Tag Archives: risk managers

The Current State of Risk Management

The Ponemon Institute recently shared the results of its survey on risk management: The Imperative to Raise Enterprise Risk Intelligence: Inside the Promise & Pitfalls of Enterprise Risk Management. The results are disturbing, but unfortunately what I had anticipated.

The 641 who answered the survey were involved in risk management within their organization, so the results are skewed toward having some level of formalized risk management. In other words, the respondents are better than the general population. Most of the respondents are IT folk, and some of the questions reflect the author’s IT orientation, as opposed to a general business one.

See also: 4 Steps to Integrate Risk Management  

The report, as so many, has to define risk management in its own way. But, frankly, the definition isn’t bad. The report splits the issue into risk management and risk intelligence.

In the context of this research we define enterprise risk management as the application of rigorous and systematic analysis techniques to the evaluation of risks that impact the whole organization including information assets and IT infrastructure. Cyber risk management is considered a component of enterprise risk management.

We define enterprise risk intelligence as the insight necessary to drive actionable business decisions related to governance, risk and compliance. It is the organization’s ability to think holistically about risk and uncertainty, speak a common risk language and effectively use real-time information and forward-looking risk concepts and tools to maximize business performance.

Ponemon tells us that only 24% of respondents said they have a risk management strategy that is clearly defined and pertains to the entire enterprise. Ponemon doesn’t define what it means by a risk management strategy, so I can’t comment further.

But this is key:

“…only 43 percent of respondents say enterprise risk intelligence integrates well with the way our business leaders make decisions.”

I have to wonder whether the business leaders would agree with that assessment by the risk practitioners!

This adds fuel to that fire:

“A lack of collaboration among organizational functions is a barrier to an effective enterprise risk management program. 53% of respondents say their finance, operations, compliance, legal and IT functions do not collaborate on enterprise risk management activities. Only 8% of respondents say these functions fully collaborate in enterprise risk management activities.”

A lack of resources and an inadequate budget are identified as barriers.

But here is the key question. If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we surprised that the risk management activity is under-funded?

This is demonstrable when “30% of respondents say no one person has overall responsibility to ensure the risk management program is well executed.”

See also: A Revolution in Risk Management  

The appendix contains some valuable pieces of information. Here are two:

  • Only 32% say their organization has a very significant commitment to enterprise risk management.
  • On a scale or 1 (low) to 10 (high), just 14% of the respondents rated the effectiveness of their risk management activity as a 9 or 10.

So what do we make of this?

Let’s start with some unpleasant facts!

  1. Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
  2. If they saw risk management as helping them make better decisions, you can bet they would invest in it!
  3. They can be persuaded, not by words but by action.
  4. Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
  5. Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
  6. The traditional approach to risk management, a list of top risks, is not going to work. It hasn’t worked for decades so why should it now?
  7. Satisfying the board but not top management is not a recipe for long-term success.
  8. The risk practitioner has to think out of the box. Understand what the company’s leaders need to be successful and make intelligent and informed decisions, then deliver it.

I welcome your comments.

4 Steps to Integrate Risk Management

Let me start by saying that integrating risk management into strategic planning is NOT doing a strategic risk assessment or even having a risk conversation at the strategy-setting meeting; it is so much more.

Kevin W. Knight, during his first visit to Russia a few years ago, said, “Risk management is a journey… not a destination.” Risk practitioners are free to start their integration journey at any process or point in time, but I believe that evaluating strategic objectives at risk can be a good starting point. The evaluation is relatively simple to implement yet has an immediate, significant impact on senior management decision making.

Step 1 – Strategic Objectives Decomposition

Any kind of risk analysis should start by taking a high-level objective and breaking it down into more tactical, operational key performance indicators (KPIs) and targets. When breaking down any objectives, it is important to follow the McKinsey MECE principle (ME – mutually exclusive, CE – collectively exhaustive) to avoid unnecessary duplication and overlapping. Most of the time, strategic objectives are already broken down into more tactical KPIs and targets by the strategy department or HR, saving the risk manager a lot of time.

This breakdown is a critical step to make sure risk managers understand the business logic behind each objective and helps make risk analysis more focused.

