somewhat concerned that cyber threats will stop them meeting and/or exceeding their firm's ambitions in the period from now until the end of financial year 2025. Similarly, in the LexisNexis survey (2023), cybersecurity is among the top five challenges identified by small law firms, with 78% of respondents finding it a quite or very significant challenge.

The evidence review further shows that smaller law firms seem to find regulatory compliance more challenging than larger firms. Regulatory compliance was among the top five challenges for small firms surveyed by LexisNexis (2023), 78% of whom reported the continuing demands of compliance with regulations quite or very significant. In contrast, regulatory compliance was not among the major challenges identified by the Top 100 firms surveyed by PwC (2023).

In our survey, a fifth of solicitors mentioned other risks to their firm beyond those presented to them, and of these, the most commonly mentioned were the cost of professional indemnity insurance (20%), a lack of SRA support (19%) and a burden of over-regulation/administration/compliance (13%).

The most common reasons given for considering areas as risks, were that they will require a lot of work or effort to handle (20%), the risk itself is increasing in volume or sophistication (20%) and the risk will lead to increased costs, or reduced profit margins (17%). Reasoning varies depending on which different risks are cited, for example where regulatory/compliance risks were chosen as most concerning, the respondents felt that it would create a lot of work is a primary reason (34%). For cybercrime, the prominent reasoning is that it is increasing in sophistication and volume (37%).

The perceived risk of reduced profit margins is complemented by data in the evidence review which indicates that in the US, Thomson Reuters (2023a) estimated that an average lawyer in 2022 produced $98,000 less than their counterpart in 2007.

Areas of business impacted by risks

When looking at the areas of business likely to be impacted by each risk, there are variations and patterns. There are some risk areas which are seen as likely to have a broad impact, for example, of those selecting money laundering/sanctions, other regulatory/compliance risks, and cybercrime as key risks, over a third said that the risks would affect all of the areas shown (40%, 35%, 41% respectively) (Figure 2), covering compliance, staff, reputation, fees, services, leadership and marketing areas of the business.

Other risks are far more likely to be associated with a particular area, for example hybrid working and recruitment/retention challenges are closely linked with impacts on staff (74%; 61%) (Figure 2). Similarly, inflation and increasing overheads and the availability and cost of business finance are both seen as more related to fees and profitability. In fact, fees/profitability is the area that solicitors see as most impacted across the highest number of risk areas (6 of 12).

Figure 2 also shows that, for money laundering and regulatory/compliance risks, the greatest perceived impact on a specific business area is on compliance with professional or ethical duties (39%, 37%). For cybercrime, reputation is seen as the area most likely to be impacted (41%). When it comes to lawtech and AI, solicitors place a few business areas as likely to be most affected, with the types of services offered, fees, and staff all with high proportions (42%, 41%, 40%).

Figure 2: Areas of business likely to be impacted by each risk

Source: BMG Survey of Risk in the Legal Sector 2023

Interviews with survey participants and stakeholders gave additional depth to reasoning behind the perceived risks. For example, some saw money laundering as a great risk - particularly for those working in conveyancing and handling large sums of money. Others felt that solicitors and firms were very aware of this and so well-equipped to identify and manage it.

'Understanding and training around these risks [money laundering] has become almost second nature.' (In-house solicitor)

'[…] every staff meeting starts with money laundering, going through just who is my client, where is the money coming from, why are they instructing me and are they who they said they are.' (Freelance solicitor)

Comparatively, cybercrime was discussed in interviews as more threatening, due to it being seen as complex and niche, requiring expert attention, and because of the impact being potentially widespread, and pervading all types of firms and clients.

'Cyber is a big risk because (a) it can shut you down immediately, (b) it costs a lot of money and (c) it is constant.' (Partner, SRA Regulated Firm, turnover £30-70M)

'Everyone is terrified about it [cybercrime] as it can affect anything in the firm. We had one attack and were able to deal with it, it did not affect any of our clients, but it showed how easy it is for someone to click on the wrong thing.' (Partner, SRA Regulated Firm, turnover £3-10M)

'There's lots of guidance and understanding around AML [anti-money laundering] but this is less the case with cybercrime because of the technicality of the area and you cannot identify the risk because you don't understand what is out there […] If you don't know the subject matter, you don't know what risks are in that subject matter.' (Partner, SRA Regulated Firm, turnover £500K-1M)

While inflation and increases in overhead costs were less frequently discussed, compared to the risks described so far, it was often touched upon when discussing other risks such as cybercrime (i.e. the cost of cybersecurity).

When discussing lawtech and AI in interviews, some participants felt that the SRA and the Law Society perhaps sent an overly positive message, in contrast to participants' caution. While they felt AI and lawtech offered benefits, they also acknowledged its possible disadvantages. One concern was that clients might rely on AI or lawtech to produce legal documents which clients would then not have the knowledge to quality assure.

'There are programmes that draft legal documents, that produce garbage but lay people might not understand that it is wrong […] The documents that are created look like intelligent garbage and clients use them as a substitute for lawyers.' (Partner, SRA Regulated Firm, turnover £150M+)

Like cybercrime risks, it also transpired that participants were not necessarily aware of intricate details of AI, which increased their feelings of perceived risks surrounding it.

'I consider AI a big risk because I don't fully understand it, and I think many people don't.' (Sole-practitioner, SRA Regulated Firm, turnover £200-500K)

While the data do not allow for exploration of how participants define AI, it is worth noting that interviewees often used the terms AI and lawtech (and sometimes 'cyber') interchangeably. This potentially suggests that it is not always clear to people what the exact terminologies mean or what their boundaries are.

