Managing risk across your company
Practical Law hosted the inaugural Managing Risk conference on 12 February 2015. In this article, Jonathan Stevens (Head of Global Litigation, Atos) highlights the key themes discussed at the event, including protecting your company's brand and reputation, combating cyber crime, tackling financial crime and monitoring risk in the supply chain.
As a result of recent high-profile corporate scandals, failures and bankruptcies, the corporate world faces a regime of stricter regulations and a demand for stronger corporate governance; risk management is therefore a primary concern for all businesses.
Risk: definitions and strategies
Shareholders, investors, insurers, suppliers, creditors and the market will perceive a company to be risky if it does not have effective processes in place to monitor risks. The first step for any business is to identify the different legal risk categories that may exist, which could include the following:
Bankruptcy and insolvency.
Competition and compliance.
Health and safety.
It will then be necessary to analyse your business' operations, functions and geographies and identify any actual or potential risks. Internal support from the business is vital; there will be people within your organisation (such as subject-matter experts) whose help will be invaluable. If you do not have the capacity to carry out this function, consider outsourcing the process.
Next, develop a scale for rating each of the risks identified. This will help you to identify the top risks your business faces. Use this as the basis for an action plan outlining how you will manage the risks that have been identified, and communicate this plan to the business. Make sure you take action, as identifying risks and then failing to act is dangerous.
Gauging the board's risk appetite
Very few businesses have a document setting out the board's risk appetite, and therefore the tone set from the top of an organisation is important in establishing the business' risk culture. Although the high-profile nature of bribery and corruption prosecutions has promoted risk management up the board agenda, some board members still regard risk management and compliance activities as merely a box-ticking exercise.
Compliance officers should discuss key themes with each board member to understand and assess their individual risk appetite. Once major risks have been identified, they should be highlighted at formal board meetings. Concentrating on the three or four risks that are outside the board's risk appetite should focus the board's attention and using a visual risk dashboard will improve engagement.
Building a compliance culture
A risk is something that might happen, an issue is something that has happened, and a crisis is an issue that has been handled badly.
A compliance officer's role is to ensure the company does not hit the rocks, even if they cannot see them. Creating a compliance committee consisting of members from different parts of the business (such as HR, IT, Finance and Facilities) to deal with risks would be prudent as they will provide different perspectives on the issues that arise.
Creating a compliant culture within the business will help a company's risk management profile by reducing the likelihood of wrongdoing and by providing protection if something does go wrong. Commitment from middle management is vital if a strong compliance culture is to be developed. Consider if it is possible to rate and reward performance on the basis of how effective management and employees are in delivering a good compliance culture.
Training the entire business to be compliant is crucial. Avoid "sheep dip training"; one size does not fit all. Training needs to be creative, focused, dynamic and engaging. Key information can be communicated informally (for example, at staff meetings) or formally (using online training). Remember that even business units within the same company will have different risk appetites. It is therefore important to ensure that training is targeted to every part of the business and that the particular risks of different business units are specifically drawn to their attention.
Protecting your brand and reputation
"It is better to lose money than trust" (Robert Bosch).
All businesses can face threats to their reputation. For example, threats resulting from:
Issues within its supply chain.
Developing new products and services.
New technologies (such as data protection issues).
Companies can find it difficult to decide who has responsibility for reputation management and it is often conflated with media relations. Establishing a cross-departmental working group to deal with corporate reputation is often a good solution; lawyers should be integral to the team.
Dealing with a crisis when it hits
When a crisis happens, facts need to be established very quickly because of the 24-hour news cycle. Ideally a crisis management team will already be in place. However, the legal team is likely to be the first line of defence. When presented with a crisis, it is important to not immediately engage in fire-fighting but to try and take a step back and look at the overall picture.
Senior business leaders often get pulled into a crisis. Management may respond aggressively to an attack on the business brand and managing management can be difficult. Sometimes an expert within the company is better placed to deal with a crisis.
At times of crisis, the business will need to consider how to manage relations with:
Social media has made it more difficult to contain problems and protect a company's reputation. If the company uses social media, it is advisable to continue to communicate via it during a crisis. However, think about which platforms are appropriate in the circumstances (for example, Twitter may not be helpful in responding to a complex situation). Consider whether it would be useful to have a "dark site" that is ready to go live in the event of a crisis.
