Tackling Legal Risk Management: Key Focus Areas

2015 CT User Conference

On October 29th and 30th, legal professionals from around the country gathered at the CT User Conference in Alexandria, Virginia to focus on improving their subsidiary governance processes and procedures. They were joined by representatives from Hunton & Williams LLP, TMF Group and ELM Solutions.

During the conference, participants took time to network and discuss best practices for assessing risk throughout their organizations. Although the discussions were far ranging, there were a number of common themes that emerged, including:

  • Needing to establish documented procedures for tracking where their organization’s were conducting business throughout the world
  • Understanding the regulations and security implicit in maintaining data about their entities and the personally identifiable data of the officers, managers and employees who work for those entities
  • Centralizing data and regulatory requirements in a primary system of record that is shared throughout the organization
  • Working to mitigate known risks while striving to identify potential risks before they arise.

As a starting point for assessing risk, most attendees tended to look internally at areas of known risk including maintaining compliance with local, state and federal regulations and developing control mechanisms to prevent the occurrence of unauthorized entities being created, unregistered business names being utilized or unauthorized work being conducted without the proper authority to do business. Typically these types of issues appear minor at the outset but can lead to extremely negative consequences for an organization down the road. Attendees discussed balancing the needs of the businesses they support with the risks associated with failing to comply with regulatory requirements.

“Legal Can Fix It”

There was additional discussion of how to address the concept from some business leaders that it is better to ask for forgiveness after the fact rather than ask for permission up front. This also led to discussions around the “Legal can fix it” attitude implying that the business objectives are sometimes used to override the internal legal processes allowing groups to move forward without permission and leaving the legal team to clean up any issues that arise.

The Changing Role of Legal with Global Expansion

As discussions continued, attendees also focused upon the changing role of the legal team as more companies undertake expansion of their businesses outside of the United States. Starting with an understanding of what is necessary for basic compliance in non-U.S. jurisdictions and enlarging the discussion to include how to locate the correct resources to provide assistance on a country-by-country basis. As a result the attendees related their experiences and provided a number of best practices for improving the flow of information from the U.S. based legal departments to their international subsidiaries throughout the world.

As part of the discussions, TMF Group experts suggested that when expanding across borders, multinationals need to allocate more internal and external resources to comply with the requirements of complex jurisdictions. To make good business decisions, international companies must also conduct in-depth due diligence research in a variety of fields, including the following:

  • Determining the most appropriate type of legal entity for compliance, risk management and tax purposes.
  • Finding trustworthy local business partners, suppliers and service providers.
  • Identifying a safe and secure location for a physical facility and deciding whether to lease or purchase the property.
  • Screening, recruiting and hiring a productive workforce in compliance with local and national labor laws.

The challenge for legal departments is to determine the most effective method for resolving these issues, including ideas like forming an in-house task force, relying on the advice of independent local professionals in each country or engaging a firm with global expertise in functional areas like tax, accounting, and human resources as well as on-the-ground knowledge of local markets.

Insurance to Help Protect against Cyber Events

The need to keep organizational information properly secured, yet still accessible to those employees who require it, proved to be another area of great concern. The intersection of technology combined with the legal ramifications of issues created by technology continues to cause concern. As one attendee stated, “We don’t know what we don’t know.”

Lon Berk, from Hunton & Williams LLP provided the attendees with some practical ideas for evaluating insurance for cyber security issues.

Different industries have different exposures. Different insurance products address these exposures differently. Especially with respect to cyber risks, insurance needs to be evaluated in light of the company’s entire operation.

For example, a retailer’s primary risk may arise out of the disclosure of customer credit card information, while a manufacturer’s primary risk may arise out of failure of an industrial control system and resulting loss of income. Not all insurance products will respond to the latter. An important step is therefore to evaluate what sort of cyber risk the company needs to protect. Is your company primarily concerned about protecting data? Or is it more concerned with protecting operations?

The company should also carefully evaluate what sorts of cyber exposures it faces. If it is concerned with protecting data, the regulatory issues impacting a disclosure of that data should be analyzed. For example, does the primary data risk relate to confidential third party information that may require notification, or is the primary concern the company’s trade secrets?

Similar questions need to be asked concerning operations. If a cyber-event interrupting operations is a main concern, the impact on the company’s income needs to be determined. With respect to operations, it may also be necessary to evaluate the impact of a cyber-attack on vendors and others in the supply chain.

In addition to the type of losses, the type of events leading to those losses needs to be considered. For example, it has been reported that while health providers’ main cyber risk arises out of lost or stolen storage devices, those in retail have a much higher risk from malware and hacking events.

Once the nature of the potential loss is analyzed, the company should work closely with its advisors to evaluate different insurance proposals and see whether the policy terms match the company’s risk profile. Insurance protecting against cyber-events has been around for some time; nonetheless policy terms and definitions are far from standardized and need to be considered in light of the business’ actual risk.

Finally, the company should seriously consider table top exercises of some sort or another. Proactively plan how different personnel will respond in the event of an unfortunate cyber-attack.

Technology Helps to Make More Informed Decisions

The ever increasing demands from business leaders, combined with the greater oversight of regulators, are pushing the General Counsel’s office to be managed more like a business than a law practice. Companies and their informational technology groups and legal departments are making more informed decisions when purchasing technology solutions and choosing legal providers.

Chris Weaver, from ELM Solutions, shared some insight into how legal departments are looking outside their own data management needs to determine how different departments can share data and be better informed. The link between risk management and litigation or matter management was not always fostered by true data sharing. Today’s technology allows companies to purchase an information platform that has litigation, IP, contracts, claims, eDiscovery, and risk management together in one searchable and reportable ecosystem. Legal departments can then capture outside counsel spend around each of these matter areas and make better decisions. Ultimately, once legal departments understand their own spend dynamics, they can leverage big data analytics to benchmark how their law firm rates, budgets, and efficiencies truly compare.

Greater Sharing of Content Needed

The networking and discussions among the speakers and the audience highlighted the need for greater sharing of information between business leaders and their legal teams. Increased sharing of information presents opportunities for improved productivity and greater organizational alignment while also creating additional risk in managing the information. These challenges form the background of the modern day legal department. As the business environment continues to evolve, the legal department’s job requirement to “fix it” will become ever more critical. With that in mind, the opportunities for both business leaders and the legal department to proactively communicate in order to avoid continually having to “clean up” problems will behoove all parties involved.


To learn more about how CT can help you better manage your legal service needs, contact a CT representative at 844-206-9032 (toll-free US).

Presenters contact information:

Chris Weaver
Regional Sales Director
Wolters Kluwer ELM Solutions, Inc.
3009 Post Oak Boulevard - Suite 1100
Houston, TX 77056
Direct: (713) 702-7650

Sharon Carroll
Compliance Business Consultant
208 South LaSalle Street
Chicago, IL 60604
Office: 312-416-3716
Cell: 847-863-3224

Lon Berk
Hunton & Williams LLP
1751 Pinnacle Drive, Suite 1700
McLean, Virginia 22102

TMF Group
Dennis Day
Global Head of Strategic Alliances

Questions? We can help.

Have a specific question about a product? A CT Specialist will follow up with a custom quote along with a comprehensive assessment of your needs.