Peter Kurer: The rise of corporate legal and compliance risks arises from a number of economic and sociological developments. Most obvious is the incredible degree of globalization we have experienced over the past 25 years or so. Global companies operate in many countries; say 60, 70 or even 110. They meet the various legal rules there but also many diverse moral and ethical concepts under which their activities are seen and judged. In many of these countries, there is no rule of law or stable institutions that we are used to in the West. We have also become a risk-averse society: we enjoy a lifestyle in which we incur new risks such as those associated with mass transportation, high energy consumption and artificially processed food. If these risks materialize, we however quickly cry “foul and shame” and want to take revenge against the culprit - who often is big global business. NGOs, politicians, prosecutors, regulators and the media ride on these waves of indignation against business. They demand new laws and begin prosecutions. They are aided by an ever more transparent business environment where scandals and crises travel around the globe within an hour thanks to social media and the blogosphere.
Peter Kurer: Lawyers advise on the content of legal rules; they draft contracts and other legal documents; they represent a client; and they manage legal projects such as litigation or M&A transactions. If this is done well, it goes a long way to shield a company from legal and compliance risks. Given the ever increasing risk level, and the sheer size of the modern corporation, more is needed. You need now to govern employees’ behavior by writing specific policies, and educating and training them. You have to monitor certain sensitive transactions, make specific investigations, and mine data. All this requires a different skill set than the one mastered by traditional lawyers. Hence the creation of compliance departments, first in regulated industries such as pharmaceuticals and banking, and increasingly now also in non-regulated industries.
Peter Kurer: I don’t think you can talk about it in terms of “profiting”. It goes far beyond this. In view of the high risk level, you can no longer run a serious company without a well-established compliance process including, in most cases, a compliance department. In creating and implementing opportunities for the company to make profits, senior and line managers must do so within legal requirements. In this sense, they bear primary responsibility for legal risks. Lawyers review and advise on the legal requirements and any limits to the opportunities. Compliance managers do a third and a different thing: they check that operations and staff conduct stay within the limits of legal, regulatory and ethical rules. Therefeore, ownership of legal risk by management, advice by lawyers, and the control activities of compliance are all integral parts of legal risk management. We must sit on a three-legged stool; two legs are not enough.
Peter Kurer: State-of-the-art legal and compliance risk management requires an integrated process. This starts at the top of the company and flows down through operations to the shop or trading floor. The board must understand the issues and set a strategy. It must then hammer out a legal and compliance risk framework. This framework defines the issues, allocates responsibilities to management, control functions and experts; it regulates reporting lines, provides for coordination and convergence activities, talks about the role of risk identification, audits and special situations such as whistle-blowing, self-reporting or investigations. If it is done well and implemented appropriately, the framework establishes a clear governance and effective organization for legal risk management.
Peter Kurer: Talking about risk versus opportunities is a slippery slope in the legal space. In many ways, compliance and legal risks are a zero tolerance area. Boards and management should be very serious about them and establish a solid legal risk management. Risk management in this area should be taken as seriously as business operations, marketing, human resources, quality production and all other key management processes. The rewards will come indirectly - in terms of lower legal costs, less litigation, an improved reputation. If successful, it might become a differentiator that sets apart the company from its competitors.
Peter Kurer: A good general counsel and a good head of legal should be both a trained lawyer and a solid manager. It is tough but you need both skill sets. If you are not a good lawyer you will not command the respect of your staff, because lawyers like to be managed on the basis of superior professional knowledge. If on the other hand you are a poor manager, you create a mess and lose credibility. Ideally, a typical in-house lawyer’s primary training should be as a lawyer, including substantial time with a law firm to learn the practical skills of the job, beyond the academic aspects taught at university. Management skills will be learnt on the job and through specific training which might include an MBA, EMBA, or at least an executive education in legal management.
Peter Kurer: They should teach them good analytical thinking beyond pure knowledge of technical rules. In other words, they should give students the basics to be intellectually robust lawyers who can express themselves in clear and succinct language. If they achieve this they have done a lot. The more practical part of the education should be done by the law firms, the companies and the executive management schools.
Peter Kurer: I would be sceptical about outsourcing in these areas. I would rather in-source support teams for compliance and legal activities, while outsourcing and off-shoring certain activities to law firms or alternative providers like the legal process outsourcing providers. This framework is important for the key task of establishing responsibility key. If I insource, I retain direct responsibility. If I outsource, I delegate responsibility on the basis of a clear service-level agreement which is subject to checking. The main governance principle should always be: how am I most efficient without losing impact.
Peter Kurer: Compliance is a broader concept than merely complying with legal rules. The view is now well-established that compliance activities should extend to ethical and cultural issues and sometimes even to such aspects as consumer protection or certain contractual terms. I only see a few authors - mainly in Germany - who adhere to the old view that compliance is about only the law.
Peter Kurer: Legal risks are a growing uncertainty for global companies. As a matter of fact, legal risks are for many companies the most serious threat to smooth operations. Boards and senior management therefore have every incentive to take this area seriously and to manage risks strategically - from the top and in an integrated manner. The challenge goes beyond just having a good legal department or appointing the best outside counsel. It is the in-house lawyers and compliance officers, rather than law firms, who have become the main operators in this space. They need an attitude and a skill set that goes far beyond a pure professional’s traditional expertise.
Peter Kurer: With this change of paradigm, new advisors become important in the area of legal risk. These include accounting firms, forensic analysts, specialized consultants and legal process outsourcing providers. Each – including law firms – must adopt its own business model. Technology, combined with knowledge of how people behave and how we can influence their behavior, become increasingly important. In other words, legal risk management goes much beyond traditional lawyering. It involves more than just good handling of legal cases and instead moves in the direction of informing and supporting a change of mindset throughout an organization.
© 2016 KPMG Holding AG is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved.