Historically, the management of legal risk has been event-driven — a response to the emergence of unexpected and untoward circumstances. For the most part, then, organizations managed risk on a piecemeal basis by calling on their in-house or external lawyers as the occasion arose. This, despite the fact that lawyers had little training in the management of legal risk, instead relying on their legal skills, their experience and their knowledge of the client's business.
“Risk considerations by legal practitioners do not typically follow a clearly defined and well described method,” says Tobias Mahler, Associate Professor at the University of Oslo's Faculty of Law, who has written extensively on the subject of legal risk management. “This is, to a certain degree, different in other disciplines, where risk-management approaches are well-defined and subject to a considerable amount of research.”
The economic crisis of the past few years, however, began to alter things. Sometime after Basel III defined legal risk as a component of operational risk, the UK's Financial Services Authority saw the regulated industry's approach to organizational risk management as so lacking that it convened a meeting of general counsel, urging them, in the words of one observer, to “get a grip on this because we really need to do something about it.”
And it's not just the impact of risk on the bottom line that is driving change. A recent survey of general counsel commissioned by UK law firm Berwin Leighton Paisner (Managing legal risk effectively – an evolving approach) attributes the increased focus on legal risk to the heightened accountability of senior management and the pressure on general counsel to manage costs proactively.
The upshot, according to the survey, is that the combination of good judgment, experience and legal expertise no longer suffices as the ultimate panacea for the legal risk management conundrum. Slowly but surely, disciplined process is entering the equation, bringing a more proactive, preventative and holistic approach that ultimately demands the creation of a comprehensive risk-management framework.
“If we could apply risk-management methods as a part of proactive legal counselling, then we might be better able to relate the legal analysis to risk management in an organization and, in addition, benefit from the structured approach provided by risk management,” Mahler says.
What ensures that this evolutionary trend will become the norm is the fact that it is client-driven from the perspective of both external and in-house counsel. “Institutions themselves are becoming more proactive about risk management, sometimes with and sometimes without the participation of the legal department,” says Grant Borbridge, Chief Counsel at the Calgary-based Emergo Group of Companies, and Chair of the Canadian Corporate Counsel Association. “Lawyers are having to catch up, but they are starting to jump on the bandwagon.”
On the other hand, old habits die hard, especially for lawyers. “A recent survey of general counsel by Legal Week suggested that, when it comes to legal risk, lawyers just don't get it,” says Matthew Whalley, Client Knowledge Manager at Berwin Leighton and head of the firm's Legal Risk & Transformation Group, an incipient and innovative practice initiative that helps key clients to identify and mitigate legal risks. “In fact, when I joined the firm in 2011, everyone knew that legal risk existed, but nobody really knew what to do with it.”
Canadian lawyers, it turns out, are in much the same boat. “I don't think that the evolution of the management of legal risk is as prevalent in Canada as it is elsewhere, but it is an interesting area that is being actively pursued,” says Borbridge.
Consequently, legal risk management is still very much event-driven. “For the most part, we manage risk by participating with management on M&A transactions, negotiating contracts, managing litigation, protecting intellectual property and complying with public-company responsibilities,” says Ricardo Trecroce, General Counsel, North America, at Magna International Inc.
But that's evolving. “We're also engaging in a more systemic approach of late,” Trecroce says. “The most significant example is the rolling out of an enhanced legal compliance program which includes the development of guidelines and significantly more training of our employees on the principles set out in Magna's Code of Conduct and Ethics.”
As well, Magna's Board of Directors has an Enterprise Risk Oversight Committee, whose mandate includes oversight responsibilities relating to the identification, monitoring and mitigation of Magna's material risk exposure and to legal and regulatory compliance issues.
Geoff Creighton, GC at Toronto-based IGM Financial Inc. and past chair of the Canadian Corporate Counsel Association, believes companies have “found religion” as to risk management generally. “There's a greater move to impose more organized structures, responsibilities and reporting,” he says. “But it's important to realize that this applies across all the elements of business and, in our company, it takes the form of everyone sitting down and brainstorming as to what bad things could happen if they didn't do their work right.”