Important note: While it should be management’s responsibility to identify and assess risks, the business reality in your company may be that sometimes the risk manager should take the responsibility for performing risk assessment on strategic objectives and take the lead. 

Example: Risk Management Implementation

VMZ is an airline engine manufacturing business in Russia. The product line consists of relatively old engines, DV30, which are used for the medium-haul airplanes Airliner 100. The production facility is in Samara, Russia. In 2012, a controlling stake (75%) was bought by an investment company, Aviarus.

During the last strategic board meeting, Aviarus decided to maintain the production of the somewhat outdated DV30, although at a reduced volume due to plummeting sales, and, more importantly, to launch a new engine, DV40, for its promising medium-haul aircraft Superliner 300.

See also: What Gets Missed in Risk Management  

The board signed off on a strategic objective to reach an EBT (earnings before tax) of 3,000 million rubles by 2018.

Step 2 – Identifying Factors, Associated With Uncertainty

Once the strategic objectives have been broken down into more tactical, manageable pieces, risk managers need to use the strategy document, financial model, business plan or the budgeting model to determine key assumptions made by management.

Most assumptions are associated with some form of uncertainty and hence require risk analysis. Risk analysis helps to put unrealistic management assumptions under the spotlight. Common criteria for selecting management assumptions for further risk analysis include:

  • Whether the assumption is associated with high uncertainty.
  • Whether the assumption impact is properly reflected in the financial model (for example, it makes no sense to assess foreign exchange risk if in the financial model all foreign currency costs are fixed in local currency and a change in currency insignificantly affects the calculation).
  • Whether the organization has reliable statistics or experts to determine the possible range of values and the possible distribution of values.
  • Whether there are reliable external sources of information to determine the possible range of values and the possible distribution of values.

For example, a large investment company may have the following risky assumptions: the expected rate of return for different types of investment, an asset sale timeframe, timing and the cost of external financing, rate of expected co-investment, exchange rates and so on.

Concurrently, risk managers should perform a classic risk assessment to determine whether all significant risks were captured in the management assumptions analysis. The risk assessment should include a review of existing management and financial reports, industry research, auditors’ reports, insurance and third party inspections and interviews with key employees.

By the end of this step, risk managers should have a list of management assumptions. For every management assumption identified, risk managers should work with the process owners and internal auditors and use internal and external information sources to determine the ranges of possible values and their likely distribution shape.

Example: Risk Management Implementation (Continued)

The assessment would look into:

Macroeconomic assumptions

  • Foreign exchange
  • Inflation
  • Interest rates (rubles)
  • Interest rates (USD)

Materials

  • DV30 materials
  • DV40 materials

Debt

  • Current debt
  • New debt

Engines sales

  • New DV30 sales volume
  • New DV40 sales volume
  • DV30 repairs volume
  • DV40 repairs volume
  • DV30 price
  • DV40 price

Other expenses

  • Current equipment and investments in new
  • Operating personnel
  • General and administrative costs

Based on the management assumptions, VMZ will significantly increase revenue and profitability by 2018. Expected EBT in 2018 is 3,013 million rubles, which means the strategic objective will be achieved.

We will review what will happen to management projections after the risk analysis is performed in the next section.

See also: A New Paradigm for Risk Management?  

Step 3 – Performing Risk Analysis

The next step includes performing a scenario analysis or Monte Carlo simulation to assess the effect of uncertainty on the company’s strategic objectives. Risk modeling may be performed in a dedicated risk model or within the existing financial or budget model. There is a variety of different software options that can be used for risk modeling. All examples in this guide were performed using the Palisade @Risk software package, which extends the basic functionality of MS Excel or MS Project to perform powerful, visual, yet simple risk modeling.

When modeling risks, it is critical to consider the correlations between different assumptions. One of the useful tools for an in-depth risk analysis and identification of interdependencies is a bow-tie diagram. Bow-tie diagrams can be done manually or using the Palisade Big Picture software. Such analysis helps to determine the causes and consequences of each risk and improves the modeling of them as well as identifying the correlations between different management assumptions and events.

The outcome of risk analysis helps to determine the risk-adjusted probability of achieving strategic objectives and the key risks that may negatively or positively affect the achievement of these strategic objectives. The result is strategy@risk.