Avoid management obsession with Twitter. Sometimes the response actually exacerbates the seriousness of the situation. Focus on what can be ignored and what really needs to be countered, as only 1% of Twitter users are key influencers (usually journalists or high-profile bloggers) and only 9% of users actually disseminate any information. 90% of users are passive. Although a communications team may be able to engage with journalists, it will not always be possible to reach or influence other individuals, such as bloggers.
Training the business
To be effective, training has to be tailored to meet the different needs and challenges of specific business units. For example, sales people may need to know about competition law and the marketing team should be aware of the rules on comparative advertising. Training should not just be about mitigating risks, it should help business people understand why something is important.
Creating and communicating clear social media guidelines to all staff is important so that there are protocols that can be followed during a crisis. It may be necessary for businesses to monitor employees' personal statements on social media, as information shared on social media platforms can still be open to the normal rules of disclosure. Employees therefore need to be made aware of the consequences of posting comments about competitors or other employees on social media.
For further information, see Practice note, Managing a corporate reputation in the 21st century (www.practicallaw.com/9-101-2026).
Contracts: risks and rewards
According to one survey, in the past 20 years, 91% of contractual disputes in the IT sector came from disagreements over the scope and specification of the contract, whereas only 6% related to the quality of delivery of products or services and 3% to payment terms or prices.
Lawyers need to understand their business and their clients to draft effective contracts. They need to think about each contract in the context of the whole business. Even legally sound contracts can create reputational risks (for example, the multi-million pound claims linked to the selling of PPI products).
Although most business people do not think in terms of contracts, it is the lawyer's job to understand why each clause that appears in a contract is necessary. Once a contract is in place, the business must be able to use it and rely on it to establish accountability and to provide certainty if something goes wrong. It can be a good idea to run a contract past a litigator before it is finally agreed.
Getting the business involved in drafting a contract will improve their understanding of how the contract will work for them once it is agreed. As an incentive to get the sales teams engaged with the contracting process, it may be necessary to put in place policies such as not paying their commission until the final signed contract has been logged in the company's document management system. Decide if the legal team needs to be involved in all contracts or only those of higher value.
When there has been a breach of contract, efficient fact-gathering is vital, especially if the breach involves an international counterparty. Make sure you get someone on the ground as soon as possible. It may also be necessary to put in place procedures to protect legal privilege and internal communications.
Fighting a seemingly never-ending online risk
In 2013, the CIA and the FBI rated cyber crime as a more serious threat to US security than either international terrorism or weapons of mass destruction. In the UK, cyber security has been given the same threat level as a terrorist attack.
However, businesses still tend to underestimate the risk that cyber crime may pose. It is a pervasive problem which is probably going to get worse before it gets better. Cyber crime needs to be made a boardroom issue and not just left to the IT experts.
In October 2014, the top 25 Australian law firms were targeted by China because of their involvement in several commodities deals. Law firms have become targets due to their involvement in M&A activities. Long-term planning is often involved in these attacks. For example, it was discovered that an attack on a small company in the supply chain of a larger organisation took over four years from inception to execution. Indeed, law firms and lawyers are currently the number one target for cyber crime attacks.
As a first step, a business needs to consider who the company is trying to defend against, how sophisticated they are, and how determined they are. Understanding the cyber vulnerabilities of the sector in which your company operates and the specific threats to your own organisation (such as data loss) is crucial.
Threat information exchange is important to help you see what is happening within your industry and anticipate any threats to your company's future. Engage with your peers in your sector (for example, by using industry forums) and make the most of information from CiSP (a mechanism for the sharing of threat, risk and response information between the public sector and the private sector).
Training the business
Cyber security training must be an ongoing process. Avoid policy overkill and ensure you communicate clearly with staff. Any employee training programme should also highlight the threats that exist beyond the office. For example:
Travel (such as avoiding the use of Wi-Fi in airports or coffee shops).
Working from home.
Family and friends.
If your business allows BYOD, make sure encryption is employed and put in place an action plan for employees to follow if they lose the device.
For further information, see Standard document, Bring your own device to work (BYOD) policy (www.practicallaw.com/8-524-0996) and Article, GC100 summary note on cyber security (www.practicallaw.com/8-594-0926).
