Revolutionizing Law Firm Pricing, Law Firm Data Security & Reengineering Contract Management

Transcription

1 Revolutionizing Law Firm Pricing, Law Firm Data Security & Reengineering Contract Management Bob Harchut VP, Associate GC GlaxoSmithKline Hosted by Brennan Torregrossa VP, Associate GC GlaxoSmithKline Participants: Andrew Hopp, Chubb Nitin Batra, Citibank, N.A. Robert F. Harchut, GlaxoSmithKline Brennan Torregrossa, GlaxoSmithKline Justin Ergler, GlaxoSmithKline Barbara Weber, GlaxoSmithKline Jim Michalowicz, TE Connectivity Carol Simcox, TE Connectivity Sean Haney, Teva Pharmaceutical Industries Dina Traugot, Travelers This Management Report provides an overview of discussion results from a Law Department Executive Leaders session held in Philadelphia, PA on October 6th, These sessions are designed to provide a benchmarking forum for executives responsible for managing their large law departments operations. They are conversation-based and comments are not for attribution. This report summarizes only the key takeaways and conversation points. Revolutionizing Law Firm Pricing The journey toward completely leaving the billable hour behind for GSK rests heavily on sophisticated reverse auction system. GSK s journey started with articulation of the audacious goal of getting as close to 100% non-hourly billing as possible, but use of shadow billing, caps and collars hindered progress. Breakthrough came in collaboration with Procurement to find another way to price matters reverse auctions using a weighted scorecard (described in detail in this webcast). Now, a whopping 85% of external spend is non-hourly. Key aspects include: Scorecard weights pricing at 30-33%, diversity at 10%; other factors include case strategy. Severely restricting exclusions from use of the reverse auction system. No practice area is off limits. Centralization into the hands of 7-8 people in Global External Legal Relations Team (GELRT). Taking it out of the hands of the line attorneys is key. Dealing in the currency of trust. If there s a material change in the scope, GSK is willing to adjust (happens 10-20% of the time). Even with those changes, we are getting a better deal. Ensuring that the firm gives the matter priority through success bonuses. Spend strategy is aligned to matter strategy. To promote harmonization of non-hourly matter scoping and pricing practices, GSK has proposed adoption of a new task coding scheme (see Straw Man AFA Bill Code for Defense of a Product Liability Case and The Future of Standardizing Law Firm Services p. 18). The proposition is that moving toward standard tasks improves confidence in pricing without resorting to shadow billing. Discussion points included: Clearly defined scoping and staffing by task at the outset of a matter instigates solid legal project management practices. The beauty is that [the agreed upon task-based matter pricing document] turns into your project management work plan.

2 Forward-looking task focus gets it to a different plane, leaving behind the defective historic billable hour data. Once the price for a task is set, the firm should be getting more efficient at completing it. Benchmarking pricing for discrete tasks across industries avoids overcharging in litigation-heavy sectors such as pharmaceuticals. Law Firm Data Security Discussion of the ACC Law Firm Data Security working group s proposed Minimum Information Protection And Security Controls For Outside Counsel Possessing Company Confidential Information and the presentation by a working group member appended to this report. Key points: Access control is critical, internally and externally. On a least privilege and need-to-know basis includes authorizing 3 rd parties. Monitoring is an ongoing challenge. Subcontractors are a huge responsibility. GSK is conducting 3 rd party risk assessments, and the firms are screaming bloody murder. The ability to execute demands to return or destroy sensitive information has to be immune to managing attorney turnover. Companies have (and use) more leverage with new law firms, including with regard to responsibility for subcontractors, encryption, and data hosting. Strong data security is definitely not cheap, for the firm or the company. Recommended certification is through the ISO standard (not loose self-certification through the billing system that many use). ISO is time-consuming and expensive, but it is a strong standard. Cyber liability insurance is a solid backstop, and the certification of risk management is an important and useful part of the underwriting process. Every year the standards ramp up. It may be better than ISO because it s a mini-third party assessment, not self-certification. It is not sufficient, though, because reputational risk is the critical motivator to preventing security breaches, even for those who are insured. Dealing with exceptions and non-compliance is also an ongoing challenge, and taking a strong stand with firms/vendors is important. Firm objections are a red flag; you have to get past the bluster. Tactics to deal with firms that fail the audits mentioned include: Setting up a remediation plan, then a risk-acceptance process Stopping payment on pending bills Forbidding new engagements ( you need to be willing to cut some firms ) Reengineering Contract Management All of the companies represented have been undertaking reengineering efforts, and yet none is satisfied with the state of their contract lifecycle management systems. All are implementing intake portals, and several use shared service centers ( centers of excellence ). Initial focus of the reengineering efforts often include reduction in the number of template agreements and focus on the lowest risk, most repetitive agreements (e.g. NDAs). For one, applying lean six sigma methodology was critical. Challenges many are still addressing include: The contract management tool is not satisfactory, or widely enough deployed and/or utilized (low compliance). Gaining buy-in to apply risk calibration to reduce effort/cost on lower impact agreements. Triage and workload optimization models require fine-tuning. Need to better mine data to prevent disputes look for the triggers (e.g. customer complaints) and make changes.

3 Association of Corporate Counsel Working Group: Outside Counsel Data Security Update: October 6, 2016

4 ACC Working Group: Outside Counsel Data Security Update: October 6, 2016 Working Group Member Companies Abbott GSK AVX Corporation Liberty Mutual AXA Equitable Life Ins.Co. Marsh & McLennan Bank of America Memorial Hermann Health Boise Cascade Mutual of Omaha Cybis/Orbis PA Turnpike Commission DHL The Hartford Disney 2

5 Why We ve Formed a Working Group 3

6

7

8

9 7

10 MINIMUM INFORMATION PROTECTION AND SECURITY CONTROLS FOR OUTSIDE COUNSEL POSSESSING COMPANY CONFIDENTIAL INFORMATION 8

11 Components of Minimum Information Protection and Security Controls: Definition of Confidential Information Policies & Procedures Retention Return/Destruction Data Handling including requirements for encryption and breach reporting Physical Security Protections Logical Access Controls Monitoring Vulnerability Controls and Risk Assessments System Administration and Network Security Security Review Rights Industry Certification Background Screening Cyber Liability Insurance Responsibility for Subcontractors 9

12 Status of Working Group s endeavor: Working Group members sent draft Minimum Controls to one large, one medium, and one small law firm for comments by Working Group members on September 15; Input from law firms expected by mid-october 2016 Once law firm input is received and the document is finalized, ACC will communicate it to member companies 10