• 3 Aug 2022

Risk ownership: How legal can create a culture of accountability that helps to control costs

Businesses sometimes assume their in-house lawyers are the de facto Chief Risk Officers for their organisation. As such, the lawyers are often asked to weigh in on various risks. It seems innocent enough, but this can reinforce the perception that the legal team is responsible for all risk.

It’s a view that’s compounded when such advice is outside their immediate areas of expertise. For instance, the legal department is well placed to highlight changes in regulatory obligations in data privacy but will tend not to have the expertise to develop and assess controls. These would classically sit with the department responsible for the storage of data; often IT. 

However, in regulated industries including financial services, legislation and international standards (such as the Basel Framework) require these organisations to develop a more mature approach to risk management. 

Accordingly, many organisations follow the Three Lines of Defence Model, which supports business stakeholders to identify, size and mitigate risk. Ultimate responsibility for the management of risk sits with the board of directors, supported by the executive.

So, what can unregulated industries learn from their regulated peers?

General Counsels and legal departments are not the owners of all business risk, unless the GC dual-hats as Chief Risk Officer. However, the legal department, as business leaders, can facilitate a culture in which the risks of each business area are well understood and managed appropriately throughout the organisation.

A mature risk management model helps business stakeholders to know where responsibility and accountability sit for each business area. This allows the legal function to define its role within an appropriate operating model, with clear lines of responsibility for managing risk.

Without proper controls in place for managing risk, the organisation is exposed to unknown levels of uncertainty, including fiscal uncertainty. For legal functions, costs could arise from predictable litigation, urgent remedial compliance work, or from complex matters escalating in scope and fees with law firms. 

Invariably, any assumed responsibility for risk can strain the legal department as it strives to protect the business. We’ve observed key indications that suggest a business may be ill-equipped to identify risks and build proper controls around them. These include:

  • The legal department is in a constant state of “firefighting” where it is reacting to tactical events instead of focusing on strategic issues;
  • Matters being opened and worked on by outside counsel without the legal department’s knowledge (and by extension the GC’s), with the legal department often held accountable for overspend;
  • The amount due on law firm invoices being higher than expected and catching the legal department – and the finance team – by surprise; and
  • Difficulty in gaining a comprehensive understanding of how much the business has spent on legal services across the organisation.


These indicators are symptomatic of a legal department struggling to gain proactive control of their ongoing work, with limited ability to accurately forecast costs. For this reason, we believe legal spend management forms an important subset of a mature risk management framework.

Here are three starting points for mapping risk ownership and, in the process, taking control of legal costs:

1. Educate the business about the role of legal

The GC and the legal leaders must strive to educate their peers in business as to the role of the legal department. For many GCs, their focus is managing litigation and building the legal processes to support the business. It’s not usually possible to be responsible for all risks facing the business.

Educating the business begins with formalising the legal department’s purpose and key tasks in writing – and initiating a conversation with the C-suite and the board of directors to obtain buy-in. This will naturally lead to a discussion about risks outside of that mandate and who is the business owner of each material risk. 

2. Take a commercial view on risk management

It’s natural for business leaders to turn to legal teams for risk advice since they are generally trained to be risk-averse and practised in mitigating risks – often at any cost.

However, the assumption that any risk is to be avoided may not be in the best commercial interests of a company.  Businesses make risk-based decisions every day, for example, on entering or exiting a market or product. In many instances, the business chooses to accept a certain level of risk with associated benefits. 

Crucially, GCs may lack the skills or experience to identify risks and make a business decision on whether these require further mitigation. In this scenario, a well-implemented risk management framework could enable such organisations to take a more commercial view on risk-based decisions. Models encourage organisations to find the ‘sweet spot’ of optimal risk-taking by balancing the returns against the level of risk involved.

The key here for the legal department is to help provide the business with the tools to identify, prioritise and manage the risk for themselves – not to manage the risk on their behalf.  

3. Get the legal department’s own house in order

The legal department ought to be a model example. It must get its own house in order and effectively manage the financial, reputational and legal risks associated with its activities, including litigation. Process improvement and automation are good places to start, including the following:

  • Prevent new matters from being initiated – or existing matters from escalating – without their knowledge or visibility into the work and scope;
  • Consider the organisation’s risk, and develop business self-service options for low risk, but high-volume tasks such as routine contracts and non-disclosure agreements;
  • Manage matters and litigation including records of instruction, documents and relevant communications in one place;
  • Gain comprehensive visibility over their organisation’s total legal spend and proactively manage spending to prevent cost overruns for most matters; and
  • Collect and analyse data to drive legal decisions and better legal outcomes.


The proactive management of risks, ongoing legal matters and costs will lead to increased control within the legal department. In turn, such activities will allow legal leaders to advise their businesses with foresight and confidence.

* * *


Written by:

Genevieve Landricombe is a legal transformation consultant. She works with GCs to articulate and deliver their strategic value to organisations, from defining purpose through to the design of efficient operating models.

Nicholas d'Adhemar is a lawyer turned entrepreneur and the founder and CEO of Apperio, a legal spend analytics and matter tracking platform for in-house counsel.