
Appendix 7 Legal and Compliance Risk in Financial Institutions

Roger McCormick, Chris Stears

From: Legal and Conduct Risk in the Financial Markets (3rd Edition)


From: Oxford Legal Research Library (http://olrl.ouplaw.com). (c) Oxford University Press, 2021. All Rights Reserved. Date: 15 April 2021


Materials and Proceedings from Joint Colloquia held by London School of Economics[1] and Herbert Smith LLP

Earlier this year a group of academics from LSE, practitioners and legal, compliance and risk professionals met at two colloquia held at Herbert Smith’s offices to debate the definitions of legal and compliance risk, the key challenges and drivers for change in how these risks are managed, and the response of the financial institutions to these challenges.

The discussions were conducted under modified Chatham House rules, with participants agreeing that their comments, duly anonymized, could be reproduced subsequently on an unattributable basis. Set out below is an edited summary of the proceedings and materials provided in connection with the colloquia.[2]

Part A: Issues for Consideration

1.  Why look at legal and compliance risk management?

Difficult market conditions bring issues of legal and compliance risk management to the fore: the certainty of contractual documentation, clarity as to a financial institution’s rights and duties in its dealings with others and the effectiveness of policies, procedures, systems and controls to comply with regulatory requirements are all subjected to greater stress. It is no surprise, therefore, that the present situation in the financial markets is leading to an increase in disputes between financial institutions and private parties and an increase in incidents that expose financial institutions to increased regulatory scrutiny and the risk of regulatory intervention or sanction.

Considering how financial institutions can best manage legal and compliance risks is, therefore, of particular interest in the current environment. However, there are two other significant developments that might also suggest a need to re-examine legal and compliance risk management practices:

  •  First, the introduction of the Basel II regime and the proposed introduction of the Solvency II regime highlight legal risk as an important element of operational risk. This reinforces the fact that the effective management of legal risks by financial institutions is, in itself, a regulatory requirement.

  •  Second, the increasing popularity of ‘principles-based’ regulation raises some important questions over the traditional approach to the management of compliance risks. Principles-based approaches to regulation seek to focus financial institutions on regulatory goals and outcomes and to transfer from regulators to financial institutions (to a greater or lesser extent) the task of devising the particular strategies that the financial institution should adopt to achieve those goals or outcomes—or at least mitigate the risks of not doing so. In this environment, an approach to compliance that emphasises management of the risk of regulatory breach or sanction by seeking to ensure compliance with specific regulatory rules or requirements is likely to prove inadequate.

Managing legal and compliance risk, therefore, increasingly involves not only ensuring that a financial institution has implemented policies, procedures, systems and controls to deliver compliance with detailed regulatory requirements, but also assessing and addressing the risks that the financial institution’s business presents to the ultimate goals of regulation and the outcomes that the regulatory regime is seeking to achieve. These changes to legal and compliance risk management are likely to give rise to additional challenges for financial institutions; for many, it will require a fresh approach to legal and compliance risk management that is premised on a clear understanding of the regulator’s expectations.

In this changing and challenging environment we need to re-examine what effective legal and compliance risk management looks like for financial institutions.

2.  What is ‘legal risk’ and ‘compliance risk’?

It is easy to become bogged down in questions of definition. Nevertheless, defining what we mean by legal or compliance risk does have important practical implications. A lack of definition can lead to a lack of clarity as to who within an organisation is responsible for managing different risks and what tools are being or might be used or developed to manage them.

It might therefore be considered a matter for some concern that there are a number of competing and, in some cases, very different possible definitions of legal and compliance risk, some examples of which are outlined below.

Legal risk

Example 1: ‘ … the risk from uncertainty due to legal actions or uncertainty in the applicability or interpretation of contracts, laws or regulations.’ Depending on an institution’s circumstances, legal risk may entail such issues as:

  •  Contract formation: What constitutes a legitimate contract?

