The Board's responsibility to manage risk: Key legal and compliance issues – A disputes perspective

At this recent conference, held by Herbert Smith Freehills and attended by close to a hundred clients, we explored some key legal and compliance risks facing major corporates and how those risks can be mitigated.

After opening remarks by dispute resolution partner and conference chair David Reston, presentations took place on corporate governance, financial crime, cyber security and risk transfer through insurance, as well as a panel session on business and human rights, class actions and investment protection. The morning concluded with Andrew Procter looking at the practicalities and challenges of designing and operating a risk control programme, from his perspective as a former regulator and compliance head at a global financial institution.

A summary of the conference is below. You can jump down to read more detail on any of the sessions by clicking on the relevant heading.

Corporate governance context – Corporate partner Gareth Roberts set the context for the morning by outlining the key corporate governance requirements relating to risk, including the increased focus on risk under the UK Corporate Governance Code.

Financial crime risk – Susannah Cogman and Rod Fletcher outlined some hot topics and some issues on the horizon which are giving rise to new and increased risk in the anti-corruption and sanctions space, as well as providing insights on the management and governance of multinational investigations.

Cyber security: responding to a global threat – Jeremy Garson and James Farrell considered the legal and regulatory framework relating to cyber security and the type of liability that may result from an attack, as well as looking at best practice in managing the risks proactively and responding to a cyber attack.

The changing face of disputes risk in emerging markets – In this panel session, Dan Hudson, John Ogilvie, Damian Grave and Vanessa Naish looked at a number of topics which might seem to be quite separate – business and human rights, class actions and investment protection – but which combine to increase financial and reputational risks for companies, particularly (though not exclusively) where they are doing business in emerging market jurisdictions.

Effective risk transfer through insurance: new opportunities and coverage that's fit for purpose – Alexander Oddy looked at the insurance solutions available to mitigate risks discussed in earlier sessions, as well as outlining key changes under the Insurance Act 2015 and how corporate policyholders can prepare to take advantage of the new law and reduce risk of insurance failure.

Designing and operating a risk control programme – Andrew Procter looked at the practicalities and challenges of designing and operating a risk control programme, from his perspective as a former regulator and compliance head at a global financial institution.

Corporate governance context - Gareth Roberts

• Equity investment does involve risk; the Board's aim should not be to eliminate risk. However, a Board needs to ensure that the company has effective processes and procedures in place to enable it to understand, identify and manage risks and to make appropriate disclosure to investors.
• A Board does not have perfect knowledge of everything that happens within the company. Identification of risk is in many ways a "bottom up" process. The right people in the organisation need to be empowered to feed information up, and need to have regular training as to how they are expected to react and what they are expected to report.
• At the same time, there needs to be a corporate culture that allows people to report appropriately; processes and procedures will not work if there is a culture of corporate fear. The "tone from the top" is crucial.
• Recent changes to the Corporate Governance Code, which applies to all premium listed companies in the UK, have increased the focus on questions of risk and risk management in corporate reporting.
• Under the Code, the annual reporting exercise of a company should be designed to present a fair, balanced and understandable assessment of the company's position and prospects. There is an express expectation that the board is responsible for determining the nature and extent of the principal risks it is willing to take in achieving its strategic objectives.
• The objective of the Financial Reporting Council in introducing this change was to lead to better and shorter disclosure. It has not had that effect – generally disclosures have become much longer. Whether they have become better is a matter of debate.
• A new provision applies for financial years beginning on or after 1 October 2014. Directors will be expected in the annual report to make positive confirmation that they have carried out a robust assessment of the principal risks including threats to the company's business model, future performance, solvency and liquidity, and how those risks are being managed or mitigated.
• Most well-run Boards ought to be conducting such an assessment anyway, but the new requirement is likely to lead to more disclosure, in particular as to how risks are being managed or mitigated, which may itself make companies revisit their processes to ensure they are comfortable with what they are going to disclose.
• There is also a new requirement, applying for the same financial years, for the board to make a viability statement, going beyond the going concern period, so that investors can form a view on the continuing viability of the company. It is for the Board to decide on the appropriate period, and most Boards appear to be considering periods in the region of three years. The extent of any qualifications or assumptions underlying this statement is currently a matter of active debate.
• Risk is not purely a Code issue, of course. All company directors have always been required to be able to deal properly with corporate risk, ensuring there are mitigation and control systems in place for planned risks and adequate fall back systems for dealing with the unexpected. The strategic report, for example, is required by the Companies Act to address the company's principal risks, and it is a basic part of the duties of directors that risk is something which must be managed.

