Professional Documents
Culture Documents
DTTL Legal Legal Risk Management
DTTL Legal Legal Risk Management
DTTL Legal Legal Risk Management
Contents
Foreword 3
What is legal risk? 5
Accountability 6
Assess and control 8
Monitor and report 11
Technology 12
Interaction with regulators 14
In time... 15
Contact 17
2
Legal Risk Management | A heightened focus for the General Counsel
Foreword
Companies, their boards and General and legal-specific ones, which we explored
Counsels (GCs) face a constantly evolving in ‘What’s Your Problem? Legal Technology.’
landscape with exposure to financial and As the Legal function transforms, so does
reputational losses if legal risks develop. the way in which it contributes to the
This has created an expectation that in- organization’s risk management, playing
house Legal teams will do more to identify, a greater and more proactive role than
manage and mitigate the legal risks in their has historically been the case. This has
organizations. In the financial services resulted in more explicit consideration of
sector, there is increased regulatory what constitutes legal risk, how it should be
interest, particularly looking at how Legal managed and by who.
fits into the wider organizational risk
framework. These combined pressures This point of view looks at the key
are causing organizations to identify and considerations in approaching legal risk
manage more effectively the overlaps and management and examines the steps
gaps between Legal and the business being taken in getting to grips with legal risk
(including other functions). management. As part of our research, we
surveyed a large number of businesses in
GCs are re-evaluating their operating multiple sectors to compare and contrast
models as discussed in our paper their relative maturity levels*, and provide
‘Optimizing your organization’s in-house our view of what the future holds in relation
legal operating model.’ In-house Legal to the management of legal risk.
teams are also making greater use of
technology, both enterprise-wide systems
loss
law
fines
proceedings
rights
contractual
actions
penalties
regulatory
litigation obligations failure loss
damages measure
risk
statutory law
reputational breach
contractual
damages
financial
legal
breach
inadequate
financial
* See page 18 for more information about our survey and methodology.
3
Legal Risk Management | A heightened focus for the General Counsel
What organizational
What interaction
structure and skills
is there with
are needed to
regulators around
ensure appropriate
legal risk/legal risk
management of
management?
legal risk?
Who in the
How can technology organization is
enable better legal primarily accountable
risk management? for legal risk
management?
4
Legal Risk Management | A heightened focus for the General Counsel
A separate risk
In the past, GCs and organizations have often not considered
legal risk as a category in its own right and it has been subsumed
within other risks rather than being explicitly identified in
risk management frameworks managed by Operational Risk,
Compliance or Internal Audit. This may have been the case for
financial services because Basel II defined legal risk as being a part
of operational risk. Another reason for this lack of identification
of legal risk in its own right could be because of its comparative
lower profile when compared to other risks arising from financial
crime, conduct and duty of care, IT and cyber security which can
have a much larger impact on the viability or capital adequacy of
an organization. However, the level of fines for many businesses
over recent years has driven significant changes in the profile of
legal risk in those organizations and peer group companies.
5
Legal Risk Management | A heightened focus for the General Counsel
Accountability
On a narrow definition of legal risk, it is do, what not to do and the implications check the work of the Legal function. This
clear that the GC and the Legal function are if specific legal risks are not properly is discussed further in the section entitled
accountable for identifying and managing managed. “Monitoring”.
those risks which arise from Legal’s
operations. In the three lines of defense Global implications Policy ownership
model, a commonly used risk management In multinational corporations, there is Policies are a common approach to driving
framework across the survey participants a significant coordination and horizon- clear accountability for management of
(70%), the Legal function is the first line scanning role for Legal. Across the risks across an organization. Many Legal
and others (typically Risk and Compliance) organization’s geographical footprint, functions have policies concerning their
need to fill a second line role in relation to Legal needs to understand the legal risks use of law firms/other third parties, for
these risks. arising in each country and how some when a mandatory referral to the Legal
risks may cross borders, potentially function is required and some will have
However, the consensus is that a broader creating a double or multiple exposure policies for specialist areas.