Example: Risk Management Implementation (Continued)

The risk analysis shows that while the EBT in 2018 is likely to be positive, the probability of achieving or exceeding the strategic objective of 3,000 million rubles is 4.6%. This analysis means:

  • The risks to achieving the strategy are significant and need to be managed
  • Strategic objectives may need to change unless most significant risks can be managed effectively

Further analysis shows that the volatility associated with the price of materials and the uncertainty surrounding the on-time delivery of new equipment have the most impact on the strategic objective.

Management should focus on mitigating these and other risks to improve the likelihood of achieving the strategic objective.

Tornado diagrams and result distributions will soon replace risk maps and risk profiles as they much better show the impact that risks have on objectives.

This simple example shows how management’s decision making process will change with the introduction of basic risk modelling.

Step 4 – Turning Risk Analysis Into Actions 

Risk managers should discuss the outcomes of risk analysis with the executive team to see whether the results are reasonable, realistic and actionable. If indeed the results of risk analysis are significant, then management, with help from the risk manager, may need to:

  • Revise the assumptions used in the strategy.
  • Consider sharing some of the risk with third parties by using hedging, outsourcing or insurance mechanisms.
  • Consider reducing risk by adopting alternative approaches for achieving the same objective or implementing appropriate risk control measures.
  • Accept risk and develop a business continuity/disaster recovery plan to minimize the impact of risks should they eventuate.
  • Change the strategy altogether (the most likely option in our case)

Based on the risk analysis outcomes, it may be required for the management to review or update the entire strategy or just elements of it. This is one of the reasons why it is highly recommended to perform risk analysis before the strategy is finalized.

See also: A Revolution in Risk Management  

At a later stage, the risk manager should work with the internal auditor to determine whether the risks identified during the risk analysis are in fact controlled and the agreed risk mitigations are implemented.

Join our free webinar to find out more (click the link to see available dates and times). Read the full book from which this is adapted. You can download it for free here.

3 Things SMEs Can Teach Big Firms

I was very fortunate to host a roundtable during the FERMA risk seminar in Malta. I am very thankful for the opportunity, because the experience of brainstorming for 45 minutes with the representatives from various small and medium enterprises (SMEs) really highlighted some major problems with modern-day risk management and risk managers.

Here are three things that I think all of us could learn from managing risk at SMEs:

SMEs simply can’t afford to waste time or other resources on an activity that does not generate direct value

For SMEs, time is pressure, management teams are small, margins are limited and, as a result, management is very pragmatic about any new, sexy activities and initiatives. Risk management is no different. It has been around for years, yet few SMEs have properly adopted it. Something’s not right…

So can risk management make companies money? Of course it can. Do modern-day risk managers in non-financial companies in fact make money for their companies? Very few. Most of the modern-day approaches used by risk managers are so academic and superficial that management has a tough job buying it. Here is a short video on showing value from risk management, and it’s not what most risk managers are doing.

See also: Can Risk Management Even Be Effective?  

I think it’s about time we had an honest look at some of the activities risk managers do:

  • Do risk assessments really change the way business processes work, change the manufacturing process and change the way products are sold?
  • Do risk managers bring something of value to the table when any important business decision is made?
  • Do risk assessments change the way executives make decisions, and is risk analysis available on time to support every significant decision?
  • Are risk registers looked at by the CEO before making an important decision?
  • Do risk owners check their risk mitigation actions regularly?
  • Do risk appetite statements in non-financial companies change the way the company operates and the way decisions are made?
  • Do employees regularly read risk management framework documents?
  • Do managers call the risk manager before making a decision when faced with uncertainty?

I suspect the answer to most of those questions is “not quite.” This could mean one of two things: Either the risk manager is not doing his job properly, or he is properly doing his completely wrong. My bet is on the second option. There is simply a better way than risk profiles, risk registers, risk frameworks, risk owners — and so on. Here is a short video about what the future holds for risk management.

SMEs don’t do risk management to mitigate risks; they do it to make better decisions

This I found bizarre: We seem to have created a myth that risk management is about managing risks. Not so. Risk management is not an objective in itself. It’s just another management tool to help make better decisions and achieve objectives. This realization is a big difference between SMEs and large corporations.

