Sarah Clark at The Legal Director explains why organisations need a legal risk framework
Businesses that fail to mitigate their legal risk pay the price. According to a recent survey by YouGov with CEBR, the annual financial impact to UK SMEs that have not adequately addressed their legal risks is as much as £13.6 billion.
When business leaders think about ‘legal risks’, they immediately jump to thoughts of litigation and spiralling costs of legal proceedings, but there are many other legal risks a business needs to consider.
So, what are the potential consequences for businesses of failing to undertake this important exercise?
Financial penalties: The regulatory landscape is becoming stricter all the time. Fail to comply with the relevant laws and regulations for your sector, and you’ll likely be hit with fines and penalties from regulatory bodies.
Reputational damage: If you’re exposed as failing to do something you ought to be doing, your reputation will suffer. Negative publicity can hit businesses hard and winning back the trust of customers, partners and the public is neither easy nor quick.
Operational disruptions: Legal disputes or regulatory interventions can cause significant interruptions in business operations, wasting valuable people and financial resources.
Loss of licences: If these investigations unearth significant breaches or compliance failures, you may very well have your business licence or permit revoked, which is going to seriously hinder your ability to operate.
Increased insurance costs: Insurance companies don’t like high-risk businesses. If you’re operating with scant regard to the legal risks in your business, you’ll be perceived as higher risk. At best, you’ll be paying higher premiums. At worst, you won’t get insurance coverage.
Poor employee morale and retention: Few people like working for businesses with maverick attitudes to their employees’ health, safety and wellbeing. Negative work environments can lead directly to decreased employee morale and loss of key staff. Not only is recruitment an expensive, resource-draining exercise, but the reputational damage of being a poor employer could mean that you fail to attract the best talent.
Market value impact: Investors like businesses that are well governed and reliable. Your stock price or market value is at risk of dropping if you’re perceived to be unstable, with unsound business practices.
Resource drain: The diversion of resources (time, money and personnel) to address legal issues instead of focusing on core business activities impacts an organisation’s ability to function.
Regulatory scrutiny: If you’re not able to demonstrate good regulatory compliance, you’ll invite the regulatory bodies’ increased scrutiny and oversight, leading to more frequent audits and inspections.
Legal action: And of course, there’s the ultimate risk of lawsuits from customers, employees, or other stakeholders, leading to costly legal battles.
What should businesses be doing?
Know your business
You need to fully understand your business model, how it operates, the sector it operates in and the regulatory environment. So, start with strategic conversations with the senior leadership. Pull out the key strategic documents and have in-depth conversations with each leader about the functional areas they own, and the actual legal risks that are facing your particular business.
Don’t initially look at risk through a legal lens. Think carefully about what makes your business a valuable entity. Is it its intellectual property? Is it its positioning in the competitive market? Then consider what could potentially threaten that value. Decide what really matters to you as an organisation and what you’re precious about protecting. This will help you determine your risk appetite.
Map the risks
When you’ve identified the risks, organise them into areas, for example:
Next, set your risk appetite and Key Risk Indicators (KRIs) in each of the areas you have identified.
In each functional area of the business, identify the ‘owner’ of the risk in that area. They will be responsible for addressing the risks according to the agreed risk appetite and ensuring that all necessary regulatory and compliance issues are met, all policies are present and up to date and all contracts are workable and fall within agreed tolerances.
This information should be collated and assessed against KRIs. You can use a grading or traffic light system to log risks against the KRIs. Then you need to set up processes. Ensure sign-off at the most senior level for anything the business wants to do which is outside of those agreed tolerances and record that decision. This ensures that a snapshot is always available showing where out-of-appetite risks sit, across the business.
Monitor
Internal checks (or the ‘second line of defence’): Identify someone outside each business function to monitor whether the risks are being properly recorded, signed off and treated. You should not be marking your own homework.
External independent assurance (the ‘third line of defence’): Schedule periodic audits (these may be annual or every three years) to investigate and feed back on your legal risks and the state of your compliance.
Report to the board
The board must be able to assure itself that the risk levels that have been set are being adhered to and that robust and reliable processes are in place. So, design a high-level report on legal risk, taking snapshots from each of the functional areas, on a regular basis, to report to the board.
Review
If something is regularly failing to meet the risk criteria set, then perhaps your tolerance as a business has changed. So, you begin the process of reviewing your risk tolerances again and the wheel keeps turning.
A process worth investing in
Creating a legal risk framework may seem like a daunting process, but it is certainly a process worth investing in. Good governance supports growth delivery, engenders trust and attracts investors. And it also saves you time and money by avoiding the nasty consequences of not addressing your legal risk.
Sarah Clark is Chief People & Transformation Officer at The Legal Director.
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543