Law Firm Risk Management Checklist

Client Intake and Conflict Checks

    Walk the intake form and conflicts-clearance gate inside Clio (or your PMS) end-to-end. Confirm the SOL field is required, the responsible-attorney assignment is enforced, and matter-open is hard-blocked until conflicts are signed off. Pay particular attention to PI and family-law intakes where SOL miscalculation is the most common malpractice trigger.

    Search the conflicts database against client, related entities, opposing parties, and key non-party witnesses for every matter opened this quarter. New conflicts can surface as parties are added during representation under Rule 1.7 — this catches imputed conflicts the original intake missed.

    For each lateral attorney or paralegal onboarded this period, confirm the prior-firm conflicts review is on file along with any required ethical-wall memo. Imputation under Rule 1.10 is the failure mode — a lateral who worked the other side of an active matter can disqualify the firm.

    Memo names the screened lawyer, the matter(s) requiring the wall, the screening procedures (no access to electronic file, no fee participation, no discussion), and includes the lateral's signed acknowledgment. Send notice to opposing counsel where the jurisdiction's screening rule requires it.

Regulatory Compliance

    Pull the per-attorney CLE transcript from each state bar portal. Verify total hours, ethics hours, and any mandatory diversity or mental-health hours against the deadline calendar. License suspension for missed CLE is fully preventable with a 60-day reminder.

    Identify the gap (general hours, ethics, specialty), assign specific accredited courses, and put a hard deadline on the calendar at least 30 days before the bar's reporting cutoff. The managing partner signs off when each attorney's transcript shows compliance.

    Audit the firm website, social profiles, paid Google ads, and any direct-mail PI solicitation against the Model Rule 7 framework as adopted in your state. Common gotchas: missing principal-office disclaimer, results-not-guaranteed language, the 30-day post-incident PI solicitation window.

    Refresh slides on Rules 1.6, 1.7, 1.9, 1.10, and 1.15 with current-year disciplinary cases from your state bar's reporter. Schedule the all-hands session before the bar's annual reporting cutoff so the hours count.

Data Security and Confidentiality

    Run a 60-minute tabletop on a ransomware-on-DMS scenario with the IT manager, firm administrator, and managing partner. Confirm the runbook names a breach counsel, lists state breach-notification triggers, and documents the Rule 1.6(c) reasonable-safeguards posture.

    Pull the user reports from Clio/MyCase, NetDocuments/iManage, and Microsoft 365 or Google Workspace. Anyone without MFA enrolled gets enrolled this week — no exceptions for partners.

    Cross-check the HR exit list against active accounts in the DMS, PMS, billing system, and email. Lingering ex-employee access is a common breach-notification trigger and a Rule 1.6 problem.
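The MFA and offboarding checks above come down to joining the HR exit list against each platform's user report. This is an added example, not part of the original checklist or any vendor's tooling; the CSV data is constructed and the column names `email`, `status`, `mfa_enrolled` and `exit_date` are assumptions to map onto whatever your exports actually use.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are assumptions; map them to the
# headers your HR system and each platform's user report really export.
HR_EXITS = """email,exit_date
j.doe@examplefirm.test,2024-03-15
a.smith@examplefirm.test,2024-04-30
"""

USER_REPORTS = {
    "dms": """email,status,mfa_enrolled
J.Doe@examplefirm.test,active,yes
partner@examplefirm.test,active,no
""",
    "email": """email,status,mfa_enrolled
a.smith@examplefirm.test,disabled,yes
partner@examplefirm.test,active,yes
 j.doe@examplefirm.test ,active,no
""",
}

def norm(value):
    # Exports differ in case and padding; compare on a normalized form.
    return value.strip().lower()

def audit(hr_csv, reports, as_of):
    """Return (lingering ex-employee accounts, active accounts without MFA)."""
    exits = {norm(r["email"]): date.fromisoformat(r["exit_date"].strip())
             for r in csv.DictReader(io.StringIO(hr_csv))}
    lingering, no_mfa = [], []
    for system, text in sorted(reports.items()):
        for row in csv.DictReader(io.StringIO(text)):
            user = norm(row["email"])
            if norm(row["status"]) != "active":
                continue  # already disabled in this system
            left = exits.get(user)
            if left is not None and left <= as_of:
                lingering.append((system, user, left.isoformat()))
            elif norm(row["mfa_enrolled"]) != "yes":
                no_mfa.append((system, user))
    return lingering, no_mfa

if __name__ == "__main__":
    stale, unenrolled = audit(HR_EXITS, USER_REPORTS, date(2024, 5, 1))
    print("disable:", stale)
    print("enroll in MFA:", unenrolled)
```

An account whose owner has an exit date in the future is still checked for MFA, and a departed user is reported per system so each platform owner gets their own disable list.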

    Confirm the SOP requires a second-attorney privilege check before any production over a defined volume threshold and that the firm's standard ESI protocol includes a FRE 502(d) clawback. Inadvertent production of a single privileged document can sink a case.

Professional Liability Insurance

    Attach the current declarations page from the LPL carrier. Verify every actively practicing attorney is named, the limits and retroactive date match the firm's expectations, and any state-required client disclosure of non-coverage is on file.

    Compare per-claim and aggregate limits against the largest matters opened in the last 12 months. New high-exposure practice areas (class actions, securities, patent litigation) often outgrow last year's tower; talk to the broker before renewal, not at renewal.

    Most LPL policies are claims-made — a client complaint that's not reported when received can void coverage on the eventual claim. Walk partners through the policy's notice-of-circumstance language and the firm's internal escalation path.

Financial Controls and Trust Accounting

    Reconcile the bank balance, the book balance in the trust ledger, and the sum of individual client ledgers. All three must agree to the penny. Any negative client sub-ledger is a Rule 1.15 violation and most banks auto-report IOLTA overdrafts to disciplinary counsel.

    Document the source of the discrepancy, post correcting entries, and re-run the three-way. If the discrepancy involves an overdraft or a misappropriation, follow your state's self-reporting rule — voluntary disclosure is treated very differently than a complaint-driven investigation.

    Spot-check a sample of pre-bills to confirm the responsible attorney edited time entries before the invoice went out. Verbose junior-associate narratives sent unedited are the leading driver of fee disputes and bar grievances over billing.

    Confirm no disbursement was issued from trust before client funds cleared (typically 7–10 banking days for a check). A bounced retainer with the disbursement already out the door is the classic Rule 1.15 negative-balance violation.

Case Management and Records Retention

    Pull every active litigation matter and confirm the SOL is calendared with at least three independent reminders (90/30/7 days). Cross-check against CalendarRules or your court-rules service. A missed SOL is automatic malpractice — the docket is the only defense.

    Walk the closed-matter list against the firm's retention schedule. Estate-planning, real-estate, and minor-client files run longer than the general 5–7 year rule. Both early destruction (spoliation risk) and late destruction (storage and breach exposure) are problems.

    Re-issue the hold notice on every active matter, confirm custodians have re-acknowledged, and verify auto-delete is suspended for each custodian's mailbox and OneDrive. Stale holds where IT re-enabled retention deletion are a recurring sanctions trigger.

    Managing partner reviews the findings, captures any follow-up items with named owners and dates, and signs the review. File the signed record with the firm's risk-management binder for the LPL carrier's annual questionnaire.
