Q&A: Effective legal risk management

March 2021  |  SPECIAL REPORT: MANAGING RISK

Financier Worldwide Magazine


FW discusses legal risk management with Matthew Nunan at Gibson, Dunn & Crutcher UK LLP and Sean T. Seelinger at Ropes & Gray International LLP.

FW: Could you explain why it is important for companies to have an effective legal risk management process? What are the main benefits?

Seelinger: An effective legal risk management process is essential to not only identify and mitigate legal risks, but financial and reputational risks as well. The development of a holistic legal risk management process is critical to success. A siloed approach to risk assessment, where each risk is considered in isolation, may fail to take into account the fact that one risk may have multiple facets, resulting in potential consequences or mitigants falling through the gaps. A holistic approach will optimise a company’s approach to risk management by making it more impactful and cost effective. The likelihood of unknown adverse issues is reduced. Corporate risk tolerance and the extent of mitigation required can be considered with all relevant factors on the table. Such an approach requires companies to go beyond implementing generic policies designed to address individual risks, and to take steps to understand the behaviour of employees and the culture of their organisation, and tailor their risk management processes accordingly.

Nunan: Every company – whether financial services or in any other industry – has to operate within a legal framework. For financial services companies, in a very heavily regulated industry, the legal framework is incredibly complex and subject to constant change. Add in the challenges of multinational companies with overlapping and often competing laws and regulations, and managing legal risk is a time-consuming, difficult and often expensive task. Despite that, effective legal risk management is not simply important – it is essential. The benefits of doing it well are easier to express in the negative. That is, failure to do it well can lead to significant fines and reputational damage. Firms can be excluded from accessing markets and clients. It is not only important for companies – their employees, whether staff or management, can also be exposed if the company fails to properly manage legal risk.

FW: What, in your opinion, are the essential characteristics of a successful legal risk management team?

Nunan: An effective legal risk management team has to, above all else, be familiar with the business it is advising. Because of the complexities of rules and regulations, a small difference in business conducted – jurisdiction, product, client or market sector – can have a material impact on the relevant legal framework and the risks involved. Knowing what the business is doing before it is done means legal risk can be managed. Prevention is better than cure. Having the trust of the business so legal teams are involved in strategy discussions and can advise on risk before decisions are made is even better.

Seelinger: An effective legal risk management team will be embedded across and familiar with an organisation from the ground up. While it is of course important that legal teams are able to work freely and independently, they cannot operate effectively in a vacuum. The entire risk management process needs to be a partnership with the business. At each stage of the process, a legal risk management team needs to understand the real risks and challenges to allow them to jointly develop appropriate solutions with the business. Where issues arise, both legal and the business need to work together to modify those solutions in real time. The team should also have a breadth of prior experience in order to facilitate a collaborative and practical approach to risk management.

FW: What steps can companies take to manage a potentially vast array of mutually-affecting risks across contracts, departments and subsidiaries? What are the likely consequences for companies that fall short?

Seelinger: Effective risk management in a large organisation requires control functions to work with the business to identify the top risks across an entire organisation and to prioritise those risks. Using data to support risk identification and prioritisation, as well as testing, is particularly important in a large organisation. From there, solutions can be built that do not rely on disconnected, individual policies. Ongoing testing and assessment of controls is essential, along with constant communication. Failure to do so will result in increased legal, financial and reputational risk. Siloed approaches may result in issues coming to light at a much later stage, and misconduct may become more embedded in the culture of a firm.

Nunan: Firstly, companies need to have a really good grasp on what business they are doing. For large corporations, there can be a real danger of different sections of the business taking competing positions or views, or of pockets involved in obscure businesses or markets without anyone in the firm aware or able to join the dots. Charging a person or a team with a periodic stock-take of business can identify these issues and help manage that legal risk. It can also identify low profit or loss-making sections. The consequences of falling short can be significant. The most common is exclusion from areas of business because of conflicts generated by other parts within the firm or group.

FW: How important is it to properly manage and control interactions between functions which may carry a legal risk?