Given the importance of 'regulatory and compliance risks' in the survey, it is surprising that very few concerns were raised in the interviews around this. Those that did address regulatory and compliance risks predominantly focussed on the need for firms and individuals to ensure they understood the rules and regulations that applied to them. In relation to this, some participants expressed the need for other professionals (eg paralegals) to also be regulated to a certain degree.

Perceptions of risks to the legal sector

To gain a broader sense of risk perceptions in the sector, solicitors in the survey were asked again about the market developments posing the greatest risk, this time to the legal sector as a whole.

Cybercrime is perceived to be the greatest risk overall to the legal sector (43%) (Figure 3), followed by lawtech and AI (36%), which is seen as much greater risk to the sector as a whole than it is to solicitors' own business (ranked 2nd compared to 7th). Money laundering/sanctions, inflation and other regulatory and compliance risks are also seen as posing some of the greatest risks by around a third of solicitors (33%; 33%; 32%).

As seen for individual businesses, hybrid working, political climate, reputation and business finance are of less concern to the profession.

Figure 3: Greatest risk to legal sector in next 24 months

Source: BMG Survey of Risk in the Legal Sector 2023

There is generally less variation across solicitor and firm types when looking at risks to the broader sector than seen when solicitors think about their own business. Where there is variation, it is in the same areas as noted above, for example firms are more inclined to see money laundering and cybercrime as risks than in-house solicitors (38% vs. 18%, 48% vs. 26%) and less likely to say lawtech/AI (29% vs. 58%). Firms with £10m+ turnover see money laundering as a risk to the sector (46%) and those with between £500k and £10m turnover are more likely to cite cybercrime (51%), inflation (42%) and recruitment challenges (28%).

When giving the reasoning for their choices here, one in five solicitors referred to the same factors as those for risks to their business. The key reasons are, again, increased costs and reduced profitability that a risk might cause (22%), the increasing volume and sophistication of the risk (17%) and the creation of a lot of work due to the risk (14%). Those choosing cybercrime as one of the greatest risks to the sector were more likely to indicate increased volume/sophistication reasons (35%), and those choosing lawtech /AI were more likely to cite the potential elimination of jobs (26%).

In qualitative interviews, further thoughts about some of these risks, and how they interlink, came to the fore. Changes in client demand for services were felt to increasingly encompass clients' expectations that solicitors have AI technology. This meant that clients would expect work to be done more efficiently, with faster turnarounds and lower costs. As a result, some participants felt that practitioners would have no choice but to introduce AI to their business in a safe and secure way. Consequently, this introduction and evolution of AI could potentially disrupt the profession by widening the gap between firms that were able to invest in it and firms that were not. Some participants shared the same concerns about cyber and IT security in general.

'I think AI is a good thing and really exciting. One of the risks I perceive is a growing gap between haves and have nots […] It has the potential to disrupt the profession […] because it has the potential to widen the gap between the magic and silver circle firms who can afford that investment and those firms who simply cannot. This could create a two or even three tier legal profession which the SRA needs to be cognisant of.' (Partner, SRA Regulated Firm, turnover £30-70M)

'The future of the profession is somewhat compromised by the fact that small firms might not be able to pay for the needed cybersecurity and IT security.' (Sole-practitioner, SRA Regulated Firm, turnover £20-100K)

Some survey participants and stakeholders voiced concerns that AI and lawtech could potentially lead to deskilling in the legal sector. They said that inexperienced lawyers could for example use AI to do some of 'the work for them'. In addition, it was felt that solicitors and other lawyers could become devalued when they were compared with lawtech or platforms that were highly marketed, but did not necessarily yield the same legal quality as work done by lawyers.

'As I understand it, there could be a risk of deskilling because it works worst where you have inexperienced lawyers who are using it as a crutch to do the research for them. I think there is the risk of significant deskilling within the legal sector and if a computer can do it just as well as a lawyer because the lawyer is deskilled then that devalues the presence of a lawyer in any transaction.' (Partner, SRA Regulated Firm, turnover £30-70M)

'These platforms have good marketing and tend to work with clients who don't necessarily 'know better'. The challenge as a profession is that solicitors are not being championed in a way that they should be.' (Partner, SRA Regulated Firm, turnover £150M+)

According to some participants there was also the risk that cyber and digital systems could be easily 'taken out or destroyed' (either on purpose or by accident). When relying on digital systems, participants felt this was a vulnerability to firms – potentially leaving them unable to access the data they needed.

'If you rely entirely on digital…we have had several instances of the computer systems simply not working and it includes security, which means you can't get in or out of the building…' (Partner, SRA Regulated Firm, turnover £1m-£3m).

Perceptions of opportunities

When solicitors were asked to identify which market developments might present the greatest opportunities for their firm, lawtech and AI was chosen by a third (34%) (Figure 4), with changes in client demand and hybrid working the next most common areas considered as opportunities (30%; 28%). Just under one in five (19%) solicitors did not think any market developments presented an opportunity.

SRA-regulated firms (33%), and particularly those with over £10m turnover (44%), were more likely to see changes in client demand offering opportunities than other groups. The latter are more likely to identify lawtech/AI as an opportunity than small firms (50% vs. 21%) while in-house solicitors are more likely to say lawtech compared to firms (51% vs. 30%).

