Risk, compliance and back-ups
01 Mar 2022
Have all your bases covered….
For the entire month of February, we have been going on and on about the underlying basis or foundational principles of your business. We have stressed the importance of having a strong foundation in your business so that you are able to succeed with all your endeavours. Both your day-to-day small things as well as setting you up to succeed in catching that really, big elusive fish.
After all, if you don’t have a proper lead, line, and fly and if you are not using the correct reel (all basic foundational items in fishing) how will you ever catch that trophy fish?
To ensure success, we spoke about Practice Management in great detail in Part One and Part Two and went on to talk about Accounting and Reporting (ensuring your trust accounting and management reporting was seen to – after all the money and the metrics matter). And those are all well and good. But what about risk?
What is risk?
The Oxford English Dictionary defines Risk as follows –
Noun – a situation involving exposure to danger i.e. “flouting the law was too much of a risk”.
Verb – expose (someone or something valued) to danger, harm, or loss i.e. “he risked his life to save his dog”.
But there is more than one risk.
A blog on systematic vs. unsystematic risk, divides risk into systematic and unsystematic risk –
- Systematic risk is risk that is associated with the mechanics of (and therefore external to a company) that will have an impact on an entire market. In other words, it’s what investors refer to when they talk about “market volatility”. It is largely unpredictable and uncontrollable. Its manifestations usually affect financial markets across country borders and industries, vs
- Unsystematic risk is risk that is asset-specific or company-specific and is often referred to as aggregate risk. It is somewhat predictable and is mostly separated into external business risk, i.e. how the general public (and therefore investors) perceive a specific industry and their assumptions of how risky that industry is; and internal business risk i.e. risk that affects specific companies rather than industries and arises from a company’s internal affairs and performance.
The Corporate Finance Institute then breaks both systematic and unsystematic risks down further into the following categories (which they believe all risks analysts should consider) –
- Political/regulatory risk – The impact of political decisions and changes in regulation.
- Financial risk – The capital structure of a company (degree of financial leverage or debt burden).
- Interest rate risk – The impact of changing interest rates.
- Country risk – Uncertainties that are specific to a country.
- Social risk – The impact of changes in social norms, movements, and unrest.
- Environmental risk – Uncertainty about environmental liabilities or the impact of changes in the environment.
- Operational risk – Uncertainty about a company’s operations, including its supply chain and the delivery of its products or services.
- Management risk – The impact that the decisions of a management team have on a company.
- Legal risk – Uncertainty related to lawsuits or the freedom to operate.
- Competition – The degree of competition in an industry and the impact choices of competitors will have on a company.
What is clear from the above definition?
Legal needs to be both aware of and on top of both systematic and unsystematic risks that may affect the industry they serve and the businesses they operate in, whether they are in-house legal counsel or part of a larger law firm. In other words, legal needs to have their fingers in many pies to remain well and truly informed.
In fact, Deloitte Legal have said that there is a growing expectation in the financial services industry (especially), that legal get explicitly involved in all formal risk management processes from the very beginning. You see, where risk is involved, there is a growing belief that legal risk not only needs to be properly defined but also needs to have a broad definition to incorporate legal into more business operations. It makes sense if you think about, as risk is, as can be gleaned from the above, everywhere.
Legal needs to be enabled by their organisations and/or clients to do more than “just” their “day-jobs” to identify, manage and truly mitigate legal risks from the very start. Again, legal needs to have their fingers in all business’s pies. Legal needs to be included from the get-go, from the very point of departure of business decisions being made. And that may be a departure from how businesses currently operate by only including legal when hiccups arise, sort of like a clean up crew. The opposite should be the case – start off clean, compliant and risk free.
How should a legal risk be defined?
Defining what a legal risk is, should incorporate everything from reputational impact, operating or financial losses and issues affecting the organisation’s ability to actually do business to e-financial crime and contractual and intellectual property disputes (including everything in-between). Simply put, all conduct (and inherent legal risks) that arise from an organisation’s day-to-day operations. Legal, quite rightly, in trying to mitigate risk (which as we have seen above is literally “all around”) needs to be involved in it all. That may be a big ask from your legal team or legal counsel and a difficult concept for business ops to digest (let’s be honest).