definition of legal risk should get more if the risk materialises. Understanding
focus from the Legal function. Every the consequences of a breach for the The survey results illustrate Legal is not
operation and function of an organization organization, its directors or individual usually accountable for all areas that give
runs risks which need to be controlled or employees is essential in determining the rise to legal risk; for example, Conduct
avoided. Many of those risks have a legal risk appetite and the efforts which should and Anti-bribery will often sit under
component. Legal needs to work across the be deployed in managing or avoiding Compliance. This highlights the importance
organization to identify those legal risks, the risk. Where significant penalties are of clear accountability and agreed roles
set the appetite for each risk and agree involved, such as for failures in relation to and responsibilities between Legal, other
the roles and responsibilities for legal risk the GDPR, or criminal sanctions, as can functional areas and the business to
management including accountability and be the case where corrupt practices are ensure that legal risk does not “fall between
the controls or other mitigation measures uncovered, Legal will need to work with the cracks”.
to implement. GCs and risk specialists will other specialists and in-country teams
need to collaborate to develop an effective to raise awareness of the corporate and
framework that captures the multitude of individual consequences of particular
In the three lines
legal risks that exist in organizations and risks crystallizing. For some groups, this of defense model,
design controls to mitigate the most critical. has involved shutting down operations in
certain jurisdictions or not trading with
a commonly used
Who owns the risk? them, managing the risk by avoiding it. risk management
Ownership of risk will be determined
by the structure of the organization Independence
framework across the
and where the expertise sits to manage It is accepted that the GC and the Legal survey participants
it. On a broader definition, business function need to maintain a degree of
management own legal risk (including the independence from the organization
(70%), the Legal function
GC in respect of legal operational risk) they serve to maintain their objectivity in will most often play a
and Legal and other functions provide providing advice. Where Legal is filling a
support and advice. Where business first line of defense risk management role, a
combination of a first and
functions have first line responsibility for robust second line would ideally be in place second line role depending
legal risk management, Legal’s role is to to avoid the potential (real or perception)
establish policies, raise awareness, advise that Legal’s objectivity is compromised.
on the activities
and monitor the effectiveness of controls This is best achieved when those acting
and mitigations. Legal needs to educate as the second line sit outside the Legal
business management so that they are function. However, this is when problems
better able to manage legal risk – what to emerge as it is difficult for non-lawyers to
6
Legal Risk Management
Legal| Entity Management
A heightened focus for|the
Beyond
General
compliance
Counsel
90
80
Number of organizations surveyed
70
60
50
40
30
20
10
0
s
es
ty
ns
ct
er
en
m
he
ac
io
io
du
er
th
ut
t io
Fir
ti t
pt
em
ri v
ac
op
O
sp
n
isi
pe
ru
re
aP
Co
aw
ag
Pr
di
qu
r
m
/b
Co
n/
an
t
L
al
Ac
Da
Co
s
t io
of
tu
ge
M
d
s&
an
e
iga
ec
an
ct
Us
ll
t ra
r
ry
ch
Lit
te
ge
e
n
In
er
ib
Co
io
Br
M
at
ti -
isl
An
g
Le
* See page 18 for more information about our survey and methodology.
7
Legal Risk Management | A heightened focus for the General Counsel
8
Legal Risk Management | A heightened focus for the General Counsel
Strategy and operating model which the organization is either selling comprehensively managed and ensuring
implications or purchasing. Across the respondents that Legal maintains its independence and
Assessment of legal risk and where legal to our surveys, legal risks are generally doesn’t “mark its own homework” by filling
resource should be invested and focused managed using the organization’s own first and second line roles in relation to the
should be a key driver in deciding the company-wide, operational risk system. same risk. The three lines of defense model
strategy and legal operating model for Fewer than 10% of respondents to both can also be a useful framework to define
an organization. Which activities Legal our surveys use a legal specific risk what monitoring requirements should be
will continue to own and which will be management system. put in place to manage legal risk.
