Example 1: ‘The current and prospective risk to earnings or capital arising from violations of, or non-conformance with, laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the Bank’s clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts.’7
Example 2: ‘ … the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its banking activities … ’8
The FSA’s principles-based approach to regulation calls such definitions into question. While the FSA has not sought to define compliance risk, the following statement highlights the problem: ‘Principles-based regulation means, where possible, moving away from dictating through detailed, prescriptive rules and supervisory actions how firms should operate their business. We want to give firms the responsibility to decide how best to align their business objectives and processes with the regulatory outcomes we have specified. We will increasingly shift the balance of our activity towards setting out desirable regulatory outcomes in principles and outcome-focused rules, enabling our people to engage with firms’ senior management in pursuit of these outcomes. We expect firms’ behaviour, in turn, to change to adjust to this shift in emphasis.’9
In this environment it seems that compliance risk needs to encompass not only the risk of loss to the financial institution arising from non-compliance with detailed rules, but also the risk that a financial institution will fail adequately to deliver on the high level ‘outcomes’ and goals specified by the regulator.
There is now a growing need to develop a clearer picture of what a ‘desirable regulatory outcome’ actually is in this context. The evolution of regulation, the increasing complexity of business (coupled with the sheer size of many financial institutions) and the potential liability that may result from an inadequate approach to legal and compliance risk management should, we anticipate, result in significant changes to the ways in which financial institutions manage legal and compliance risk and structure their legal and compliance functions. At this stage, it seems to be too early to assess whether any best practices are emerging or whether the FSA is having, or wishes to have, any influence on this.
3. Who should be involved in conducting legal and compliance risk management?
The question of definitions can have practical implications for the internal organisation of the different risk management functions, and vice versa. A narrow definition of legal risk, as relating principally to risks of litigation, can result in the assignment of certain types of risk to the legal division; whereas a wider definition which encompasses compliance risk may lead to a different organisational structure. The dynamic can be reversed: existing legal divisions may lay claim to certain types of risk, leaving the rest to compliance or other risk management functions.
Financial institutions should carefully consider who should be involved in legal and compliance risk management and what form that involvement should take. Effective legal and compliance risk management will require financial institutions to look beyond functional lines and ensure that the right information is reported both horizontally and vertically within the organisation.
This is likely to present a number of challenges for financial institutions, including ensuring that:
For most financial institutions legal and compliance risk management is primarily the responsibility of the legal and/or compliance functions with some oversight provided by the risk function. Whilst it is perhaps too early to draw any conclusions, it appears likely that this approach will continue to be prevalent. Effective legal and compliance risk management, however, will require the business also to assume day-to-day responsibility for managing such risks with senior management playing a key role in developing and embedding a culture of compliance.
4. What does ‘risk management’ look like?
It appears that of all areas of risk management, the effective management of legal and compliance risk is a subject on which the thinking of the FSA and industry is least developed. Most financial institutions appear to approach the management of legal and compliance risks in broadly the same way that they manage other risks.
Is this perception correct? If so, why? Legal risks are notoriously difficult to measure, but so are many other types of operational risk. Are legal risks different? Do they call for a different approach? Legal risks are often dealt with by employing more generic risk management tools, but is this an effective way of managing legal risks and how genuinely engaged are lawyers in this process?
Part B: Proceedings
The credit crunch has highlighted the extent of the risks, as well as the rewards, inherent in the financial services sector. Banks are charged with delivering a quasi-social service; the provision of products such as current accounts and mortgages is no longer just a matter of private contract but is heavily regulated in favour of consumers and according to imprecise yet ever-expanding concepts of fairness.
Banks trade in legal constructs at the centre of a complex web of law and regulation—the days when such issues were just a matter for shareholders are long gone. If the law governing those constructs does not function as expected, this will impact on the heart of their business models.
Legal risk is thus an all-pervasive threat, yet there has been to date no consensus over what legal risk actually is, and it is increasingly apparent that the managers and owners of legal risk need some precision as to its definition and management.
Defining legal and compliance risk
There is a wide spectrum of definitions of legal and compliance risk. Some seek to use a mixture of soft and hard norms; some focus on the risk of loss arising from non-compliance with such norms; and some focus on the environmental uncertainty created by the institutions that create the law within which the sector operates.
Definitions have acquired more of an operational risk content but it is not clear whether there is any consensus as to how firms operationalise their risk management functions to encompass legal and compliance risk management. This may be influenced in various ways:
Key questions include how firms’ risk management functions relate to their compliance and legal departments; which professionals should be or are involved in the process; how lawyers, accountants and risk management professionals can work together best to manage legal risk; and whether there is any demand for a more holistic system of legal risk/compliance management.
One firm simply defines ‘legal risk’ in terms of financial loss, being a simple concept that is readily understandable by non-lawyers. Others have extensive definitions, but express scepticism about the way they are used.
Some organisations draw stark differences between legal risk and compliance risk. Legal risk issues revolve around legal advice given to an operational section of the business, but it is those in the business, not the lawyers, who remain responsible for the risk—they decide whether to accept or reject legal advice, which is risk based. Compliance, on the other hand, is ultimately owned by the Chief Executive, and is conceived of in terms of enforcing the firm’s established policies and procedures: compliance input is prescriptive rather than advisory.
Others take a different view—that risk ownership depends more on the certainty or uncertainty of the risks. Where it is clear that to act in certain ways will give rise to adverse legal or compliance consequences, then it is for the risk manager to make this plain to the business and, if the message is ignored, to escalate it. In cases of uncertainty, regulatory or otherwise, it would be for the business to make the risk decision. The business should be the first line of defence to such risks, and compliance acts as the ‘conscience’ of the business, rather than as its police. Ideally legal and compliance risk managers would also work closely with internal audit, to achieve a more sophisticated result, although in practice it is difficult for internal audit to strike a balance between the need to maintain independence and a full understanding of the business.
Many feel that the business owns legal and compliance risk but the legal and compliance teams analyse and identify how those risks arise and quantify them—often in ways that the business will not understand—although a more integrated approach would be preferable.
Elsewhere, legal risk ownership is shared between the legal and operational functions, particularly when defined as a risk of financial loss—which is easily understood by non-lawyers. Concerns over the availability of attorney/client privilege often mean that the business’s legal and compliance functions are combined under the supervision of a lawyer to ensure that privilege is preserved—but this is not necessarily seen as a step in an evolutionary process towards a fully integrated team.
In terms of structure, the issues can be usefully illustrated by the following example—most banks and securities firms have a control room from which all potential conflicts and flows of price sensitive information are managed. Regulatory rules do not prescribe how this should be structured, but it is usually located within compliance. What is managed there is both legal and compliance risk but in order to manage it, firms need to rely on operational controls: although organisationally the management of these three types of risk is separated, in practice they cannot be delinked. This may suggest that it is wrong to focus on complex issues of ownership of risk.
Regulatory ideology seems to be moving compliance towards risk management practices, not least because Basel II speaks of legal risk as a subset of operational risk, but this has some drawbacks as a risk management approach as it is quite mathematical and not always appropriate to the measurement of legal risk. Attempts to merge the two functions can run into difficulties: lawyers have historically demonstrated little appetite for spreadsheets, for example. However, there are activities which either class of professional could perform; for example, the analysis of a contract to ensure that the correct dates on which to exercise options are recorded and acted upon.
The overlap between the interests of legal and other operational risk departments has become more apparent most recently in the transition to more principles-based regulation (MPBR). As MPBR imports ‘softer’ concepts of fairness, integrity and the like, all areas must work together more closely even whilst maintaining separate reporting lines and duties for each discipline. However, greater integration with operational risk management leads to abstract concepts being isolated and transformed into hard (although not necessarily detailed or prescriptive) rules which can then be made subject to operational risk management. Legal and compliance risk are not necessarily adequately identified or assessed by their inclusion in an organisational operational risk matrix.
Although integrated assurance frameworks can work, front line managers are the first line of defence, and assurance functions tend to exclude legal risk management. This may be because in many cases legal risk is a difficult concept to define, but for measurement, clear definitions are needed. Legal functions tend to be more transactionally focussed and less inclined to measure and monitor risks.
The mere fact that Basel II puts legal risk under the operational risk umbrella does not necessarily mean operational risk techniques should be used.
