Typically, most modern organizations will have a well-defined and properly fleshed-out Risk Management Process by which significant risks are monitored and reported. Whether or not legal risk is itself a defined category of risk or is a sub-set of other key risks, it is important to have a methodology for reporting on legal risks wherever they sit in the risk management framework for the organization. This may include the use of key indicators of risk levels and thresholds through dashboard reports, using a traffic light system to indicate current compliance levels. Periodic stress testing and reports from risk owners will often also be part of the reports escalated to different levels of management and the board.
What are the “Three Lines of Defense”?
Although Legal will often play an important role in the management of legal risks, in larger organizations they are likely to be one of several specialists concerned with risk management. These will typically include risk and compliance managers, fraud specialists and internal auditors.
A commonly used risk management model is known as “The Three Lines” system. This is a method of risk management that allocates responsibility for managing risks between three groups within the organization on these lines: –
▪ The functions that own and manage the risks
▪ Functions that oversee the risks
▪ Functions providing independent oversight (assurance)
FIRST LINE OF DEFENSE
In this model, the 1st line of defense rests on management controls where operational management manages the risks in the area for which they are accountable. This will include the organization’s Legal Department. Depending on Legal’s areas of responsibility they may, for instance, own risks in relation to the use of external lawyers; litigation; contract management; anti-bribery and corruption; and the quality of legal advice, among others. It is for local managers to identify and assess risks and set controls, including monitoring and reporting requirements.
SECOND LINE OF DEFENSE
The 2nd line of defense has an oversight function to help build the architecture for the 1st line and to monitor that different areas of risk are being adequately controlled, monitored, and reported.
Depending on the size and complexity of the organization, this oversight may comprise specialist groups (including committees) concerned with areas such as financial controls, risk management, compliance, quality, and security.
Legal will typically be part of this second tier, looking at legal risks across the organization, assisting with policies, procedures, and training to manage them, compliance with relevant laws and regulations and identifying legislative and regulatory changes and their potential impact.
THIRD LINE OF DEFENSE
The 3rd line of defense is usually an internal audit function providing the board and senior management with an independent oversight and assurance regarding compliance and risk management controls operating in lines 1 and 2.
How to manage relationship with regulators?
In heavily regulated sectors, the relationship with regulators forms a critical part of the risk management strategy of the organization with Legal playing an important role in helping maintain effective relations.
Now, of course, there’s a fine balance that needs to be maintained between having good lines of communication and being too open and conciliatory in circumstances where it’s unnecessary. Good lines of communication will help with horizon spotting by enabling Legal to learn quickly about proposed changes in the regulatory landscape and should also help to manage tensions and disputes in a way that de-escalates them, wherever possible.
Global aspects
In a multi-national organization, legal risks will not only arise across the organization, but they may also vary in different jurisdictions and thus the assessment and management of the risk may not be universal. Here, Legal and external counsel are likely to play a key role in advising on this diversity of regulation and in helping to construct management controls on both a local and pan-organization basis.
Smart working
Legal’s advice to other areas of the organization on legal risks that arise in their respective operations will play an important role in how well these risks are managed. To help business colleagues become familiar with legal risk and to help them in assessing it, it can be useful for lawyers to incorporate in their advice the impact of the legal risk by reference to the framework of risks utilized by the organization – finance, customers, operations etc.
Additionally, the legal risk can be quantified by reference to a narrative summary complimented, where possible, by a defined percentage range or ‘score’ in respect of each affected business area.
To summarize…
The increasing complexity of laws and regulations impacting organizations and the financial and reputational consequences of non-compliance, that have been highlighted in some recent high-profile failings, has meant that in-house legal teams now often play a more critical role in their organizations in relation to the identification and management of legal risks. Thus, Legal’s role in identifying, managing, and mitigating risks cannot be emphasized enough, in today’s modern organizations.