Figure 4: Greatest opportunity to firm/organisation in next 24 months

Source: BMG Survey of Risk in the Legal Sector 2023

Again, when asked for reasons for their choices, responses are varied with the most common being that the opportunities would improve efficiency (11%), would open up new markets and clients (13%), and would assist in recruiting or retaining staff (10%). Reasoning also differs across opportunity areas, with efficiency (23%) and opening up new markets (26%) named more often where lawtech/AI is seen as an opportunity, and recruiting/retaining staff (22%), money saving (10%), and more flexibility (17%) all mentioned as reasons where hybrid working is named. The finding that AI may present an opportunity for many solicitors is supported by the evidence review which found further data to suggest AI is viewed as a positive prospect by lawyers. Thomson Reuters (2023) found that 58% of UK lawyers surveyed were positive about the prospect of AI being used widely at work. They believed that AI would help their firm most by:

• increasing productivity (77% thought this)
• improving the efficiency of internal processes (70%)
• improving communication with clients (50%)
• however, 33% believed that it would increase competition from new market entrants and 32% expect AI to hamper recruitment and retention.

This section explores attitudes solicitors have to the risks discussed, including how aware, confident and prepared they are in relation to these. It also covers responsibility for risks and actions taken to combat them.

Insights from the evidence review

Findings from the evidence review suggest a variation in firms' awareness, preparedness and activity in relation to the key risks highlighted in the previous section. Smaller firms are found to be more exposed to some risks compared to larger firms.

• Economic. Evidence consistently suggests that law firms have a high awareness of current economic risks. Recent evidence shows that the legal sector has demonstrated economic resilience, with firms focussing on cost reductions and staff productivity.
• Political and regulatory. Large law firms are found to rely significantly on legal technology to manage compliance risks, for which smaller firms lack the capacity. Similarly, small and medium firms have fewer resources to implement certain anti-money laundering procedures than large firms, and as a result may more frequently struggle fail to keep up with regulatory updates.
• Consumer. Regulatory requirements have improved price and service transparency in the legal sector in recent years; however, variation in the quality and presentation of information means that a lack of clarity for consumers remains an issue. Solicitors recognise the severity of issues relating to legal aid provision but lack the ability to address it without government support and a significant increase in funding to ensure sustainability in the long run.
• Firm. Findings suggest that law firms are highly concerned about the attraction and retention of talent. Firms have attempted to increase appeal by raising salary offerings and establishing mental health policies. Firms are also concerned about rising costs in the context of falling demand. While small firms seem to struggle more with client retention, some have sought to implement alternative solutions, such as offering flexible payment options or seeking borrowing options.
• Technology. Large firms tend to have a closer understanding of new technologies and are more able to identify opportunities, such as increased efficiency with AI usage. However, adoption of new technologies is found to be low in the legal sector overall. Cybersecurity remains a key area of concern for the legal sector, with smaller firms appearing less equipped.

Findings from the evidence review informed the design of the questionnaire, with awareness, preparedness and action taken all identified as key issues to explore in the survey. See 'Evidence Review' in annex for further details of firm awareness, preparedness and activity highlighted by the desk research in response to key risks.

Identifying risks

To better understand perceptions of risk, survey respondents were asked how they keep up to date with information or guidance about emerging risks facing, or likely to face, them as legal professionals. Among the top sources of information about risk are regulators such as the SRA (83%), networks of legal professionals (70%) and the news (65%) (Figure 5).

Figure 5: Sources of information and guidance about emerging risks

Source: BMG Survey of Risk in the Legal Sector 2023

Regulators are more likely to be used for information and guidance on risks by SRA-regulated firms (91%) than in-house solicitors (57%) (Figure 6). In-house solicitors are also less likely to use other legal services organisations (22% vs. 35% of firms).

Figure 6: Sources of information and guidance about emerging risks by type of solicitor

There is little variation in how firms of varying sizes (based on turnover) source information and guidance on emerging risks. Firms with a turnover of less than £100k are as likely (94%) to use a regulator as a source of risk-related information as firms with £10m+ turnover (94%). Qualitative findings suggested that solicitors view resources as complementary to each other, and some participants highlighted the importance of experience and intuition, believing that common sense could help in the identification of risks. 

'If something doesn't smell right, that's usually a good indicator that something is not right.' (Partner, SRA Regulated Firm, turnover £500K-1M)

In addition to identifying sources of information and guidance on risk, survey respondents were asked how confident they are that they can identify risks early, on a scale from very confident to not at all confident. Overall perceptions of their own confidence are strong with a majority saying they were confident they could identify early the risks of greatest concern to them/their firm. Confidence is highest for early identification of money-laundering/sanctions risks (96%), legislation changes (92%) and risks to reputation and brand management (91%) (Figure 7). Confidence levels drop, however, for the risks posed by lawtech and AI (66%).

Figure 7: Confidence in early risk identification by type of risk

Source: BMG Survey of Risk in the Legal Sector 2023

The qualitative data indicate two key reasons why confidence levels around AI and lawtech might be lower:

• The availability of information and guidance is greater around some risks (such as money laundering) than others (eg cybercrime).
• AI, lawtech and cyber all sat within a field (technology) that participants referred to as being 'more technical' and 'specialised', with many seeking expert advice to ensure risks in this area were being managed appropriately.