There are some signs of a trend towards the merger of the management of legal, compliance and other operational risks although this is not a universally observed phenomenon. The effectiveness of internal structures in which different risk types are allocated to certain functions may often depend on the interaction between individuals regardless of the formal structuring of the organisation. To an extent, internal structure will be less relevant if individuals from each function work together in practice—although this is more likely to happen if the respective functions are organisationally aligned. The key regulatory imperative is to ensure that senior management is engaged in the management of all risks. Although it is increasingly difficult to draw clear distinctions between legal and compliance risk, the question remains whether it is appropriate to use operational risk management tools to attempt to manage legal risks. As the discussion above shows, there is a demonstrably wide range of different approaches and cultures in the identification, logging and measuring of legal risk. This makes it difficult to draw conclusions about which structures, skills and tools are optimal for managing legal risk.
Key challenges and drivers for change
The Basel II accord includes legal risk in its definition of operational risk; and in this context ‘legal risk’ encompasses compliance risk. It would be interesting to hear how firms have implemented Basel II and the CRD, and how this is playing out in practice. Basel II does not specify what the ‘advanced approach to the management of legal risk’ might look like, and neither the regulator, in-house lawyers nor practitioners have currently produced much thinking on this.
MPBR has a profound impact on our understanding of ‘compliance risk’. Classic definitions of compliance risk focus on the risk of loss to the institution from breaches of laws or regulations, but these are of limited use in a principles-based environment. MPBR deliberately injects uncertainty as to the applicable standards in order to make firms think for themselves what specific compliance arrangements are needed in order to achieve the regulatory outcomes set by the FSA. This reflects the transfer, from regulator to regulated, of responsibility for assessing the risks that firms’ businesses pose to broader regulatory goals. This is a key feature of MPBR. This means that compliance risk is wider than merely the risk of regulatory breach and attendant sanctions. The FSA’s supervision and enforcement processes can provide some very different expectations as to the way in which firms should manage compliance risk. In respect of initiatives such as Treating Customers Fairly, firms need to be able to evidence that they have gone through a risk-based assessment of how their systems interact with the FSA’s specified outcomes.
The definition of risk focused on by MPBR is closer to an analysis of risk that the firm poses to its customers, which is a goal external to the firm’s own business objectives. Through MPBR, the FSA has shifted the responsibility for the management of these risks from itself to the regulated community—it appears to be trying to adjust firms’ ‘moral compass’. It remains to be seen whether the FSA’s strategic shift in policy will be effective (the FSA has arguably also delegated the task of measuring the effectiveness of its principles-based regime to firms themselves) and there may yet be areas which turn more on matters of conscience and ethics than on the threat to the FSA’s regulatory objectives.
It is clear, however, that the FSA’s emphasis on senior management responsibility will force senior managers to engage more closely with legal and compliance officers collectively to set their firm’s risk appetite (if indeed it is permissible to have a ‘compliance risk appetite’ of anything other than zero).
The greatest challenge will be at the supervisory interface, which will have to become more open and frank and through which the FSA will have to be prepared to engage with businesses and answer questions regarding the firm’s internal approach to achieving a particular outcome specified by the FSA. The fallout from Northern Rock gives rise to the risk that the behaviour of FSA supervisors may become more conservative in practice, which may itself make MPBR unworkable on the ground. Conversely, the fallout from Northern Rock may herald a return to more detailed rules, notably in the area of liquidity risk.
The plethora of informal FSA guidance materials makes it increasingly difficult for compliance officers to gauge the FSA’s regulatory expectations. The FSA will have to be more disciplined about the issuing of new guidance and in particular about indicating where existing guidance is no longer relevant. Even larger firms tend not to have proper processes in place to keep track of the guidance issued by the FSA and the clear risk of ‘regulatory creep’ from a growing body of detailed informal FSA guidance (treated by firms in practice as if it had the force of FSA rules or formal FSA guidance) is still present. The FSA’s focus on the development of policies by firms also gives rise to the risk that those policies will be set at a detailed level, with the result that they may become increasingly prescriptive and require frequent updating.
