One risk manager shares his views on the challenges of accounting for legal risk losses.
Legal risk is a well-recognised sub-category of operational risk. Many organisations will already be collecting data on litigation-related loss events, litigation costs, and other events with a legal flavour. Scenario analyses may often include an element of legal risk to a degree or even include a specific scenario dedicated to a litigation or legal ‘could happen’ story line. However, legal risk is arguably the only sub-operational risk category where there are elements that are in direct conflict with the value-add, proactive risk management concept at the heart of operational risk management.
This article briefly looks at some of the key components of the operational risk framework and considers the challenges that legal risk brings.
Effective operational risk frameworks should be designed to allow an organisation to view its operational risk profile across a number of parameters (quantum, business line, entity, geography, function, etc) to allow support decisioning and risk management/mitigation actions accordingly. This requires a number of ‘ingredients’ for analysis and reporting/messaging. These include:
➤ The timely reporting of operational risk events, appropriately mapped to business lines, functions and risk categories;
➤ Monitoring Key Risk Indictors (KRIs) for each business line and function, which are also mapped to risk categories;
➤ Identification and tracking of risk issues or risk themes through Risk and Control (Self) Assessments, including those flagged by Internal Audit or other risk and control functions; and
➤ Scenario Analysis: the ‘theoretical’ exercise of constructing plausible storylines where there could be high-impact losses supported by the quantification of the loss amounts and their probability, based on knowledge of the business and the various risk and control deficiencies that are perceived/ palpable.
These are the basic ‘pillars’ to feed the operational risk framework and each are fraught with challenges from a legal risk perspective, all of which are linked to an organisation’s need to minimise the chances of litigation risk (the risk of a loss/payout due to legal actions being brought against an organisation, whether through a formal court judgement or through settlement).
OPERATIONAL RISK EVENTS
From a pure reporting perspective, an event should be reported when the control weakness occurs or otherwise manifests itself. This facilitates an examination of the root cause as well as the monetary impact, if relevant, which also feeds the operational risk capital considerations.
Events with a legal or litigation scent however may not manifest themselves in a monetary ‘award’ for a good number of years. At best, a provision may be made in the accounts but that brings us on to the key area of conflict – admission of liability. If an event were to result in litigation, legal departments will adopt the natural stance of minimising the admission of liability. An operational risk event that seeks to quantify the monetary impact by reference to a provision, where relevant, may be deemed from a legal standpoint to be admitting liability and provide opposing counsel with a starting figure for damages. As a result, many organisations choose to keep the provisions ‘off the books’ and moreover make the conscious (albeit undocumented) decision not to disclose the event to the operational risk teams for fear of the information becoming discoverable, or wait until settlement. At best this results in a significant timing issue for operational risk data and at worst, a material gap in the completeness of the data and therefore the sanctity of the overall risk profile.
KEY RISK INDICATORS AND OUTSTANDING RISK ISSUES
A similar conceptual argument exists for KRIs and risk issues (RCA and Audit issues) and is related to the quality of business oversight. If a certain KRI exists that has been mapped to legal risk or otherwise ‘enjoys’ a nexus with legal risk and has been deteriorating or trending negatively but has not been appropriately reviewed or acted upon by its owner, this also puts the organisation in a precarious position from a litigation standpoint. In the minds of litigants, the defendant firm was either negligent in its review and follow up or otherwise did not have adequate oversight processes in place to monitor the risk in question.
With risk issues raised by operational risk teams, audit or other control functions where defined actions were necessary, the ground is similarly creaky from a legal standpoint. These issues point to known weaknesses in the systems and controls and will be accompanied by defined remediation actions. If the actions are still outstanding, this is a beacon stating that the weakness still persists. If the actions have been closed, opposing counsel may argue that they have been ineffective.
The area of scenario analysis has a heightened risk from a legal standpoint for a number of reasons. However flawed, and regardless of where scenario analysis sits in the framework or what it is used for and the type of ‘OR capital calculation’ organisation, it is the only pillar that looks forward to what ‘may’ happen. If executed ‘effectively’ from an operational risk discipline standpoint, the story lines are well documented, front office and functions are part of the discussion and provide their input and therefore the storylines are credible, details of control weaknesses are consolidated, and impact and likelihoods are explicitly documented by reference to internal and or external data. The scenario analysis documents can therefore be seen as a firm, discoverable blueprint for opposing counsel’s litigation lawyers with a typically high-value starting number for the ‘award.’ This naturally makes in-house legal teams nervous.
There is a clear conflict between the litigation risks that an organisation’s legal teams are trying to mitigate and the mandate of an effective operational risk department with a solid operational risk framework. To the purists (and regulators), it is a simple case of wanting to understand, challenge and report on the operational risk profile of the organisation, and this involves a complete view of all sub-categories and any associated data. The mandate of the legal team however is to reduce the risk of making large awards as well as reducing the risk of actions being brought per se, particularly where these are fought in the public arena. Firms across the industry jockey this conflict in different ways, (provided the existence of this conflict is understood in the first place!). Regardless, there is an inherent risk of operational risk completeness and this conflict will always be present to some degree.