  •  Capacity: Does a counterparty have the capacity to enter into a transaction? eg, Hammersmith and Fulham case[3]

  •  Perfection of an interest in collateral

  •  Netting agreements: Under what circumstances are they enforceable?

  •  Contract frustration: Unforeseen circumstances that might invalidate a contract…

Legal risk can be a particular problem for institutions who transact business across borders.[4]

Example 2: ‘Legal risk’ is the risk of loss to an institution which is primarily caused by:

  (a)  a defective transaction;

  (b)  a claim (including a defence to a claim or a counterclaim) being made or some other event occurring which results in a liability for the institution or other loss (for example, as a result of termination of a contract);

  (c)  failing to take appropriate measures to protect assets (for example, intellectual property) owned by the institution;

  (d)  a change in the law.

The reference to a ‘defective transaction’ in (a) above includes—

  (i)  entering into a transaction which does not allocate rights and obligations and associated risks in the manner intended;

  (ii)  entering into a transaction which is or may be determined to be void or unenforceable in whole or with respect to a material part (for whatever reason);

  (iii)  entering into a transaction on the basis of representations or investigations which are shown to be misleading or false or which fail to disclose material facts or circumstances;

  (iv)  misunderstanding the effect of one or more transactions (for example, believing that a right of set-off exists when it does not or that certain rights will be available on the insolvency of a party when they will not);

  (v)  entering into a contract which does not, or may not, have an effective or fair dispute resolution procedure (or procedures for enforcement of judgments/arbitral decisions) applicable to it;

  (vi)  entering into a contract inadvertently; and

  (vii)  security arrangements that are, or may be, defective (for whatever reason).[5]

The above definition was intended to be read in conjunction with the accompanying notes, which included the following points:

  •  Each institution may wish to adapt the definition for its own particular purposes and, especially, to reflect any allocation of responsibility within that institution (for example, to the legal department) which may not be consistent with the definition as it stands.

  •  With regard to paragraph (b), institutions may wish to make a distinction between claims which reflect a risk which has been anticipated (but nevertheless deliberately taken) and claims which come as a genuine ‘surprise’.

  •  It was not thought necessary to make any distinction between contractual, tortious or other claims in this context. However, the prevailing view (and, it is submitted, best practice) was that risks which arise from wilful or reckless behaviour (including fraud)—although they are operational risks—should not properly be regarded as legal risks.

  •  It is suggested that risk of loss caused by contractual commitments to pay money (for example, indemnities or guarantees) entered into voluntarily should not be regarded as legal risk. The treatment of risk of loss caused by breach of such obligations is more difficult.

  •  Situations may arise under (a), (b) or (d) which have strong political overtones and may more properly be regarded as examples of political risk or a combination of political and legal risk.

Example 3: ‘… the risk that the law is proved to operate in a way adverse to the interests or objectives of the insurer, where the insurer:

  •  did not consider its effect;

  •  believed its effect to be different; or

  •  operated with uncertainty as to its effect.’[6]

Compliance risk

Most traditional definitions of compliance risk focus on the risk of loss to the financial institution arising from non-compliance with relevant regulatory requirements.

For example:

Example 1: ‘The current and prospective risk to earnings or capital arising from violations of, or non-conformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the Bank’s clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts.’[7]

Example 2: ‘ … the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its banking activities … ’[8]

The FSA’s principles-based approach to regulation calls such definitions into question. While the FSA has not sought to define compliance risk, the following statement highlights the problem: ‘Principles-based regulation means, where possible, moving away from dictating through detailed, prescriptive rules and supervisory actions how firms should operate their business. We want to give firms the responsibility to decide how best to align their business objectives and processes with the regulatory outcomes we have specified. We will increasingly shift the balance of our activity towards setting out desirable regulatory outcomes in principles and outcome-focused rules, enabling our people to engage with firms’ senior management in pursuit of these outcomes. We expect firms’ behaviour, in turn, to change to adjust to this shift in emphasis.’[9]

In this environment it seems that compliance risk needs to encompass not only the risk of loss to the financial institution arising from non-compliance with detailed rules, but also the risk that a financial institution will fail adequately to deliver on the high level ‘outcomes’ and goals specified by the regulator.