The FSA, other regulators and lawmakers (both in the UK and elsewhere) need to resist the temptation to ‘knee jerk’ and impose ill thought out rules and laws in response to recent economic shocks (for example, the collapse of Northern Rock, the credit crunch and rogue trader losses).
The risk of a criticism by the regulator of a gap between a firm’s own assessment of an acceptable appetite for compliance risk and that of the FSA may in itself be a new breed of compliance risk. Therefore, through MPBR, is the FSA asking firms to do the impossible?
Although setting a firm’s appetite for qualitative rather than quantitative risks (for example, reputational risk, fraud risk) is not a new technique, it may be difficult to do the same in relation to the external social evil of failing to advance the FSA’s regulatory objectives. Others suggested that thinking about social outcomes was not necessarily a new issue—firms wrestle with reputational issues all the time. The problem is that a benchmark is being set outside the firm. What is truly different is the need to make the process more systematic, and more transparent. The regulator’s stress on ‘evidencing’ the process tends to force firms to translate soft concepts into more detailed controls that are themselves receptive to the FSA’s apparent expectations.
Some contributors felt it would be difficult if not impossible to measure the risk to a firm’s bottom line of unquantifiable social benchmarks set externally to the firm.
Some questioned the appropriateness of a regulator setting social benchmarks. This is the province of legislators; the regulator’s role is primarily to ensure orderly markets. However, the FSA’s statutory objectives under FSMA do give the FSA licence to trespass into these areas, subject to formal restraints such as cost-benefit analyses and consultation—although these are already being by-passed through the production of informal guidance.
How are financial institutions responding?
There may be many reasons for identifying and documenting risk. In order of increasing utility, these can include:
To achieve the latter goals, risks must be measurable, comparable, consistent and meaningful; the challenge is to design data that will not only help the risk manager attribute a value to particular events or risks, but then to use that data in a predictive way to inform the risk environment in the future. Other than credit risk and market risk data, it may be difficult to identify types of risk management data which can be truly predictive.
Operational failures tend to produce little data of predictive value—they tell you about stable doors that have been shut rather than the ones that are left open. This creates a problem because in order to attribute a capital value to data, you must believe the predictive value is there.
Many of the risks which firms are already being required to assess under the Basel II regime are not necessarily quantitative or measurable. Yet in order to allocate capital to those risks firms have to act as if they are. Moreover, in Solvency II, reputational risk is included within the operational risk category. Practitioners struggle with how to value reputational risk even when the methodology is there; the further challenge introduced by MPBR is that the outcomes against which a risk evaluation must take place may be set by wider stakeholder groups than senior management at the firm.
The structuring of firms’ risk management functions may be far less relevant than the quality of the people carrying out the risk management and the scope of the risks which are to be assessed.
One way of grappling with the scope question is to ask whether there are any compliance or legal risks which are not in themselves due to operational failures, namely those involving people, process, systems or assets. If it is accepted that legal and compliance risks are all caused by operational risks, then a new definition of regulatory risk emerges, which is the risk of incorrectly articulating the outcome of operational failure to regulators. One methodology for doing so is to approach risk management from an operational perspective rather than a top-down, classic risk management perspective: to ‘look through the other end of the telescope’. In other words, rather than starting with a list of the legal and regulatory rules to which a firm is subject and identifying what risks they pose, one lists out a firm’s operational process controls and then assesses what legal or regulatory problems a failure in any one of those controls would produce. Given that it is this type of risk which is hard to quantify and value and which has given rise to many of the major shocks to the sector in recent times, the need for a consistent method to appraise them is all the greater. Yet, irrespective of these difficulties, Basel II, the CRD and Solvency II evidence the general expectation that organisations can articulate and value any type of important risk to which they are subject.
An additional problem is that when firms formulate their business models, they are used to taking extremely long-term decisions on how to operate, informed by a series of controls which are designed to provide the risk analysis that supports those models. Nevertheless, this approach cannot take account of the fact that the legal and regulatory climate can change around them. For example, the ‘free-if-in-credit’ banking model was developed in the late 1970s, but the OFT was only handed its powers over consumer credit in the last decade. One function of any piece of legal risk management will be to look at predicting forward changes in legislation and regulation—‘upstream legal risk management’.
