Law: a risky business?

Can in-house lawyers effectively manage enterprise risk? GC investigates.

‘Risk comes from not knowing what you’re doing.’

So said Warren Buffett. But when it comes to deciding who knows best about enterprise risk, how should a company decide? For some sectors, notably financial services, there might not be much of a choice. Regulators deem it essential that banks and other such organisations have an enterprise risk function separate from other business units, a requirement that took hold after risk-related scandals such as the Barings Bank collapse of the 1990s, when banks began to form dedicated risk management departments. But a standalone function was not always a given. In the early days of risk management, the discipline often fell to the legal department, because it was seen as simply a matter of ensuring regulatory compliance, observes Michael Fahey. He is now general counsel at tech company Upside, but also has a background in financial services legal recruitment from his time at RSR Partners. He says that the global financial crisis caused regulators and businesses to see enterprise risk as a broad discipline, extending well beyond legal, and so the independent (and still-maturing) risk function came into its own. Nowadays, banks will have a chief risk officer whose appointment is subject to the approval of the regulator, reporting typically to the CEO or even the board.

But in less regulated sectors, enterprise risk is still often housed within the remit of the legal department, as is the case with Metricon, one of Australia’s largest residential home-building companies. Its general counsel Sam Gribble also runs risk, and he reflects that ‘lawyers tend to be the first port of call. It seems only a small step away – a lot of risks end up as legal problems, so there seems to be a habit of giving it to the lawyer.’ As a private company, Metricon enjoys more freedom of governance, and Gribble takes the view that legal is the appropriate owner of risk in this instance, so long as the legal and risk team is prepared to genuinely collaborate with management when making risk-based decisions. It is, however, carefully structured, and Gribble has established a board under which sit a variety of risk management committees focusing on trade practices, intellectual property, finance, and occupational health and safety, all reporting to him. He, in turn, reports to the CEO on matters of risk. This, he feels, ensures that risks are well communicated.

Gareth Williams, head of legal at UK-headquartered estate agency and property services company Countrywide, has seen the evolution of the risk function at first hand. When the organisation was private-equity owned, risk fell under the umbrella of Countrywide’s legal team, but when the company listed, regulatory input and an influx of non-executive directors meant that risk began to be viewed on a more holistic level. Williams established a group risk and compliance committee, comprising technical and operating directors of the different business divisions. As time went on, he says, ‘it was very obvious that we needed to bring in specialist expertise’. And so, in April 2015, along came Grant Dempster, chief risk and compliance officer, whose role is to take an overarching view of risk across the organisation.

But as the GC role has itself developed in recent years to become a broad-based C-suite position, engaged with the business on a strategic as well as a purely functional level, the creation of a ‘new’ (in many cases, at least) enterprise risk-focused role could be perceived as a conflict. ‘I’m not saying resistance is the word, but we did things perfectly well as lawyers for seven years, and I wasn’t convinced that there was the need for huge change,’ recalls Gareth Williams. However, he goes on: ‘I think that was wrong.’ At the heart of his learning curve was the recognition that legal and risk are ‘completely different skillsets’. Michael Fahey agrees that there is no inherent conflict, arguing that all C-suite leaders should combine their own functional focus with a broad perspective and an understanding of the pressures faced by other business disciplines, and the CRO (chief risk officer) is no different. But crucially, he says, having an overview of risk across a range of business areas provides a less ‘myopic’ view than might be taken by the legal head.

The size of the organisation will obviously affect its appetite for committing to the additional expense and coordination that establishing a separate enterprise risk function will entail. But assuming the organisation is of an appropriate scale, there are both benefits and drawbacks to situating enterprise risk in or outside of the legal function.

Sam Gribble cites the analytical and structured approach that lawyers have as an advantage when turning their hand to questions of risk. Fahey agrees that legal training is a great foundation for the role, and extols the skills that lawyers can bring to bear, provided they can switch their mindset from defending the organisation to providing strategic assistance. ‘Many lawyers excel at managing legal and reputational risk. They frequently serve as the conscience of the organisation. These are the building blocks for effective risk management,’ he says. Lawyers touch all parts of the business, and have a useful layer of objectivity thanks to their treatment of the organisation as client rather than as manager.

