Legal Risk Benchmarking Survey Results and analysis

Author: Dayna Pearson

About the survey

The survey was submitted to participants in electronic format by direct email and was also hosted online at the BLP Legal Risk Consultancy homepage. It attracted a good level of responses from a range of ‘C-suite’ executives across a selection of sectors including Banking, Insurance, Manufacturing, Energy and Utilities. The (close to) 100 respondents were from across the globe with a sample covering Europe, North America, South America, Africa and Asia Pacific.

Berwin Leighton Paisner LLP

Foreword

Legal risk isn’t just an issue for Financial Services. Organisations across all sectors would benefit greatly from taking a risk-based approach to their legal work.
Matthew Whalley, Head of Legal Risk Consultancy

In 2003 the Basle Capital Accord set the challenge to Financial Institutions: to create systems and controls that will contribute to the management of ‘the legal aspects of operational risk’ (legal risk). But although Financial Services dominate this area, legal risk is an issue across all sectors.

Since that initial challenge was set in 2003, little seems to have been done in any sector to clarify what is meant by “legal risk”, or to support organisations to manage it (our legal risk consultancy is a unique and recent example of a law firm taking the lead in this area).

After 10 years, how well understood is this important risk type? And how are organisations coping with the challenge to identify and manage it? Our Legal Risk Benchmarking survey set out to answer these key questions and incorporates responses from eleven different sectors across Europe, the Americas, Asia Pacific and Africa.

Legal risk should be taken seriously: two recent headline Financial Services examples show how a material legal risk – one that could have been identified and managed – has caused significant financial and reputational damage. The well-publicised PPI scandal and more recent swaps misselling scandal are predicted to cost UK high-street banks up to £22bn. And perhaps as a result of such losses, Financial Services regulators across Europe are now increasingly asking organisations to identify and manage their exposure to legal risk.

Because of this, and supported by the survey results, we believe that organisations across all sectors would benefit greatly from taking a risk-based approach to their legal work.

I hope you find the results and analysis useful and would be interested to get your views on the issues covered. If you would like to discuss any aspect of the report then please do get in touch.

Matthew Whalley
Head of Legal Risk Consultancy

Legal Risk Benchmarking Survey /01

At a glance

The following facts and figures provide a quick introduction to our legal risk benchmarking survey’s findings:

• No. 1: legislative and regulatory issues are the highest concerning factor for those who responded to the survey
• 80% of respondents expected their business to experience material losses as a result of legal risks
• 20% of respondents were confident in their ability to identify and mitigate against emerging risks within their business
• 60% of respondents overall agreed that they had a clear understanding of legal risk
• 50% of risk and compliance professionals have a clear understanding of legal risk
• 25% of CEO/Director level professionals have a clear understanding of legal risk
• 30% of risk and compliance professionals were comfortable with the position of the legal department in the 3-lines of defence model
• 25% of CEO/GC/Senior risk and compliance roles agree that legal risk analysis is used to guide strategic decision making within the organisation


Legal risk benchmarking survey: results and analysis

Our first legal risk benchmarking survey explored where organisations across sectors think their legal risk priorities are, how well legal risk is understood across different roles and how confident individuals are in their ability to manage legal risk. We draw three broad conclusions from the results, which are discussed in more detail in the rest of this document.

1. There is broad agreement on what are the top 3 legal risk priorities. The top three risks vary slightly by sector, but there is enough agreement to guide your initial work priorities and quickly begin to identify your own key legal risks.
2. Legal risk is poorly understood outside the Office of the General Counsel (OGC). To improve understanding, General Counsel should report clearly how legal risk materially impacts their organisation.
3. Respondents lack confidence in the organisation’s ability to manage emerging and business-as-usual legal risks. The legal department’s role in the 3-lines of defence is a particular weakness. To resolve this, assign clear roles and responsibilities for legal risk management within the legal department and the business.

The conclusions lead to several calls-to-action for people with existing legal risk management responsibilities and for organisations just beginning their work to identify and manage legal risks. These are highlighted in the following analysis, which I hope you will find interesting and useful in your work.

[BLP’s] effort and focus in producing this legal risk benchmarking survey should be applauded by many communities of interest – including ours. Legal risk, and how it is perceived and measured, is at the heart of Funding. Selvyn Seidel, CEO, Fulbrook Capital Management LLC

Three broad conclusions from our results

1. Top three legal risk priorities
2. Legal risk is poorly understood
3. Lack of confidence

Top three legal risk priorities

There is broad agreement on what are the top three legal risk priorities.