Levels of confidence in early risk identification did not vary greatly between different types of solicitors. However, regulated firms are significantly more confident than in-house solicitors in their ability to identify cybercrime (87% vs. 74%) and recruitment and retention challenges (90% vs. 58%) early. This is possibly because it is not the in-house solicitors' role in their organisation to do so – but this still suggests an area of these organisations that may be vulnerable to a cyber-attack. This could leave this section of the market more vulnerable to business disruption, for example through a cyber-attack or, in terms of retention and recruitment, losing staff to other businesses.

The qualitative interviews revealed some variation around identification, for example sole practitioners and smaller firms considered that their size removed a lot of risk around managing people and gave a better overall view of risks. On the other hand, larger firms may benefit from their size in terms of capacity for training and procedures.

'In some ways small firms are safer as you would like to think you can notice and stop something as there is less overall to monitor and fewer staff to make mistakes.' (Partner, SRA Regulated Firm, £4-10M)

'In bigger firms, there is probably a better degree of training about risk […] The risk to independent or sole practitioners operating on their own is they could just let that slide.' (Freelance Solicitor)

'The real risk I see for law firms are the people and managing people […] working on my own, the risk is far less than when I was working as one of many.' (Sole-practitioner, SRA Regulated Firm, turnover £200-500K) (Freelance Solicitor)

Qualitative interviews demonstrated that having policies and guidance in place is key to helping identify risks.

It appeared that firms had usually created their policies based on guidance from the SRA and the Law Society, however it was noted that in terms of IT and cyber security, specific expert advice was often sought.

'I have instructed an external cybersecurity team of IT experts to do it for me, to find the policy that's right and which they've now implemented to find the highest security that can be put in place and to find the best that's on the market […] You have to turn to experts like that, I think, because they know more about what's available on the market than we're ever going to do.' (Sole-practitioner, SRA Regulated Firm, turnover £20-100K)

'We have policies, and we have a risk committee, and we meet regularly and we, on the back of that, we put training in place, and we change our systems […] But with cybercrime, in particular, it is all very technical and so we need to get advice and source that from third parties […].' (Partner, SRA Regulated Firm, turnover £500K-1M)

Responsibility for risks

Survey respondents were asked who in their organisation would have responsibility for tackling any of the risks cited in the survey. Most (67%) respondents said they themselves are responsible (Figure 8) and 18% say a colleague is responsible. Almost all (96%) sole practitioners said that they had responsibility, as did 76% of partners in firms and 66% of those who said they were COLPs within firms. Overall, 78% of respondents in SRA-regulated firms said that they were personally responsible but this fell to 19% among in-house solicitors. More than half (56%) of in-house solicitors said that a colleague was responsible but only 10% of respondents in firms said this. In-house solicitors are also more likely than average to say they do not know who is responsible (9% vs. 3%) and that an external body is responsible (4% vs. 1%).

Figure 8: Responsibility for tackling immediate risks

Source: BMG Survey of Risk in the Legal Sector 2023

Respondents who say they are responsible for tackling immediate risks to their organisation were asked where else they would go for assistance or information. Seventy-six per cent say they would go to a regulator such as the SRA (Figure 9), 51% would go to another colleague in their organisation, 47% to a network of other legal professionals and 46% to an external body such as a consultant.

Figure 9: Sources of assistance or information for those responsible for tackling risk

Source: BMG Survey of Risk in the Legal Sector 2023

Solicitors in larger firms with £10m+ turnover are significantly more likely to speak to a colleague when tackling risks (93% vs. 51%), more likely to speak to an external body (63% vs. 46%) and more likely to speak to another law firm (53% vs. 34%).

Where respondents say a colleague is responsible for tackling immediate risks to the business, compliance officers are the most common colleague identified (21%) (Figure 10%), followed by directors (19%) and CEOs (17%).

Qualitative interviews revealed a mixed picture in terms of who does and should manage risk. On the one hand, participants referred to the risk committee, the managing partner, risk and compliance officers and the SRA, sometimes in combination with mentioning the need to involve IT staff. On the other hand, it was noted that individuals carry their own responsibility for risk, and ultimately individuals decided whether or not to follow guidance and updates.

Figure 10: Colleagues with responsibility for tackling risks

Source: BMG Survey of Risk in the Legal Sector 2023

The interviews also revealed that often people in certain positions (eg COLP) would share the necessary information, guidance and updates with individuals at the firm, but ultimately it was each individual's decision whether or not they would follow this.

'It's up to me to give people the tools, but then it is up to them to use them and go and discuss those with me if needs be. The fact people are doing this, gives me confidence.' (Partner, SRA Regulated Firm, turnover £500K-1M)

'Lawyers, I think, don't want to be told what to do […] It's in the nature of them being lawyers trained to question everything […] You can tell them, but getting them to follow it I think is something else entirely.' (Sole-practitioner, SRA Regulated Firm, turnover £200-500K)

Owners of smaller firms described how they would likely feel a greater responsibility for risk than those working at the firm.

'All you can do is just keep track of everything that everyone's doing at all times and drum into them over and over, you must get this before we take money […] They don't always listen, well they listen, but they don't always follow it.' (Sole practitioner, SRA Regulated Firm, turnover £20-100K)

One participant further added that, perhaps more important than asking 'who' is responsible for risk, is the fact that 'someone' needs to own the responsibility around risk. Owning that responsibility also entailed measuring and managing the risk.

Tackling risks

Survey respondents were asked how prepared they/their firms are to tackle the risks they identified, on a scale of 'very prepared' to 'not at all prepared'. It did not set out or attempt to test this preparedness but understand their own view on it.