Tackling financial crime: anti-money laundering and the 4th European Directive
Statistics show that £57 billion is laundered through the UK every year. In December 2012, HSBC paid a record $1.9 billion in fines for money-laundering offences. Various ways are used to launder money, including fake litigations. The hallmarks of money laundering are:
Placement. The criminal wants to introduce the money into the financial system (for example, via a cash deposit).
Layering. Hiding or concealing the proceeds of crime (for example, by cash withdrawals).
Integration. For example, using fictitious loan agreements.
Legal and professional obligations
Professional rules of conduct require lawyers not to facilitate the commission of crime, which includes money laundering. Domestic and international laws and treaties (for example, the Proceeds of Crime Act 2002) also place obligations on lawyers and businesses to monitor and report the commission of money laundering and other crimes.
The Money Laundering Regulations 2007 (SI 2007/2157) (MLR 2007) set out the requirement for businesses to establish and maintain appropriate and risk-sensitive policies and procedures relating to:
Customer due diligence.
Risk assessment and management.
The monitoring and management of compliance.
The internal communication of such policies and procedures in order to prevent activities related to money laundering and terrorist financing.
These policies must include procedures that enable management to, among other things, identify and scrutinise complex or unusually large transactions. Senior management is responsible for ensuring that the business's policies and procedures are designed to operate effectively to manage the risk of the business being used for financial crime and to fully meet the requirements of the MLR 2007.
AML training for employees
Staff must be made aware of the consequences of breaching the anti-money laundering (AML) regulations. Training should be delivered on a regular basis and should focus on, among other things:
The risks that your particular business faces from money laundering and terrorist financing.
The vulnerabilities of the business and the products it markets.
How to recognise suspicious activities.
A recent Financial Conduct Authority study indicated that staff training was ineffective in half the banks surveyed, with staff in important AML roles frequently unable to talk knowledgeably about any money laundering risks that their business specifically faces.
Fourth EU Money Laundering Directive (4MLD)
4MLD is expected to be implemented in the UK by mid-2017. 4MLD will:
Introduce a risk-based approach to identify and mitigate risks to financial systems and the wider economy.
Reduce the cash payment threshold for persons dealing in goods from EUR15,000 to EUR7,500.
Extend the definition of politically exposed person (PEP) and create two categories of PEPs:
domestic PEP, which includes all politically exposed persons in the EU; and
foreign PEP, which includes those from a third country.
For further information, see Practice note, Fourth Money Laundering Directive (MLD4) (www.practicallaw.com/7-596-2725).
Managing risk with third parties: supply chain
Why is supply chain management important?
You need to protect your company's reputation. The transparency and ethical behaviour of your suppliers is important as regulators and enforcement agencies are interested in a company's supply chain. Some charities specifically monitor big businesses and publish reports on the lawfulness of their supply chain.
Businesses cannot simply rely on terms and conditions imposed on suppliers but need to look at each supplier within their supply chains and have visibility of what they are actually doing. For example, some charities will send researchers to look at environmental and labour standards (such as payment of workers) of the suppliers within their own supply chains to ensure that they are acting lawfully.
Auditing the supply chain
Conducting a supply chain audit can be a complex and expensive exercise. If you do not have the resources, look at your company's existing structure and leverage what expertise there is (for example, the finance function or internal auditors). There are good third party audit and due diligence programmes available.
Any audit should focus on, among other things:
Conflicts of interest.
Politically exposed persons.
Producing a report setting out all the issues highlighted during the audit and then putting in place procedures to monitor, review and update the report on a quarterly basis is good practice.
The absence of bad news is not always good news; it may simply indicate that your whistleblowing mechanisms are ineffective. It could be that whistleblowing is not an accepted part of the culture of the countries where your supply chain operates. However, when action is taken on fraud and bribery it often has a positive impact on the number of calls to a whistleblower hotline.
Keeping corporate crime at bay in your company
Bribery and corruption are a global problem (for example, Rolls Royce in Indonesia, GSK in China and Airbus in Saudi Arabia). The Serious Fraud Office (SFO) secured its first individual convictions under the Bribery Act 2010 in December 2014 (see Legal update, SFO secures first Bribery Act convictions (www.practicallaw.com/7-591-4150)).
Bribery Act 2010: adequate procedures
The key defence to a section 7 corporate offence for bribery under the Bribery Act 2010 is that the organisation had adequate procedures in place to prevent bribery. Companies can help protect themselves by:
Conducting regular risk assessments.