Our first conclusion relates to the relative priorities of different types of legal risk. In question 7 of the survey, we asked respondents to assign relative priority weights to seven risks. We also gave respondents the option to select an additional priority of their own. The chart below shows the relative priorities for legal risks across all sectors and roles. We can see that legislative and regulatory issues are a top concern by quite some margin, but contractual estate (your total body of contracts) and dispute/litigation management risk also feature.

[Chart: Relative risk weight from all responses. Risk types shown: Dispute, Mis-sell/Mis-buy, IP, Contract, Legislation/regulation, Competition, Social Media]

Regulator action is at the front of our respondents’ minds

The increasingly complex legislative landscape and proactive enforcement from regulators make legislation/regulation a natural top priority, common across all regulated sectors. This view is reinforced by respondents’ entries to the “other” question. Where respondents added their own priority under “other”, Bribery and Corruption was mentioned specifically by more than one respondent. And “antagonistic regulation” was highlighted as the top risk by a respondent from the energy sector. Regulator action is at the front of our respondents’ minds, and regulators are making increasing efforts to be clear about their approach and the serious consequences of failing to comply with regulation. The quote from the UK Financial Conduct Authority in their 2012 RCRO gives a clear steer on what UK banks, for example, should expect.

Banks appear to be focussing on issues that are receiving enhanced regulatory attention, rather than proactively considering their own risks relative to the regime as a whole.
RCRO 2012 p74

The clarity of approach means that, even with the increasingly complex legislative landscape, there are tools and services available to scan the legislative and regulatory horizon and prioritise your regulatory compliance work accordingly. Within our own firm, we already prioritise legislation according to the likely regulator action if clients get implementation wrong vs the likely additional cost to clients to comply. To help guide action, we believe you can manage these risks (within your organisation’s risk tolerance limits) by following the three steps below:

1. Assess your business model and processes against your regulator’s approach and principles, taking enforcement action into account.
2. Prioritise areas where you have the highest potential exposure to regulator or legal action.
3. Minimise exposure by improving models and processes in ways that are proportionate to the exposure identified.

Contractual risk was rated as number one priority by the second highest number of respondents

Risks arising from contractual estate were rated as the third priority overall, but were rated as number one priority by the second highest number of respondents.

Your contractual estate represents the value of your business. The sum of an organisation’s sales and supply agreements goes a long way to establishing that organisation’s commercial viability. But many institutions, if asked, would be unable to serve up their entire suite of contracts. Even fewer would have analysed the risks those contracts expose them to, or checked whether they are compliant with latest company policy. It seems that contractual risk analysis and policy compliance are at the top of the agenda for a lot of our respondents.

Dispute management was rated as the second highest priority overall

Although contractual estate was rated as number 1 by the second highest number of respondents, dispute management came second in the overall weightings.

The high ranking of dispute management is a surprise to us and possibly indicates a confusion of a key legal risk management principle: being in “dispute” is not a legal risk in itself. Dispute, in our terms, is an outcome that arises when legal risks have been mis-managed or haven’t been identified. Dispute management, on the other hand, covers (broadly) the initial and on-going strategy as well as the day-to-day details of case management. The risk of “dispute management” therefore should be easily dealt with by spending more time up-front deciding a strategy and preferred outcome with their advisors, and effectively managing the day-to-day details of the dispute process. If our assumption is correct and the real risk being rated here is the root-cause of disputes, then clearly you should as a priority focus on finding and mitigating these root-causes. By doing so, you can reduce the number of disputes you are subject to and therefore reduce your need for lawyers over time.

Legal risk is poorly understood

Legal risk is poorly understood outside the Office of the General Counsel.

The questions about legal risk priorities resulted in broad agreement across all respondent roles in all sectors. The next set of questions we will look at identified clear disagreement between two sets of respondents.

Questions 1, 2 and 4 of the survey were designed to evaluate the clarity of understanding and approach towards legal risk management. The responses show that, outside of the Office of the General Counsel (OGC), there is still some mystique surrounding legal risk.

Only 6 out of 10 respondents overall admitted to a clear understanding of legal risk...