SMEs do risk analysis when a decision needs to be made, using whatever risk analysis methodology is appropriate for that particular type of decision. Large corporations do risk management when it’s time to do risk management, be it annually, quarterly or some other regular internal. Nothing could be further from the truth. Unless your methodologies, approaches and tools allow risks to be analyzed at any moment during the day — when an important decision is being made or at every milestone within the core business processes — you are probably doing something wrong.

If there is one thing I learned over the years it is that no one in the company, and I mean NO ONE, expects the risk manager to care about risks. Well, maybe some about-to-retire audit committee member would, but most executives wouldn’t have the courage to deal with the real risks if you showed the risks to them. The rest of the company cares about making money, meeting objectives with the least amount of effort and getting nice bonuses as a result.

You can assign risk ownership to top executives as much as you like — no one cares. SMEs learned the hard way that unless an activity directly contributes to achieving objectives, it’s not going to be done. Risk management is no different. I find it ridiculous when risk managers talks about high risks and the need to mitigate them when, instead, they could be saying things like, “the probability of meeting this objective is 10% — unless we change things,” “there is an 85% chance your business unit will not get bonuses this year based on our risk analysis” and so on.

Anyone can be a risk manager, but it’s not natural

Despite what we within the risk management community have been telling each other for years, managers are not really managing risks every day. Thinking about risks is not natural for humans. The way System 1 and System 2 thinking operate in our brain make it literally impossible to see most of the risks associated with making decisions, let alone analyze them or manage them. Since the 1970s, many scientists, including two Nobel Prize winners (Kahnemann and Tversky), have discovered more than 200 cognitive biases that prevent managers from seeing, understanding and dealing with risks.

See also: 4 Ways Risk Managers Can Engage on Cyber  

This basically means risk surveys, most risk workshops and any kind of qualitative risk assessments are very unlikely to produce truthful results. But then what should risk managers use? There are plenty of alternatives, much better alternatives.

So how was the rest of the FERMA seminar?

My feedback to the organizers stays the same as my last post on the FERMA forum in Venice last year. In short, it’s impossible to grow if the people you talk to at conferences are people just like you: risk and insurance professionals.

Someone needs to play the devil’s advocate. It would be good to hear from a CFO who says he doesn’t care about any of the work risk managers do and budgets based on his own methodology with no input from the risk manager.

But, then again, Europe is probably way too politically correct for that 🙂

5 Keys to Successful Claims

When I started as director of marketing at RWH Myers, I asked a lot of questions of the partners. With the firm specializing in loss accounting, I wanted to understand the most important attributes in a successful claim. What I learned seemed too obvious at first, but I soon discovered why each component was essential.

The five keys to successful claims are not rooted in complex business interruption equations or piles of documentation. They are critical fundamentals. Fundamentals in any endeavor are easily missed and hard to execute without practice. But if you master the fundamentals, you’ll be on your way to a positive outcome. Get them wrong, and you’ll struggle to recover what you deserve.

When millions of dollars are on the line, risk management cannot afford to come up short on recovery. Our firm exists to help policyholders in their attempt to be made whole after a loss, so we thought it would be valuable to share what we found to be most important.

Here are the five keys to successful claims:

  1. Define the Claim‘s Priorities

When you have a loss, it is important for everyone to understand what is important to the organization at that time. Is it the recovery amount? Is it the speed of settlement? Is it a smooth process? Is it cash flow? Is it resource relief? It may be all of these and more.

Risk managers should discuss the priorities with executives and other key personnel to ensure all considerations are accounted for. When cash flow is critical, the claim preparation strategy should incorporate interim claim filings. If the primary need is to get the loss off the books before financial reporting, the strategy may focus on speed of settlement.

Knowing the priorities of the organization will enable a claim strategy that can meet those needs. As the old saying goes, “If you don’t know where you are going, any road will take you there.” With a property and business interruption claim, everyone involved needs to know where to go.

  1. Have the Right Team in Place

If you’ve been through a significant property claim, you know that your insurer(s) will have a team of experts whose job it is to adjust and audit your claim filings. Their goal is not to pay out the claim amount. It is to minimize the exposure to the underwriter to preserve profitability. Insurance companies are for-profit enterprises, and they take their profits seriously.