managed elsewhere, the nature of legal
expertise required, the balance of in-house Some organizations see the discipline Awareness raising
resource and external counsel and the use of legal risk management as a key area Legal’s advisory function is critically
of technology are all decisions that should of expertise for future leaders of the important to helping other parts of the
be influenced by the legal risk profile of Legal function. In others, responsibility organization to understand the legal
an organization. for managing legal risk is rotated around risks involved in their activities, mitigating
different lawyers in the team to further risk through awareness raising rather
Work with experts build expertise and develop career paths. than leaving non-legal colleagues to
Legal should not be expected to do it alone We discuss this further in the section manage legal risks or to apply controls
when developing a more mature approach “Monitoring”. by rote without understanding the risk
to legal risk management. It is essential which the control is designed to mitigate.
that organizations adopt a multidisciplinary Three lines of defense This upskilling can be achieved without
approach which leverages the skills of the Many organizations—two thirds of non- making everyone in the organization a
Legal Chief Operating Officer (if they have banking respondents and all apart from legal expert. In the same way, risk and
one), legal project management specialists, one of the banks we surveyed—apply technology specialists can raise awareness
risk experts who are able to advise on the the three lines of defense model in the within Legal of best practice approaches
best controls and mitigations on a risk-by- management of legal risk. Unsurprisingly, to risk management and help Legal to
risk basis and technologists to advise on given that a broad definition of legal risks understand new technologies. That
the best technology to use for legal risk dominates, Legal often operates in a mix of way, legal risks inherent in them can be
management purposes. These risk and first line and second line risk management identified and managed.
technology specialists can also help Legal roles. The most important consideration
to identify new risks in new technologies is to make sure the legal risks are
9
Legal Risk
Entity
Management
Management
| A| heightened
Beyond compliance
focus for the General Counsel
10
Legal Risk Management | A heightened focus for the General Counsel
Technology
The use of technology to enable better effectively managing those legal risks which •• Horizon scanning of large volumes of
management of legal risk is a developing have crystallized. Resource allocation internet data and websites to identify
area. In our survey, the most common technology allows Legal to profile its legislative changes
use of technology was organization- workload and make sure it is focused on
•• Litigation predictive analytics using large
wide operational risk systems to help the right things. For example, tooling could
volumes of case precedents to better
identify, assess and report on legal risk help to identify the number of incidents
inform legal decisions to settle or fight
and control across the organization. across the organization in relation to
However, outside of this, there was very specific risks so that effort can be directed •• Chatbots covering legal policy areas
little use of technology to manage legal risk. to monitoring and potentially identifying providing greater management
As technology matures in the legal sector, the root causes of areas of heightened legal information and insight to the type of
this is an area we anticipate will evolve risk. In this way, technology increases risk questions coming into the Legal function
significantly. oversight and control providing Legal with and trends/potential risk areas
greater visibility across an organization.
•• Whistleblowing
A changing skills mix It provides increased coverage of business
As legal risk management moves up the activities than would be possible through a
corporate agenda and Legal functions purely manual, people-based approach.
refine their operating models, technology
is receiving increased focus. This is Use cases
reflected in the recruitment by some of Other areas in which technology is
the technologists and data scientists, and increasingly being used as a component of
the use of technology to automate some legal risk management include:
tasks and provide insightful reporting.
•• Non-compliant event reporting. Although
Legal’s needs are likely to be met through
dependent on access to data, through
a combination of risk management-specific
the use of technology this can be turned
tooling and the incorporation of legal risk
into insights to help strengthen legal risk
parameters into other technologies. For
management
example, contract management technology
could analyze contracts to identify higher •• The creation of management information
risk clauses or include prohibitory controls (MI) which ensures that the whole
which reflect the organization’s legal risk organization has visibility on risk areas
appetite to prevent the execution of a and can plan for and mitigate these risks
contract which falls outside the appetite. effectively
An organization might have certain
•• Exchanging information with regulators
categories of assets that it was prepared to
to demonstrate that measures are in
accept or pledge as collateral for a contract.