But it is important for an organisation to do a business wide assessment of legal risk exposure to both ascertain and understand each area of legal risk (and therefore take the necessary action to avoid it as best as one can).
Once legal risks have been identified, what happens next?
Identifying legal risks can be a highly subjective exercise, but when using a common framework of risk factors such as regulatory, customer, financial and reputational implications, historical loss data (where available) all while considering different risk event scenarios, the process is given structure and order, resulting in more objective results. And these factors all relate (in one way or another) to compliance. The question of controls i.e. the management of different legal risks then comes into play.
Management of these legal risks will, quite obviously, vary from risk to risk. Where legal risks are low, the risk may be easily dealt with by each organisation’s in-house legal teams with minimal investment required to mitigate, manage, or control the issues. But when a higher legal risk arises, such as competition risk, more resources and investment in controls will be required to proactively bring the risk within the organisation’s ambit of control. This could require policy setting, comprehensive training programs across the business and more active review and involvement from lawyers embedded in business processes to address competition risks proactively.
Managing legal risks and imposing a set of controls to address these risks will form an important part of a legal risk management framework. The legal department will need to consider whether the legal risk controls that are put in place are effectively managing the respective risk to an acceptable level for the organisation and furthermore, whether or not more or less risk management is required.
The use of contract templates (as an example) to manage contractual risk, with responsibility for using and complying with these templates, being the responsibility of business teams, not just the legal department (who will have set the parameters for compliance). In addition, where contract risk is owned by the business, controls may require that any contract over a certain value is reviewed by the legal function. Moreover, what checks are in place to make sure this happens? If referred to legal, is their review checked by another lawyer, or is the organisation happy that someone outside of legal just checks that the review has occurred?
All the steps set out above are perfect examples of what would essentially form part of a legal risk management framework based on mapped processes and implemented controls.
Of course, legal should not be expected to decide on and enforce the legal risk management framework alone (especially when developing a more mature approach to legal risk management). It is essential that organisations adopt a multidisciplinary approach to effectively advise on the best controls and mitigations on a risk-by-risk basis.
Once a legal risk framework is in place, a monitoring and reporting regime can then be established which will cover both the effectiveness of the legal risk management framework and flagging emerging exposures and the remediation of failures. Whether monitoring and reporting is enabled by technology or not, legal practitioners need to understand what must be monitored upfront. And this, it would seem, takes us straight back to the importance of management reporting as we set out in our article Accounting and Reporting. All the foundational principles once again coming into play.
Compliance steps into the room
Compliance is the act of complying with a command, desire, wish, order, or rule. It can also mean adhering to requirements, standards, or regulations.
Compliance is also a fickle friend – it serves to both identify and avoid possible red flags in your business, but also shines a very bright light on any failure to comply with either law, regulation or any other standard set by governing bodies which can result in costly fines, penalties and in some cases jail-time for a business that finds itself on the wrong side of compliance.
Put quite plainly, compliance in a business or in a company means adhering to government laws, health and safety standards, or data and security requirements. Compliance therefore becomes essential to the very existence of a business or company and therefore requires conscious recognition of the said rules and policies in place.
When you clearly meet regulatory requirements, you create a positive business reputation. And when you identify and take the necessary steps to comply with policies, relevant laws, and regulations, you can define under which framework your company should operate.
Therefore, to be compliant a company needs to meet certain requirements to run both legally and safely. And this in turn involves identifying risks and ensuring proper use of and management of the legal risk framework. The two concepts are inexplicably interlinked and yet different all at the same time.
How is risk and compliance linked?
Compliance and risk management are closely linked. That should be quite evident. Compliance with established rules and regulations helps protect organisations from a variety of unique risks, while risk management helps protect organisations from risks that could lead to non-compliance (which is, no doubt, a risk in itself).