There is now a growing need to develop a clearer picture of what a ‘desirable regulatory outcome’ actually is in this context. The evolution of regulation, the increasing complexity of business (coupled with the sheer size of many financial institutions) and the potential liability that may result from an inadequate approach to legal and compliance risk management should, we anticipate, result in significant changes to the ways in which financial institutions manage legal and compliance risk and structure their legal and compliance functions. At this stage, it seems to be too early to assess whether any best practices are emerging or whether the FSA is having, or wishes to have, any influence on this.

3.  Who should be involved in conducting legal and compliance risk management?

The question of definitions can have practical implications for the internal organisation of the different risk management functions, and vice versa. A narrow definition of legal risk, as relating principally to risks of litigation, can result in the assignment of certain types of risk to the legal division; whereas a wider definition which encompasses compliance risk may lead to a different organisational structure. The dynamic can be reversed: existing legal divisions may lay claim to certain types of risk, leaving the rest to compliance or other risk management functions.

Financial institutions should carefully consider who should be involved in legal and compliance risk management and what form that involvement should take. Effective legal and compliance risk management will require financial institutions to look beyond functional lines and ensure that the right information is reported both horizontally and vertically within the organisation.

This is likely to present a number of challenges for financial institutions, including ensuring that:

  •  senior management is sufficiently engaged with and supportive of the legal and compliance risk management approach (for example, has input into compliance planning);

  •  legal and compliance risk is owned by the business and all staff are responsible for adhering to the desired legal and compliance culture, which has been clearly articulated;

  •  legal and compliance risks are adequately aligned with and integrated into operational processes;

  •  where they are separated, the legal and compliance functions have a clear understanding of their respective roles and the need for coordination and clear communication in advising the business about legal and compliance matters; and

  •  the independence of those performing legal and compliance risk functions is preserved and valued within the organisation (so that they can, for example, challenge the views and/or practices of other control functions).

For most financial institutions legal and compliance risk management is primarily the responsibility of the legal and/or compliance functions with some oversight provided by the risk function. Whilst it is perhaps too early to draw any conclusions, it appears likely that this approach will continue to be prevalent. Effective legal and compliance risk management, however, will require the business also to assume day-to-day responsibility for managing such risks with senior management playing a key role in developing and embedding a culture of compliance.

4.  What does ‘risk management’ look like?

It appears that of all areas of risk management, the effective management of legal and compliance risk is a subject on which the thinking of the FSA and industry is least developed. Most financial institutions appear to approach the management of legal and compliance risks in broadly the same way that they manage other risks.

Is this perception correct? If so, why? Legal risks are notoriously difficult to measure, but so are many other types of operational risk. Are legal risks different? Do they call for a different approach? Legal risks are often dealt with by employing more generic risk management tools, but is this an effective way of managing legal risks and how genuinely engaged are lawyers in this process?

5.  Key questions

  •  What are the implications of principles-based regulation and other key legal and regulatory developments (such as Basel II and Solvency II) on how compliance and legal risks are managed within financial institutions?

  •  Where, within financial institutions, are legal and compliance risks managed? Is this the right place? How do we know?

  •  Are the techniques used for managing other operational risks appropriate for managing legal and compliance risks?

Part B: Proceedings

Preliminary remarks

The credit crunch has highlighted the extent of the risks, as well as the rewards, inherent in the financial services sector. Banks are charged with delivering a quasi social service; the provision of products such as current accounts and mortgages is no longer just a matter of private contract but is heavily regulated in favour of consumers and according to imprecise yet ever expanding concepts of fairness.

Banks trade in legal constructs at the centre of a complex web of law and regulation—the days when such issues were just a matter for shareholders are long gone. If the law governing those constructs does not function as expected, this will impact on the heart of their business models.

Legal risk is thus an all-pervasive threat, yet there has been to date no consensus over what legal risk actually is, and it is increasingly apparent that the managers and owners of legal risk need some precision as to its definition and management.

