The in-house debate: Run the risk

Is the job of the legal function to be the ringmaster and cheerleader, managing risk and compliance effectively within an organisation? Should it have to win over the hearts and minds of the board just as much as those on the front line? These were the main discussion points of a recent panel debate between nearly 20 in-house lawyers and private practice risk management specialists gathered at Mayer Brown’s London offices this summer.

***

David Harrison, Mayer Brown: A common challenge across practice areas is how to move away from historical perceptions of compliance and risk – that this is for the lawyers and could get in the way of the business, with the result that it’s underfunded. It often takes a crisis, typically an investigation or a major breach, for significant resources to be deployed.

In this context, Audrey [Harris, Mayer Brown] asked: what is the number one thing that keeps you awake at night? What is the number one thing that your board asks? And what is the number one emerging risk?

Sam Eastwood, Mayer Brown: In a compliance function, or a risk function, or a legal function, how do you make sure that the people on the ground, such as the sales force, assume responsibility?

Alessandro Galtieri, Colt Technology Services Group: There is a spread of industries here with varying team sizes. I wonder who has not got a separate compliance function within their organisation? We do not, which sometimes baffles the Fidelity [owners of Colt] executives on our board, because for them coming from financial services, it is like not having limbs. But I wonder sometimes, where there is such a function and it is well established, if it then does not become a bit of a pass-the-parcel thing: ‘Oh, that is a compliance problem. There you go, compliance, solve it,’ and we do not have that, which means we can say, ‘Look, it is everyone’s responsibility.’

Sam Eastwood: So your answer to the question is: do not have a compliance function?

Alessandro Galtieri: No, but I don’t feel the need for it – we all have seen that very large organisations with well-resourced compliance functions have had significant issues.

John Kunzler, Marsh JLT Specialty: In paired studies of similar size companies, a few factors consistently differentiate the great from the not-so-great. One important consideration is how lessons learned are shared in your organisation. Are things that go wrong brushed under the carpet, or do you socialise the learning from your own and other people’s errors? If you do, the risk culture is way better. Another differentiating factor is that none of this can be lip service. You cannot just blame the front-line guy who makes the mistake. That is a red flag. You cannot have a senior management culture that says: ‘The front-line guys are not doing what they are told.’ Quoting the safety expert James Reason: blaming people for their errors is emotionally satisfying but remedially useless. Well, you designed the system; you designed the framework in which they operate. It is your responsibility too.

‘Strong leadership needs to be in place, otherwise the work allocated to the front office falls back on the legal department.’
Ian D’Costa, Dataffirm

Audrey Harris, Mayer Brown: The key point is not to outsource ethics to any one group. There are some commentaries out there that say when you put a dedicated chief risk officer in, risk taking actually increases. Individuals in the business may reduce self-monitoring. They may think: ‘It’s compliance or risk’s role to monitor and object; if the system doesn’t catch them, they must be fine.’ As a chief compliance officer, I tried to keep the risk ownership with the risk creator – the business. I used to tell my in-house ethics and compliance team: ‘We are three things: we are guides, we are problem solvers and we are gatekeepers.’ Spending the majority of our time as guides and problem solvers, engaging with the business, gave us the visibility and credibility to be the gatekeeper when we needed to be.

Ian D’Costa, Dataffirm: Strong leadership needs to be in place, otherwise there is the risk that work allocated to the front office falls back on the legal department, because lawyers have a duty and the skillset that means they will be professional and diligent about all matters. Front-office staff and managers often try and take advantage of this.

Edouard Peers, jobandtalent: Leadership is key, because if you have strong leaders who do the right things, this will feed down the rest of the company. In tech companies, lots of VCs require you to tick all the boxes and have the right compliance, anti-bribery, etc, but this needs to be founder-led compliance to be effective.

Ian Jones, Truphone: I would argue that we as lawyers are not best placed to roll this stuff out, because a lot of lawyers have the emotional intelligence of a house brick. If you do not understand how people behave in these systems, you will not stand an earthly chance of having any sort of compliance system that will work.

One of the riskiest things for any sort of business is optimism. Optimism is the biggest risk I face, because every time I raise an issue around risk and compliance, the attitude is: ‘That is what happens to other people. It is never going to happen to us.’

Tim Langton, independent in-house expert: It is not about compliance, it is about the ethics. We all talk about compliance. Compliance is a staging post to try and protect your company. It is about ethics and compliance.

