Following our successful seminar on mitigating risk in January, we will be running a series of Q&A in which in-house counsel from different sectors discuss their approaches to risk. First up is former Bupa GC Paul Newton, who sat on the seminar panel. He talks educating the business and how to handle mistakes.
As in-house counsel, what is your responsibility towards risk?
As general counsel for Bupa (I retired at the end of 2016), I played a key role as a member of the Bupa executive team risk committee in ensuring that the organisation was appropriately managing its risks around the world. I had responsibility for helping to ensure Bupa had clear line of sight regarding its legal risks and to define its legal risk appetite. I also considered it my role to help make sure the lawyers across the group adopted a risk-based approach to lawyering.
How can in-house lawyers understand and adapt to their organisation’s perception of risk?
There a number of basic things that you can do to align yourself to how organisations think about and approach risk.
1. Appreciate that risk and opportunity are highly correlated, and that most organisations want to maximise opportunity. Legal risk management is about helping an organisation to strike the right balance between risk and opportunity. Indeed, the role of an in-house lawyer is arguably to help an organisation to maximise opportunity within its risk appetite, not to eradicate risk. Failure to appreciate this can be a major cause of misalignment.
2. Understand that legal risk is not the only risk an organisation has to think about. There are many other risks that impinge upon an organisation or transaction. It is important for you to understand and evaluate legal risks relative to other risks. A cause of misalignment can occur if you appear to be overly focused on legal risks and legal process, in apparent disregard to other risks such as the strategic / financial risk of a transaction or project not going ahead.
3. Understand that it is not your role to decide whether or not to accept a legal risk. The organisation may well decide to accept a risk that a lawyer might not be willing to accept. Provided the organisation is not planning to do something illegal and the decision is being taken at an appropriate level, you should be relaxed in letting the organisation make the decision.
How can you educate the business on what risk is?
It is vitally important that an organisation understands its legal risks at both the enterprise and at the individual transaction level. Most organisations have a risk framework that identifies and assesses risk across the whole business. It is important for you to make sure all key legal risks are captured, so the organisation can see what needs to be done, if anything, to bring legal risk within its risk appetite. If your organisation does not have a framework, you should create one for legal risks. It is also useful to create a similar framework for material transactions.
Laying out risks as such is probably the best way for you to have an informed and structured conversation with your organisation about:
- what the key legal risks are
- their likelihood and potential impact
- what is currently in place or could be put in place to mitigate the risk
- what level of risk the organisation is prepared to accept.
What if the lawyer gets it wrong or makes a mistake?
‘Risk’ by definition concerns events over which there is some uncertainty as to whether they will occur or their impact, or both. To accept a risk means to accept that things may turn out worse than you would like. Assessing risk is difficult and often has to be done using imperfect data. It doesn’t follow therefore that if things turn out badly, you have failed to control legal risks properly. Making sure that your organisation is aware of its legal risks in the way I’ve described above is one of the best ways to avoid blame being laid inappropriately at your feet.
It is important to put your hand up and accept responsibility if you have been negligent in your approach to managing legal risk. However, everyone makes mistakes, and most organisations understand that. Indeed, the risk that a mistake could be made might be a material risk to draw to the attention of your organisation, especially in connection with complex transactions that are being progressed in difficult or challenging circumstances.
How do you factor in regulatory requirements and updates into your plans?
Regulation is a major source of legal risk, as are changes to regulations themselves. Obviously, the starting point is that these have to be identified and assessed like any other legal risk.
Often, the risk of breaching regulations cannot be removed entirely, nor would it be commercially viable to try to. This is because the risk of a breach is often broadly inversely correlated to the amount of effort and resource put in to avoiding the breach; at some point, the cost of trying to avoid a breach can be out of all proportion to the potential harm. This raises the question of how much resource an organisation should be prepared to put into mitigating a regulatory or other legal risk. A cost-benefit analysis needs to be done, and a balance struck between the risk of breaching regulations and the cost of mitigation. Where to strike this balance depends on a number of factors and requires a high degree of judgement. In-house counsel have a key role to play in helping their organisations to reach a sensible conclusion.
How do you report on and measure your and your team’s ‘value’ with regard to risk management?
I would recommend taking these three steps.
1. Demonstrate a thorough understanding of legal risk across the organisation and carry out a robust annual legal risk review. This will enable you to identify with a high degree of confidence the key legal risks facing your organisation, as well as the key actions that it should consider taking to mitigate risk. You should aim to carry out this assessment as good as anyone else assessing risk within your organisation, if not better. You should involve not just the legal team, but management, other risk management functions and outside counsel.
2. Try to show a mature understanding of legal risk, recognising that legal risk is something that has to be managed and that a balance has to be struck between risk and opportunity. For example, be prepared to challenge the thinking of the organisation if it is over-prioritising legal risk and not just when there is a danger it might be underestimating it.
3. Measure and track through annual internal surveys how successful the legal teams are perceived to be in the way they think about and approach risk. At Bupa, two key measures we used related to risk appetite (that is, the extent to which managers thought the legal team were focused on managing opportunity within risk appetite) and solutions orientation (the extent to which the in-house lawyers identified solutions to problems they identified).
Paul Newton led a multi-award winning team of 100 lawyers as GC for Bupa, the leading independent global healthcare group. Paul retired from Bupa at the end of 2016, after 30 years with the company.
Paul will be speaking at our annual conference on 18-19 June at Chancery Lane. To book your place, visit our Events page. Early booking fees apply until 16 May.