Gribble feels that lawyers don’t have the monopoly on these skills, however, and there are other professional disciplines that might serve just as well – an engineer, for example, in the building sector. In the experience of lifelong risk specialist Grant Dempster, risk officers often come from an operations background, although he finds that it’s more about horses for courses than mandating that a CRO must have a risk degree or come from a particular professional discipline. ‘It’s about the individual and the organisation,’ he says. ‘Round pegs and round holes would be where you would find chief risk officers who have got a legal background.’ Nevertheless, in banking it is atypical for the CRO to be drawn from a legal specialty, according to Peter Whitelaw, CRO at Bank of New Zealand (BNZ): ‘Although you will find lawyers who move into CRO roles, studies suggest that it is a minority, certainly in financial services. As a CRO you are trying to ensure that a whole range of different types of risk are managed well – credit risk, operational risk, risk to changes of interest rates, foreign exchange risks, compliance risks, health and safety. It helps to have a fairly broad understanding of the operational elements of the bank, so a CRO will tend to emerge from one of the business lines or from the bank’s own risk team.’

BNZ’s own chief general counsel (CGC), Chris Reid, spent three months seconded to the role of chief risk officer following the Christchurch earthquake in 2011. But Reid views this more as an opportunity to broaden his skillset within the business than an obvious progression, and it provided him with an increased awareness of the greater scope of the risk role compared to that of legal. ‘The CRO role is a hugely diverse and broad role with specialised units reporting into it. That was really the challenge in my case for a lawyer going into a general management role: you have to take off one hat and put on another hat to deal with the advice you’re receiving from your specialists within those areas,’ he says.


Top tips for GCs working with a separate risk function:

    • Be a stakeholder in the structure and governance of enterprise risk: use your ability to communicate and help the board to consider the issues.
    • Embrace enterprise risk and get involved with the risk committee. Use the risk function to get data that helps you become better informed about, and integrated with, what’s going on across the business.
    • Put processes in place so that privileged areas remain so.
    • Don’t assume risk is the enemy. Risk can even become a revenue generator as opportunities are uncovered. It’s about mitigation, not elimination.


Of course, in industry sectors where there is less systemic risk, giving enterprise risk a home of its own might be deemed simply unnecessary, and housebuilder Metricon falls into this category, according to GC Sam Gribble. ‘The company’s greatest risks aren’t financial, but are in procurement or occupational health and safety,’ he explains. ‘We’re the biggest competitor in our market, but justifying a single person dedicated to risk management would be negatively perceived as constraining entrepreneurialism. The risk function needs to be seen as one of the valuable contributors to management decision-making, rather than an isolated unit that seeks to prevent risk altogether.’

At Canadian-headquartered agricultural products company Agrium, chief legal officer (CLO) Susan Jones works closely with the CRO, who held the top legal role several years previously. She feels that for companies that opt for a CRO, whatever their background, the key is to be surrounded with a range of complementary skillsets. ‘So if you are more from a legal bent, surround yourself by a team that has a higher commercial bent,’ she says. ‘I do think there’s a lot to be said for a multifunction team within the chief risk officer portfolio.’ Jones highlights that when moving risk, or aspects of risk, outside of the legal remit, one should be mindful of the need to maintain privilege around legal compliance. Rather than precluding such a move, however, it just requires coordination and extra vigilance, she says.

Having a separate CRO and GC inevitably means a wider range of opinions being presented to the CEO and the board, necessitating some cultural adjustment. However, says Michael Fahey, to involve the top level of management in such a dialogue is a business advantage rather than an inconvenience, and one that GCs are not threatened by. As Grant Dempster at Countrywide says, ‘it’s a relationship that you work at and you have a respect for both areas. I think it’s fair to say that you don’t always have to agree: it’s part of being grownups.’ The nature of any disagreements might be down to a difference in functional roots, as a legal practitioner might overweight the legal risks, whereas ‘an expert in risk assessment who looks at probability and impact might actually think “we can take on a bit more risk, given the enterprise strategy,”’ says Fahey. He takes the view that a legal function-based perspective could result in less objectivity than that of a role which deals purely in corporate objectives. At Metricon, Gribble acknowledges this perception of lawyers as being more conservative, alongside the fact that they are also bound by ethical constraints arising from an ultimate duty to the court above that of the business. He stresses that his own approach, however, is to not fear risk: ‘You’ve got to take risks to create value – risk management is not a risk elimination exercise; it’s a risk balancing and a risk mitigation exercise,’ he says. At BNZ, CRO Whitelaw sees the common ground, and points out that both roles are there to provide advice to the business that it might not want to hear. He acknowledges the potential for divergence in both camps but, like Fahey, feels that ‘having the two separate roles creates the right degree of healthy tension within the business.’