IGM goes so far as to make an inventory of the risks, classify them by the probability of their occurrence, and consider how to deal with them and mitigate them when and if they arise. By way of example, the law department prepared a matrix of the many ways in which a misrepresentation could creep into a disclosure document, tracked the potential sources of the various misrepresentations, formulated ways to avoid the problem, and considered the responses that would best mitigate the risk if it crystallized.
“Bad things have happened over the years in disclosure documents, and what we discovered was that systemizing things – say, by always having a draft go back to someone who was familiar with the integrity of the numbers in it – could have avoided a lot of these problems,” Creighton says. “Doing this kind of analysis doesn't necessarily translate into a lot of new or different activity and it doesn't necessarily affect how people operate from day to day, but it does affect awareness by forcing people to turn their mind to risk.”
Magna and IGM, however, aren't the only Canadian companies who are reassessing their risk-management structure. “There is of late a heightened emphasis on preventative risk management on many levels, and it's become a focus for many organizations,” says Anita Dusevic Oliva, senior legal counsel and corporate secretary at Calgary-based Inter Pipeline Fund.
According to the Berwin Leighton survey, robust and clearly defined processes to evaluate legal risk on a continuous basis is the most important indicator of good risk management. “In particular, assessment processes must be specific to legal risk management, not borrowed from accountancy frameworks or imposed by an audit function. For these frameworks to be effective, they need to be adapted to the legal context,” the survey states. “The result of the process must be good reporting, ensuring critical risks are made visible to the right people as early as possible.”
The goal, then, is to ensure that the business as a whole “has a clear understanding of legal risk and the legal function has a good understanding of the business and its risk.” In other words, legal and other risk functions must be aligned, something that will occur only with proper training for lawyers in how to become proactive risk managers, and proper training for others in understanding and quantifying legal risks.
“In many cases, it's not possible to distinguish legal risk from other risk, because legal risk involves a perspective on something that is happening in the real world of things like products and finance,” Mahler says. “So what companies need is a really good interface between the responsibilities of non-legal risk managers and law departments.”
Consider, for example, that what a lawyer might assess as a high legal risk isn't necessarily a high risk in terms of the consequences in the real world. “I've always been amazed by the contractual terms lawyers negotiate on,” Mahler says. “In so many cases, they negotiate about things that have no real risk, and what they are really talking about is whether the language sounds nice or whether the contract is complete. If they understood the business impact of the language they're talking about, and took a more proactive and systematic approach, they could frequently make a far greater contribution to the interests of the company they are advising.”
The problem, says Magnus Steen, formerly Head of Legal, Nordics, at Sony Ericsson and now a private practitioner at Lindahl, a large Swedish law firm, may lie in lawyers' historical professional detachment. “Lawyers are trained to do everything themselves, but I think it's time to use business intelligence in assessing legal risk,” he says.
To this end, Steen and his team at Sony invested heavily in an agreement database and contract management templates and procedures. “If you don't have control of your company's agreements, you can't be a proactive legal risk manager,” he says.
More particularly, achieving the alignment between business units and the legal department begins with communicating proper definitions of legal risk. “Proper definitions show the business how legal risk – something that may seem rather abstract – can easily translate to an expensive business problem,” Whalley says.
As evidenced by the accompanying graphic, Berwin Leighton has identified five main categories of legal risk, all of which have two-part definitions (see p. 84). The primary definitions encompass a broad area like contractual risk while the secondary definitions use real examples to explain the application of the primary risks. “Legal risks are owned by the business, so the business should help to define and flesh out these easy-to-understand, non-lawyer definitions,” Whalley says.
Once the definitions are formulated and communicated, the second step is to quantify losses for normal and extreme scenarios. Working with the various business units, lawyers will have to identify risk thresholds that define the business's appetite for risk and measure the financial and reputational impacts.