Nunan: All sections of a firm carry legal risk – it is hard to think of any area of business, or life, which does not. There is a base level risk applying to all areas around issues, such as employment rights, risk of fraud or theft by employees, or loss or misuse of confidential or proprietary information. In addition, there are specific legal rights around engagement with clients which might stem from contract or regulation. Consequently, every interaction inside or outside the company involves managing legal risk. The key is that there needs to be a recognition that some legal risks outweigh others, and so a risk-based approach is required. Sometimes, for example, a decision to operate in a new jurisdiction will bring risk but the reward justifies it. In situations like this it is important to recognise the risk, assess and communicate it, and record the basis for proceeding despite it.

Seelinger: In order to operate effectively, any control function must have sufficient independence, autonomy and governance to operate without undue pressure. While ethical walls are appropriate in the most extreme cases, for most businesses, assessment of the potential risks and the development and socialisation of appropriate guidelines, policies, procedures and controls is critical. Most importantly, the control function must not be beholden or subordinate to any of the functions for which it serves as a check and balance. We have witnessed many so-called control functions where staff have felt unable to speak up against misconduct or problematic behaviours or practices perpetrated by senior management, often due to a ‘command and control’ culture. Those working in such functions must at times make decisions or observations that will be unpopular with the business and thus need the autonomy and backing to be able to do so without fear of repercussions.

FW: Against the backdrop of the COVID-19 pandemic, to what extent have legal risks increased? How should the legal department go about identifying unique touchpoints amid the crisis?

Seelinger: Fraud thrives in times of crisis. For example, kickbacks and other types of corruption surge when companies and employees face financial pressure. Opportunities for market abuse and other financial crime spike during market volatility. Underlying drivers of improper behaviour, such as pressure to meet sales targets or obtain new approvals, have risen for many during the crisis. At the same time, controls have weakened in many organisations as a result of remote working – both ‘hard’ controls, meaning actual checks, and ‘soft’ controls, meaning the bias toward compliant behaviour through a strong culture. While overall risk has increased, risks in some areas, such as lavish hospitality as an improper inducement, have reduced. It is thus more important than ever that legal and compliance teams ensure they are embedded within the business function to understand and assess new emerging risks and how existing controls may be suffering. Whistleblowing procedures should be socialised and emphasised throughout the business to encourage employees to speak up.

Nunan: Methods of interaction have changed considerably during the pandemic, both within firms and in relation to customers. This creates risks around employers’ obligations to their employees and also heightens issues like fraud or data protection. Methods of monitoring staff, required by law, may not be so effective while they work at home, increasing legal risk, and while this is offset by indicators of regulatory forbearance, such latitude will be short-lived. Legal departments should work with business leaders to conduct a risk assessment, including legal risk but going broader. This should take a practical look at what has changed as a result of the pandemic, what risks that creates or changes and what can be done to mitigate them. The outcome should then be presented to senior management for a decision as to whether, given the residual risk, they should continue.

FW: What can in-house lawyers and legal advisers do to effectively integrate legal advice into all aspects of decision making?

Nunan: Many firms, when taking the decision to expand or alter business models, go through an approval process before signing off. Legal departments should be part of this process. The decision will obviously focus on opportunities and costs, but legal risk – including or separate to compliance risk, conduct risk, operational risk and all other types of risk – must be factored into the approval process. The other essential element is to establish a relationship where legal teams are seen as trusted advisers, protecting the firm and its employees. If lawyers can persuade and demonstrate the potentially huge financial cost of mismanaging legal risk, they should find the business actually seeking to involve them in all key decisions.

Seelinger: First, lawyers need to ensure they are integrated into the decision-making processes, at both the executive and operational levels. Legal and compliance should be involved in business discussions to ensure risks are identified and policies and processes are designed in a way that can be effectively operationalised, while simultaneously mitigating risk. Achieving this integration is particularly challenging in the current climate, due to the physical distance caused by remote working, but also as a result of increased pressures on business staff in the current environment and the risk of ‘cultural recession’. Second, lawyers must effectively communicate the legal risks facing the business throughout the organisation. Once non-legal staff understand how to identify potential legal risks, at least at a high level, the opportunity to capture new and emerging risks is expanded. If the business as a whole does not understand why legal team involvement is important, it will be less engaged in seeking out that legal input.

