Risk and Compliance

A foundation article

Have all your bases covered….

In this foundational article, we are focusing on both risk and compliance which are both fundamental to the successful running and managing of your practice.

What is risk?

The Oxford English Dictionary defines Risk as follows –

Noun     a situation involving exposure to danger i.e. “flouting the law was too much of a risk”.

Verb      expose (someone or something valued) to danger, harm, or loss i.e. “he risked his life to save his dog”.

Accepted Risk and Compliance Frameworks also need to be considered (and taken into account) when identifying what risk actually is.

One of these is the Committee of Sponsoring Organizations of the Treadway Commission or COSO as it is referred. COSO identifies how an organisation assesses risk and threats in order to undertake necessary preventative (and sometimes corrective) action in order to minimize fallback. Understanding what risk is, is therefore a key component in undertaking this assessment. COSO defines risk as follows –

“the possibility that events will occur and affect the achievement of strategy and business objectives.” Risks considered in this definition include those relating to all business objectives, including compliance.

Another accepted Risk and Compliance Framework is ISO 3100 and it’s complimentary document ISO 31022:2020 – Risk management — Guidelines for the management of legal risk, which are also crucial risk management tools to have in place. Or, at the very least, consider.

ISO defines risk as the –

“effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected”.

But with those definitions in mind, it is important to say that there is also more than one risk.

According to Investopedia –

“Risk is defined in financial terms as the chance that an outcome or investment’s actual gains will differ from an expected outcome or return. Risk includes the possibility of losing some or all of an original investment.

Quantifiably, risk is usually assessed by considering historical behaviours and outcomes. In finance, standard deviation is a common metric associated with risk. Standard deviation provides a measure of the volatility of asset prices in comparison to their historical averages in a given period.”

But risk is broken down even further than just the above.

A blog on Systematic Vs. Unsystematic Risk, divides risk into systematic vs unsystematic risk –

1. Systematic risk is risk that is associated with the mechanics of (and therefore external to a company) that will have an impact on an entire market. In other words, its what investors refer to when they talk about “market volatility”. It is largely unpredictable and uncontrollable. Its manifestations usually affect financial markets across country borders and industries, vs
2. Unsystematic risk which is risk that is asset-specific or company- specific and is often referred to as aggregate risk. It is somewhat predictable as is mostly separated into external business risk i.e. how the general public (and therefore investors) perceive a specific industry and their assumptions of how risky that industry is and internal business risk i.e. risk affects specific companies rather than industries and arises from a company’s internal affairs and performance).

And the Corporate Finance Institute then breaks down both systematic and unsystematic risks into the following categories (which they believe all risks analysts should consider) –

1. Political/Regulatory Risk – The impact of political decisions and changes in regulation.
2. Financial Risk – The capital structure of a company (degree of financial leverage or debt burden).
3. Interest Rate Risk – The impact of changing interest rates.
4. Country Risk – Uncertainties that are specific to a country.
5. Social Risk – The impact of changes in social norms, movements, and unrest.
6. Environmental Risk – Uncertainty about environmental liabilities or the impact of changes in the environment.
7. Operational Risk – Uncertainty about a company’s operations, including its supply chain and the delivery of its products or services.
8. Management Risk – The impact that the decisions of a management team have on a company.
9. Legal Risk – Uncertainty related to lawsuits or the freedom to operate, and
10. Competition – The degree of competition in an industry and the impact choices of competitors will have on a company.

What is clear from the above definitions?

Legal needs to be both aware of and on top of both systematic and unsystematic risks that may affect the industry they serve and the businesses they operate in. Whether they are in-house legal counsel or part of a larger law firm.

In other words, legal needs to have their fingers in many pies to remain well and truly informed.

In fact, Deloitte Legal have said that there is a growing expectation in the financial services industry (especially), that legal get explicitly involved in all formal risk management processes from the very beginning. You see, where risk is involved, there is a growing belief that legal risk not only needs to be properly defined but also needs to have a broad definition to incorporate legal into more (read “all”) business operations.

And it makes sense if you think about. Risk is, as can be gleaned from the above, everywhere.

