Law Firm Risk Management Checklist
Quarterly risk-management review the firm administrator and managing partner run together — covering intake and conflicts, regulatory compliance, data security, malpractice coverage, IOLTA controls, and matter-records discipline.
Client Intake and Conflict Checks
- Audit the new-matter intake SOP
Walk the intake form and conflicts-clearance gate inside Clio (or your practice management system, PMS) end-to-end. Confirm the statute-of-limitations (SOL) field is required, the responsible-attorney assignment is enforced, and matter-open is hard-blocked until conflicts are signed off. Pay particular attention to personal-injury (PI) and family-law intakes, where SOL miscalculation is the most common malpractice trigger.
- Re-run conflict checks on the period's matters
Search the conflicts database against the client, related entities, opposing parties, and key non-party witnesses for every matter opened this quarter. New Rule 1.7 conflicts can surface as parties are added during representation; re-running the search catches imputed conflicts the original intake missed.
- Review lateral-hire screening files
For each lateral attorney or paralegal onboarded this period, confirm the prior-firm conflicts review is on file along with any required ethical-wall memo. Imputation under Rule 1.10 is the failure mode — a lateral who worked the other side of an active matter can disqualify the firm.
- Document the ethical-wall memo for each lateral
The memo names the screened lawyer, the matter(s) requiring the wall, and the screening procedures (no access to the electronic file, no fee participation, no discussion), and includes the lateral's signed acknowledgment. Send notice to opposing counsel where the jurisdiction's screening rule requires it.
Regulatory Compliance
- Confirm CLE compliance for every attorney
Pull the per-attorney CLE transcript from each state bar portal. Verify total hours, ethics hours, and any mandatory diversity or mental-health hours against the deadline calendar. License suspension for missed CLE is fully preventable with a 60-day reminder.
- Schedule CLE remediation for attorneys behind
Identify the gap (general hours, ethics, specialty), assign specific accredited courses, and put a hard deadline on the calendar at least 30 days before the bar's reporting cutoff. The managing partner signs off when each attorney's transcript shows compliance.
- Review Rule 7.x advertising and website disclaimers
Audit the firm website, social profiles, paid Google ads, and any direct-mail PI solicitation against the Model Rule 7 framework as adopted in your state. Common gotchas: missing principal-office disclaimer, results-not-guaranteed language, the 30-day post-incident PI solicitation window.
- Update the annual ethics training deck
Refresh slides on Rules 1.6, 1.7, 1.9, 1.10, and 1.15 with current-year disciplinary cases from your state bar's reporter. Schedule the all-hands session before the bar's annual reporting cutoff so the hours count.
Data Security and Confidentiality
- Tabletop the incident-response runbook
Run a 60-minute tabletop on a ransomware-on-DMS scenario with the IT manager, firm administrator, and managing partner. Confirm the runbook names a breach counsel, lists state breach-notification triggers, and documents the Rule 1.6(c) reasonable-safeguards posture.
- Verify MFA on PMS, DMS, and email
Pull the user reports from Clio/MyCase, NetDocuments/iManage, and Microsoft 365 or Google Workspace. Anyone without MFA enrolled gets enrolled this week — no exceptions for partners.
- Audit DMS access for departed staff
Cross-check the HR exit list against active accounts in the DMS, PMS, billing system, and email. Lingering ex-employee access is a common breach-notification trigger and a Rule 1.6 problem.
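One way to run the departed-staff and MFA cross-checks above over exported account lists, as an added example that is not part of the checklist or of any vendor's tooling; the CSV column names (email, last_day / email, status, mfa), the system names and the sample rows are constructed assumptions, and the grace period is a hypothetical knob for firms that keep accounts open briefly after the last day:

```python
"""Quarterly access review: flag still-active accounts of departed staff and active
accounts without MFA across per-system exports (constructed sample data below)."""
import csv
from datetime import date

# Constructed HR exit list: who left and their last day (assumed columns).
HR_EXIT_CSV = """email,last_day
a.jones@example-law.test,2024-03-15
b.smith@example-law.test,2024-05-02
"""

# Constructed account exports from two systems; a real run would add PMS and billing.
SYSTEM_EXPORTS = {
    "dms": """email,status,mfa
a.jones@example-law.test,active,yes
c.lee@example-law.test,active,no
""",
    "email": """email,status,mfa
a.jones@example-law.test,disabled,yes
b.smith@example-law.test,active,yes
c.lee@example-law.test,active,yes
""",
}

def load_rows(text):
    return list(csv.DictReader(text.splitlines()))

def review_access(hr_exit_csv, system_exports, today, grace_days=0):
    """Return findings: departed-but-active accounts and active accounts lacking MFA."""
    departed = {r["email"].lower(): date.fromisoformat(r["last_day"])
                for r in load_rows(hr_exit_csv)}
    findings = {"departed_active": [], "no_mfa": []}
    for system, text in system_exports.items():
        for row in load_rows(text):
            if row["status"].strip().lower() != "active":
                continue  # already disabled: nothing to action
            email = row["email"].lower()
            last_day = departed.get(email)
            if last_day and (today - last_day).days > grace_days:
                findings["departed_active"].append((system, email, last_day.isoformat()))
            if row["mfa"].strip().lower() != "yes":
                findings["no_mfa"].append((system, email))
    return findings

def run_sample():
    # Review date fixed so the constructed sample gives a stable result.
    return review_access(HR_EXIT_CSV, SYSTEM_EXPORTS, date(2024, 6, 30))

if __name__ == "__main__":
    print(run_sample())
```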
- Review the privilege-review SOP for productions
Confirm the SOP requires a second-attorney privilege check before any production over a defined volume threshold and that the firm's standard ESI protocol includes a FRE 502(d) clawback. Inadvertent production of a single privileged document can sink a case.
Professional Liability Insurance
- Confirm malpractice declarations are current
Attach the current declarations page from the lawyers professional liability (LPL) carrier. Verify every actively practicing attorney is named, the limits and retroactive date match the firm's expectations, and any state-required client disclosure of non-coverage is on file.
- Reconcile coverage limits against the firm risk profile
Compare per-claim and aggregate limits against the largest matters opened in the last 12 months. New high-exposure practice areas (class actions, securities, patent litigation) often outgrow last year's tower; talk to the broker before renewal, not at renewal.
- Brief partners on policy exclusions and reporting triggers
Most LPL policies are claims-made — a client complaint that's not reported when received can void coverage on the eventual claim. Walk partners through the policy's notice-of-circumstance language and the firm's internal escalation path.
Financial Controls and Trust Accounting
- Perform three-way IOLTA reconciliation
Reconcile the bank balance, the book balance in the trust ledger, and the sum of individual client ledgers. All three must agree to the penny. Any negative client sub-ledger is a Rule 1.15 violation and most banks auto-report IOLTA overdrafts to disciplinary counsel.
- File corrective entries and notify bar counsel if required
Document the source of the discrepancy, post correcting entries, and re-run the three-way. If the discrepancy involves an overdraft or a misappropriation, follow your state's self-reporting rule — voluntary disclosure is treated very differently than a complaint-driven investigation.
- Review pre-bill edit discipline by responsible attorney
Spot-check a sample of pre-bills to confirm the responsible attorney edited time entries before the invoice went out. Verbose junior-associate narratives sent unedited are the leading driver of fee disputes and bar grievances over billing.
- Spot-check advanced-cost disbursements against retainers
Confirm no disbursement was issued from trust before client funds cleared (typically 7–10 banking days for a check). A bounced retainer with the disbursement already out the door is the classic Rule 1.15 negative-balance violation.
Case Management and Records Retention
- Audit calendar entries against statutes of limitation
Pull every active litigation matter and confirm the SOL is calendared with at least three independent reminders (90/30/7 days). Cross-check against CalendarRules or your court-rules service. A missed SOL is automatic malpractice — the docket is the only defense.
- Apply the retention schedule to closed matters
Walk the closed-matter list against the firm's retention schedule. Estate-planning, real-estate, and minor-client files run longer than the general 5–7 year rule. Both early destruction (spoliation risk) and late destruction (storage and breach exposure) are problems.
- Verify open litigation holds remain in force
Re-issue the hold notice on every active matter, confirm custodians have re-acknowledged, and verify auto-delete is suspended for each custodian's mailbox and OneDrive. Stale holds where IT re-enabled retention deletion are a recurring sanctions trigger.
- Sign off on the quarterly risk-management review
Managing partner reviews the findings, captures any follow-up items with named owners and dates, and signs the review. File the signed record with the firm's risk-management binder for the LPL carrier's annual questionnaire.