From time to time I will post blogs written by a guest author. Today's guest is Cameron Scott, a senior member of the CDC team, former magic circle partner, barrister and a graduate of the Ashridge Business School Advanced Management Programme. Cameron has spent over 25 years' as a lawyer both in private practice and in-house and has significant experience of leading teams of professionals, delivering legal projects and dealing with the personal and professional challenges faced by senior lawyers.
There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know… it is the latter category that tend to be the difficult ones. (Donald Rumsfeld 2002)
Although these words were spoken in relation to the US-led invasion of Iraq, they could just as well have been applied to legal risk management. It’s the unknown unknowns which keep general counsel awake at night and can cause the greatest damage when they happen.
One such event which has been in the news in the past few days was the phone hacking scandal. The legal consequences of this led to the arrest of over 100 people, nine convictions and the closure of one of the UK's most popular Sunday newspapers. I very much doubt that, assuming the businesses involved maintained legal risk registers, that phone hacking and the potential for criminal prosecution would have featured. They resulted from the unknown activities of part of an unregulated business in which the in-house legal and compliance functions would have had limited, if any, involvement.
I could cite endless other examples of unknown and unforeseen legal risks: PPI, pensions mis-selling, massive personal data hacking, VW's emissions scandal. The list goes on.
So do businesses just have to accept that these things will happen and there is nothing they can do about them? I don't think they do but there are issues which need to be addressed. These have been highlighted by the recent report Legal Risk: Definition, Management and Ethics published jointly by UCL and the University of Birmingham which suggests that "legal risk management is in its infancy".
The first is defining what legal risk is in any business and who owns it. Is it limited to the legal consequences of what the legal team does or does it extend to the legal consequences of business operations? Does it go further and extend to a culture of compliance with the spirit rather than just the letter of the law? Taking a broader definition makes it more likely that legal risks from business activities will be identified and that, while the in-house legal team may not have primary ownership of certain "business" risks, they will at least have a seat at the table when risk management is discussed. It also makes it less likely that risks will fall between the cracks.
The second is the need for in house teams to consider rigorous and effective legal risk management processes and to address what can sometimes be gaps or "turf wars" between the legal and compliance function in the business. Effective processes will include processes to identify and measure risks, such as legal "heat maps", as well as monitoring and auditing compliance and documenting risk events (such as non-compliance, legal claims and complaints). Here, as with so, many aspects of in-house counsel's role, communication and engagement with the business is key.
The third is what is seen as the tension for in-house counsel between the desire to be a "trusted adviser" to the business (something discussed recently in Greg's Blog) and the need to maintain independence and objectivity as a lawyer. While there may sometimes be tension, I think it's entirely possible to be both a trusted and independent advisor. Indeed, independence and adherence to ethical principles is at the heart of being trustworthy.
The Client Development Centre has been working with in house teams for over ten years. Amongst other things, we have advised on legal risk management processes and have developed a framework and tools for the identification, assessment and management of legal risk. Please get in touch if you would like to discuss how we can support you and your team.