Only 60% of respondents overall agreed that they had a clear understanding of legal risk. If we compare responses from different roles, General Counsels had the highest degree of confidence (73%), reducing to 52% for their in-house counsel. Outside of the OGC, 50% of Risk and Compliance professionals admitted to a clear understanding of legal risk, and only 25% of respondents at CEO/Director level.

General Counsels had the highest degree of confidence in their understanding of legal risk (73%), compared to only 25% of respondents at CEO/Director level.

Respondents with a clear understanding of legal risk (%)
• General Counsels: 73
• In-house counsel: 52
• Risk and Compliance: 50
• CEO/Director: 25

This finding should perhaps be no surprise. Very little material has been published that helps to clarify legal risk as more than an abstract concept. Without such guidance, should we really expect a good level of understanding, especially outside the legal department, which is alone in having daily exposure to legal risk incidents? If there is one call to action for readers of this report, it is to clarify your thinking on the ways in which legal risks affect your organisation.


To help develop understanding in this key area, we have included an extract from our own legal risk library (see table on page 08). This table is also available to download on our website.

Question 6 asked respondents to state whether legal risk information is used to inform strategic decision making at board level. The general consensus outside the OGC (around 75%) is that legal risk information plays little or no part in the strategic decision making process of the organisation.

Of respondents in particular job roles, 54% of risk and compliance respondents and 63% of respondents at board level actively disagreed with the statement in question 6. Positive disagreement is fairly unusual and so should be especially noted.

...but General Counsel are optimistic about the impact their work has on strategic decision making.

The opinion of the General Counsel is almost the exact opposite to the board. 60% of General Counsel did think that legal risk informed strategic decision making at board level, to some degree.

This difference between the General Counsel’s good understanding of legal risk and the relatively poor understanding in the board room, risk and compliance functions seems to have resulted in an overly optimistic outlook from General Counsel about the influence legal risk information has on their organisation’s strategic decision making.

To improve understanding of legal risk and move it up the agenda in the board room, GCs should take time to communicate the way they define legal risk and how it affects their organisation, and report clearly the materiality of the risk to the board.

• 63% of respondents at board level actively disagreed their organisation uses legal-risk reports to inform strategic, risk based business decisions
• 60% of General Counsel did think that legal risk informed strategic decision making at board level, to some degree.

Primary legal risk categories and definitions with examples of secondary definitions

Legislative risk
Primary category definition: The risk that the business fails to implement legislative or regulatory requirements (this often includes regulatory risk).
Examples of secondary definitions:
• Failure to stay aware of existing legislation or regulation that could impact business operations

Contractual risk
Primary category definition: The risks that your current – and future – contracts expose you to.
Examples of secondary definitions:
• Use of non-standard terms & conditions
• Technical fault: for example, lack of appropriate documentation, inadequate/unclear authorisation
• Failure to enforce or to comply with terms

Non-contractual rights risk
Primary category definition: The risk that the business fails to assert its non-contractual rights. Often called ‘intellectual property risk’.
Examples of secondary definitions:
• Management of: trademarks, patents, trade secrets, channel knowledge.

Non-contractual obligations risk
Primary category definition: The risk that the business fails to keep to the spirit, as well as the letter, of the law.
Examples of secondary definitions:
• Infringement of third party intellectual property rights
• Failure to meet requisite standard of care due to customers: for example mis-selling
• Inappropriate use or management of social media

Dispute risk
Primary category definition: The risk that the business makes operational or strategic errors when it manages disputes.
Examples of secondary definitions:
• Failure to adhere to dispute resolution timelines or other mismanagement of the dispute process
• Inappropriate strategy or resolution regime

It is good to see a law firm help their clients be pro-active about this risk rather than simply addressing the impact when it materialises. Stephen Allen, PwC


Respondents lack confidence

Respondents lack confidence in the organisation’s ability to manage emerging and business-as-usual legal risks.

We have seen that the survey identified a gap in understanding of legal risk and how it materially affects the organisation. The last of our three core conclusions concerns organisations’ ability to mitigate against legal risks. Questions 3 and 5 asked respondents to rate their ability to prevent emerging risks (Q3), and how likely they are to experience material legal risks in their day-to-day activity (Q5). The answers revealed a striking lack of confidence from respondents in their organisation’s ability to identify and mitigate against either kind of legal risk.