Financial crime risk – Susannah Cogman and Rod Fletcher

• One issue on the horizon which could be extremely significant for corporates is the possible reform of the "directing mind and will" test, which currently determines whether UK companies can be held criminally liable for acts of their employees and representatives. The director of the SFO, David Green, has been pressing for reform in this area, and it seems likely that at some stage there will be reform, though the shape and timing are currently very unclear.
• Currently under English law it is very difficult to prosecute large organisations for criminal offences because of the requirement to establish the relevant intention or knowledge on the part of an individual who can be identified with the company under the "directing mind and will" test – which generally means someone at Board level or occasionally immediately below.
• The exception is the corporate offence of failing to prevent bribery, under section 7 of the Bribery Act 2010. Under this provision, companies can be liable for acts of employees at all levels of the organisation, and indeed third party representatives, if they pay a bribe with the intention of benefiting the company. There is a defence if the company can prove that it had in place adequate procedures designed to prevent such conduct.
• David Green wants to see the section 7 offence extended so as to introduce an offence of failing to prevent any sort of economic crime (eg fraud, tax evasion, money laundering). Presumably, such an offence would need to be accompanied by a compliance defence. As a result, if such a reform was introduced, in addition to the additional legal exposure to which it would give rise, corporates may need to institute compliance programmes for all economic crimes - which would represent a very significant burden. It will be important for corporates to engage in any consultation process about the specific reforms introduced.  It seems likely that at some stage there will be reform, although the shape and timing are currently very unclear.
• Sanctions compliance is an area of particular difficulty for corporates, due to the volume and complexity of the legislation, the speed with which new provisions tend to be introduced, and the potential for uncertainty as to their interpretation. Going forward, all the indications are that sanctions regimes are set to become more, rather than less, complex.
• Sanctions enforcement in the UK has to date been fairly limited, particularly in comparison to the US where there has been very aggressive enforcement action. However, there are indications that the relevant agencies have been looking at how they can better take action in response to breaches, so in practice corporates may see some increased enforcement risk going forward.
• Concerns regarding sanctions issues are feeding through into commercial transactions. For examples, a number of lenders are extending the representations and covenants they require in relation to a borrower's sanctions compliance, and often conducting more extensive sanctions diligence. Covenants may require compliance with US as well as EU sanctions, even for borrowers who are not subject to the US sanctions (because they are not US persons) and where lending is not in USD. This can lead to difficulties for borrowers who operate their businesses in accordance with EU or other local law but in a way which would not comply with US sanctions (if they applied). Whilst the position of lenders is understandable, borrowers need to consider carefully the practical implications and risks associated with the terms to which they sign up.
• Enforcement risk in relation to financial crime generally has greatly increased in the past 20+ years. It used to be that there were a few high profile cases (eg Guinness, Maxwell, BCCI) but only one or two of them were on-going at any one time. The number of cases, and therefore the risk, has greatly increased in recent years. As an indication, the SFO has 80 active cases and the City of London police 150 overseas corruption cases.
• The SFO's approach has also changed under the leadership of David Green. Under the previous regime the focus was on settlement, civil recovery, trying to do deals with companies. That has now changed back to a more traditional law enforcement role with an adversarial process and an expectation that there will be trials.
• Another key development is the multi-national nature of enforcement. These days it is unlikely that there will be just one investigation by one agency in one jurisdiction; the likelihood is that because of increased extra-territorial jurisdiction it will be a much more complicated scenario. Dealing with the multiple requests and inconsistent approaches can lead to particular problems for Boards and those advising them.