Phillip Norah, Aggregate Industries: Boards can add the most value to the compliance agenda when they look at compliance risk holistically rather than just focus on red flags on a compliance dashboard. To achieve this, it is important for the board to make sure they understand the practical operational realities of the industry the company is operating in. Given that most boards will have independent directors, this can sometimes be a challenge. A board which understands the industry and particularly the individual behaviours associated with that industry is better placed to give effective challenge and direction to executives responsible for the compliance programme.

Kate Ball-Dodd, Mayer Brown: We are often asked to present to boards on various different matters, including what the underlying responsibilities or obligations are. It amazes me that boards seldom seek to ask their compliance people about this. They should be saying to their compliance leaders: ‘What should we be asking you?’

Audrey Harris: There is no perfect programme. If anybody comes in and sits in front of a board, and says theirs is a perfect programme, they should probably be fired. The goal should be a dynamic state of continuous improvement. There are two types of problems: one is where the company fails the individuals; the other is where the individuals fail the company. Every time I look at any problem, I ask that question: ‘What are the organisational and individual challenges?’ and that helps target improvement.

‘Lawyers are not best placed to roll this stuff out. They have the emotional intelligence of a house brick. If you don’t understand how people behave, you will not stand a chance.’
Ian Jones, Truphone

Mark McAteer, Legal Business: Chris, how do you get compliance on the agenda in an investment context?

Chris Bulger, Vitruvian Partners: Private equity is increasingly regulated under financial services regulation, but compared to the banks, this was relatively light touch historically. Now, that has completely changed. There are risks of attributing liability up the chain and any argument that a financial investor should be treated as different to a corporate investor has gone away. It is quite difficult to make that case to regulators, politicians and judges, and expect a sympathetic response. Now, obviously, the extent of the risk does depend on the jurisdictions and sectors you are targeting.

Manu Chopra, CBRE Global Investors: It is slightly easier if you are working for financial services to have that conversation with compliance, because with the way things have travelled in the last decade, with the formation of self-regulatory organisations and the FCA, it has become a much larger part of what we have to deal with. It is obviously very much on the agenda of the senior guys – you have to have that transparency and that education and communication downwards, leading from the front and from the top.

Nayeem Syed, Refinitiv: We’re here to help our organisations do business safely and a powerful way to convey the issue to the c-suite is that non-compliance and regulatory risk equals financial cost. Executives respond well to the impact compliance has on the cost of capital. Poor risk management adds to the cost of borrowing and erodes the share price. If you are working toward an IPO, you want to report fewer risk factors, fines and lawsuits.

Mark McAteer: There is nothing that crystallises minds more than the negative experience of others. I am thinking of your industry specifically, Robin, with the reputational issues caused by the Harvey Weinstein scandal.

Robin Chalmers, ALL3MEDIA International: It is astonishing how much coverage there is in the newspapers of compliance issues and problems in all manners of business and the fact that compliance is still a dirty word. Ultimately, such a responsibility for thinking holistically and ethically about everything that you are doing is awfully complicated. It gets in the way of just doing what you want to do. I think that certainly in our immediate business, it is particularly challenging.

Ian Jones: One of the things that fascinates me is that reputational risk has been the number one or number two risk on The Economist’s risk survey for the last 15 years, which is taken among finance directors and senior finance executives. Compliance impacts on reputation both positively and negatively. Good compliance is good business, bad compliance is bad for your reputation.

It is making compliance real for people. So, when you talk about how compliance affects the investment value, you are talking to people who are focused on the financials and the value of the business as directors. Therefore, that has a real effect upon them. They can visualise that; they can feel that.

Melissa Darby, Cummins: That for me is massive and, with respect to how we can start managing communication on compliance, I feel like I am being repetitive, because I am saying the same thing over and over, but I like to think I am seeing results. The points we address in internal discussions are: ‘This is what has happened. This is what is on the horizon. Law is coming out quicker than we are able to manage it. What are we going to do to address it?’ It is definitely a bullet-point script for me, for getting everyone thinking short and long term.

‘With managing communication on compliance, I am saying the same thing over and over, but I am seeing results.’
Melissa Darby, Cummins

David Harrison: What about acquisition risk? How do compliance teams get their boards thinking about that upfront before the company does an acquisition?

Alessandro Galtieri: This is an area where legal can leverage due diligence findings, but law firms need to align with their clients. My personal view is that instead of a due diligence check list, which is frankly a copy of what you had as a template when you started as a trainee, you now have to have a broader conversation on what is the risk appetite of the buyer. This means considering potential risks of the target, maybe because of the areas or the geographies in which it operates, or the things that they do differently. Then you have a due diligence that allows the purchaser’s board to have an informed decision on the potential risk. LB

mark.mcateer@legalease.co.uk