FixNix Blog

Risk management – fed up with compliance yet?

Nov 10, 2014 10:47:03 PM / by Shanmugavel Sankaran

Ruth Daniels, general counsel, CPA Global: Being able to effectively identify and manage risk and, importantly, determine the organisation’s appetite for risk. People think of risk management as putting a straitjacket on the business: it’s not. It’s about ensuring a company is best placed to succeed and maximise opportunities, and that it is not prevented from doing so because it has failed to identify business, market, or legal and regulatory risk that could have a damaging effect on the company.

To do this, companies need to be able to develop a robust risk management strategy and establish appropriate responses and controls. At the heart of our risk management strategy is a comprehensive risk register, which lists and prioritises the various risks identified by potential impact, and which also includes mitigation and elimination steps for each risk.

Richard Kemp, founder, Kemp IT Law: Getting to grips with regulation as it increases in volume and complexity.

To give an example in the financial services sector, for the G20 countries alone there are 128 bodies involved in the creation, monitoring and enforcing of financial services regulation; 14 global bodies, 36 in Europe, 30 in Asia and the Middle East, 49 in North and South America and two in Africa. The industry has processed more than 55,000 regulatory documents since 2009. In the UK the Financial Services Authority published 278 documents in 2009 and by the end of the year will have published almost 3,000 in 2014.

Emma Thomas, legal director, Homeserve: Keeping up with technological developments in the business and keeping skills fresh in a world that is increasingly digitally enabled.

Kiaron Whitehead, general counsel, BPI: The perennial risk is still the biggest – namely that of executives committing to commercial decisions without having first spoken to their in-house legal department. Fundamentally, it’s about relationship-building and making sure that your executives see you as one of them, part of the commercial team. You have an obligation – I’d almost go so far as to say a professional duty – not to be seen as the ‘business prevention unit’.

Chris Vigrass, director of risk management, Ashurst: In-house teams vary so it’s difficult to generalise but I’d say one of the biggest issues they’re facing is still information security or assurance. We ran a cyber awareness week throughout the firm in June, taking up the Australian experience where they have been doing this for several years. Frankly, if you call infosec ‘cyber’, people get more excited as it has overlays of MI5 and it’s easier to get them involved, possibly because it also potentially affects their personal lives. The week was successful and we now plan to do it annually. It’s indicative of a raised awareness of risk generally and technology risk specifically.

Q: In August the Information Commissioner’s Office warned lawyers about the need to keep personal information secure, especially paper files, in the wake of “a number of data breaches”. How are in-house departments responding?

Whitehead: This was a wake-up call for the legal profession. Good in-house teams will already have sensible procedures in place. If they don’t, they need to do so PDQ. I can’t see any quarter being given by the ICO to those that don’t.

Daniels: For many organisations, the protection of personal information is becoming an important factor in their choice of a service provider. We’ve responded to this challenge by implementing a global data protection policy, which includes business unit specific guidelines as well as training to ensure employees are aware of the types of personal information we collect and the potential risks if that information is not managed correctly.

Kemp: At a time of increasing anxiety over data security generally and privacy in particular, big clients often say they see their external lawyers as a particular risk area to manage, in infosec terms. This is because law firms hold a lot of sensitive, confidential data about the client but may not be as used to meeting such exacting standards as their clients.

Good information security therefore becomes an advantage to law firms that get it right and a real headache to those that don’t.

Most, if not all, the information going to the outside firm will flow through the legal department, so keeping tabs on the confidential data that has left the building is increasingly important. This means good tools to record and audit what’s gone where.

The reminder from the ICO about paper files and data breaches just shows how all-encompassing the rules are – and this is something the SRA is increasingly concerned about too.

Tyson: We provide our lawyers with regular in-house and external data protection update training so they are reminded of its importance and can keep abreast of changes.

Our local Law Society magazine recently featured an article warning law firm employees about the risk of potential data breaches and we discussed this as an in-house team.

Ellis: You have to ensure you have robust policies in place, you carry out training and do testing.

Thomas: At Homeserve Membership the data protection officer is part of the legal team. This means he works closely with the lawyers in the team to ensure all our colleagues are constantly reminded of the need to respect all data, not just our customers’.

He also helps to remind the legal team not to leave papers lying around and to focus on privacy in all the projects we work on.

Q: How difficult is it becoming for in-house departments to stay compliant as the regulatory burden increases?

Ellis: It’s not easy, especially for small in-house legal departments as the scope of compliance and regulation is so enormous, especially for multinationals working in difficult jurisdictions.

The only way to be completely compliant is to use technology, which usually means using an outsourced risk provider such as Thomson Reuters Accelus. This can be expensive, so there has to be a detailed cost-benefit analysis to set the parameters of compliance.

Whitehead: A great in-house team needs a strong general counsel who nurtures talent and inspires the highest standards. Complying with all laws and all regulations is part and parcel of that.