Reported levels of preparedness are strong, particularly for those who identified money laundering/sanctions (97%) and cybercrime (94%) as risks (Figure 11). However, as noted with early risk identification, reported preparedness drops when specific to lawtech/AI 56%).

Figure 11: Confidence in preparation for risk to firms/organisations

Source: BMG Survey of Risk in the Legal Sector 2023.

This lower level of confidence around lawtech /AI as seen here, and in lower confidence in identification of these risks, could mean that solicitors would miss out on positive opportunities that these areas pose, and prevent them from being able to help support clients who are trying to use AI to do things themselves. There is also the chance that unregulated organisations offer competing services using this technology and not only could solicitors lose clients, but these clients could also be put at risk.

Solicitors in SRA-regulated firms are more likely than in-house solicitors to say they are prepared to tackle recruitment and retention risks (80% vs. 48%). Other than this there are no differences in preparedness across solicitor types or firm sizes. Findings from the evidence review show that smaller firms appear to be less equipped to deal with risks such as cybercrime. This may be attributed to a 'cyber skills shortage', and small firms may struggle to attract and retain key staff with the right skills and experience in order to support the delivery of an effective cyber security strategy.

A small minority (5%) solicitors did not say they were prepared to tackle at least one of the risks they identified. This was 4% amongst solicitors in SRA-regulated firms, and 6% amongst in-house solicitors. There is little difference across firm sizes, with those in a firm with under £100k turnover at 2%, and those with £100k-£10m turnover at 4%.

Those respondents who said they were prepared to tackle at least one risk were asked what actions they had taken to prepare. A majority of respondents perceiving themselves as prepared have incorporated risk into their business continuity plans (65%) (Figure 12), have provided specific training internally (63%) and shared information with staff (62%). Forty-six per cent have had specific training delivered externally and 22% have shared information with clients.

Figure 12: Actions taken to prepare for risks

Source: BMG Survey of Risk in the Legal Sector 2023.

A notable variation in levels of preparation is seen between sizes of firm. Firms with a turnover of £10m+ are significantly more likely than those with a turnover under £100k to have taken actions such as providing internal training (94% vs. 39%) (Table 1), sharing information with staff (90% vs. 17%) and incorporating risk into business plans (86% vs. 59%). The table below shows differences against the total, with green highlighted cells indicating significantly higher than the total and red indicating significantly lower than the total.

You said you are prepared to tackle at least one risk. What actions have you taken to prepare? Significance against total. Base: Those who said they are prepared to tackle at least one risk: Under £100k (46) * £100k-£500k (115) £500k-£10m (132) £10m+ (49) *

Table 1: Risk preparation action taken by size of firm (by turnover). *Low base

Action taken	Under £100k* (46)	£100k-£500k (115)	£500k-£10m (132)	£10m+* (49)
Incorporated risk into business continuity plans	59%	61%	70%	86%
Specific training provided internally	39%	47%	80%	94%
Specific training provided externally	37%	43%	64%	53%
Shared information with clients	17%	20%	31%	33%
Shared information with staff	17%	63%	80%	90%

Another notable variation in risk preparedness is seen between the types of risks identified. As shown in the table below (Table 2), participants who identified money laundering/sanctions as a risk are significantly more likely to say they have taken all listed actions to prepare for this risk. Almost all actions have also been reported to be taken in preparation for the risk posed by cybercrime. Conversely, participants who identified changes in demand for client services as a risk to their organisation are significantly less likely to have taken actions to prepare for this risk.

Table 2: Risk preparation action taken by risk identified

Risk to firm	Specific training provided internally	Specific training provided externally	Shared information with clients	Shared information with staff	Incorporated risk into business continuity plans
Total (491)	63%	46%	22%	62%	65%
Money laundering/sanctions (203)	75%	58%	28%	71%	71%
Other regulatory/compliance risks (254)	62%	47%	22%	59%	61%
Cybercrime (246)	73%	53%	24%	71%	72%
lawtech and Artificial Intelligence (92)	64%	40%	23%	58%	63%
Inflation and increasing overhead costs (193)	57%	43%	19%	59%	67%
Changes in client demand for services (133)	41%	37%	20%	45%	51%
Recruitment and retention challenges (141)	71%	47%	17%	72%	67%
UK-wide legislation changes (71)	52%	39%	21%	59%	59%

When preparedness and actions related to tackling risks were discussed in qualitative interviews, two main areas emerged, focusing on systems and processes, and regular training – mirroring the top actions reported through the survey.

Systems and processes typically evolve from policies and guidance and might involve areas such as a 'checklist' or risk assessment that needed to be completed when on or offboarding clients. Some participants also used programmes (eg LEAP, Tessian, Lexcel) which flagged issues such as late payments that could impact on cashflow or potential cyber risks. Meanwhile, others backed up all their data at night to minimise the risk of losing data.

While systems and processes were invaluable, some participants noted that they were cautious about the systems they relied upon and would rigorously examine suppliers eg when sharing client data, to ensure the supplier was safe to use and signed off by the IT department.

'I've put a process in place which makes me answer questions, makes me think about it and document it and then put it on the file so it's one thing to have policies flying, but you [have] got to operationalise them.' (COLP, SRA Regulated Firm, turnover £3-10M)

'Each time a file is started, a risk assessment is carried out both in relation to money laundering and in relation to 'risk' on the file to practice.' (Freelance solicitor, Outside the UK)

Training around 'risks' was not limited to solicitors or lawyers, but often included all staff at a firm. For example, it was noted that receptionists were also very much at risk eg of cybercrime and therefore received training too.