Defining legal and compliance risk

There is a wide spectrum of definitions of legal and compliance risk. Some seek to use a mixture of soft and hard norms; some focus on the risk of loss arising from non-compliance with such norms; and some focus on the environmental uncertainty created by the institutions that create the law within which the sector operates.

Definitions have acquired more of an operational risk content but it is not clear whether there is any consensus as to how firms operationalise their risk management functions to encompass legal and compliance risk management. This may be influenced in various ways:

  •  by trends towards structuring expertise in certain ways, with compliance risk sitting within legal risk in some models;

  •  as a response to scandals or shocks; or

  •  because responsibility for legal risk is moving away from the legal function towards risk management as this evolves more generally.

Key questions include how firms’ risk management functions relate to their compliance and legal departments; which professionals should be or are involved in the process; how lawyers, accountants and risk management professionals can work together best to manage legal risk; and whether there is any demand for a more holistic system of legal risk/compliance management.

One firm simply defines ‘legal risk’ in terms of financial loss, being a simple concept that is readily understandable by non-lawyers. Others have extensive definitions, but express scepticism about the way they are used.

Some organisations draw stark differences between legal risk and compliance risk. Legal risk issues revolve around legal advice given to an operational section of the business, but it is those in the business, not the lawyers, who remain responsible for the risk—they decide whether to accept or reject legal advice, which is risk based. Compliance, on the other hand, is ultimately owned by the Chief Executive, and is conceived of in terms of enforcing the firm’s established policies and procedures: compliance input is prescriptive rather than advisory.

Others take a different view—that risk ownership depends more on the certainty or uncertainty of the risks. Where it is clear that to act in certain ways will give rise to adverse legal or compliance consequences, then it is for the risk manager to make this plain to the business and, if the message is ignored, to escalate it. In cases of uncertainty, regulatory or otherwise, it would be for the business to make the risk decision. The business should be the first line of defence to such risks, and compliance acts as the ‘conscience’ of the business, rather than as its police. Ideally legal and compliance risk managers would also work closely with internal audit, to achieve a more sophisticated result, although in practice it is difficult for internal audit to strike a balance between the need to maintain independence and a full understanding of the business.

Many feel that the business owns legal and compliance risk but the legal and compliance teams analyse and identify how those risks arise and quantify them—often in ways that the business will not understand—although a more integrated approach would be preferable.

Elsewhere, legal risk ownership is shared between the legal and operational functions, particularly when defined as a risk of financial loss—which is easily understood by non-lawyers. Concerns over the availability of attorney/client privilege often mean that the business’s legal and compliance functions are combined under the supervision of a lawyer to ensure that privilege is preserved—but this is not necessarily seen as a step in an evolutionary process towards a fully integrated team.

In terms of structure, the issues can be usefully illustrated by the following example—most banks and securities firms have a control room from which all potential conflicts and flows of price sensitive information are managed. Regulatory rules do not prescribe how this should be structured, but it is usually located within compliance. What is managed there is both legal and compliance risk but in order to manage it, firms need to rely on operational controls: although organisationally the management of these three types of risk is separated, in practice they cannot be delinked. This may suggest that it is wrong to focus on complex issues of ownership of risk.

Regulatory ideology seems to be moving compliance towards risk management practices, not least because Basel II speaks of legal risk as a subset of operational risk, but this has some drawbacks as a risk management approach as it is quite mathematical and not always appropriate to the measurement of legal risk. Attempts to merge the two functions can run into difficulties: lawyers have historically demonstrated little appetite for spreadsheets, for example. However, there are activities which either class of professional could perform; for example, the analysis of a contract to ensure that the correct dates on which to exercise options are recorded and acted upon.

