The panel of experts discusses using data to horizon scan, identifying key legal issues through management information and how their firms are helping clients reduce costs related to legal risks.
Q: What are your clients saying about the type and profile of the legal risks they are facing, and how are these risks changing?
Matthew Whalley, head of the legal risk team for financial services, EY: Most of the risks we discuss with clients are strategic rather than transactional. There is continuing concern around legislative and regulatory risks, of course. The level of legal loss associated with getting legislative or regulatory compliance wrong has increased massively since 2013. But we’re also seeing more contract risk projects, with concern among some businesses that risk baked into contracts will come back to bite.
Muriel Marseille, head of risk assessment, Ashurst: Recent laws such as the UK Modern Slavery Act reflect a rapidly growing regulatory focus on ethical sourcing and supply chains more broadly, and this has also meant an increased compliance burden for clients and their legal advisers. Clients who fail to comply with the expanding regulatory framework obviously run the risk of fines, loss of business and reputational damage. Risk of non-compliance in this area can be managed and largely mitigated as clients can prepare in the lead-up to the implementation of new laws and rules.
In terms of emerging risks, many clients cite tackling cyber crime as a priority. This is a new type of risk with no publication or implementation date. The nervousness around this high-profile risk is justifiable; being subject to a cyber attack can be commercially damaging and costly.
Another emerging risk relates to the economic impact of uncertainties in the political landscape, from Brexit to the suspension of Iranian sanctions. The complexity of the considerations needed to ensure protection of clients has increased significantly.
“The nervousness around cyber crime risk is justifiable”
Akber Datoo, partner, D2 Legal Technology: Regulatory issues dominate the legal risks of most concern to our clients, which is to be expected in the financial services industry. The political and public anger after the financial crisis is still present, meaning it has the potential to result in high-profile and material losses to the business. The swaps mis-selling scandal illustrates this perfectly.
The risks are becoming multi-faceted and more complex due to a lack of harmonisation of regulation across jurisdictions and the speed at which regulations are being written. Underlying client business models do not have the ability to evolve and mature at a sensible pace. This is why legal risk is so high on the agenda, although it still feels like clients are having to play catch-up rather than being in control of risks.
Q: How are you helping clients to identify legal risks or horizon-scan?
Marseille: Identification of legal risks requires a multi-track analysis of the material and operational weaknesses attached to a transaction, new relationship, business partner, industry or business strategy.
Partners regularly provide thought leadership on key issues such as Brexit or the changing sanctions landscape in Iran. Our economists and experts also provide in-depth sectoral reviews focusing on, say, construction or oil and gas.
Operationally, clients can benefit from tools to guide them through certain issues. Their appetite to transition from document-based advice, publications or briefing notes to digital solutions reflects their need for real-time advice and help in this field. This is something the Big Four do very well. Given the higher profile of legal risks, this is now expected of global law firms.
Whalley: We have a large regulatory practice, especially in the financial services sector. But we’re different in terms of how we help clients take a proactive approach to legal risk. In addition to our tools to identify, quantify and report legal risk, we can draw on EY’s global resources to augment control processes and improve overall legal risk profiles for our clients.
Datoo: We have used industry surveys to good effect here. An example is the management of legal opinions for regulatory capital purposes. There has been a lot of focus on this due to CRD IV [Capital Requirements Directive] and there is a growing sense of regulators challenging the current mode of operation of banks, potentially resulting in fines and sanctions as well as loss of regulatory capital relief. We questioned 17 banks on their operating models, ensuring we covered the whole process rather than solely the traditional advisory role played by the in-house legal team. The outcome was a capability maturity model whereby clients were able to understand how their processes conformed to legal and regulatory requirements, and benchmark themselves against their peers.
A similar approach was taken to the broader topic of legal contract data, which covered a much wider range of legal risks clients should be ensuring they have proper management of.
“I would encourage investment in legal risk management to reduce the risk and cost of future legal losses”
Q: Can you identify ways your firm has helped clients reduce the costs related to legal risk?
Whalley: By managing exposure to legal risk we can help reduce overall operational risk exposure which means clients benefit from the consequent capital reductions. But the costs associated with day-to-day legal risk management – in the form of total legal budget – are also under pressure. Reducing legal risk can result in a reduction in the usually large and uncontrolled budgets needed for legal crisis management.
Datoo: D2LT have been advocates of technology enablers to manage the legal risks firms run. An example is the use of search and natural language processing tools to help quantify and address particular issues. Client asset and money treatment, pursuant to the CASS rules, is a particularly hot topic, and once the right governance and processes have been identified such tools can help identify breaks.
The primary medium through which we have assisted in this regard has been legal data, be it contract data, regulatory data or legal opinion data. Regulatory compliance is increasingly achieved through data management, a fact emphasised by the exponentially increasing reporting requirements being put on firms.