Some participants described how training could be tailored, for example, based on phishing exercises that had taken place at the firm. Training could entail both internal as well as external training and learning also took place by attending (external) webinars. However, in response to the question of whether they felt prepared for risks, some felt inadequately prepared for risk and/or that no training could prepare them beyond sharing what the law and red flags were.

'There's no training to prepare for risks, you get what the law is and the red flags but that relies on people to be prepared and identify [them].' (Partner, SRA Regulated Firm, turnover £500K-1M)

Risk management

Survey respondents were asked to reflect on their organisation's approach to risk and rate their confidence on their general risk management process. As in other survey questions, this confidence is self-reported, and the survey did not attempt to test the confidence or the firms' processes themselves. Overall, 87% of respondents report they are confident in their risk management process (Figure 13), which includes 27% who are very confident. Just 2% say they are not confident and 10% say they are neither confident nor unconfident in their risk management process.

Figure 13: Confidence in general risk management process

Source: BMG Survey of Risk in the Legal Sector 2023.

Reported confidence is significantly higher among SRA-regulated firms than in-house solicitors (91% vs. 75%). There is limited variation in the levels of confidence between different sizes of firm, but firms with a turnover of £10m+ are significantly more confident than firms with between £100k and £500k turnover (98% vs. 87%).

Respondents who said they are confident were then asked why they feel this way. Twenty-three per cent of solicitors say this is because they have robust procedures/policies in place, 19% hold regular meetings, review or audits, and 12% said they are confident because they provide staff training and keep their staff updated on risks.

Interview participants noted that risk cannot be eliminated entirely, but firms can try to mitigate it as much as possible. Some participants had used consultants to run penetration tests on their platforms to spot vulnerabilities.

'You can never get rid of risk, you can only try to ameliorate it as much as possible […] Problems or issues usually arise when people are multitasking and perhaps not thinking twice about clicking on an email.' (Partner, SRA Regulated Firm, turnover £3-10M)

It was also clear from discussions that, to some, risk management also meant the ability to recover from adverse events (eg being able to recover data after the system has been disrupted).

'They [paralegals] don't behave like regulated people and I had problems with them because compliance doesn't matter as much to them. When one is regulated, the regulator sits on your shoulder like an 'invisible' and feeds into the way you operate. This is not the case among non-regulated people, their mindset is different.' (Sole-practitioner, SRA Regulated Firm, turnover £20-100K)

'Risk is always there, and you never quite know where it is going to come from or how serious it's going to be, but I'm confident that everyone is alert, and we can recover from it.' (Partner, SRA Regulated Firm, turnover £500K-1M).

This section looks into the position of the SRA and its guidance in terms of supporting law firms and solicitors with risk identification and management both relating to experience of using the SRA's guidance and where it might be improved.

Solicitors were asked about their awareness and usage of specific SRA resources. Awareness is highest for both SRA guidance (94%) and SRA Updates (95%) but far lower for Risk Outlook reports (65%) and Thematic reports (57%) (Figure 14). Usage follows a similar pattern, with over four fifths saying they have used SRA guidance and SRA Update resources (81%; 83%), while just 43% have used the Risk Outlook reports and 34% Thematic reports.

The vast majority of solicitors reported to have used any sources of information provided by the SRA (88%). This increases to 94% amongst solicitors in firms, and 100% in firms with over £10m turnover, as well as amongst COLPs. It is lower, at 68%, for in-house solicitors.

Figure 14: Awareness and usage of the SRA’s guidance

Source: BMG Survey of Risk in the Legal Sector 2023

Across each of the SRA's resources they were asked about, in-house solicitors are more likely to be unaware of them and therefore are less likely to have used them. Firms with £500k-£10m turnover, and those with over £10m turnover, are also consistently more likely to have used these resources. For example, even the least used resource, Thematic reports, which had been used by 34% solicitors overall, has been used by 47% of those in firms with £500k-£10m turnover and 74% of those in firms with £10m turnover.

All resources are considered useful by most solicitors who had used them, with SRA Update and SRA guidance resources showing slightly higher levels of solicitors saying they are very useful (39%, 42%) (Figure 15).

Figure 15: Usefulness of SRA resources

Source: BMG Survey of Risk in the Legal Sector 2023

The only differences between solicitor types here are that both the SRA's guidance and SRA Updates were considered more useful by SRA-regulated firms than by in-house solicitors (90% vs. 78% and 92% vs. 81%).

Half of solicitors said they do not know what else the SRA could do to help them feel more confident in identifying and managing risks. In-house solicitors are even more likely to say this at 68%.

Of those who did share ideas, the most common suggestions were having more relevant, specific or targeted information, as well as more collaborative and supportive working (17%; 16%) (Figure 16), followed by training (12%), clear and simpler guidance (10%) and providing case studies or examples (6%).

Figure 16: Desired actions from the SRA

Source: BMG Survey of Risk in the Legal Sector 2023

There were no differences between solicitor types here in the survey, but qualitative interviews provide a more nuanced insight. Some participants - predominantly in-house lawyers – in the qualitative interviews did not feel supported in their role by the SRA. Future research might usefully explore whether this feeling comes from in-house positions being situated in a non-regulated industry or if other factors are at play. Some solicitors also alluded to the feeling that the SRA was not necessarily there to 'help' or 'support' them but rather to 'police' them. Furthermore, a few participants felt that the SRA did not treat all firms with the same scrutiny. Participants believed that the SRA 'came down harder' on smaller firms compared to bigger, well-known firms.