That's not an easy task. “It's hard for lawyers to focus on attaching hard numbers to risk, because they're inclined to look for the perfect numbers,” Whalley says.
Standard operational losses from a particular risk in a typical operating environment will also have to be identified. By way of example, Whalley says that in assessing organizational contractual risk, lawyers may have to ask how many contracts currently result in disputes and determine the historical cost of those disputes. Extreme operational loss will also have to be assessed. Finally, there must be an assessment of reputational damage measured by the impact of negative press coverage and regulatory actions.
Through it all, the legal department must be careful not to get drawn into what Whalley describes as “front-line” tasks. “In-house legal can't manage legal risk on their own, nor should they,” Whalley explains. “Front-line business units are the first line of defence and they must own the risks that they're exposed to. Legal are the second line of defence and can help business units identify risks, advise on how to mitigate them, and report on overall risk exposure.”
As Whalley sees it, there are a number of techniques available to GCs to preserve their second-line role and therefore their resources. These include training front-line staff in the legal-risk message; raising the profile of legal risks so that business units spend less time fighting fires; setting up frameworks for contract governance to reduce contractual risk; ensuring that sales teams don't vary standard terms or change financial thresholds without proper approval; monitoring the legislative and regulatory risk landscape; and conducting regular assurance reviews that monitor business units' risk-management and compliance processes.
Finally, Whalley says, it's critical to report on risk clearly: “The formats will be different for different businesses, but reports that are meaningful and easy to comprehend will highlight the value of the legal team's work and analysis.”
To be sure, not all companies will have the resources or the inclination to spearhead a legal risk-management framework internally. That's where firms such as Berwin Leighton, with its Legal Risk Consultancy, enter the picture. Indeed, legal futurist Richard Susskind has argued that managing legal risk will be one of the legal profession's primary roles going forward.
“This category of lawyer is sorely needed and is long overdue,” he writes. “Senior in-house lawyers around the world insist that they are in the business of legal risk management — clients prefer avoiding legal problems rather than resolving them. And yet hardly a lawyer or law firm on the planet has chosen to develop methods, tools, techniques or systems to help their clients review, identify, quantify and control the legal risks that they face. I expect this to change. This could fundamentally change the way in which the law is practised and administered.”
“Risk considerations by legal practitioners do not typically follow a clearly defined and well described method,” says Tobias Mahler, Associate Professor at the University of Oslo's Faculty of Law, who has written extensively on the subject of legal risk management. “This is, to a certain degree, different in other disciplines, where risk-management approaches are well-defined and subject to a considerable amount of research.”
The economic crisis of the past few years, however, began to alter things. Sometime after Basel III defined legal risk as a component of operational risk, the UK's Financial Services Authority saw the regulated industry's approach to organizational risk management as so lacking that it convened a meeting of general counsel, urging them, in the words of one observer, to “get a grip on this because we really need to do something about it.”
And it's not just the impact of risk on the bottom line that is driving change. A recent survey of general counsel commissioned by UK law firm Berwin Leighton Paisner (Managing legal risk effectively – an evolving approach) attributes the increased focus on legal risk to the heightened accountability of senior management and the pressure on general counsel to manage costs proactively.
The upshot, according to the survey, is that the combination of good judgment, experience and legal expertise no longer suffices as the ultimate panacea for the legal risk management conundrum. Slowly but surely, disciplined process is entering the equation, bringing a more proactive, preventative and holistic approach that ultimately demands the creation of a comprehensive risk-management framework.
“If we could apply risk-management methods as a part of proactive legal counselling, then we might be better able to relate the legal analysis to risk management in an organization and, in addition, benefit from the structured approach provided by risk management,” Mahler says.
What ensures that this evolutionary trend will become the norm is the fact that it is client-driven from the perspective of both external and in-house counsel. “Institutions themselves are becoming more proactive about risk management, sometimes with and sometimes without the participation of the legal department,” says Grant Borbridge, Chief Counsel at the Calgary-based Emergo Group of Companies, and Chair of the Canadian Corporate Counsel Association. “Lawyers are having to catch up, but they are starting to jump on the bandwagon.”