Kemp: This goes to what is expected of the legal department and how it is communicated. As regulation becomes more prescriptive and intrusive, and the compliance burden gets heavier, the legal function needs to be more clear about its responsibilities and authority levels. This varies from organisation to organisation, but the real risk is that the legal function ends up with responsibility for things it has no authority over at a time when sanctions are being applied at an individual as well as a corporate level and regulation is developing quickly.

Thomas: We work closely with our colleagues in the regulatory compliance team; we’re highly focused on compliance matters in any case as we have regulatory oversight for our international businesses, and we keep up to date with seminars and webcasts run by our external legal advisers.

As we work in the financial services sector we consider it important to keep abreast of regulatory requirements.

Q: Is compliance fatigue setting in?

Thomas: Not yet. We try hard to keep the business not only aware of the need for regulatory compliance but also the reasons for it – it’s much easier to behave in a compliant way if you know what the purpose of the regulation is.

Tyson: Not at all. Our legal and compliance departments keep up to speed with Financial Conduct Authority/Prudential Regulation Authority guidance and we are always looking at ways to raise the profile of compliance and reinforce this message within our team.

Our legal team makes extensive use of control self-assessments, group policy compliance and operational risk and control reporting to manage our legal risks, as well as regular risk reporting by our general counsel and his direct reports.

Our external lawyers provide us with regular financial services update training too.

Daniels: Not so much ‘fatigue’, but all businesses have decisions to make around where to invest money, people and resources, and so tensions can exist as to how compliance may add visible ‘value’. Where there have been issues in an industry, there is a tendency for that market to over-correct before more measured approaches are implemented.

With the sharp rise in the number of regulatory enforcement actions in recent years, many companies have sought protection by putting compliance programmes in place. The problem with this is that, having established such programmes, some organisations can be lulled into a false sense of security. Increasingly, regulators are signalling that the mere existence of a compliance programme, while fulfilling a baseline requirement, may not be sufficient.

The programme has to be implemented, promoted and managed across the whole organisation, which requires an investment of people, time and money. The upside of this is that an effective compliance programme doesn’t only help prevent regulatory violation, but, where properly implemented, can also be a mitigating factor that regulators will take into account in enforcement actions.

Kemp: The pendulum is still swinging towards more regulation and compliance so it’s a bit dangerous if fatigue is setting in.

In the financial services sector, high and increasing fines and the granular sign-offs top management are now required to give to regulators are seeing a more robust compliance structure developing that still has a long way to go.

Vigrass: It’s a continuous battle to have compliance regarded as a force for good rather than a force for stopping work. I know that is a common sentiment in financial institutions and there’s an element of that in law firms as well. We say we’re business enablers, not the people who are stopping lawyers from working.

Q: What steps can in-house legal departments take to assist the business with this problem?

Daniels: Education and awareness building throughout the organisation are important, although such activity needs to be linked to outcomes and value creation or preservation so that it doesn’t just seem like a box-ticking exercise. Experienced internal compliance resources and/or external partners can regularly evaluate compliance programmes to ensure they are relevant, effective and robust. They can also conduct employee and agent training, due diligence, and corporate policy drafting.

It should also be remembered that compliance programmes are not a one-off exercise that you can tick off and forget about. They require ongoing evaluation, evolution and enhancements to keep up with the changing legal and enforcement landscape.

Vigrass: From our point of view the help tends to be along the lines of general advisory and handholding. The bigger clients are as much on top of the subject as we are. They have what amounts to a quality assurance system which cascades actions throughout their business and suppliers, including us. The in-house legal team will often have their own risk management audit or a procurement team. Overall, I think it has helped increase our standards, which is a good thing.

At the smaller end my sense is that if a general counsel needs assistance they’ll ring the client relationship partner for help and, depending on the circumstances, we may send someone on secondment. This can then assist or free up the general counsel. The number of secondments has increased over the past six years, although that’s part of the value-add that we provide.

Ellis: The business has to understand that compliance and the cost of compliance is part of doing business in the modern world. In any business plan there needs to be a cost-analysis of compliance.

The legal team is fundamental in helping the business understand the necessity of a compliance programme and the risks of non-compliance, and should have the expertise to provide solutions to the business and the costs associated with those solutions. If they haven’t already got it, all businesses should have a compliance budget.

Kemp: Again, this goes to the role of the legal department. As the compliance team grows, legal has a big role to play in helping shape internal policies and procedures. Legal can clarify roles, functions, responsibilities and authority levels from both the organisational and the legal/regulatory perspective.

Tyson: Our in-house legal team works in collaboration with our business colleagues in promoting best practice in everything we do. When it comes to compliance we have a framework that makes extensive use of control self-assessments, group policy compliance and operational risk and control reporting to manage our legal risks.

We also require regular risk reporting by our general counsel and his reports. Our external lawyers provide us with financial services update training too, and we keep up to date with changes and promote the importance of compliance in our team.

Whitehead: It’s incumbent on a general counsel to explain to senior management the professional duties of in-house lawyers and to advocate for appropriate facilities and funding.