Only 2 in 10 respondents were confident in their organisation’s ability to manage legal risk.

When asked about the ability to identify and mitigate against emerging risks, or “unknown unknowns”, 80% of respondents had little or no confidence in their ability to do so. By their nature, you would expect emerging risks to be difficult to identify and therefore to mitigate against. And a degree of doubt here is healthy, and can lead to good forward looking analysis. But if organisations were actively participating in scenario planning to test the likelihood and impact of plausible but unlikely events, for example, you would expect confidence to be higher.

And business-as-usual activities shouldn’t be expected to give rise to material legal risks. 8 in 10 respondents actually expected their organisation to experience some level of material legal risks as part of their business-as-usual activity. It is very difficult to see respondents’ lack of confidence in any kind of positive light.

Overall, and taking the responses at face value, much more work needs to be done simplifying and explaining day-to-day and forward looking legal risk identification and mitigation techniques, and putting in place robust mitigation controls that instil confidence in the organisation.

You should clarify the roles and responsibilities the legal department has to identify and manage legal risks.

The positioning of the legal department within the operational risk defence model (often called “3-lines of defence”) should support the organisation to proactively identify and manage legal risk. However, only 3 in 10 risk and compliance professionals surveyed were comfortable with the position of the legal department in the 3-lines of defence model - and only 2 out of 10 General Counsel were comfortable with the positioning of their own function. It is therefore quite clear that the roles and responsibilities for legal risk management need to be clarified for both the legal department and the business units.

Anecdotally, we see an unhealthy obsession with debating the three lines of defence model. We would prefer risk, compliance and in-house legal to focus on how they can affect the way individuals make the decisions that expose their organisations to legal risks. It may not be a simple task, but positively influencing behaviour is the key to proactively mitigating risk. The position of the legal department should support behavioural change at the macro and at the micro level.

Next steps

If you are considering implementing a legal risk management framework, or simply want to improve what you have, then you should:

1. Define legal risk and how it affects your organisation
Legal risk affects individual organisations and sectors differently. To quickly get a high-level view of how to structure your efforts, start with a review of the 5 legal risk categories described on page 08.

2. Clearly allocate responsibilities for legal risk identification and management
Consider separating responsibilities for identification, management and assurance. And make sure your governance structure encourages open communication across business lines and legal teams.

3. Prioritise which legal risks are of most concern to you
After you’ve identified your legal risks, assess them to see which represent the most significant threat to your organisation. And put controls in place to mitigate them.

4. Analyse the level of exposure and the root-cause of the risks and take proportionate mitigating action
Capture incident data and use forward looking indicators to quantify expected and unexpected losses in your chosen legal risk categories.

5. Report clearly the materiality of legal risks to the board
As well as affecting capital allocation decisions, significant legal risks should be taken into account in board level decision making. Report clearly the materiality of your overall legal risk exposure, and highlight incidents within individual business lines that are above agreed loss thresholds.

Appendix 1: Analysis of respondents

Analysis of responses by role, geography and sector

51 respondents were from within the in-house legal department (general counsel or other in-house legal role). 10 were at board level (CEO or equivalent), 13 were in senior risk and compliance roles.

Financial services was the best represented sector (37%). Other significant sectors identified were: IT, Media & Telecoms (15%), Legal services (13%) and Energy & Utilities (7%).

Geographically, the survey is predominantly biased towards the UK and western Europe (72%) but does have a good dispersion around the rest of the world: 4% from North America, 3% from Latin America, 6% from Africa and 8% from Asia Pacific.

[Chart: Job roles of respondents (%). Categories: General Counsel, In-house lawyer, Risk/compliance, Other, CEO/Director]

[Chart: Geography (%). Categories: Europe, North America, Latin America, Africa, Asia Pacific, Other]

[Chart: Respondents by sector (%). Categories: Financial Services, IT, Media & Telecoms, Legal services, Energy, Manufacturing, Public services, Education, Construction and engineering, Pharma/Life Sciences, Retail and Leisure, Transport and Logistics, Other]

Appendix 2: Question by question responses

Question 1

I have a clear understanding of what legal risk is, and how to manage it in my organisation

Question 2

I am comfortable with the legal team’s role and positioning within my organisation’s operational risk management role (often known as “3-lines of defence”)

Question 3

I am confident in my organisation’s ability to identify and mitigate against emerging legal risks, or “unknown unknowns”