Cyber security: responding to a global threat – Jeremy Garson and James Farrell

• Approaches to law and regulation governing cyber security vary between jurisdictions. In the UK, there is no single law dealing with cyber security. Instead, we have a patchwork of laws and regulations that implicate this type of threat. Some of these apply to all businesses; others are sector specific.
• Businesses might incur loss or liability for a security breach in a number of ways, including direct financial loss where the business is disrupted, voluntary payments to mitigate reputational damage, fines imposed by regulators, and private law claims including potential class actions.
• Businesses should be taking proactive measures to reduce the risk of a cyber attack happening, or to reduce the impact of an attack, including the following:
  • Identifying the specific risks to the business and what most needs protection. For a manufacturing and R&D business, for example, intellectual property might be the most important asset which is vulnerable to cyber attack; for an online consumer retail business the stability of online platforms and the security of customers' personal data may be paramount.
  • Assessing the potential consequences of the various types of possible attack. For example, what would the impact be to the company's reputation, its share price, its goodwill? What is the litigation risk? What would be the impact on the business if its activities were disrupted for a short or for a sustained period of time? How much risk can the business accept?
  • Devising a strategy to address the identified cyber risks. This is likely to involve preparation of both a cyber risk management plan and an incident response plan. It is important to remember that cyber issues are not just the responsibility of the IT function; it is likely that key individuals from other areas including legal, corporate communications and HR will need to be involved.
  • Ensuring that the systems and security measures are properly and regularly tested, eg by penetration testing and ethical hacking, and that the compliance plan is workable in practice.
  • Implementing appropriate staff training and education. Many attempts to compromise information involve what is known as "social engineering", which is effectively the skilful manipulation of people and human nature to trick information out of a company. Proper training can help reduce this risk.
• When conducting corporate transactions, businesses should consider the risks posed by the vast amounts of confidential and sensitive information placed online in digital data rooms. Sellers should consider the security of such arrangements and protective measures such as keeping certain information offline. Buyers should ask suitable due diligence questions about the target company's cyber security policies, implementation of those policies, any cyber breach incidents, and the target's corporate governance history in relation to cyber risk.
• An important aspect of cyber security is the proper vetting of counterparties and business partners to ensure their cyber security policies and procedures are appropriate. Relevant contracts should include obligations on the counterparty to maintain appropriate information security and data protection systems. Appropriate warranties and indemnities may be considered as well as a right to audit counterparties.
• Businesses should also consider provisions to relieve them of their own obligations to customers or counterparties in the event of a cyber attack, eg by drafting force majeure provisions to include appropriate references to a relevant cyber attack.
• Where there is a serious security breach, it is important to detect, assess and contain the breach as quickly as possible; this is where the real damage limitation exercise comes in. Once the breach is contained, it will be necessary to undertake a fuller investigation and remediation of the issues. Depending on the severity of the breach, this may be handled in-house, or the business may need to parachute in external consultants. The response plan should include a short list of pre-vetted and pre-authorised consultants.
• Apart from the technical assessment, the wider stakeholder group will need to understand and assess the potential risks to the business resulting from the breach. Is the intellectual property at risk, or brand and reputation? Has there been a data loss? If so, has personal data been compromised, and does it belong to employees or customers who may need to be informed? What is the litigation risk?
• It is important to track through any relevant contractual obligations with customers and suppliers to identify, and then limit and manage, any contractual risks as well as to implement any business continuity measures to minimise disruption. The legal team will need to be involved in this exercise, and it is particularly important to ensure that the exercise is conducted in a way which attracts all available legal privilege.
• Insurance notification requirements should also be near the top of the agenda, as some policies will cover legal and remedial costs but only from the date of notification. Other notification requirements (for example to regulators or the Information Commissioner's Office), as well as the broader PR issues, should also be considered. In many cases the cost of the reputational damage to the company can quickly outweigh any direct losses and claims which result from the cyber incident.

The changing face of disputes risk in emerging markets: A panel session on business and human rights, class actions and investment protection – Dan Hudson, John Ogilvie, Damian Grave and Vanessa Naish

• The topic of business and human rights has gained greater momentum in recent years with publication of the UN Guiding Principles on Business and Human Rights in 2011. The Guiding Principles are based on three "pillars":
  • Protect – States have a duty under international law to protect against human rights abuses within their territory. This means they should take appropriate steps to prevent human rights abuses by businesses and to punish those who transgress.
  • Respect – All business enterprises have a responsibility to respect internationally recognised human rights wherever they operate. This means that they should act with due diligence to identify their actual and potential human rights impacts and ensure that adverse impacts are avoided / mitigated.
  • Remedy – Victims of business-related human rights abuses should be provided with access to effective remedies, through both judicial and non-judicial means.
• There is a clear trend toward heightened scrutiny of human rights issues, with an increasing body of NGOs who are willing to shout out about human rights abuses and to name and shame companies they feel are causing, contributing or connected to those abuses.
• Particularly where companies are active in high risk jurisdictions (eg in Africa, Asia and to some extent South America) or high risk industries (eg extractive industries), they need to think about how their operations expose them to risk and how best to ensure those risks are mitigated or avoided.
• Corporates need to ensure they have due diligence in place in relation to their supply chain, making sure that all businesses both up and down the chain have appropriate policies in this area and that there are appropriate contractual obligations / protections. Monitoring supply chain relationships and the performance of those obligations is also key to how corporates should be protecting themselves in this area. A failure to achieve sufficiently high standards can expose a business to non-judicial remedies, eg via a complaint to the UK's National Contact Point on Human Rights (NCP) administered by the Department for Business, Innovation and Skills (BIS), as well as potential civil claims.
• When a complaint is made to the NCP, assuming it passes the initial assessment stage and the panel decides that it should proceed to a full examination, the case becomes public at that point. Any documents or information submitted to the NCP will potentially go out into the public domain and could be used in legal proceedings against the respondent. Accordingly, the NCP process can increase the risk of civil proceedings, either on an individual or group basis.
• The NCP will not award damages but, unless the case is resolved by agreement, will make a final statement with recommendations, setting out the reasons for its decision. About a year after the final statement, the NCP will go back to the respondent and ask what has been done to follow up on the recommendations made, and the result of that process is also published. The potential reputational impact is obvious.
• Another trend that appears to be on the rise is "class action tourism", where multiple claims are commenced against UK based corporate defendants in the English courts relating to the conduct of the defendants, or their group companies, abroad.
• NGOs are active on the ground in many emerging market jurisdictions and have a close connection with claimant law firms who have interest in prosecuting or sponsoring these claims. Litigation funders are also now becoming involved in investigating and prosecuting these claims, which increases the risk of claims being brought.
• There are some practical steps corporates can take to manage or mitigate these risks, including being clear as to the degree of autonomy enjoyed by the relevant operating companies and the capacity in which decisions are being made, as well as engaging meaningfully with the local community and relevant NGOs as early as possible, which can often help to resolve matters before they become a problem.
• Businesses investing in emerging market jurisdictions should be aware of investment treaties and the protections (and enforcement rights via arbitration) that these treaties provide. Structuring investments to take advantage of investment treaty protection provides a business with options, particularly when faced with a "bet the company" case.
• While traditionally investment arbitration was a private process, recent years have seen increasing transparency. Most recently the UNCITRAL Transparency Rules, introduced in April 2014, give public access to documents generated during an investment treaty arbitration and the proceedings themselves (subject to certain limited confidentiality exceptions). States that sign up to the Convention on Transparency in Treaty-Based Investor State Arbitration will apply these transparency rules to all investment treaty arbitrations in future where an investor comes from that state. Eight states have so far signed (the UK included) with more anticipated.
• Corporates will therefore be subject to increased scrutiny where they bring investment treaty claims seeking to enforce their own rights under international law. Where claims have an environmental element or could be viewed as impacting on human rights, investors will need to consider the commercial and reputational risks very carefully, particularly where there is a risk that arguments made publicly in that forum could ultimately fuel the sorts of actions on human rights discussed earlier.

Effective risk transfer through insurance: new opportunities and coverage that's fit for purpose – Alexander Oddy

• Risk transfer through insurance is likely to be an element of most organisations' risk management strategy, but there is not a "one size fits all" approach. Every organisation will have a different view on its appetite for risk and the strength of its balance sheet, and so how it wants to approach risk transfer.
• Given the new and emerging risks facing directors and officers, and which may expose them to claims / liabilities, it is important to think about the organisation's D&O insurance policies and whether they are fit for purpose. D&O insurance is intended to plug gaps where companies are unable or unwilling to indemnify directors, as well as insuring the company in respect of sums paid out where it has provided an indemnity. So the questions of director indemnification and D&O purchasing have to be looked at holistically.
• The market for D&O insurance is currently very soft, so broad coverage is relatively inexpensive. This means organisations can either focus on driving down price or, which is likely to be more valuable, can enhance their coverage to try to get the broadest protection available. Policy wordings are evolving all the time and these issues should be discussed with an insurance broker.
• There is also a range of products that exist to protect organisations against political risks, particularly where investing in emerging markets, and against the credit risk of counterparties. Such policies tend to contain onerous terms and can be difficult to operate, but they may be worth considering in appropriate circumstances. They can form part of the range of protections to doing business in challenging jurisdictions.
• Cyber risks policies are available and interest is growing rapidly but the market is still relatively in its infancy. Such policies can cover both first party losses (eg the costs of restoring data that has been damaged, or the theft of digital assets, or business interruption where there is network downtime) and third party liability (eg arising from data breach issues).
• The Insurance Act 2015, which comes into force in August 2016, will introduce the most important changes in English insurance law for 110 years and all of the changes are in favour of policyholders. Some key changes are set out below.
• Currently, when arranging insurance each year, the business has a duty to disclose "all material facts" – ie whatever would influence the judgment of a prudent underwriter in deciding whether to accept a risk and, if so, on what terms. Knowing what that means is challenging for most businesses, particularly where a company has subsidiaries all over the world and tens of thousands of employees.
• The new Act will impose a different test. The key obligation will be to make a "fair presentation of the risk". The business will need to disclose in a clear and accessible manner every material circumstance which it knows or ought to know. If it does that, it will have given a fair presentation of the risk and so the risk of material non-disclosure or misrepresentation should be removed.
• Actual knowledge means senior managers and those involved in the insurance purchasing process – not everyone in the business. What the business "ought to know" means what would be revealed by a "reasonable search", which will be different for every business. It will be critical for businesses to work out over the next 12-15 months what sorts of searches they will need to carry out to gather an appropriate level of information.
• Currently the threat that hangs over a business if it fails to disclose all material facts is the possibility of avoidance of the policy, ie the nuclear remedy of the policy being completely undone with premium returned and paid claims unwound and repaid. The Act will change that by introducing a system of proportionate remedies. So in some situations, insurers will be able to avoid policies – fraud being the primary example. But in non-fraudulent situations where there have simply been errors, insurers will in many cases not be able to avoid policies. Rather they may be able to reduce the claim amount payable or impose additional policy terms as if they had been in place originally.
• Another critical change under the Act relates to warranties. Currently, breach of a warranty in an insurance contract brings the cover to an end. It is not possible to remedy the breach and reinstate cover, and it doesn't matter if the breach is unconnected with the loss. The new law will change warranties to become "suspensive conditions". That means cover will be suspended (lost) while the term is breached, but once the position is remedied cover will reattach. That is very much better for policyholders.
• Insurance policies are living documents; they can't sit in a drawer and be forgotten about. They only work if operational staff understand what is required of them under the policy and do what the policy requires, such as in relation to notification of claims. This is essential so that, when claims arise, the policy will pay out at an appropriate level. Realising the proper value of an insurance claim will require active project management by the policyholder and its team of advisers.

