The idea of legal risk continues to influence the thoughts of in-house lawyers and compliance teams, yet, as recent research by Berwin Leighton Paisner emphasises, “little seems to have been done in any sector to clarify what is meant by ‘legal risk’, or to support organisations to manage it.” It’s a small survey but very interesting, mainly because it suggests that “legal risk is poorly understood outside the Office of the General Counsel (OGC)” and more particularly because “Respondents lack confidence in the organisation’s ability to manage emerging and business-as-usual legal risks.”
Whilst legislative change and regulatory activism can be seen as heading the agenda in risk circles, the report paints a disquieting picture of the ability of companies to manage ‘everyday’ risk:
…many institutions, if asked, would be unable to serve up their entire suite of contracts. Even fewer would have analysed the risks those contracts expose them to; or checked whether they are compliant with latest company policy.
Some equated legal risk with the more reactive management of legal problems when they manifest rather than the strategic assessment, prioritisation and mitigation of legal risk before it happens. That this is worrying is indicated by 80% of survey respondents expecting legal risks to cost their employers money. The critical unanswered question here is how much do they expect it to cost, but if BLP are right, then the answer would seem to be they do not know.
I am less surprised that GCs are the most confident people in the survey that they understand legal risk, and those outside in-house departments the least confident. This is to be expected; it is part of the GC function to evaluate and manage legal risk, after all, and others in the company have a different function. However, it must be troubling if legal risk is poorly understood at Board level (here the survey suggests GCs significantly overestimate their influence on strategy). Equally, only about half of in-housers below GC level are confident they understand legal risk. The figure for GCs is a modest 60%.
If in-house departments have only a weak level of understanding of legal risk, are pessimistic about their companies’ abilities to reduce their exposure, and have little or no influence on strategic decision making, then the picture looks bleak. One possibility is that in-housers are sometimes expected to both get the commercial imperatives of the company and get the backs of those taking decisions without the troublesome uncertainties of law getting in the way. The hacking and Nightjack cases might be examples of that happening. At a less dramatic level, ask the question: is your company behaving unlawfully? The honest answer of a non-confident GC in a poorly managed and led company would have to be: “Um, er, we don’t think so”, when in fact they mean: we do not know. We have of course all heard CEOs on the Today programme saying something much more robust about being reassured that they are acting entirely lawfully, whilst wondering what, really, lies underneath.
There are some signs that the commercial regulatory climate is changing and that corporates increasingly see the limits of treating legal as a kind of troublesome brake on business or a fixer. Regulatory activism (or what one of BLP’s respondents called regulator ‘antagonism’) appears crucial to this; and we may see a shift away from concerns about legal risk if regulator activity reduces. But if that does not happen, then the need for more comprehensive, sophisticated and behavioural approaches to risk grows. A place to start (and at the Centre for Ethics and Law we are conducting research on this) is to understand in depth how in-house lawyers and compliance officers understand and manage risk (anyone interested please feel free to make contact). But it will also be necessary to go further. In part, mitigating or avoiding risk may well be about systems and how ‘legal’ or ‘compliance’ genuinely influences behaviour for the better. A compliance officer friend of mine recently said, “Too many lawyers think compliance involves a code of conduct and a powerpoint”. Interestingly, some of the legal service innovators have seen this point and started to build it into their approaches: getting more for less means preventing legal risks before they manifest; reducing complexity and unpredictability of what they do whilst increasing the relevance of legal work. The really switched on ones spy opportunities to re-design how legal instruments function.
That is not to say legal risk is one more problem for which there is a technological fix. Incentives, cultures and a willingness to accept that legal must be both commercially sensitive and mindful of its rule of law obligations all very likely play a part. As knowledge of legal risk grows across the sector so, one hopes, standards can be raised to expect higher levels of know-how. An interesting challenge is what kinds of skills and knowledge are necessary if lawyers are to fulfil such a role.