Ultimately, both compliance and risk management help organisations maintain their stability and integrity on a variety of levels. In fact, an organisation can’t claim that they have a robust risk management program and legal risk framework without compliance having a major role to play.
The right risk management technology can address both risks and compliance issues. As we set out in our article Trend Spotting – The “Top 7” legal tech trends for 2022, regulatory tech is already on everyone’s forecast (or at least, should be).
Avoid risk and backup your data
Backup is defined as “a digital copy of computer data that is taken and stored safely on another computer system so it can be used to restore the original in the event of data loss”.
The reality is, not everyone knows why they need more than one data backup or why they even need to back up in the first place. But the fact is, data loss can be a disaster for any business and individual user alike.
Why you should do your own backup
Having your own (additional) backup provides true “peace of mind” in that even if something happens to your service provider (such as AJS’s managed cloud hosting system), you would still be able to restore your information, because it was backed-up. In addition, it is actually a requirement for all firms who host their accounting information on a remote server (they should also have a backup copy of the data on-premises).
Simply put, backing up your own data offers an additional layer of security and protection that even data centres cannot provide. Data centres (due to the very fact that they are connected) are still susceptible to virus attacks and therefore cannot really guarantee that your data will always remain completely secure. Whilst virus threats rarely affect sophisticated data centres, they do happen and just like any back-up plan, having your own backup is imperative to ensure business continuity. To be clear, it is always preferable to have multiple (and hopefully offline) backups.
What does a backup involve?
Essentially backing up your data involves (either by means of backup software, onsite storage and/or offsite storage) the copying of data from servers, databases, desktops, laptops, and other devices in case of user error, corrupt files, or a physical disaster that renders critical data inaccessible. It can also protect sensitive business data in the event of a hardware malfunction, hacker penetration, and many other threats posed to digitally stored information.
We acknowledge that there are many things that you can do to keep your data safe, from choosing a first-rate managed cloud hosting platform to installing every type of high-tech anti-virus software available. But the single most important step you can take is to perform data backups yourself — early and often, always having a recent backup of your data close at hand. That way, if your data centre is hacked or threatened with a virus, your chosen backup method can ensure that you are not caught with your pants down.
Remember cloud hosting will count as data backup. However, we are of the opinion that it should not be your only means of data backup. It is always better to be safe than sorry. The more places your data is backed up, the better. In fact, whatever method you use is fine if you have multiple backups, and you create them often. For maximum security, we recommend keeping several duplicate backups in different locations, and ensure that one of your backups is offline. That way, even if you lose one, you’ll have a backup of your backup.
Whilst some might say that less is more, we are of the firm belief that where data security is concerned – more backups are better!
As we close off our series on building strong foundations, we again urge you to see your legal practice differently. It is a business and needs to be treated as one. Likewise, you are more than a legal practitioner, you are also a business owner.
While technically a misquote from Field of Dreams – “If you build it, they will come”.
A metaphor for putting in effort to succeed. To us, this quote invariably means that if you put thought and energy into a project, you will increase the likelihood of its success. The more time, attention, effort, and thought you apply to an idea, to a project or to a practice, the more likely it is that something will come of it.
Again, if you liken your legal practice to a project (just like we did in Practice Management Part One), the same concept will ring true for you and your legal practice. If you start off with mastering the basic foundational principles of business by putting time, energy, and effort into it and then continue to build on those foundations again putting in time, attention, and effort, “they” as in clients, work and ultimately success will come to you too.
To help you in your endeavours, AJS has a wide range of products that will assist and support you as you master the basics by offering software that manages your practice, deals with your accounting (both business and trust accounting), assists with drawing reports (thereby averting risk and ensuring compliance) and supports the backup of your data.
AJS is here to ensure that you truly have all your bases covered. Thereby enabling you to not only practice law and grow your business but are also enabled to do the things that you love the most on your time off. Even if that is just putting your feet up and taking in the scenery.
If you have questions on any of the foundational principles, get in touch with AJS today to see how we can support you in getting your legal practice well and truly running (properly).
See also:(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)