Legal needs to be enabled by their organisations and/or clients to do more “just” their “day-jobs” to identify, manage and truly mitigate legal risks from the very start. Again, legal needs to have their fingers in all of a business’s pies. Legal needs to be included from the get-go, from the very point of departure of business decisions being made. And that may be a departure from how businesses currently operate by only including legal when hiccups arise. Sort of like a clean-up crew. When the opposite should be the case – start off clean, compliant and risk free.

How should a legal risk be defined?

Defining what a legal risk is, should incorporate everything from reputational impact, operating or financial losses and issues affecting the organisation’s ability to actually do business to e-financial crime and contractual and intellectual property disputes (including everything in-between). Simply put – all conduct (and inherent legal risks) that arise from an organisation’s day-to-day operations.  Legal, quite rightly, in trying to mitigate risk (which as we have seen above is literally “all around”) needs to be involved in it all.

And that may be a big ask from your legal team or legal counsel and a difficult concept for business ops to digest (let us be honest).

But it is important for an organisation to do a business wide assessment of legal risk exposure to both ascertain and understand each area of legal risk (and therefore take the necessary action to avoid it as best as one can).

Once legal risks have been identified, what happens next?

Identifying legal risks can (admittedly) be a highly subjective exercise, but when using a common framework of risk factors such as regulatory, customer, financial and reputational implications, historical loss data (where available) all whilst considering different risk event scenarios, the process is given structure and order, resulting in more objective results. And these factors all relate (in one way or another) to compliance.

The question of controls i.e. the management of different legal risks then comes into play.

Management of these legal risks will, quite obviously, vary from risk to risk. Where legal risks are low, the risk may be easily dealt with by each organisation’s in-house legal teams with minimal investment required to mitigate, manage, or control the issues. But when a higher legal risk arises, such as competition risk, more resources and investment in controls will be required to proactively bring the risk within the organisation’s ambit of control. This could require policy setting, comprehensive training programs across the business and more active review and involvement from lawyers embedded in business processes to address competition risks proactively.

Managing legal risks and imposing a set of controls to address these risks will form an important part of a legal risk management framework. The legal department will need to consider whether the legal risk controls that are put in place are effectively managing the respective risk to an acceptable level for the organisation and furthermore, whether or not more or less risk management is required.

The use of contract templates (as an example) to manage contractual risk, with responsibility for using and complying with these templates, being the responsibility of business teams, not just the legal department (who will have set the parameters for compliance). In addition, where contract risk is owned by the business, controls may require that any contract over a certain value is reviewed by the Legal function. Moreover, what checks are in place to make sure this happens? If referred to Legal, is their review checked by another lawyer, or is the organization happy that someone outside of Legal just checks that the review has occurred?

All of the steps set out above are perfect examples of what would essentially form part of a legal risk management framework based on mapped processes and implemented controls.

Of course, legal should not be expected to decide on and enforce the legal risk management framework alone (especially when developing a more mature approach to legal risk management). It is essential that organisations adopt a multidisciplinary approach to effectively advise on the best controls and mitigations on a risk-by-risk basis.

Once a legal risk framework is in place, in other words – in-house counsel and/or legal practitioners and/or law firms have not not only designed their own policy or programme but have ensured that it is actively in place (allowing them to not only learn about their policy but implement it at the same time) – a monitoring and reporting regime can then be established which will cover both the effectiveness of the legal risk management framework and flagging emerging exposures and the remediation of failures. Whether monitoring and reporting is enabled by technology or not, legal practitioners need to understand what must be monitored upfront. And this, it would seem, takes us straight back to the importance of management reporting as we set out in our article Accounting and Reporting.

All the foundational principles once again coming into play.

Compliance steps into the room

Compliance is the act of complying with a command, desire, wish, order, or rule. It can also mean adhering to requirements, standards, or regulations.

Compliance is also a fickle friend – it serves to both identify and avoid possible red flags in your business, but also shines a very bright light on any failure to comply with either law, regulation or any other standard set by governing bodies which can result in costly fines, penalties and in some cases jail-time for a business that finds itself on the wrong side of compliance. 

Put quite plainly, compliance in a business or in a company means adhering to government laws, health and safety standards, or data and security requirements. Compliance therefore becomes essential to the very existence of a business or company and therefore requires conscious recognition of the said rules and policies in place.