Marseille: We’re constantly reviewing and devising ways to help clients reduce costs in relation to legal risk. The best example would have to be the launch of our Glasgow office in 2013. From a risk perspective the set-up was not simply to improve efficiency. We innovated in terms of consolidating our risk assessment activities to service the firm and clients globally, splitting the function between operational and advisory arms to add value for clients and embed expertise in the legal team.
Q: What skills are needed to work out where clients’ business practices interact with the law and therefore have the potential to create legal risk?
Datoo: Legal and compliance professionals are used to focusing on details, less on the identification and quantification of risks or the underlying processes and controls to manage them. Those are the additional skills needed. They need to get closer to the business and identify gaps in the traditional advice given to businesses and be closer to driving the way business is conducted through an understanding of the legal risks. Simple things such as sitting with the business can really help in bridging the gap between the business and the legal function.
Change and project management will be crucial skills, given the pace and complexity of regulatory changes.
Whalley: Operational risk management skills need to be combined with legal knowledge across many business and legal areas. We are lucky to have access great lawyers plus the collective experience of EY’s global risk advisory business.
Marseille: Understanding the bigger picture, in terms of fully appreciating the broader challenges facing the client beyond the remit of the mandate, especially with regard to a particular commercial tie-up, products, jurisdiction or sector.
And the ability to understand who the client is. Although that sounds like a given cyber crime, identity theft, ghost transactions and globalisation have made truly understanding the client more complex.
In risk assessment you have to identify and address areas of vulnerabilities quickly. How effectively you do this can give competitive advantage.
Q: How do you see your role, relative to that of in-house legal teams, in managing legal risk for your clients?
Datoo: It is a role of education, helping in-house legal teams understand the crucial role they play. This involves challenging them to be closer to the business and understand how the advice they give is used – typically through legal data. Specified Condition is a case in point. This is a heavily negotiated clause in over-the-counter derivative contracts but rarely understood by client collateral or liquidity teams. In many cases they are simply unaware of the presence or the consequences of it. We have facilitated that discussion between the in-house legal team and the rest of the business, then helped change the process such that legal risk is appropriately understood and managed.
“Regulatory compliance is increasingly achieved through data management”
Whalley: We are essentially an extension of their team. In-house legal are at the business end of legal risk management. They have the pressure every day of not knowing where or when the
next legal crisis will bubble up. We provide advice in areas such as strategy, structure, and training, delivering wide-scale legal risk assessments. In-house counsel are on the front line and,
if I were to give one piece of advice, it would be to encourage investment in legal risk management to reduce the risk and cost of future legal losses.
Marseille: Given that risks are more complex, bear higher costs and have a bigger impact on the viability of a deal or a relationship, there has been more reliance on external legal advice. From an operational standpoint in-house teams have more to deal with internally and, to best protect their companies, contracting out legal advice in relation to managing higher risks or uncertain risks has clear advantages.
At Ashurst there is a growing relationship between our risk team and our clients’ in-house teams. This is the result of a transition in the legal profession from a position of trusted adviser to trusted business partner, helping to facilitate a client’s commercial success.
Q: How can technology help the legal sector deliver new or better risk solutions for clients?
Datoo: This is imperative. The legal sector has been slow to embrace technology so there has been an inability to scale solutions for clients as those businesses have scaled through the use of technology. The fact the legal sector is information-intensive indicates technology will be a disruptor and facilitate the creation of innovative risk management solutions for clients. For all the noise about machine learning and AI, or the ‘Uberisation of lawyers’, it will result in standardisation of how core risks are managed. It creates more need for expertise to ensure one scans the horizon for risks as they arise and ensures processes and systems are updated accordingly.
Technology in isolation is never a magic bullet – it is the process and context in which it is used that determine how successful it is in helping clients manage their risk. There is no value in a system to extract ‘toxic’ clauses from a legal agreement portfolio if there is no process or mechanism in place to deal with the problematic contractual terms. Technology can, of course, assist with controls to prevent such items going into documents through the use of document generation tools and workflow, but only with defined approvals and template management processes in place.
Whalley: There’s huge potential here. I have seen first-hand how effective cognitive contract robots are at reading through and analysing documents. This will boost legal teams’ ability to embed best legal practices throughout negotiation teams, for example. As we build detailed knowledge of where legal risks originate we will also be able to develop key risk indicators that inform predictive legal risk models. However, this technology is in its infancy. Legal teams need to be clear about what is possible and which solutions will deliver the best returns in the short and medium terms.
Marseille: Technological solutions are central to risk assessment and resolution. As a global business, close collaboration between the IT and risk team is essential to ensure the suite of systems in place protects the firm and its clients. The requirements from a regulatory, statutory and commercial standpoint focus on the protection of information, management of large databases, confidentiality, security and the screening and monitoring of third parties or clients on business transactions. Poor technology in this area is a huge legal risk in itself.
Technology is getting smarter. IT-based risk specialists are pairing with the regulated sector to ensure their product meets customer demands. R&D on such products is booming. Developing innovative technological solutions and being the best advisers to clients are clearly linked.