Designing and operating a risk control programme – Andrew Procter

• Most Boards struggle with the articulation of risk appetite, particularly in relation to conduct and behavioural issues and reputational risk. For example, it may be a great soundbite to say that an organisation has "zero tolerance for reputational risk", but that is no use in calibrating acceptable behaviour on the part of staff. The real challenge is to articulate risk appetite in terms that can be quantified, measured and reported on.
• Many organisations, including major financial institutions, have put a huge amount of time and effort into risk identification and mitigation. They may have huge numbers of staff in control functions, such as legal, compliance and risk. They probably have the "big pillars" in place or under development, eg business continuity plans, crisis management plans, anti-bribery and corruption plans, cyber security plans. And yet they keep failing to spot material risks.
• Most of the financial institutions and many non-financial institutions have said for years that they have a "3 lines of defence" strategy for dealing with risk, ie (i) front office supervision; (ii) control functions (eg compliance) making sure front office does the right thing; and (iii) audit checking that nothing has gone wrong.
• Historically, however, there has often been a lack of engagement of the front office in risk issues. The front office would be busy making money and leave it to the control functions to make sure nothing went wrong. That approach is no longer acceptable, but changing it requires behavioural change.
• It is crucial for the front office to be engaged in the risk identification and mapping process. No matter how good the control functions may be, the front office knows the business better than they do. There is a huge range of risks facing any business, many of which are new or emerging or becoming more critical. It is the front office that will understand the warning signs and see the real risks that are being run, so they need to be at the table in any risk mapping process.
• For the front office to succeed in this process, they need proper support. There have to be business managers who can support the senior managers in this process, and the data needs to be packaged in a way that allows patterns and issues of concern to be spotted.
• Risk maps have often been based on past experience, and so have necessarily been backward looking. To get the process right, it is essential to think about what has changed, what is about to happen, what are the emerging economic risks. This requires drawing on a much wider group of people to think about the risks, and coordinate it across the organisation.
• Once the risk mapping process is finished, it needs to be kept up to date. This requires a clear, structured approach. One approach that is seen more frequently these days is the identification of risk champions in particular areas – typically a group of people who are told they need to keep certain types of risk in the forefront of their minds, and to get together maybe once a quarter or every 6 months and just think about it, even if nothing has happened. So a much more serious approach is being taken to keeping the risks up to date.
• Historically risks maps have been put together by looking at the rules and regulations that apply to the business in relevant parts of the world and the typical kinds of risk the business expects to see (eg conflicts of interest, market abuse, etc). It is now recognised that there needs to be a "third lens", which is to examine the business's activities and processes and look for issues that might lead to risk.
• This third lens cannot be applied to everything; there needs to be a way of focusing it in on the right areas. It is essential to think hard about the areas in which the organisation might be exposed, and to undertake a detailed review of activities and processes in those areas. This approach will still not identify every risk, but it has better prospects than the traditional approach.
• Boards also need to focus on how they communicate their cultural and other messages. You often see policies which are in reality a dumbed down version of the law, which are way too long and which fail to set things in their proper context.
• Policies need to be effective as communication tools, making it clear what is expected in terms of behaviour. They also need to be readily accessible and kept up to date. Policy documents should generally avoid setting out procedure – procedure should reflect and entrench policy but be separately documented so policies remain clear.
• Global policies can promote clear, consistent expectations across a group and for staff operating cross-border, but they must be replaced or supplemented where necessary to ensure local regulatory requirements are met.