Securing top level commitment against bribery from the board.
Undertaking routine and thorough due diligence before entering into new business relationships.
Developing and keeping up to date an anti-corruption code of conduct.
Implementing effectively the code of conduct throughout all parts of the business.
Monitoring and auditing anti-corruption policies and procedures.
For further information, see Bribery Act 2010 toolkit (www.practicallaw.com/9-503-9451).
Preventing and investigating financial fraud
Businesses must deliver a strong internal message that there is a zero tolerance of fraud within the organisation. Having good processes in place to tackle fraud will lead to good relations with investors and insurers. Making sure there is widespread knowledge of your whistleblowing programme throughout the business can be useful as fraudulent activity is often detected via this channel. Monitor the whistleblowing programme to ensure it is not abused, for example to settle personal scores.
A business should consider how and to whom it communicates information about fraudulent activities when they are discovered, making sure that there is a set of investigation principles in place, as a well-drilled process will avoid unnecessary business disruption. For example, an investigation team can be owned by legal, executed by the security team and supported by other key functions (such as Audit, HR and Finance).
For further information, see Practice note, Preventing and investigating internal fraud (www.practicallaw.com/8-101-1980).
Deferred Prosecution Agreements
Deferred Prosecution Agreements (DPAs) were introduced in the UK in February 2014. They are an alternative to criminal prosecution imported from the US, where they have proved popular with the Department of Justice (DoJ). A DPA is essentially a contract: in return for payment of a fine and adherence to certain conditions, the prosecution is stayed. DPAs may encourage early reporting and could become an important tool for the SFO.
For further information, see Practice note, Deferred prosecution agreements (DPAs) (www.practicallaw.com/1-585-2065).
Combating risk as an individual
A company's governance structure is often not aligned with the risks within the business, which can lead to problems. The particular risks that face your business need to be monitored and reviewed regularly to maintain the relevance of your policies and procedures. However, a company's culture and the attitude of the people it employs are as important as having relevant procedures and up-to-date risk analysis metrics in place.
Managing compliance in smaller companies
With smaller companies, the compliance team will need to engage even more with the business, for example by working in conjunction with the audit, finance and legal teams. It is good practice to address any risk and compliance issues at business meetings where different business functions are present, so that you avoid bothering the business with the same requests more than once. It is always good practice to solicit the help of personnel from different business functions (such as audit) in addressing compliance issues.
Remembering to use external lawyers to bounce ideas off (for example, advice from a senior partner) and obtaining informal advice can build important relationships that will get you quicker access to external legal services when a problem does arise.
Finally, it is important to make sure your compliance officer has the right skill set to be effective in this role. They need to be, among other things:
Driven by metrics.
Knowledgeable about the business' products or services and the risks associated with them.
Comfortable in a business leadership role.
Of sufficient seniority to be able to communicate effectively at board level.
Building an ethical business structure
As always, the tone from the top is crucial. Business leaders need to be closely aligned with the company's code of conduct (for example, a code of conduct should include an introduction by the CEO). Other ways to make sure that staff are always mindful of the code of conduct are by including appropriate mentions of the code at all employee meetings and requiring employees to annually certify that they have read and understood the code (for example, by asking them to complete a short quiz to demonstrate their understanding).
Creating a whistleblowing culture within a business
It is important to have an awareness of the different whistleblowing regimes around the world, particularly if your business operates in multiple jurisdictions. For example, the US has a significant whistleblowing culture which is much more focused on the message rather than the messenger, unlike in the UK. US government prosecutors have big budgets (the Criminal Prosecutions Service has an annual budget of around £0.5 billion whereas the DoJ has a $28 billion budget) and if found guilty, US civil penalties can be high and criminal sentences long. Remember, you do not need US citizenship to be eligible for accommodation in a US penitentiary!
Under the US False Claims Act, 84% of claims rely on whistleblowers. The Dodd-Frank Act introduced a new incentive regime which provides individuals with significant financial incentives when they disclose "original information" to the regulator which leads to successful enforcement action.
If a company wants to implement an effective whistleblowing programme, it needs to have:
An efficient internal reporting mechanism.
Policies that can be clearly understood by all employees.
An open culture.
Timely responses to any issues that are raised.
Effective implementation of internal controls.