Although the object of all such analysis is to allocate capital against quantifiable risks, there was no consensus as to whether the data available to managers of legal and compliance risk will allow this kind of process to take place. The uncertainty engendered by informal FSA guidance makes this task even more difficult, a trend that will accelerate as a result of MPBR.
Parallel work on the political/regulatory environment can also be useful if it does not become too esoteric—issues such as the composition of the European Commission after the next change of Commissioners could have a significant impact on the legal and regulatory framework—but this still does not enable businesses to make any strides towards validating the predictive nature of the data which is generated from such an exercise.
Further problems include:
One organisation retained a consultant who attempted to reduce every potential risk to a monetary value and then asked the owners of those risks to estimate their ‘real value’ in practice—the relatively high values initially assigned by the businesses were then significantly reduced to what experience suggested were more realistic figures.
The FSA’s move to a more principles-based approach requires a change in culture. Managers need to ask themselves how they operationalise cultural change. They have been used to compliance taking the lead, and to a tick box process, and look to push responsibility for compliance onto legal and compliance functions. This remains a significant challenge.
In summary, the challenge faced by risk professionals is how to provide a credible and dependable risk assessment input relating to legal and compliance risk in the absence of a truly quantitative framework. The main issues such as what could happen, how likely is it, how bad could it be, and what risk mitigants could be employed, require something of an intuitive, reasoned and/or judgmental approach. To a certain extent, the problem just has to be lived with, and firms will be driven to certain methods or risk matrices. Many compliance inputs are both experience-based and judgmental.
It is also relevant to ask, ‘Whose risk is it anyway?’ Although the business itself may well be the first line of defence against such risks arising, and ultimately responsible for dealing with them, the reality remains that compliance and legal professionals do carry the risk that their judgements may be wrong, and it is in that interpretative/advisory context that the ultimate risk of being a compliance or legal professional is to be found. This risk is particularly relevant at present because the FSA wants to see how principles-based requirements are translated into operational policies on the ground—although it is expecting to see input from the board level downwards, this is still at heart the role of the compliance department, which must mediate between regulatory and business desires.
Sitting legal and regulatory risk personnel closer to the business can produce significant returns. Compliance staff who know what the deals and strategy are can be a great risk mitigant.
As a related point, operational risk can be defined by using ‘operational failure’ as an umbrella term for anything which causes the business to fail. This includes legal and compliance problems, ranging from poor business decisions, to poor documentation or computer issues.
There may be parallels to be drawn here with the evolution of the practice of providing formal legal opinions. At the outset, requests for legal opinions were considered unnecessary—the adviser, with his expertise and financial backing, would obviously not be recommending the transaction if he believed there was an issue. Seeking legal opinions became par for the course, but with caveats and carve-outs starting to proliferate, what began as a box-ticking exercise exposed weaknesses in the underlying law. Netting and settlement opinions in relation to foreign exchange contracts were a notable example in the 1980s. This produced pressure for reform, and eventually led to law reform, and in some cases to a regulatory requirement for legal opinions to be given (for example, to obtain regulatory capital recognition of netting arrangements). What is now perceived as a tedious requirement may prove to have unexpected benefits because it will allow consensus to be developed. If a consensus can be achieved on how best to handle the process, and the priority to be attributed to it, then there may be willingness to make amendments.
The commoditisation of the ISDA master agreement provides a classic example of the value of consensus, particularly around transactional documentation and related legal opinions. This does not mean that one agreement fits all transactions; there is still a need to ensure that what the parties are doing is appropriate to the transaction, and to take advice. A process is still needed, and the FSA will want to know that there is a proper process.
However, there are other instances where process has not resulted in real regulatory change. Many commentators feel that the value of Sarbanes-Oxley, for example, which arose out of a crystallised risk event, has been swamped by the process itself, and by the activities directed towards evidencing it. The process does not get to the heart of the risk.
Not all firms in London are UK incorporated—the FSA’s move to MPBR will affect the operation of branches overseas and in the EU. There is a risk that by elevating risk to a high-level systems and controls requirement, the FSA may lose the jurisdiction to look at the way the firm handles these issues, as this might fall within the province of the home rather than the host state.