Knowing what their priorities are should reinforce the need to have a skilled team representing you. You will undoubtedly need to involve internal personnel to assist you, but know that they do not have the experience to match the insurers team’s acumen.

It is in your best interest to assemble your own team of experts ahead of a loss. Savvy policyholders may specify certain adjusters to be written into the policy in an effort to minimize potential claim issues. No matter what, you should avoid relying on the insurer’s forensic accountants’ calculations as the measure of your losses. An independent loss accounting firm can not only provide you with an accurate loss valuation but will be instrumental in guiding the claim to meet your goals.

Experience matters greatly, and you will need it to ensure success. Professional fees coverage is available for this service. It is there to pay for the experts you’ll need. Take advantage of it. Having your team in place in advance will make a big difference.

  1. Develop a Claim Strategy

The claim process involves many activities that could be daunting and burdensome to everyone in your organization, but the demand to achieve your priorities is relentless. It is critical to develop an effective strategy to get the best results from your claim. Engaging experts can help develop your strategy as they will know the obstacles you will face and can plan for them. The strategy should incorporate your priorities and the steps to achieve them. It should involve analyzing possible adjustments and ways to overcome them.

To keep the claim moving, create a timetable that maps each milestone. It should include request for information (RFI) responses and feedback, interim claim filings and audit results, periodic meetings and requested settlement date.

Don’t rely on hope or faith that your carrier will do the right thing. The carrier will do what’s right for it, not for you. Engage your experts immediately after a loss so that they can be involved in the design and execution of your strategy from the onset. If you are looking to recover millions of dollars, you better have a solid plan to do so.

  1. Give the Claim Appropriate Attention

At the beginning, claims get a lot of attention, but, as time passes, other items will distract from your claim. Managing an insurance claim is not a normal part of the job for anyone involved unless that is their job. For the insurer’s team, managing the claim is their job. It’s what they do everyday.

If you engage a loss accounting firm that specializes in preparing claims for policyholders, the firm will help to ensure your claim gets the appropriate attention. Not only will the firm keep your attention on the claim, but the firm will hold the insurer’s team accountable to the timetable.

Claims take time. You must be patient, but persistent. You can ill afford to lose attention. Don’t let your claim get lost amid all your other duties.

  1. Prepare a Logical Claim

When I worked for one of the largest brokers in the world, I often wondered what exactly our claims group did to help clients with claims. I was surprised to learn that the onus was on the client to actually put the claim together — all the financials, the calculations, all the invoices, the claim report, everything.

This documentation is the basis of the claim. It’s what’s reviewed, audited and adjusted. As the broker, I thought our claims group did it. I came to realize it’s not our responsibility, nor should it be. After all, we’re the broker, not the policyholder.

For the clients that used a loss accounting firm, the claims went much more smoothly and were resolved faster. I didn’t understand why until I joined RWH Myers. Putting the claim together is only half the battle. There is a technique to it that makes the difference from start to finish. As the claim progresses, there are always gray areas. Sure, you’ll recover some of your claim regardless of your approach, but that gray area may represent 20% or more of your losses. If recovery is important, that 20% matters greatly.

When claiming time element as business interruption, you are claiming earnings that you would have earned had the loss not occurred. There is an art to the model used to calculate these losses and a science to showcasing the logic behind it. A simple, logical and easy-to-understand claim will meet less resistance and recover more than a complicated, confusing and overbearing claim. Unfortunately, there isn’t a cookie cutter formula. You can’t just teach it. Experience is the only way to ensure this “key” will lead to a successful claim.

The bottom line is that claims have lives of their own. There are two opposing sides with opposing agendas. Claims ultimately come down to a negotiation. The amount remaining at the negotiation table tells the tale of how well the claim was prepared, including all the fundamentals — the priorities, the teams, the strategy, the attention and the claim report. It all matters to recovering your losses efficiently and effectively.

How to Manage Legal Fees for Work Comp

Loss expenses are on the rise, at an alarming rate, according to California’s Workers’ Compensation Insurance Rating Bureau (WCIRB). The California Workers Compensation — Aon Advisory Bulletin (July 2014) indicates that “allocated costs (mostly attorney payments) increased 7.3% in 2013. Unallocated costs increased 10.3%.”