Suggestions were given about areas in which the SRA could potentially play a greater role, including:

• Increasing its focus on corporate commercial firms as well as sole-practitioners and freelancers.
• Ensuring rules and regulations were followed by small and big firms.
• Highlighting and emphasising issues, and subsequent risks, that can be related to home working.
• Providing guidance on post-employment restrictions to protect firms when staff leave and join another firm, become a sole-practice or go into consultancy.
• Improving guidance and clarity around cyber security, including an indication of the level of security firms need and a list of approved systems.

Preferred communication methods

In terms of preferences around SRA information and guidance, the clear preference is for email with four out of five solicitors in the survey saying this is how they would like to receive information (82%) (Figure 17). A newsletter is also a popular option with 56% of solicitors selecting this. Letters and social media are the least preferred ways of receiving information from the SRA (both 9%).

Figure 17: SRA communication channel preferences

Source: BMG Survey of Risk in the Legal Sector 2023

All types of solicitors prefer email communications. Those in larger firms with a turnover of £10m are more likely than other firm sizes to want a newsletter (72%), as are those in SRA-regulated firms (59%) compared with in-house solicitors (45%).

There are also clear preferences about the format in which information is shared. Nearly two thirds of solicitors said that short written information such as posters or leaflets would be most beneficial (64%) (Figure 18). Half would also want to see live webinars (50%). Infographics were the least preferred information sharing format, with just 18% of solicitors considering this as beneficial.

Figure 18: SRA communication format preferences

Source: BMG Survey of Risk in the Legal Sector 2023

Short written information formats are more favoured by firms with under £100k turnover (83%) but less favoured by in-house solicitors (54%). The latter group are also more likely to see infographics as beneficial (26%). Firms with over £10m turnover are more likely to say they would prefer to have long written information (52%).

Qualitative participants echoed these findings, with email being preferred. The desired frequency of communications differed, with some citing information overload that can come with too much communication and some wanting as much information as possible.

'It's better to have too much information, than not enough information.' (Freelance solicitor)

'I'm linked up to them all, but I sometimes wonder if I would be better off not being linked up to getting all their alerts and all their highlights because it's just constant […] The SRA churn out stuff all the time.' (Freelance solicitor)

In this section we reflect on the findings of the research in relation to each of the research objectives. This section also suggests actions that could be taken to address the findings, draws out implications for the market and suggests further research that could complement the findings.

Understand perceptions of the key emerging legal market risks and opportunities, particularly those that relate to the regulatory objectives.

Overall, the risks rated of most concern to surveyed solicitors are regulatory and compliance risk, and cybercrime. The former encompasses concerns around adhering to changing regulations and guidelines and remaining compliant. Cybercrime is also seen as posing the greatest risk to the sector as a whole, with the fast-moving nature of the threat and cost of addressing it driving concerns, while lawtech and AI is seen both as a risk and an opportunity by large numbers of solicitors. Solicitors acknowledge challenges in understanding issues around AI and recognise potential risks for clients of AI being used in place of services provided by qualified professionals. Cybercrime, law tech and AI are challenges that have implications for several aspects of the regulatory objectives including protecting consumer interests and encouraging an independent, strong, diverse and effective profession.

Small firms were significantly more likely to see inflation and increased overheads, and changes in client demand as risks of greatest concern, suggesting potential economic vulnerability among these firms which could have implications for access to justice and the maintenance of a strong and diverse legal profession. Hybrid working, business finance and international political climate were rarely seen as major risks. Solicitors perceive the risks to their own firms to have impact on a range of business functions, including finances, staff, and compliance.

Understand the ways in which solicitors and law firms identify, understand and quantify the risks identified above.

Sources used for keeping up to date with risk guidance are varied, with regulators, legal networks and the news all used by a majority of solicitors to help identify or understand risks. There is a clear sense of responsibility amongst solicitors, and a knowledge of where to get further guidance to help assess the risks. Solicitors broadly demonstrate perceived confidence in their, or their firm's, ability to identify risk. Although identification of lawtech and AI risks is a notable exception raised in both the survey and evidence review. This indicates a lack of understanding of these fast-developing areas, presenting a gap for provision of information and advice. This has implications for the market as solicitors may not be well-positioned to harness benefits for their own firms or for clients in terms of efficiency or range of service offering for clients. There may be greater competition from unregulated legal service providers using lawtech and AI which might create additional risk for clients.

The findings revealed some differences by role and type of firm, for example with in-house solicitors less confident in identifying cybercrime than SRA-regulated firms and challenges identified by smaller firms in addressing concerns such as regulatory requirements. This suggests that tailored guidance that is specifically targeted to different types of solicitor or firm may be helpful.

Understand the ways in which stakeholders currently use the resources made available by the SRA to help them with risk identification.

In addition to the finding that four out of five solicitors use regulators to keep up to date with information about emerging risks, the research found that most solicitors generally do use the SRA's guidance. Risk Outlook reports and Thematic reports are less used than the SRA's guidance and SRA Update, but all resources are felt to be helpful by those who use them. There are clear differences in the use of the SRA's resources across different types of solicitors, however, with in-house solicitors less likely to be aware of them, to have used them, and to find them useful compared to those in SRA-regulated firms. Again, this reinforces a need to assess how to direct solicitors from all backgrounds to the SRA's guidance and making it clear that there is extensive support available.