On the other hand, old habits die hard, especially for lawyers. “A recent survey of general counsel by Legal Week suggested that, when it comes to legal risk, lawyers just don't get it,” says Matthew Whalley, Client Knowledge Manager at Berwin Leighton and head of the firm's Legal Risk & Transformation Group, an incipient and innovative practice initiative that helps key clients to identify and mitigate legal risks. “In fact, when I joined the firm in 2011, everyone knew that legal risk existed, but nobody really knew what to do with it.”
Canadian lawyers, it turns out, are in much the same boat. “I don't think that the evolution of the management of legal risk is as prevalent in Canada as it is elsewhere, but it is an interesting area that is being actively pursued,” says Borbridge.
Consequently, legal risk management is still very much event-driven. “For the most part, we manage risk by participating with management on M&A transactions, negotiating contracts, managing litigation, protecting intellectual property and complying with public-company responsibilities,” says Ricardo Trecroce, General Counsel, North America, at Magna International Inc.
But that's evolving. “We're also engaging in a more systemic approach of late,” Trecroce says. “The most significant example is the rolling out of an enhanced legal compliance program which includes the development of guidelines and significantly more training of our employees on the principles set out in Magna's Code of Conduct and Ethics.”
As well, Magna's Board of Directors has an Enterprise Risk Oversight Committee, whose mandate includes oversight responsibilities relating to the identification, monitoring and mitigation of Magna's material risk exposure and to legal and regulatory compliance issues.
Geoff Creighton, GC at Toronto-based IGM Financial Inc. and past chair of the Canadian Corporate Counsel Association, believes companies have “found religion” as to risk management generally. “There's a greater move to impose more organized structures, responsibilities and reporting,” he says. “But it's important to realize that this applies across all the elements of business and, in our company, it takes the form of everyone sitting down and brainstorming as to what bad things could happen if they didn't do their work right.”
IGM goes so far as to make an inventory of the risks, classify them by the probability of their occurrence, and consider how to deal with them and mitigate them when and if they arise. By way of example, the law department prepared a matrix of the many ways in which a misrepresentation could creep into a disclosure document, tracked the potential sources of the various misrepresentations, formulated ways to avoid the problem, and considered the responses that would best mitigate the risk if it crystallized.
“Bad things have happened over the years in disclosure documents, and what we discovered was that systemizing things – say, by always having a draft go back to someone who was familiar with the integrity of the numbers in it – could have avoided a lot of these problems,” Creighton says. “Doing this kind of analysis doesn't necessarily translate into a lot of new or different activity and it doesn't necessarily affect how people operate from day to day, but it does affect awareness by forcing people to turn their mind to risk.”
Magna and IGM, however, aren't the only Canadian companies who are reassessing their risk-management structure. “There is of late a heightened emphasis on preventative risk management on many levels, and it's become a focus for many organizations,” says Anita Dusevic Oliva, senior legal counsel and corporate secretary at Calgary-based Inter Pipeline Fund.
According to the Berwin Leighton survey, robust and clearly defined processes to evaluate legal risk on a continuous basis is the most important indicator of good risk management. “In particular, assessment processes must be specific to legal risk management, not borrowed from accountancy frameworks or imposed by an audit function. For these frameworks to be effective, they need to be adapted to the legal context,” the survey states. “The result of the process must be good reporting, ensuring critical risks are made visible to the right people as early as possible.”
The goal, then, is to ensure that the business as a whole “has a clear understanding of legal risk and the legal function has a good understanding of the business and its risk.” In other words, legal and other risk functions must be aligned, something that will occur only with proper training for lawyers in how to become proactive risk managers, and proper training for others in understanding and quantifying legal risks.
“In many cases, it's not possible to distinguish legal risk from other risk, because legal risk involves a perspective on something that is happening in the real world of things like products and finance,” Mahler says. “So what companies need is a really good interface between the responsibilities of non-legal risk managers and law departments.”
