What Does Risk Look Like And Does My Business Need To Do Anything?

Introduction

A successful legal risk culture is one which provides a framework for legal risks to be identified, assessed, managed and monitored consistently at all levels in a financial institution. The key starting point is having an agreed definition of legal risk in place, one that is sufficiently understood and consistently applied across the organization.

With this in mind, legal losses in the financial services sector alone are estimated at over 100 billion per year globally. Outside the financial sector, in the US, UK, Germany, Switzerland, Brazil and Australia, businesses in the banking, insurance, manufacturing and energy sectors have incurred legal losses of a billion dollars or more. In addition, these direct costs are often dwarfed by reputational damage, which outweighs them through long-term opportunity costs as stakeholders withdraw investments or avoid doing business with the company altogether. Because the cost of getting legal risk wrong is so high, there is a clear need for all business sectors to improve their understanding of what a legal business risk is, and to invest in programs that identify and manage risk proactively before it occurs. In other words, set against the eye-watering fines imposed so far for breaches of regulations, investing in proactive risk management makes good business sense.

Case Examples

For example, in Australia, Westpac agreed to pay the largest fine in Australian corporate history, a $1.3 billion civil penalty for more than 23 million breaches of anti-money laundering laws. The biggest breach was Westpac’s failure to properly report more than 19.5 million instructions to transfer money overseas or bring foreign funds into Australia, totaling more than $11 billion. The $1.3 billion penalty is almost twice the previous largest fine of $700 million against CBA in 2018. Another case is the Petrobras corruption scandal, involving executive collusion to inflate the prices of contracts, and payoffs to lawmakers and officials to fund political campaigns.

The loss incurred was estimated at approximately 2 billion, with a 62% drop in the company’s market capitalization. In another high-profile case, Volkswagen, one of the world’s most trusted brands, designed ‘cheating devices’ into its diesel engines. The devices were installed on 11 million vehicles and worked by detecting when a car was being tested for emissions at a testing station, then adjusting engine performance to temporarily reduce emissions enough to pass the test, when in fact on the road emissions were 40% higher than at the testing station. As a consequence, VW had to make provisions of GBP 6.7B for legal risk and GBP 7.5B for ‘service measures and recalls’, and suffered a 26% drop in market value.

What is Legal Risk?

In the big picture, legal risk can result from regulatory sanctions and litigation, but it also originates from a broad set of operational interactions between business practices and the laws and regulations that apply to them. So the starting point for lawyers and operational risk managers is to find a way to articulate legal risk clearly, in a form that identifies the root interactions between law and regulation and the business from which the risk originates. However, as it stands there is no standard definition of legal risk, and the difficulty is that there is no one-size-fits-all model, mainly because each business sector has its own set of operational factors and compliance regimes distinct from other sectors.

To this end, since the year 2000 regulators and central banks including the Basel Committee on Banking Supervision, the European Banking Authority, the Bank of England and the Financial Law Panel have embraced the relationship between operating practices and legal risk and provided guidance on defining its scope and context. For example, in 2000 the Bank of England’s oversight paper introduced the concept of uncertainty in relation to the law, describing legal risk as “the risk that unexpected interpretation of the law or legal uncertainty will leave the payment system or members with unforeseen financial exposure and possible losses”.

In 2001, the Financial Law Panel gave more detailed examples of organizational legal risk, including risk in relation to IP assets such as ownership rights; liability to shareholders, or shareholders compelling action contrary to management objectives; the rights of employees or trade unions; failure to foresee the consequences of an act or omission due to failure to take appropriate legal advice; and a shortage of in-house legal advice or defects in internal procedures for identifying when legal advice is needed.

Further examples appeared in 2004 in Pillar 2 of the Basel Accord, which stated that operational risk is the risk of losses resulting from inadequate or failed internal processes, people or systems, or from external events. It includes exposure to fines, penalties or punitive damages resulting from supervisory actions or from private settlements.

In June 2015, the European Banking Authority provided final guidance on which types of operational risk loss should be recorded as legal risk. Article 4 addressed the most significant issues identified with its earlier definition, identifying three types of loss:

  • legal settlements, either judicial or out-of-court, such as arbitration or claims’ negotiations;
  • customer refunds or discounts on future services offered to customers voluntarily in response to, or to avoid, future legal risk (including those offered to customers due to the same operational risk event);
  • losses due to errors and omissions in contracts and documentation.

However, the final text is very light on real implementation guidance, and the EBA steers clear of providing a formal definition of legal risk in its guidelines, so the different elements of Article 4 have been combined here into a useful top-level definition that matches the EBA’s intent:

“Legal risk can be defined as operational risk events and losses that are triggered by a breach of obligations for the institution that derive from statutory or legislative provisions, of national or international origin, or from contractual arrangements, or internal rules and ethical conduct that derive from national or international norms and practices”.[1]

The International Bar Association also offers a definition of legal risk as being a risk of loss to an institution that is primarily caused by a defective transaction; claim (including a defense to a claim or counterclaim) being made or some other event occurring that results in a liability for the institution or other loss (for example as a result of the termination of the contract); failing to take appropriate measures to protect assets (for example intellectual property) owned by the institution; and a change in law.[2]

Additional risks include regulatory risks, such as enforcement action resulting in fines, and professional liability risks, which include lawyers acting contrary to their professional obligations. A simple yet effective definition is that “legal risk is the risk of financial or reputation loss from lack of awareness or misunderstanding of, ambiguity in, or reckless indifference to, the way law and regulation apply to your business, its relationships, processes, products and services”.[3]

Risk and Utility of Narrow Legal Risk Definitions

However, constructing a narrow definition brings its own set of problems. Some narrow definitions confine legal risk to risks that arise solely from legal operations, including resourcing decisions such as in-house provision versus the use of law firms, the quality of the advice provided by the legal department and the conduct of its lawyers. Such a definition fails to take account of the many other risks that an organization faces which have a legal component, for example financial crime, conduct risk and legal risks arising from an organization’s operations, ranging from contractual to intellectual property disputes.