Explore the best methods of information sharing between the SRA and stakeholders.

Research also aimed to uncover what the best styles and methods of information sharing are. Interestingly when asked about ways the SRA could help more with risk identification and management, half of solicitors were unsure, demonstrating that they may not know themselves what the best solutions for information sharing are.

Where solicitors did have ideas in terms of content, they would want to see more relevant and targeted information, and signposting for this. This would be particularly useful for small firms or solicitors that work in-house who feel less represented in current guidance. Additionally, solicitors felt the SRA could do more to help them with risks by offering more support and collaboration, and by presenting itself more as a helping body they might be more encouraged to reach out. In thinking about the method of communication, email and newsletters would be preferred, as well as shorter written information formats.

Assess the ability of the regulated sector to identify and act (as relevant) on events which may quickly impact risk.

A similar pattern to confidence in identifying risks is seen around risk preparedness, with strong levels of perceived confidence in abilities to tackle each risk, but a clear drop in perceived confidence when thinking about lawtech/AI. This may indicate potential vulnerability across the regulated sector to events related to AI or technology which arise unexpectedly. Core actions that solicitors say they have taken to prepare for risks are around training, continuity plans, processes and policies. Levels of preparation and confidence tend to be higher in larger firms, with greater use of internal training and information sharing with staff. The evidence review also highlighted particular challenges for smaller firms, such as that small firms are less prepared to tackle cybercrime. There may therefore be a role for regulators in providing greater support to smaller firms, with provision of training and advice on processes that these firms may have less internal resource to provide themselves.

This is an area where further triangulation of data from other sources would be beneficial in providing the SRA and stakeholders with well-rounded and more holistic insight. The research is based on self-reporting by solicitors and in areas such as confidence and preparedness, perceptions may not be accurate and this research did not set out to objectively assess levels of preparation. The areas of action solicitors report having taken could be compared with data on how many firms actually have, for example, training in place, business continuity plans covering all risk areas, and qualified assessments of the robustness of these. Doing this would help the SRA and other regulators gauge whether there is a gap between reported and actual confidence or a misalignment between actions solicitors say they have taken and actual processes in place and subsequently develop more efficient training and communications where needed.

Implications for the market

The findings of this research have a number of potential implications for the market. While the overall levels of awareness and preparedness suggest that firms are generally well-equipped to address risk, there are some areas where risk might affect clients or the ability of the regulated sector to service market demands. These include:

Potential risks to clients as a result of solicitors not effectively identifying risks or not having effective processes in place to deal with risks that arise quickly. Across the sector as a whole this risk is greatest in relation to AI and lawtech, as solicitors are less confident in their understanding of this area and their ability to address risks that arise. This may make clients vulnerable, particularly with greater reliance on digital services. For smaller firms, there is also specific risk in relation to cybercrime as smaller firms may be less well-equipped to deal with this, with potential for clients to suffer negative direct consequences or to be affected by disruption to the firm.

Clients may be disadvantaged by solicitors not fully harnessing the opportunities presented by AI and lawtech to provide greater efficiency and convenience and potentially reduced costs for clients. This may also lead to clients making greater use of non-regulated providers using AI/ lawtech, without the protections offered by regulated providers.

Challenges in keeping abreast of regulatory and compliance requirements, particularly for smaller firms, could also affect clients if compliance is breached unknowingly, underlining the importance for effective information sharing and communications so that firms are clear on actions they need to take to protect clients.

Ability of SRA-regulated firms to meet evolving market demands and clients' ability to find the services they need. Changing client demands was raised as a key risk by smaller firms, although only 51% of surveyed solicitors noted that this featured in their business continuity plans, and inability to adapt to these could lead to clients being unable to find the services they want. Similarly, the potential economic vulnerability of smaller firms highlighted by identification of inflation and increased overhead costs as a key risk, could lead to gaps in service availability, particularly if some geographical areas are more affected and potential lack of access to justice for those on lower incomes. Again, gaps in the market may be filled by non-regulated providers leaving clients without the protections offered by regulated firms.

Areas for further research

This project had a broad remit across the topic of risk and across solicitor roles and firm types. Further research to build on the findings could include:

• Asking key questions on risk identification and understanding to a larger survey sample of solicitors to facilitate more detailed analytical breakdown by solicitor characteristics.
• More focused research with specific groups, particularly in-house solicitors and small firms to fully understand their needs and to help target communications. A qualitative approach is likely to be most useful here.
• Additional research (potentially survey and qualitative research) focusing on risks and opportunities of lawtech and AI, particularly in relation to smaller firms.
• Research which compares reported levels of confidence in preparedness with objective assessment of the processes and plans that firms have in place (as described above).

Overall, solicitors report that they are aware of the risks identified through our evidence review and feel that they understand how to identify and tackle them in most cases. There are gaps in this confidence which could have a range of implications for the market, and there are also gaps in the support they feel that they get from the SRA. It will be important for solicitors to learn how to recognise these gaps in knowledge or confidence in their own business and work together with the SRA to establish how they can be filled through communications or training. In turn the SRA could help solicitors identify areas to improve and then provide them with necessary guidance. This two-way interaction is vital in ensuring the solicitors, and the sector as a whole, can be better prepared to manage the threats and opportunities posed by market developments.