Consider, for example, that what a lawyer might assess as a high legal risk isn't necessarily a high risk in terms of the consequences in the real world. “I've always been amazed by the contractual terms lawyers negotiate on,” Mahler says. “In so many cases, they negotiate about things that have no real risk, and what they are really talking about is whether the language sounds nice or whether the contract is complete. If they understood the business impact of the language they're talking about, and took a more proactive and systematic approach, they could frequently make a far greater contribution to the interests of the company they are advising.”
The problem, says Magnus Steen, formerly Head of Legal, Nordics, at Sony Ericsson and now a private practitioner at Lindahl, a large Swedish law firm, may lie in lawyers' historical professional detachment. “Lawyers are trained to do everything themselves, but I think it's time to use business intelligence in assessing legal risk,” he says.
To this end, Steen and his team at Sony invested heavily in an agreement database and contract management templates and procedures. “If you don't have control of your company's agreements, you can't be a proactive legal risk manager,” he says.
More particularly, achieving the alignment between business units and the legal department begins with communicating proper definitions of legal risk. “Proper definitions show the business how legal risk – something that may seem rather abstract – can easily translate to an expensive business problem,” Whalley says.
As evidenced by the accompanying graphic, Berwin Leighton has identified five main categories of legal risk, all of which have two-part definitions (see p. 84). The primary definitions encompass a broad area like contractual risk while the secondary definitions use real examples to explain the application of the primary risks. “Legal risks are owned by the business, so the business should help to define and flesh out these easy-to-understand, non-lawyer definitions,” Whalley says.
Once the definitions are formulated and communicated, the second step is to quantify losses for normal and extreme scenarios. Working with the various business units, lawyers will have to identify risk thresholds that define the business's appetite for risk and measure the financial and reputational impacts.
That's not an easy task. “It's hard for lawyers to focus on attaching hard numbers to risk, because they're inclined to look for the perfect numbers,” Whalley says.
Standard operational losses from a particular risk in a typical operating environment will also have to be identified. By way of example, Whalley says that in assessing organizational contractual risk, lawyers may have to ask how many contracts currently result in disputes and determine the historical cost of those disputes. Extreme operational loss will also have to be assessed. Finally, there must be an assessment of reputational damage measured by the impact of negative press coverage and regulatory actions.
Through it all, the legal department must be careful not to get drawn into what Whalley describes as “front-line” tasks. “In-house legal can't manage legal risk on their own, nor should they,” Whalley explains. “Front-line business units are the first line of defence and they must own the risks that they're exposed to. Legal are the second line of defence and can help business units identify risks, advise on how to mitigate them, and report on overall risk exposure.”
As Whalley sees it, there are a number of techniques available to GCs to preserve their second-line role and therefore their resources. These include training front-line staff in the legal-risk message; raising the profile of legal risks so that business units spend less time fighting fires; setting up frameworks for contract governance to reduce contractual risk; ensuring that sales teams don't vary standard terms or change financial thresholds without proper approval; monitoring the legislative and regulatory risk landscape; and conducting regular assurance reviews that monitor business units' risk-management and compliance processes.
Finally, Whalley says, it's critical to report on risk clearly: “The formats will be different for different businesses, but reports that are meaningful and easy to comprehend will highlight the value of the legal team's work and analysis.”
To be sure, not all companies will have the resources or the inclination to spearhead a legal risk-management framework internally. That's where firms such as Berwin Leighton, with its Legal Risk Consultancy, enter the picture. Indeed, legal futurist Richard Susskind has argued that managing legal risk will be one of the legal profession's primary roles going forward.
“This category of lawyer is sorely needed and is long overdue,” he writes. “Senior in-house lawyers around the world insist that they are in the business of legal risk management — clients prefer avoiding legal problems rather than resolving them. And yet hardly a lawyer or law firm on the planet has chosen to develop methods, tools, techniques or systems to help their clients review, identify, quantify and control the legal risks that they face. I expect this to change. This could fundamentally change the way in which the law is practised and administered.”