place to improve compliance
If the operations department attempted
to complete a contract with unacceptable •• Fraud monitoring and detection, and call
collateral, the system would reject the monitoring especially in environments
contract. which combine huge transaction volumes
with the need for rapid reporting
Quality data
•• eDiscovery
Technology can also support monitoring
and reporting by enabling an auditable •• Case management tooling allowing for
environment, allowing access to data cases to be risk-rated
and improving reaction times for both
proactively mitigating legal risks and
12
Legal Risk Management | A heightened focus for the General Counsel
Identification, assessment and reporting of risks and controls Enterprise risk management systems
Here are some
Transparency and reporting of legal activity and risk profile Matter management & eBilling examples of
technology use
cases available
Managing legal instructions and business self service Workflow
to improve the
management
Managing documentary information Document management system of legal risk
13
Legal Risk Management | A heightened focus for the General Counsel
14
Legal Risk Management | A heightened focus for the General Counsel
In time…
As organizations become increasingly
Fit for the future legal risk management will:
mature in their identification and
management of legal risk, we can expect
to see legal risks separately identified •• Define legal risk and its boundaries with other risk areas
and included in an enterprise’s Risk
Management Framework. This change of
approach and mindset will enable Legal
•• Assess legal risk using a robust framework informed by data and
to respond more effectively to increased scenario planning
expectations and contribute to competitive
advantage by controlling legal risks arising
across the organization’s operations. •• Define legal risk appetite at an individual risk and organization-
wide level prioritizing and focusing resources on risk
management activities effectively
Lessons will be learned from today’s
approach to monitoring and reporting
of litigation risk, market risk and for •• Apply the three lines of defense model to ensure appropriate
financial services companies, credit risk. accountability, independence and assurance over legal risks
Monitoring, measurement and reporting
will become more formulaic, with the
•• Report legal risks and the effectiveness of controls to the board
use of key risk indicators to reduce the
and appropriate committees against a clear risk framework
degree of subjectivity in what should be
reported. The measurement of legal risk
will become increasingly prevalent as legal
operating models leverage technology to •• Include objective key risk indicators in their reporting
capture the underlying data and present
it together with insights into root causes
and recommendations that make legal risk •• Use technology in the management of legal risk to provide broader
management increasingly robust. risk and control oversight and visibility across the organization.
15
Legal Risk Management | A heightened focus for the General Counsel
1 2
Identify Assess
Understand the risk universe to help Define and embed a risk assessment
identify the legal risks which could have process to assess the level of legal risk
a material impact on the organization’s exposure against an agreed set of risk
business strategy or objectives factors (e.g., regulatory, customer, financial
and reputation implications)
Clearly define what constitutes legal risk so
this is understood across the organization Set risk appetite thresholds for legal risk
areas
Ensure clear ownership for risks between
Legal and other functional areas such as
Compliance
4 3
Monitor & Report Control
Design a methodology for assessing the Embed a control framework to bring
effectiveness of the control environment residual legal risk within risk appetite
(e.g., key control indicators, control testing,
control owner attestations) Determine the level of investment in control
and the appropriate balance of proactive/
Report residual risk profile for legal reactive depending on risk appetite
and control effectiveness to relevant
governance forums Control measures could include policy
setting, guidance and self service tools,
training, thresholds for escalation to legal,
provision of legal advice, horizon scanning,
issue management, use of technology to
drive control
16
Legal Risk Management | A heightened focus for the General Counsel
Contact
At Deloitte, we have a broad range of skills to assist you in evaluating your current approach to legal risk management and identifying focus
areas to minimize the threat of legal risks crystallizing. We use multifunctional teams with expertise in Legal Operations, Risk Management,
Technology and Change to equip your organization for the future.
17
Legal Risk Management | A heightened focus for the General Counsel
18
Legal Risk Management | A heightened focus for the General Counsel
Deloitte Legal means the legal practices of Deloitte Touche Tohmatsu Limited
member firms or their affiliates that provide legal services. In the UK, Deloitte
Legal covers both legal advisory (regulated by the Solicitors Regulation
Authority) and non SRA regulated legal consulting services. For legal,
regulatory and other reasons, not all member firms provide legal services.