Managing risk: the in-house view

DAC Beachcroft and The In-House Lawyer recently conducted a survey to assess the role and influence of the in-house lawyer in managing risk. Is the role that of ringmaster – right at the heart of the matter – or more a side-line prompt? Essentially, does the legal department have the necessary influence, associations, and information to fulfil the role of business adviser effectively? A picture emerges of the in-house lawyer as a key player in risk management and an important contributor to the risk process, albeit one who owns few risks.

A pivotal role requires strong relationships across the business. Respondents reported good levels of exchange with the traditional functions of chief operating officer, finance and HR. There was room for greater levels of engagement with other areas, particularly IT and procurement.

The risk environment

The survey shows an environment where risk is generally well managed and communicated. Over 80% said that risks are formally reviewed at least every six months. The majority felt happy about raising concerns relating to risk. Eighty percent of respondents felt a sense of responsibility in relation to risk. The majority (65%) had a risk officer, and this was not just restricted to the financial services sector where there is normally a regulatory requirement to have this role. In 89% of responses, the perception is that people generally feel comfortable about raising concerns about risk. There was only a slight dip in numbers when asked about responsibility for risk; the majority felt that ‘everyone is responsible for risk’ rang true.

Who deals with risk

In 61% of cases, risk is discussed and decided upon by the main board; in 29% of cases this role is taken by the audit committee.

In 68% of cases, the general counsel attends board meetings; 46% with the dual role of company secretary; 22% of general counsel attend in their own right. 27% of organisations have a single individual as company secretary.

Clearly, acting as company secretary provides great access to the board and executive. Undoubtedly the roles of both general counsel and company secretary have become more sophisticated, onerous and complicated. Is it viable to ask one individual to have the breadth of skills and the time to undertake these successfully? Also, the dual role can raise governance issues and potential conflicts of interest, as the GC frequently advises the executive committee, while the company secretary usually reports to the chair and works with the board. Having a combined role has gone in and out of fashion, but it is probably true to say that with the biggest listed companies the roles of general counsel and company secretary are undertaken by different individuals.

Forty-one percent of respondents had had no formal risk training, although equal numbers have had training in the last year.

Process for capturing new and emerging risks

Recipients were asked to grade their responses 1 to 5, with 5 as optimal. The means for capturing new and emerging risks gave rise to the highest concerns about quality of process.

Legal department's involvement with risk management

In the majority of instances (84%) the legal department was felt to be pro-active and fully involved in the management of risk. Recipients were asked to grade their responses 1 to 5, with 5 as optimal.

The risk committee

46% of general counsel sit on the risk committee and attend meetings. 54% are not members of the risk committee.

62% of legal departments are asked for their opinion by the risk committee, regardless of whether they are represented on the committee. 33% are occasionally asked.

Quality of exchange with other functions

Risks are no respecter of functional boundaries. The best management of risks comes from those organisations that have a wide and connected view. Good reporting is a strong foundation; as is the quality of relationships that general counsel have with other areas of the business.

Survey recipients were asked to grade their internal business relationships from 1 to 5, with 5 as optimal.

Title 1 2 3 4 5
Chair 12% 16% 23% 28% 21%
Non execs 18% 20% 22% 23% 17%
COO 8% 10% 21% 24% 39%
CRO 20% 4% 22% 25% 29%
Internal audit 13% 8% 33% 34% 14%
Finance 5% 6% 24% 27% 38%
IT 10% 19% 38% 17% 17%
HR 6% 13% 20% 28% 35%
S&M 13% 10% 26% 30% 21%
Procurement 15% 14% 23% 29% 19%

The strongest relationships appear to be those with the COO, finance and HR, suggesting a strong link on the operations side and well-established functions.

Relationships appear less developed with IT and procurement. There is room for evolution here, especially when data ranks second in the list of risks that general counsel are most concerned about.

The strength of relationship with the chair correlates with the numbers of general counsel who are company secretary. However, this is not carried through into relationships with non-executives. This is perhaps not surprising as the role of chair is now a significant one, particularly in a listed company, while the NEDs will have less of an involvement (although not an unimportant one).

Frequency of meeting with chief executive

64% of general counsel meet with the chief executive once a month, reflecting the strength of this traditional reporting line. However, a concerning 12% never met the chief executive or equivalent.

Ben Daniels is a partner at DAC Beachcroft.

About the survey

Half of the respondents came from listed companies. Although financial services dominated with 20% of the respondents, there was otherwise a broad spread of sectors.

The risks that most concern them are a very contemporary range of risks, with regulation and reputation especially significant. Every sector considers the risk of non-compliance with sector regulations (21%) as the risk most likely to materially impact their business, followed by data at 18% and reputation at 15%. At 5%, Brexit was not a particularly high concern.

Ben Daniels, partner, DAC Beachcroft, says: ‘These findings reinforce what we hear from GCs; that often where the financial risk or probability of a risk occurring is low but reputational risk is high if the incident occurs, it will be legal that ensure the business understands the implications.’