‘THERE ARE BOTH BENEFITS AND DRAWBACKS TO SITUATING ENTERPRISE RISK IN OR OUTSIDE OF THE LEGAL FUNCTION.’

The pan-operational perspective of a separate enterprise risk function can assist in identifying legal risks originating from other functions that might not have reached the attention of the legal department otherwise, and facilitate a consistent approach to risk. As such, the objective of Dempster’s appointment at Countrywide was very much to align approaches to risk across business areas that had ‘operated in many fiefdoms,’ he says. He has found his lack of grounding in a particular area of the business to be an advantage (although it is worth making the point that the general counsel role itself is less specialist than many in-house legal roles that report in). At Agrium, the need for a risk head grew as the business itself became more complicated, necessitating a more centralised approach to material risk. CLO Susan Jones has found that this evolution has helped her own role: ‘It’s certainly easier from a GC perspective to work with a chief risk officer when the function is centralised, rather than trying to run around and figure out where all the decentralised risks are.’

To function effectively as an enterprise risk manager, Michael Fahey believes that, in addition to a shift in perspective, a numerical refresher might also be in order for those with a primarily legal skillset. ‘The trend for risk management is heavily quantitative, and lawyers are more qualitative,’ he says. ‘I think lawyers can be good at everything if they have the right mindset, so it’s not a rule. However, generally speaking, risk is part-art, part-science, and lawyers tend to be more on the art side. The lawyer must ensure they possess the ability to quantify risks in terms of hard numbers. It is that quantitative piece that is missing from formal legal education,’ he explains. This chimes with the experience of Countrywide GC Gareth Williams: ‘It became very obvious to me when we were looking at things like the risk register that risk management is more scientific, it’s more forward-looking, there’s an actuarial element to it, and it required a completely different technical skillset.’

‘THE RISK FUNCTION NEEDS TO BE SEEN AS ONE OF THE VALUABLE CONTRIBUTORS TO MANAGEMENT DECISION-MAKING’

Even so, legal should be strongly connected to risk, especially when designing the structure and compliance aspects of the risk function. Equally, legal has much to learn from the enterprise risk department about managing risk within its own department and, crucially, Fahey argues, about making sure that ‘it is conducting it in a data-driven, quantitative and qualitative way, consistent with risk management discipline best practice.’ BNZ CRO Peter Whitelaw seconds the importance of ‘a regular operating rhythm’ between the two positions, which in his own organisation has even translated to physical proximity. ‘Our teams are relatively closely co-located, and there’s also an organic interaction between the teams on a day-to-day basis. If we were in different cities, that would be hard to do,’ he says. Although Williams and Dempster at Countrywide are based in different offices, they too stress the importance of maintaining communication and sitting on joint committees.

Despite many areas of overlap, for both roles it is key to be clear where one functional responsibility ends and the other begins. Chris Reid, CGC at BNZ, advises in-house lawyers to ensure their teams are sensitive to where legal risk becomes another risk, particularly as there can be a tendency for other business units to think they have signed off on risk for a particular proposal, when in reality they have just obtained a legal sign-off. ‘Where lawyers can be very helpful is to make sure they are sensitive to, and educated about, all the other risk angles, and make sure risk specialists are engaged at the appropriate time,’ he says. And of course, as is always the case in a corporate counsel role, the lawyer must know when to be firm if a legal boundary is in danger of being blurred. Gareth Williams approaches this on a case-by-case basis, while characterising the risk function as focused a little more on process. But both functions intersect and feed into each other.

Fundamentally, whether or not the business has opted for a separate enterprise risk manager role, it is key that enterprise risk itself is managed as a discrete discipline, which considers risk at an organisational level, apart from each individual function. The way this is managed is, as Dempster says, determined by ‘the culture of the organisation, and not necessarily where the badge sits in terms of the risk responsibilities of the function.’ The principle seems to hold true that regardless of sector and whatever the background of the person charged with safeguarding the company’s risk, they must take that objective and overarching view, and avoid the hazard of being too mired in any function to see the wood for the trees, or the opportunity for the risk.