Stephenson Harwood LLP hosted a seminar titled, "Legal risk management: Managing for success" on 25 February 2014. Below is a summary of the panel discussion that took place.
The Regulatory Climate
Legal risk management is as difficult as it has ever been, for two reasons. First, regulators are acting significantly more aggressively than they have done in the past, and are less willing to compromise or co-operate with companies. This has affected the initial willingness of businesses to take risks, knowing that - should regulatory difficulties arise - it will be significantly more difficult to control the outcome. Secondly, the consequences of a failure to manage risk are often worse than before: social media has now given aggrieved parties a very public forum for airing discontent, and can cause significant reputational or commercial damage to organisations that have otherwise acted entirely within the law. These issues are common to almost all businesses, who must be aware of this to manage risk effectively.
The value of risk management procedures
The panel were asked for their views on how to balance the need for both effective processes and procedures on the one hand, and for common sense and analysis on the other. In other words, how could the use of risk management processes avoid becoming a box-ticking exercise? The panel stressed that clear policies and procedures were good, not least for providing an audit trail for dealing with regulators and a guide for most employees in an organisation. However, processes and models were not an end in themselves; they are only useful to the extent that they are implemented, reviewed, and tailored to the business that is reliant on them. Problems arose not only when models of risk were unfit for purpose, but also when otherwise adequate models were followed slavishly, or relied upon without a careful analysis of relevant risks. In short, risk management procedures and models could be excellent servants in managing risk, but would always be terrible masters.
The panel discussed procedures at more length in relation to whether organisations could, and should, blame or sanction any individuals responsible for problematic behaviour. A clear escalation strategy, setting out how individuals within an organisation could seek to address problems, would assist everyone: in the event of behaviour in breach of internal policies or external legislation, issues could be dealt with in an appropriate manner without putting confidentiality or legal privilege at risk. It would also help boards not to respond rashly to problems, but to deal with individuals responsible without compromising their organisation's position or reputation. It was stressed throughout the day that ensuring that policies were both clear in theory and conformed to in practice would be crucial.
Legal risk management - fighting a losing battle?
Another issue discussed at some length was the behaviour of individuals. Arrogance or hubris on the part of individuals who believed themselves above risk management or training programmes, or people leaving a trail of documents (supposedly deleted or undetectable) that would reveal unlawful behaviour, had the potential to render risk management procedures ineffective in practice. The panel noted that, in their experience, carelessness with documents - in particular with emails - had indeed often provided regulators with a 'smoking gun', revealing unlawful intentions or actions. Arrogant or careless behaviour, however, usually came within a corporate culture that did not take risk management seriously. By contrast, many on the panel underlined the need for those at the top of an organisation to set the tone: not only taking risk management seriously, but being seen to take it seriously, was an essential part of creating a corporate culture that was sensitive to risk, and thus well placed to deal with problems before they arise.
Be aware of today's risk environment. Aggressive regulators and 24-hour media attention can make effective risk management (and certainly effective crisis management) more difficult than it used to be.
Effective risk management can never take a 'cut and paste' approach from a different business. Be aware of the particular risks facing your organisation.
Put procedures in place to ensure that these risks are managed and responsibilities are clear, and review them regularly to ensure that they are being followed in practice.