When you clearly meet regulatory requirements, you create a positive business reputation. And when you identify and take the necessary steps to comply with policies, relevant laws, and regulations, you can define under which framework your company should operate.

Therefore, to be compliant a company needs to meet certain requirements to run both legally and safely. And this in turn involves identifying risks and ensuring proper use of and management of the legal risk framework. The two concepts are inexplicably interlinked and yet different all at the same time.

How is risk and compliance linked?

Compliance and risk management are intricately linked. That should be quite evident.

Compliance with established rules and regulations helps protect organisations from a variety of unique risks, while risk management helps protect organisations from risks that could lead to non-compliance (which is, no doubt, a risk in itself).

Ultimately, both compliance and risk management help organisations maintain their stability and integrity on a variety of levels. In fact, an organization cannot claim that they have a robust risk management program and legal risk framework without compliance having a key role to play. 

However, their differences are worth noting because compliance-related activities and risk management-related activities deserve unique approaches and execution tactics. Here is how to compare compliance and risk management:

1. Tactical vs. Strategic: non-compliance can trigger expensive fines and penalties, as well as reputation damage, so it should not be overlooked. It undoubtedly requires a process of dotting your i’s and crossing your t’s to ensure that an organisation is obeying prescribed rules and regulations. Risk management, on the other hand, should depend more heavily on analysis to circumvent risks or determine risks worth taking, like a legal risk framework being in place.
2. Prescribed vs. Predictive: the prescriptive nature of compliance and predictive nature of risk management explains, in part, why the former is more tactical, and the latter is more strategic. With compliance, organisations must adhere to rules and regulations already in place. Risk management, however, should be less reactive. It should be able to forecast the impact risks will have on an organization—thereby creating new and innovative processes (as opposed to subscribing to established rules) that minimize risks or take advantage of their upsides.
3. Risk Aversion vs. Value Creation: complying with governance rules and regulations rarely translates into value-generating business propositions without the long-lens approach of risk management. Compliance usually stops with verification that a rule has been followed to avoid risks. The best risk management, though, can transform the necessary evils associated with compliance into a winning value proposition, and
4. Siloed vs. Integrated: compliance is often driven by a siloed compliance department or siloed initiatives in various departments. And while compliance processes certainly benefit from broad transparency, they can survive without it. Conversely, the most impactful risk management programs cannot perform in silos. Integrating departments, technology systems and processes is necessary to determine the overarching risks within an organization and how they should be managed—whether it is to avoid their implications or to drive value.

Despite the differences between compliance and risk management, the right risk management technology can address both risks and compliance issues. As we set out in our article Trend Spotting – The “Top 7” legal tech trends for 2022, regulatory tech is already on everyone’s forecast (or at least, should be) –

“Regulatory Technology or “RegTech “is not just a buzzword, it is something that is already having a major impact on regulatory compliance.

RegTech is a category of technology that assists organisations to effectively navigate distinct functions within the regulation landscape. This includes functions such as regulatory reporting and compliance, risk management, identity management and monitoring transactions.

According to Deloitte, RegTech tools for compliance combine regulation, risk assessment and risk management into a sort of compliance collaboration platform. They monitor and identify changes in the regulation landscape, evaluate the impact and disseminate the relevant information to the relevant department in a timely and efficient manner.

RegTech therefore streamlines the collation, assessment, and reporting processes to ensure compliance whilst managing and mitigating potential risks.

Looking to the future, a greater emphasis on RegTech solutions that combine machine learning technology and rules-based automation with a focus on highly practical applications, will most certainly come to the fore”.

Being an efficient, affordable, and reliable legal practice has never been easier. And has never been more necessary.

As Thomas A. Edison said –

There’s a way to do it better, find it

Just because it is a foundational principle, does not mean it cannot be improved upon. So, do that. Seek to continually improve your legal practice – incorporate legal tech to become more efficient, accurate and affordable and make an effort to boost your revenue, your productivity and client retention in order to build a successful operation.

Contact AJS today to see how we can assist you with your risk and compliance functions.  We will, no doubt, have a solution for you.

– Written by Alicia Koch on behalf of AJS