The overlap between the interests of legal and other operational risk departments has become more apparent most recently in the transition to more principles-based regulation (MPBR). As MPBR imports ‘softer’ concepts of fairness, integrity and the like, all areas must work together more closely even whilst maintaining separate reporting lines and duties for each discipline. However, greater integration with operational risk management leads to abstract concepts being isolated and transformed into hard (although not necessarily detailed or prescriptive) rules which can then be made subject to operational risk management. Legal and compliance risk are not necessarily adequately identified or assessed by their inclusion in an organisational operational risk matrix.

Although integrated assurance frameworks can work, front line managers are the first line of defence, and assurance functions tend to exclude legal risk management. This may be because in many cases legal risk is a difficult concept to define, but for measurement, clear definitions are needed. Legal functions tend to be more transactionally focussed and less inclined to measure and monitor risks.

The mere fact that Basel II puts legal risk under the operational risk umbrella does not necessarily mean operational risk techniques should be used.

There are some signs of a trend towards the merger of the management of legal, compliance and other operational risks although this is not a universally observed phenomenon. The effectiveness of internal structures in which different risk types are allocated to certain functions may often depend on the interaction between individuals regardless of the formal structuring of the organisation. To an extent, internal structure will be less relevant if individuals from each function work together in practice—although this is more likely to happen if the respective functions are organisationally aligned. The key regulatory imperative is to ensure that senior management is engaged in the management of all risks. Although it is increasingly difficult to draw clear distinctions between legal and compliance risk, the question remains whether it is appropriate to use operational risk management tools to attempt to manage legal risks. As the discussion above shows, there is a demonstrably wide range of different approaches and cultures in the identification, logging and measuring of legal risk. This makes it difficult to draw conclusions about which structures, skills and tools are optimal for managing legal risk.

Key challenges and drivers for change

The Basel II accord includes legal risk in its definition of operational risk; and in this context ‘legal risk’ encompasses compliance risk. It would be interesting to hear how firms have implemented Basel II and the CRD, and how this is playing out in practice. Basel II does not specify what the ‘advanced approach to the management of legal risk’ might look like, and neither the regulator, in-house lawyers or practitioners have currently produced much thinking on this.

MPBR has a profound impact on our understanding of ‘compliance risk’. Classic definitions of compliance risk focus on the risk of loss to the institution from breaches of laws or regulations, but these are of limited use in a principles-based environment. MPBR deliberately injects uncertainty as to the applicable standards in order to make firms think for themselves what specific compliance arrangements are needed in order to achieve the regulatory outcomes set by the FSA. This reflects the transfer, from regulator to regulated, of responsibility for assessing the risks that firms’ businesses pose to broader regulatory goals. This is a key feature of MPBR. This means that compliance risk is wider than merely the risk of regulatory breach and attendant sanctions. The FSA’s supervision and enforcement processes can provide some very different expectations as to the way in which firms should manage compliance risk. In respect of initiatives such as Treating Customers Fairly, firms need to be able to evidence that they have gone through a risk-based assessment of how their systems interact with the FSA’s specified outcomes.

The definition of risk focused on by MPBR is closer to an analysis of risk that the firm poses to its customers, which is a goal external to the firm’s own business objectives. Through MPBR, the FSA has shifted the responsibility for the management of these risks from itself to the regulated community—it appears to be trying to adjust firms’ ‘moral compass’. It remains to be seen whether the FSA’s strategic shift in policy will be effective (the FSA has arguably also delegated the task of measuring the effectiveness of its principles-based regime to firms themselves) and there may yet be areas which turn more on matters of conscience and ethics than on the threat to the FSA’s regulatory objectives.

It is clear, however, that the FSA’s emphasis on senior management responsibility will force senior managers to engage more closely with legal and compliance officers collectively to set their firm’s risk appetite (if indeed it is permissible to have a ‘compliance risk appetite’ of anything other than zero).

The greatest challenge will be at the supervisory interface, which will have to become more open and frank and through which the FSA will have to be prepared to engage with businesses and answer questions regarding the firm’s internal approach to achieving a particular outcome specified by the FSA. The fallout from Northern Rock gives rise to the risk that the behaviour of FSA supervisors may become more conservative in practice, which may itself make MPBR unworkable on the ground. Conversely, the fallout from Northern Rock may herald a return to more detailed rules, notably in the area of liquidity risk.