Given that legal costs are on the rise, here are nine ways that risk managers can more closely manage legal services:

Have in-house counsel monitor outside counsel (and adjuster performance). Litigation costs must be properly managed because overzealous defense counsel and untrained (or cooperating adjusters) can prolong litigation, increase costs for the employer and wreak havoc on the lives of injured workers.

Review outside counsel financial arrangements — consider capped fees, flat fees or invoice paid upon file completion. Paying at the end allows outside counsel to defend the claim but discourages unnecessary hearings and runaway fees and lets risk management easily review the ultimate fee rather than numerous monthly bills. Excessive fees are more noticeable and easier to compare against other files and law firms. Attorneys who are milking the claim become more visible.

An “invoice paid upon file completion” is a good approach if you use the same attorney frequently. However, this approach should not be used when the defense counsel only has one file. You could end up with an excessive bill, with little recourse other than to fight with your own chosen counsel over the amount.

Conduct an independent audit to assess whether defense counsel was needed in the first place, or whether she was just assigned the case to do work the adjuster, assigned too many cases, was too busy to do.

A favorite ploy of overworked adjusters (and lazy adjusters) is to allow the defense counsel to handle the claim. Legal counsel should not be paid to do the adjuster’s job, including gathering medical reports, state board records and ISO reports, arranging independent medical exams (IMEs), etc. An independent claims audit of your files will tell you whether you are paying legal fees for the work the adjuster should be doing.

Review hearing rulings. Review whether the same attorneys are requesting hearings on the same issue repeatedly or requesting hearings on issues they are likely to lose. For example, if benefits are terminated but reinstated at the hearing, and this happens repeatedly, it is an indication that benefits are being terminated without sufficient cause, thereby creating unnecessary legal expense. In insurance speak, this is called “churning” files.

Churning is any unnecessary activity undertaken by defense counsel for the sole purpose of increasing the legal services bill. It can be unnecessary research on a subject the attorney should know, unnecessary motions, unnecessary discovery, having another attorney in the firm review the case, having a paralegal or junior partner undertake an unnecessary action, etc.

Before any preparation by defense counsel for the hearing, the adjuster should phone the defense attorney and discuss the need for the hearing and what the probable outcome will be. If you know going into the hearing that you are going to lose, have counsel resolve the issue with the opposing counsel. It will save both legal fees and unnecessary claim costs (indemnity and medical costs continue while you wait for the hearing). By removing the unnecessary hearings, you move the file faster, with less overall claim cost, to the final resolution.

Review whether opportunities for agreement between counsel are ignored. Defense counsel may avoid agreement because it is more profitable to have a junior attorney attend hearings and collect a large fee.

For example, in Connecticut, a claimant’s doctor can be changed, with agreement of counsel, but defense counsel rarely agree even though knowledgeable counsel will know which doctors have reputations for overtreating and overrating disability, which doctors are known for unbiased treatment and ratings and which doctors have a reputation for being conservative in their treatment and ratings.

Review whether defense counsel makes unfounded accusations against claimant of misbehavior or wrongdoing (e.g. claimant is not credible or is trying to game the system) on every claim to obfuscate the issues and prolong the litigation.

If defense counsel is not totally objective in his assessment of both the claim and the claimant, it is time to immediately identify new defense counsel.

Look at whether the attorney charges for lots of research, on many files. Very little research is necessary except in unusual claims with issues of law, so files with legal research should be reviewed very carefully.

Adjusters — with sufficient authority — should attend all hearings with defense counsel. Sometimes, there are opportunities to settle litigation during hearings. These opportunities should be considered while someone with the requisite authority is present. In many cases, seasoned adjusters are capable of attending hearings without defense counsel. (This is not allowed in some jurisdictions.)

Risk managers (or the company human resources manager or the workers’ compensation coordinator) should attend all hearings to be available to testify about the job requirements and efforts to provide transitional duty and to show interest in the injured worker’s well-being. Specify this procedure in the account handling instructions.

To verify you are controlling your legal fees, a two-pronged approach is needed. A litigation management review by an independent claims auditor will determine the effectiveness of your adjusters in controlling legal expenses. This should be combined with an audit of the legal invoices by an experienced legal bill auditor.