In addition, primary activities may be owned by other parts of the business, and to deny the legal function responsibility for managing the legal risk inherent in those activities makes no sense and could result in responsibilities falling through the gap between the legal department and the business. Hence, many organizations apply a broad definition of legal risk which encompasses any risk faced by the business that has a legal component. Surprisingly, Deloitte’s surveys found that 41% of non-banking and 14% of banking organizations had no definition of legal risk. Where a definition was in place, it still varied widely in wording and focus, reflecting the lack of an industry standard definition of legal risk.[4]

So What Should Legal Risk Management Achieve?

What is agreed is that legal risk management systems must be capable of identifying risks that have not yet crystallized. Risks may be ‘invisible’ for a number of reasons: they may derive from legal uncertainty, or from a court interpretation of the law which is contrary to the accepted understanding of the market. Alternatively they may be ‘invisible’ in the operational sense, where the control functions of the firm, including the legal department, are not aware that individuals or divisions within the organization are not complying with legal or regulatory standards.[5] Dedicating sufficient time to addressing ‘invisible’ risks, and factoring them into the overall risk profile, is as important as tackling known and visible risks.

The concept of legal risk management also has to be forward-looking, notwithstanding the fundamental difficulties in attaining this objective.[6] Knowledge of the present law is not sufficient, and given the pace of legal and regulatory change, firms are increasingly looking for efficient and effective ways of scanning the legal and regulatory horizon. A successful legal risk framework will define the scope and parameters of legal risk, and when looking at changes to law and regulation, firms must decide whether risks should be confined to the jurisdictions in which they operate or encompass risks in any jurisdiction which may have an impact on the firm’s financial position or its reputation. It is also important that legal risks are assessed on a holistic basis, even if they are reported on a business unit basis. Assessors should take stock of trends and apply lessons learnt across the firm. Legal risk committees could serve to consolidate issues across the board and to determine the scope of the legal risks which need to be managed.

The key question to be addressed is the threshold for assessment: what are risks being assessed against? What is the firm’s ‘legal risk appetite’? Assessment of legal risks has to be accompanied by systems for their effective management. Responsibility should be assigned for assessing and managing aggregated issues across a firm. Legal risk policies for assessment must strike an appropriate balance between prescription and high-level principles. If there is too much prescription, assessors risk focusing on ‘ticking the boxes’, rather than standing back and looking at what is intended to be achieved. An overly prescriptive policy may also create blind spots or gaps for risks to fall into, even if there are sophisticated risk management processes in place. Another danger is that a narrow assessment methodology may tempt the business to circumvent legal consultation. The nature of the firm may lend itself to either a prescriptive or principles based approach, and larger firms may decide that the former would be more successful. Either way, there must be clarity around procedures, processes and responsibilities. This does not necessarily mean legal risk management should be cloaked in bureaucracy.

Final Remarks

Legal risks cut across many other forms of risk and need to be integrated into wider risk management systems. There is a tension between legal risk management and general risk management, resulting from the difficulty of reconciling the categorization of commercial risks, tailored to particular businesses and their bespoke processes, with the more sweeping scope of legal risk. Integrating the management of legal risks within the wider risk management framework may also create difficulties in preserving legal privilege, since it could lead to the circulation and escalation of information that would otherwise be privileged beyond the legal teams and into wider risk management systems. Nevertheless, there are significant benefits to facilitating closer integration of the legal function with the firm’s governance, risk and compliance management capabilities. In pure governance terms, the origination and management of legal risk remains the primary responsibility of the business.

[1] Bryan Cave Leighton Paisner, “New Guidance From EBA Keeps Ethical Conduct In Scope Of Legal Risk”, https://www.lexology.com/library/detail.aspx?g=bc62b490-2b8e-4d9e-9557-1a292e709444

[2] Karen Anderson, Julia Black, “Legal risks and risks for lawyers”, https://www.lse.ac.uk/law/people/academic-staff/julia-black/Document.

[3] Matthew Whalley, Chris Guzelian, “Legal Risk Management Handbook: An International Guide to Protect Your Business from Legal Losses”, 15 December 2016

[4] Deloitte Legal, “Legal Entity Management: Legal Risk Management, A heightened focus for the General Counsel”, https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Legal/dttl-legal-legal-risk-management.pdf

[5] Karen Anderson (partner, Herbert Smith Freehills LLP) and Professor Julia Black (London School of Economics), “Legal risks and risks for lawyers”, Herbert Smith Freehills and London School of Economics Regulatory Reform Forum, June 2013, https://www.lse.ac.uk/law/people/academic-staff/julia-black/Documents/black9.pdf

[6] Ibid.