The plethora of informal FSA guidance materials makes it increasingly difficult for compliance officers to gauge the FSA’s regulatory expectations. The FSA will have to be more disciplined about the issuing of new guidance and in particular about indicating where existing guidance is no longer relevant. Even larger firms tend not to have proper processes in place to keep track of the guidance issued by the FSA and the clear risk of ‘regulatory creep’ from a growing body of detailed informal FSA guidance (treated by firms in practice as if it had the force of FSA rules or formal FSA guidance) is still present. The FSA’s focus on the development of policies by firms also gives rise to the risk that those policies will be set at a detailed level, with the result that they may become increasingly prescriptive and require frequent updating.

The FSA, other regulators and lawmakers (both in the UK and elsewhere) need to resist the temptation to ‘knee jerk’ and impose ill thought out rules and laws in response to recent economic shocks (for example, the collapse of Northern Rock, the credit crunch and rogue trader losses).

The risk of a criticism by the regulator of a gap between a firm’s own assessment of an acceptable appetite for compliance risk and that of the FSA may in itself be a new breed of compliance risk. Therefore, through MPBR, is the FSA asking firms to do the impossible?

While setting a firm’s appetite for qualitative rather than quantitative risks (for example, reputational risk, fraud risk) is not a new technique, it may be difficult to do the same in relation to the external social evil of failing to advance the FSA’s regulatory objectives. Others suggested that thinking about social outcomes was not necessarily a new issue—firms wrestle with reputational issues all the time. The problem is that a benchmark is being set outside the firm. What is truly different is the need to make the process more systematic, and more transparent. The regulator’s stress on ‘evidencing’ the process tends to force firms to translate soft concepts into more detailed controls that are themselves receptive to the FSA’s apparent expectations.

Some contributors felt it would be difficult if not impossible to measure the risk to a firm’s bottom line of unquantifiable social benchmarks set externally to the firm.

Some questioned the appropriateness of a regulator setting social benchmarks. This is the province of legislators; the regulator’s role is primarily to ensure orderly markets. However, the FSA’s statutory objectives under FSMA do allow the FSA licence to trespass into these areas, but subject to formal restraints such as cost-benefit analyses and consultation—although these are already being by-passed through the production of informal guidance.

How are financial institutions responding?

There may be many reasons for identifying and documenting risk. In order of increasing utility, these can include:

  •  maintaining a record;

  •  satisfying regulators;

  •  repairing specific damage once a risk has crystallised;

  •  repairing the underlying process once a risk has crystallised;

  •  attributing financial impact to the risk;

  •  allocating capital and resources to areas of the business; and

  •  influencing strategy and contributing value.

To achieve the latter goals, risks must be measurable, comparable, consistent and meaningful; the challenge is to design data that will not only help the risk manager attribute a value to particular events or risks, but then to use that data in a predictive way to inform the risk environment in the future. Other than credit risk and market risk data, it may be difficult to identify types of risk management data which can be truly predictive.

Operational failures tend to produce little data of predictive value—they tell you about stable doors that have been shut rather than the ones that are left open. This creates a problem because in order to attribute a capital value to data, you must believe the predictive value is there.

Many of the risks which firms are already being required to assess under the Basel II regime are not necessarily quantitative or measurable. Yet in order to allocate capital to those risks firms have to act as if they are. Moreover, in Solvency II, reputational risk is included within the operational risk category. Practitioners struggle with how to value reputational risk even when the methodology is there; the further challenge introduced by MPBR is that the outcomes against which a risk evaluation must take place may be set by wider stakeholder groups than senior management at the firm.

The structuring of firms’ risk management functions may be far less relevant than the quality of the people carrying out the risk management and the scope of the risks which are to be assessed.