FW: How would you characterise the role of the board in legal risk management? How important is it for the board to establish a relationship of trust with the legal team?

Seelinger: The board’s role in driving the agenda and overall culture is critical. Effective risk management is set by the top. Board members should expect to review the results of thorough, evolving risk management processes and should probe the assumptions upon which the results are based. The board has a resourcing and cultural responsibility as well to ensure that the legal team feels empowered to ask the questions and obtain the data they need to properly assess risk, and then to elevate concerns for review and discussion by management and the board. A key to a strong relationship between the board and the legal team is direct reporting and dialogue.

Nunan: There is a question about whether lawyers, for example a firm’s general counsel, are considered an adviser or a decision maker, as reflected in the Financial Conduct Authority’s (FCA’s) consultation on whether to make ‘head of legal’ a senior management function. The best-run firms do not need to distinguish. The general counsel should have a strong and trusted voice in the boardroom, giving clear, robust advice. And the board has to recognise and welcome that advice. The worst examples are when matters are concealed from legal teams to avoid being given advice they do not want to hear. One would not expect a firm or board to take a decision to operate illegally. However, the role of the executive board members is to make decisions based on advice, and where competing legal risks are raised, ultimately the board must choose the course of action. This is where trust in the legal team is most important. They are best placed to weigh the competing legal risks, but boards will only accept that advice if they feel it is well-judged and commercial.

FW: Looking ahead, do you expect companies to devote more time and resources to legal risk management in the months ahead? What trends are set to shape corporate strategy on this front?

Nunan: Brexit will bring a new shape to many of the laws governing companies, particularly financial service companies over the next few years. Similarly, a new administration in the US will lead to a different tone and regulatory and legal approach. So, for the next 12 months, I anticipate legal teams devoting considerable time and resource to understanding the new picture of legal risk around the world. Not all new issues come from changing law. In past years, the Me Too and Black Lives Matter movements have led to legal teams looking again at their employment practices and risks. Environmental, social and governance (ESG) initiatives have gained impetus from climate change concerns, and these bring new legal interpretations for products but also for a firm’s own operations. The focus on tech and privacy also continues and will inevitably bring changing law or legal interpretation that will occupy many lawyers.

Seelinger: The elevated risks posed by the coronavirus (COVID-19) crisis show no sign of receding in the near term. The return to ‘normal’ will create further changes and disruption that risk creating new opportunities for control failures. There are as many different views on the future of remote working and meetings as there are employees. Short term, a key risk every business will need to assess is how continued remote work arrangements, whether full or part time, may increase risk through weakened controls, diminished collaboration or cultural recession. Long term, I expect that ESG risk management will be further integrated into holistic risk management. The most effective legal teams will be those who are able to consider legal, financial, reputational and social risks collectively rather than in individual silos.

Matthew Nunan is an English qualified barrister and partner based in Gibson, Dunn & Crutcher’s London office and is a member of the firm’s dispute resolution group. Mr Nunan specialises in financial services regulation and enforcement, investigations and white-collar defence. Prior to joining Gibson Dunn as a partner, he was head of conduct risk for Europe, Middle East and Africa at Morgan Stanley. He can be contacted on +44 (0)20 7071 4201 or by email: mnunan@gibsondunn.com.

Sean Seelinger is a US-trained lawyer based in London and a member of the firm’s anti-corruption & international risk practice. His practice focuses on government-initiated and internal investigations of cross-border anti-corruption, anti-money laundering and trade compliance matters, as well as advising private equity firms and their portfolio companies regarding compliance issues and the development of effective compliance programmes. He can be contacted on +44 (0)20 3201 1574 or by email: sean.seelinger@ropesgray.com.
