The increasing complexity of laws and regulations impacting organisations, and the financial and reputational consequences of non-compliance highlighted by some high-profile failings, have meant that in-house legal teams now often play a more critical role in their organisations in the identification and management of legal risks.

Legal risk is not always shown as a separate category of risk but may be a subset of the key risks affecting the organisation, such as operational, financial and data risks. This is because many areas of an organisation’s activities, whether it is a business or not, will have a legal element to them, and it may be easier to define and manage the relevant legal risk by reference to an operational function. However it is categorised or defined, legal risk is likely to be concerned with a potential breach of legal obligations giving rise to possible harm to the organisation, most likely to its finances, its reputation and its ability to carry out its functions in some material respect.
Legal should expect to play an important role in helping to identify, control and manage legal risk within the organisation, both as a primary actor in relation to risks flowing from the running of the legal function and as a secondary line of defence working in collaboration with others across the organisation.
Here we consider a number of factors relevant to the managing of legal risks and also look briefly at the Three Lines of Defence model for risk management.
Identifying legal risks
The organisation’s risk framework will usually identify and prioritise those risks that would impact the ability of the organisation to carry out its functions in some material respect and give rise to financial or reputational harm. What may be less clear is what actually constitutes a legal risk. This is where Legal can play an important role in helping the organisation understand the range of legal risks and their nature, i.e. the universe of legal risks for the organisation. To do this effectively, Legal clearly needs a good understanding of the organisation and its operations. Some of these risks will be closely linked to the work of Legal, such as contracts, contract management and disputes, for which Legal may already be accountable. Others may fall within the responsibility of other functions and be familiar to Legal through its work for those functions.
Who owns the risk?
It is important to establish clear lines of responsibility for the legal risks identified. This matters as there may otherwise be a tendency for all legal risks to be seen as Legal’s responsibility, which can result in risks falling between the cracks. Except for those legal risks for which Legal is accountable, all others will be owned by management. It should be clearly understood that Legal advises and is not in any way the owner of the legal issue in question. As in-house lawyers are aware, advising on legal risk is as much about understanding the rights and obligations of the organisation as it is about understanding the letter of the law itself.
Assessing legal risk
Having identified the legal risks and allocated accountability for them, how then are the different risks to be assessed so that control measures can be put in place? There are a number of factors that could influence the organisation’s approach to managing its legal risks, including the level of regulation in the sector and its business strategy. For example, an acquisitive commercial business may well have a different approach to certain risks compared to a public body.
Many organisations will use a framework against which to assess legal (and other) risks. This will typically include such categories as finance; customers; operations; reputation; property/assets; and regulation. Different risk scenarios, for example a data breach, a product recall, a major litigation case or a regulatory intervention, can then be mapped against these factors to identify the potential impact of the legal risk.
The tolerance for legal risk
As part of the process of assessing legal risk, it will be important to determine the appetite or tolerance for the risk in the organisation. This will depend on a number of factors relating to the type of organisation, its business and its strategy. As such, different risks will have different levels of tolerance. Legal’s role here will be to help management understand the impact of a legal risk and to advise on mitigating controls that will help manage the risk. Some legal risks may have zero or near-zero tolerance because of the impact of a failure, whereas others will be managed within a range of tolerance acceptable to management. It is not Legal that sets the risk appetite, although its advice will be influential.
Managing legal risks
The controls that are put in place to manage legal risks will vary depending on the likely impact of the risk and the accepted appetite for that risk. Generally, the purpose is to bring the risks within the organisation’s risk appetite. The impact of the risk will influence the extent of the controls. Typical control measures will include the implementation of checklists and policies, the use of technology, horizon scanning, escalation procedures (including to Legal), training and guidance, and the provision of bespoke legal advice.
In this way, Legal can play an important role in helping to manage legal risk by drafting and updating policies, providing generic guidance and training, and giving specific advice.
Smart working
Legal’s advice to other areas of the organisation on the legal risks that arise in their operations will play an important role in how well these risks are managed. To help business colleagues become familiar with legal risk and to help them in assessing it, it can be useful for lawyers to incorporate in their advice the impact of the legal risk by reference to the framework of risks utilised by the organisation – finance, customers, operations etc. Additionally, the legal risk can be quantified by reference to a narrative summary complemented, where possible, by a defined percentage range or ‘score’ in respect of each affected business area. To do this, in-house lawyers need to understand the issues in play. There is a balance to be struck here between digging for too much detail, which may reflect a nervousness to commit to giving advice, and not digging enough because of overconfidence. A sensible middle ground involves advising “based on what you have told me…”, or something similar.
Monitoring legal risk
Organisations will typically have a risk management process by which significant risks are monitored and reported. Whether or not legal risk is itself a defined category of risk or is a subset of other key risks, it will be important to have a methodology for reporting on legal risks wherever they sit in the organisation’s risk management framework. This may include the use of key indicators of risk levels and thresholds via dashboard reports, using a traffic light system to indicate current compliance levels. Periodic stress testing and reports from risk owners will often also form part of the reports escalated to different levels of management and the board.
Global aspects
In a multinational organisation, legal risks will not only arise across the organisation but may also differ between jurisdictions, and thus the assessment and management of the risk may not be universal. Legal and external counsel are likely to play a key role here in advising on this diversity of regulation and in helping to construct management controls on both a local and a pan-organisation basis.
Relationship with regulators
Particularly in heavily regulated sectors, the relationship with regulators will form an important part of the organisation’s risk management strategy, with Legal playing an important role in helping to maintain effective relations. Of course, there is a balance to be struck between having good lines of communication and being too open and conciliatory in circumstances where it is unnecessary. Good lines of communication will help with horizon scanning by enabling Legal to learn quickly about proposed changes in the regulatory landscape, and should also help to manage tensions and disputes in a way that de-escalates them wherever possible.
Three lines of defence and the role of Legal
Although Legal will often play an important role in the management of legal risks, in larger organisations they are likely to be one of a number of specialists concerned with risk management. These will typically include risk and compliance managers, fraud specialists and internal auditors.
A commonly used risk management model is known as the Three Lines system. This allocates responsibility for managing risks between three groups within the organisation, as follows:
- The functions that own and manage the risks
- Functions that oversee the risks
- Functions providing independent oversight (assurance)
In this model, the 1st line of defence rests on management controls, where operational management manage the risks in the areas for which they are accountable. This will include Legal. Depending on Legal’s areas of responsibility, it may, for example, own risks in relation to the use of external lawyers; litigation; contract management; anti-bribery and corruption; and the quality of legal advice, among others. It is for local managers to identify and assess risks and to set controls, including monitoring and reporting requirements.
The 2nd line of defence has an oversight function: to help build the architecture for the 1st line and to monitor that the different areas of risk are being adequately controlled, monitored and reported. Depending on the size and complexity of the organisation, this oversight may comprise specialist groups (including committees) concerned with areas such as financial controls, risk management, compliance, quality and security. Legal will typically be part of this second tier, looking at legal risks across the organisation, assisting with the policies, procedures and training used to manage them, advising on compliance with relevant laws and regulations, and identifying legislative and regulatory changes and their potential impact.
The 3rd line of defence is usually an internal audit function providing the board and senior management with independent oversight and assurance regarding the compliance and risk management controls operating in lines 1 and 2.
Further reading
- Legal Risk Management – A Heightened Focus for General Counsel, Deloitte Legal, 2019
- The Three Lines of Defense in Effective Risk Management and Control, IIA Position Paper