One way of grappling with the scope question is to ask whether there are any compliance or legal risks which are not in themselves due to operational failures, namely those involving people, process, systems or assets. If it is accepted that legal and compliance risks are all caused by operational risks, then a new definition of regulatory risk emerges: the risk of incorrectly articulating the outcome of operational failure to regulators. One methodology that follows from this is to approach risk management from an operational perspective rather than a top-down, classic risk management perspective, that is, to ‘look through the other end of the telescope’. In other words, rather than starting with a list of the legal and regulatory rules to which a firm is subject and identifying what risks they pose, one lists out a firm’s operational process controls and then assesses what legal or regulatory problems a failure in any one of those controls would produce. Given that it is this type of risk which is hard to quantify and value, and which has given rise to many of the major shocks to the sector in recent times, the need for a consistent method to appraise it is all the greater. Yet, irrespective of these difficulties, Basel II, the CRD and Solvency II evidence the general expectation that organisations can articulate and value any type of important risk to which they are subject.

An additional problem is that when firms formulate their business models, they are used to taking extremely long-term decisions on how to operate, informed by a series of controls designed to provide the risk analysis that supports those models. This approach cannot, however, take account of the fact that the legal and regulatory climate can change around them. For example, the ‘free-if-in-credit’ banking model was developed in the late 1970s, but the OFT was only handed its powers over consumer credit in the last decade. One function of any piece of legal risk management will therefore be to try to predict forward changes in legislation and regulation: ‘upstream legal risk management’.

Although the object of all such analysis is to allocate capital against quantifiable risks, there was no consensus as to whether the data available to managers of legal and compliance risk will allow this kind of process to take place. The uncertainty engendered by informal FSA guidance makes this task even more difficult, a trend that will accelerate as a result of MPBR.

Parallel work on the political/regulatory environment can also be useful if it does not become too esoteric—issues such as the composition of the European Commission after the next change of Commissioners could have a significant impact on the legal and regulatory framework—but this still does not enable businesses to make any strides towards validating the predictive nature of the data which is generated from such an exercise.

Further problems include:

  •  compliance and legal professionals who are used to focussing on details but not necessarily to identifying and quantifying risks;

  •  cultural differences;

  •  parties protecting their position; and

  •  the history of an institution in terms of its organisational structure,

all of which may hinder a holistic approach to risk management.

(p. 638) One organisation retained a consultant who attempted to reduce every potential risk to a monetary value and then asked the owners of those risks to estimate their ‘real value’ in practice; the relatively high values initially assigned by the businesses were then significantly reduced to what experience suggested were more realistic figures.

The FSA’s move to a more principles-based approach requires a change in culture. Managers need to ask themselves how they operationalise cultural change. They have been used to compliance taking the lead, and to a tick box process, and look to push responsibility for compliance onto legal and compliance functions. This remains a significant challenge.

In summary, the challenge faced by risk professionals is how to provide a credible and dependable risk assessment input relating to legal and compliance risk in the absence of a truly quantitative framework. The main issues such as what could happen, how likely is it, how bad could it be, and what risk mitigants could be employed, require something of an intuitive, reasoned and/or judgmental approach. To a certain extent, the problem just has to be lived with, and firms will be driven to certain methods or risk matrices. Many compliance inputs are both experience-based and judgmental.

It is also relevant to ask, ‘Whose risk is it anyway?’ Although the business itself may well be the first line of defence against such risks arising, and ultimately responsible for dealing with them, the reality remains that compliance and legal professionals do carry the risk that their judgements may be wrong, and it is in that interpretative/advisory context that the ultimate risk of being a compliance or legal professional is to be found. This risk is particularly relevant at present because the FSA wants to see how principles-based requirements are translated into operational policies on the ground. Although the FSA expects to see input from board level downwards, this is still at heart the role of the compliance department, which must mediate between regulatory and business desires.

Sitting legal and regulatory risk personnel closer to the business can produce significant returns. Compliance staff who know what the deals and strategy are can be a great risk mitigant.