Question 4

In my organisation, responsibilities to identify, quantify and manage legal risk are clearly defined and allocated

[Charts for Questions 1 to 4: share of responses on the scale Agree, Agree slightly, Neither agree nor disagree, Disagree slightly, Disagree]

Appendix 2 (continued): Question by question responses

Question 5

Material legal risks are likely to arise from my organisation’s current daily, operational, business-as-usual activities

Question 6

My organisation uses legal-risk reports to inform strategic, risk based business decisions

[Charts for Questions 5 and 6: share of responses on the scale Agree, Agree slightly, Neither agree nor disagree, Disagree slightly, Disagree]

The potential impact of business risks that result from law and regulation are largely misunderstood. Losses are often written off as ‘operational failings’ because they materialise outside of the legal team. And the importance and underlying reasons for such losses are often missed. With greater knowledge and focused management, many organisations can greatly reduce the impact of these [legal] risks. Stephen Allen, PwC


Question 7

Rate the following seven legal risk areas in order of seriousness, from 1 to 8 (where 1 is the most serious and 8 the least).

We analysed this in two ways, first by risk type ranking and then by ranking the overall priority for each risk factor.

[Charts: Risk type ranking, in four panels (Rated 1 or 2; Rated 3 or 4; Rated 5 or 6; Rated 7 or 8). Risk types shown in each panel: Dispute, Mis-sell/Mis-buy, IP, Contract, Legislation/regulation, Competition, Social Media]

Relative risk weight from all responses

[Chart: Relative risk weight from all responses. Risk types shown: Dispute, Mis-sell/Mis-buy, IP, Contract, Legislation/regulation, Competition, Social Media]

We were able to separate responses from respondents in two sectors: Financial Services and IT, Media & Telecoms (overleaf). Looking at the comparative results, we see that financial services are more concerned about legal risk (the size of the columns overall); and with good reason given current regulator scrutiny.

Other sector groups generally followed the same trend with slightly different priorities outside of legislative/regulatory landscape and dispute/litigation management. Contract and IP, for example, were rated more serious for IT, Media & Telecoms, and dispute much less seriously (Fig. 1 and 2).

At the lower end of the scale overall, social media is the lowest weighted in financial services, perhaps due to the emerging nature of the medium, but also perhaps due to the relatively low losses incurred to date, when compared to the other risk examples. And where social media is concerned, there are differences between sectors. When looking at social media risk within, for example, IT, Media & Telecoms, it is rated a higher threat than dispute management (Fig. 2).

[Fig. 1: Relative legal risk weightings: Financial Services vs All Sectors. Risk types shown: Social Media, Competition, Legislation/regulation, Contract, IP, Mis-sell/Mis-buy, Dispute]

[Fig. 2: Relative legal risk weightings: IT, Media & Telecoms vs All Sectors. Risk types shown: Social Media, Competition, Legislation/regulation, Contract, IP, Mis-sell/Mis-buy, Dispute]

Getting in touch

When you need a practical legal solution for your next business opportunity or challenge, please get in touch.

London
Adelaide House, London Bridge
London EC4R 9HA
England

Matthew Whalley
Tel: +44 (0)20 3400 3587

About BLP

Today’s world demands clear, pragmatic legal advice that is grounded in commercial objectives. Our clients benefit not just from our excellence in technical quality, but also from our close understanding of the business realities and imperatives that they face. Our achievements for clients are made possible by brilliant people. Prized for their legal talent and commercial focus, BLP lawyers are renowned for being personally committed to clients’ success. Our approach has seen us win five Law Firm of the Year awards and three FT Innovative Lawyer awards. With experience in over 70 legal disciplines and 130 countries, you will get the expertise, business insight and value-added thinking you need, wherever you need it.

Expertise
• Commercial
• Competition, EU and Trade
• Construction
• Corporate Finance
• Dispute Resolution
• Employment, Pensions and Incentives
• Finance
• Funds and Financial Services
• Intellectual Property
• Legal risk consultancy
• Private Client
• Projects
• Real Estate
• Regulatory and Compliance
• Restructuring and Insolvency
• Tax

Clients and work in 130 countries, delivered via offices in: Abu Dhabi, Beijing, Berlin, Brussels, Dubai, Frankfurt, Hong Kong, London, Moscow, Paris and Singapore
www.blplaw.com