What are the legal risks addressed through legal risk management?
Rob Murray Many business and operational risks have a clear legal component. Financial risks, for example, are usually the result of contractual liabilities and a failure to secure appropriate protections. I think legal risks include legislation and associated case law in general, regulation, such as that for utilities and financial services, contractual relationships, and specific legal creations, such as intellectual property rights.
Clearly some of these create legal risks outside the control of a business, but they can be managed. Others provide a framework intended to facilitate business, and give opportunities for businesses to be, to a large extent, masters of their own future. But we do not always ensure that we use the opportunities of the law to the full, nor protect ourselves effectively against the risks it poses.
These risks are not new, so why is a new branch of risk management needed to cope with them?
Rob Murray Legal risks do not exist in isolation, nor can their relevance and potential impact be assessed in the abstract. Companies need a new way of approaching LRM. Risks need to be managed on an enterprise-wide basis, and LRM needs to be integrated with that management.
Legal matters and LRM have tended not to be central to the thinking of UK business people. They have been left to the lawyers. But Turnbull quite clearly sees legal risk as an integral part of the business process. One of the reasons given for the importance of internal control is that it assists compliance with laws and regulations. The Combined Code requires that directors maintain a sound system of internal control, and they have to conduct, at least annually, a review of the effectiveness of all internal control systems, including compliance controls and risk management. Turnbull expressly identifies certain legal risks of the legislative or regulatory nature as relevant, using the term “compliance risk”. Other legal risks, those where the business retains control within a legal framework, are inherent in risks classified as “operational” or “business”.
So the current regulatory environment requires a holistic approach to the management of all material risks, including legal risks. Common sense suggests a multi-disciplinary approach using established risk management techniques across the board.
What is on the horizon to make LRM a greater necessity?
Rob Murray Put simply, tighter corporate governance and an avalanche of new laws and regulations. A few obvious examples include the government proposals on corporate killing. They would make managers, even at a junior level, personally criminally liable. At an operational level, there is the real possibility of a chilling effect, as people take a cautious approach.
Another is competition law reform. Proposals would create new criminal offences, punishable by imprisonment, for people involved in cartels, and disqualification of directors for serious competition law breaches, irrespective of intention or knowledge, plus a range of other measures.
A third example is new employment laws prohibiting discrimination on grounds of age, religious belief, or sexual orientation, and those on wider employee consultations, which will tilt bargaining power further in favour of employees. Then there is ever-increasing environmental legislation, such as the end-of-life vehicle directive, the statutory statement of directors’ duties encompassed in new company law, and more.
What kinds of companies should consider an LRM programme?
Rob Murray Every company needs to be aware of material legal risks, and have a strategy to deal with them, but clearly the approach of an owner-managed business will necessarily be different from a multinational.
What can companies do to manage their legal risks?
Rob Murray The first step is to identify gross-level risks, which means identifying those laws and regulations which may be most relevant to the business, and focusing on the nature and extent of the risks posed. Then the task is to look forward, to determine what future legislation or regulations may affect the business, and where the opportunities lie.
Next you should look at the nature and extent of the legal risk. Key factors include the sanctions for breach. Is it a question of criminal liability? What might be the extent of civil liability? What is the risk to reputation?
Thirdly, you need to move to a net position, by taking into account the existence and likely effectiveness of risk controls, maybe through a risk audit.
At the same time a company needs to consider its appetite for legal risk. Appetite is closely linked to key aspects of business strategy. The aim is not to minimise risk at any cost, but to construct an integrated risk portfolio. The important thing is to think the issues through on the basis of good information, rather than to ignore them, or take a blind stab.
The next steps are to design or review risk management processes, conduct relevant training, embed the required culture and behaviours, and provide for regular monitoring, reporting, and reviews. The key objective is to make LRM work in practice. A paper-only system will not achieve its objectives, and may well create additional problems.
The practical issues include the availability of legal resource, both internal and external, the involvement of lawyers with the right problem-solving attitudes at the right time and the establishment of a system of controls over legislative or regulatory risks, such as a competition law compliance programme, and over other legal risks, such as policies in the field of commercial contracting.
Then there is the need to educate key people about material risks, and about the controls in place to manage them. IT tools must be used appropriately to facilitate and manage these processes efficiently, and to provide the basis for the capture and analysis of risk data and, where applicable, a due diligence defence. Implementing the controls, auditing their effectiveness and, if necessary, taking disciplinary action to enforce them is a further stage, and finally there is the need to anticipate new risks, to update to take account of changes in the law, and to keep people educated.
What particular challenges arise from commercial contracts?
Rob Murray A commercial contract is intended to provide certainty. It should record the financial terms of the deal, the parties’ respective operational obligations, and the balance, nature, and extent of risks and liabilities accepted. It should also make provision for termination, and for the practical consequences that would follow. A commercial contract should be enforceable either through the courts or through an agreed dispute resolution mechanism, and it should take account of any international element.
There are difficulties in achieving these objectives. Common problems include the contract not being written down, the governing law and the jurisdiction of the courts not being defined, or dispute resolution procedures being omitted. We see many problems arising out of failure to use standard contracts where appropriate, failure to ensure that people understand what is and is not in them, and failure to ensure that they are up to date and enforceable.
Other problems arise from failing to put limits on the authority of employees and directors to enter into contractual relationships, or to have a clear policy for keeping contractual documents. Ignorance should be no excuse; directors and staff must have the right level of knowledge and training. Misconceptions abound - for example, that contracts have to be in writing and signed to be binding.
It is often the case that legal advice is sought very late in the day. Too often, agreement on price, duration, and quantity is seen as the whole deal, with the legal stuff left to the lawyers, at best a couple of days before performance starts, and often after the event. But where does this leave issues of limitation and liability? How can risk and reward be measured without such issues being explored, and account taken of the extent and nature of insurances?
Such informality is perhaps increased by modern communications. People do deals, or parts of them, over mobile phones, not faxes. They exchange brief, often incomprehensible e-mails. Are they aware that an e-mail can amount to a contract or a material representation relied upon, and should be retained in hard copy? Or that all e-mails, even if deleted, could potentially be disclosed in litigation proceedings? Or that they can result in expensive actions for libel?
Adrian Leonard is insurance market correspondent, StrategicRISK