September 13, 2019

In-House Counsel in the Wake of Enterprise Risk Management: Implications for Legal, Compliance and Risk

In a recent article by Thomas C. Baxter Jr. entitled “The Rise of Risk Management in Financial Institutions and a Potential Unintended Consequence – The Diminution of the Legal Function”, the author posits that the legal function for in-house counsel has, in fact, been diminished by the rise of the risk management function. The article addresses, and we summarize below, why these changes have occurred and what can be done to remediate them.

Since the global financial crisis, the financial community has responded to one identified cause of the crisis with a much more resilient banking system, including a revolutionized discipline of risk management. As required by the Dodd-Frank Wall Street Reform and Consumer Protection Act, financial institutions in the U.S. overhauled their risk management functions from top to bottom, but such change may also have brought about an unintended consequence – the diminution of the legal function. Such diminution is directly attributable to the ascendancy of the risk function, rather than to other factors such as a decline in the importance of the legal function in financial institutions.

More specifically, there are seven risk management conditions that might be causing a diminution in the role performed by the legal function. The first is the imprecision in the definitions of legal and compliance risks. Legal and compliance risks have overlapping definitions, but as separate risks they are assigned to different roles within a financial institution. This could lead to compliance encroaching on the functioning of legal, as demonstrated by the AIG Shareholder Litigation. Another potentially contributing factor is the three lines of defense framework, which overlooks the importance of the legal function by placing it under the broader category of operational risk, leaving it in a kind of “twilight zone”. Third, the modern trend in financial institutions for compliance to report up to the chief risk officer rather than to the chief legal officer might also tend to contribute to the diminution of the legal function. Fourth, in practice, bank examiners have a generalized antipathy toward the legal function: when legal raises attorney-client privilege with the examination staff, the latter will often see it as an obstructionist tactic. Fifth, some financial institution lawyers cast themselves as “mere” advisors and thus not consequential, which can further lead to the decline of the legal function in financial institutions. Sixth, the new post-financial-crisis risk governance framework also excludes legal risk, which might send an unwelcome message that legal is unimportant. The final factor leading to a potential diminution is the role of the legal function in risk reporting. The typical format of risk reporting does not contemplate a role for legal or the reporting of risks arising from legal judgments.

To take affirmative actions to reverse the decline of the legal function and repair the damage, the article discusses seven remedial strategies corresponding to the seven risk management conditions.

First, as it concerns risk typology, the legal function should be interested in any risk type that is affected by the exercise of legal judgment. Beyond providing legal advice, lawyers in the legal function should be active in identifying, measuring, monitoring and controlling the risks that may arise from legal judgment. Second, we should recognize that the three-lines-of-defense model does not sufficiently capture the role of legal in the risk management process. Further, the organizational dynamics between legal, compliance and operational risk officers should be recognized and amply addressed. With respect to interaction with regulators, financial institution lawyers should closely examine privilege assertions. As for legal “meremanship,” financial institution lawyers should stop arguing that the legal function is not important. Lawyers should also work to fashion our own unique risk governance framework with respect to the exercise of legal judgment. Last, with respect to risk reporting, the legal function should work closely with the chief risk officer on reporting, such that the risk report properly respects legal judgment and protects legal privileges.

The article concludes that the ascendancy of risk management may have resulted in a relative diminution in the role of the legal function. This unintended consequence is dangerous, as the legal function is critically important in the functioning of financial institutions.

The ABA panel, while representing a myriad of opinions, will focus particularly on whether compliance risk, traditionally managed by lawyers, should be managed by risk professionals given the significance of the legal function. While exploring the normative question of whether compliance management should be a legal or risk function, the panelists hope to guide a spirited discussion of what in-house counsel can do to solidify their roles in the wake of enterprise risk management.