As a related point, operational risk can be defined by using ‘operational failure’ as an umbrella term for anything which causes the business to fail. This includes legal and compliance problems, ranging from poor business decisions to poor documentation or computer issues.

There may be parallels to be drawn here with the evolution of the practice of providing formal legal opinions. At the outset, requests for legal opinions were considered unnecessary—the adviser, with his expertise and financial backing, would obviously not be recommending the transaction if he believed there was an issue. Seeking legal opinions became par for the course, but with caveats and carve-outs starting to proliferate, what began as a box-ticking exercise exposed weaknesses in the underlying law. Netting and settlement opinions in relation to foreign exchange contracts were a notable example in the 1980s. This produced pressure for reform, and eventually led to law reform, and in some cases to a regulatory requirement for legal opinions to be given (for example, to obtain regulatory capital recognition of netting arrangements). What is now perceived as a tedious requirement may prove to have unexpected benefits because it will allow consensus to be developed. If a consensus can be achieved on how best to handle the process, and the priority to be attributed to it, then there may be willingness to make amendments.

The commoditisation of the ISDA master agreement provides a classic example of the value of consensus, particularly around transactional documentation and related legal opinions. This does not mean that one agreement fits all transactions; there is still a need to ensure that what the parties are doing, and the advice they receive, is appropriate to the transaction. A process is still needed, and the FSA will want to know that there is a proper process.

However, there are other instances where process has not resulted in real regulatory change. Many commentators feel that the value of Sarbanes-Oxley, for example, which arose out of a crystallised risk event, has been swamped by the process itself, and by the activities directed towards evidencing it. The process does not get to the heart of the risk.

Not all firms in London are UK incorporated, and the FSA’s move to MPBR will affect the operation of branches overseas and in the EU. There is a risk that by elevating risk to (p. 639) a high-level systems and controls requirement, the FSA may lose the jurisdiction to look at the way the firm handles these issues, as this might fall within the province of the home rather than the host state.

Concluding remarks

  •  There is some variation in the extent to which different financial institutions maintain a distinction between their legal, compliance and risk functions in terms of their organisational structures and definitions.

  •  There remain concerns at the use of traditional operational risk management techniques for the management of legal and compliance risk and about how best to attribute quantitative value to these risks (although this is common with most operational risks).

  •  There is also concern that institutions lack clarity as to the expectations of regulators in relation to legal and compliance risk management policies and techniques.

  •  There appears to be some consensus that, despite the limitations of a ‘box ticking’ exercise, systematic identification and assessment of legal risk, when developed and used properly, can be extremely valuable.



1  The seminars were arranged in 2008 by Herbert Smith LLP and the LSE’s Law and Financial Markets Project, an academic and practitioner based initiative. Based in the LSE’s Law Department, the Project, amongst other things, aims to bridge the gap between lawyers in the commercial world and those in academic institutions. It provides opportunities for UK and overseas lawyers to participate in the study and analysis of how law (including regulation) serves and interacts with financial market activity. The role of law in a highly competitive, international marketplace is high on the Project’s agenda, as is its role in facilitating investment in developing countries. Areas where the law requires reform or a greater degree of harmonization or certainty, whether in England, the EU or elsewhere, are also a key feature.

2  The principal participants (and authors of the materials) were Professors Julia Black and Michael Power (from LSE) and Martyn Hopper, Patrick Buckingham, Hammad Akhtar, and Alexandra Truesdale (from Herbert Smith LLP). The proceedings are reproduced here with their kind permission.

3  Hazell v Hammersmith and Fulham London Borough Council [1991] 2 WLR 372 HL.

5  International Bar Association working group definition, circulated in advance of their October 2003 Symposium—see special supplement to Butterworths JIBFL, April 2004.

6  Previously contained in Guidance Note P3 of the FSA’s Interim Prudential Sourcebook for Insurers.

8  Paper entitled ‘Compliance and the compliance function in banks’ by the Basel Committee on Banking Supervision, April 2005.

9  FSA, ‘Principles-based regulation–focusing on the outcomes that matter’, April 2007.