The EBA in June provided final guidance on which types of operational risk loss should be recorded as legal risk. And in their Final Draft RTS on AMA Assessment for Operational Risk, they have addressed the most significant issues identified with their early definition of legal risk.
The guidance on which losses should be registered as legal risk losses, means that businesses can now begin to align legal risk with other forms of operational risk. The most significant issue with their earlier definition of legal risk – including the risk of being sued – has thankfully been removed from the final draft.
But the final draft is very light on real implementation guidance, so you must continue to find your own way to interpret and implement the guidance to minimise legal risk to your business, and maximise regulatory compliance.
EBA definition of legal risk
The EBA steers clear of providing a formal definition of legal risk in their guidelines. But we have pieced together the different elements of Article 4 into a useful top-level definition that matches the EBA intent:
Legal risk can be defined as operational risk events and losses that are triggered by a breach of obligations for the institution that derive from statutory or legislative provisions, of national or international origin, or from contractual arrangements, or internal rules and ethical conduct that derive from national or international norms and practices. From EBA final draft RTS on AMA assessment for operational risk.
It is important to note that both accidental, and deliberate or negligent (mis-conduct) breaches are considered to be in scope of legal risk. And of course important to note that “ethical conduct” survived the consultation period and remains in scope.
Three types of operational loss you should record as legal risk
The main purpose of Article 4 is to outline the forms of loss that the EBA expect businesses to record as legal risk losses. The three types of loss they identify are:
- Legal settlements, either judicial or out-of-court, such as arbitration, or claims’ negotiations.
- Customer refunds or discounts of future services offered to customers voluntarily in response to or to avoid future legal risk (including offered to customers due to same operational risk event)
- Losses due to errors and omissions in contracts and documentation
But recording loss after-the-event is a poor way to manage legal risk. Implementation of legal risk management is crucial to identify how the loss arises, and minimise the scale of loss that your business could face.
Article 4 provides some clues to implementation for legal and risk teams
If businesses are to get any benefit from these standards, it seems they must work out for themselves how to implement them to best effect. What guidance is provided in Article 4 is limited to legislative/regulatory risk, and to a lesser extent contractual risk in their legal risk libraries.
The EBA identify potential underlying causes of legislative/regulatory risk as:
- Non-compliance with legal or regulatory requirements (due to changes in legal or regulatory requirements, omission of acts necessary to comply with the rule, or deliberate non-compliance)
And potential causes of contractual risk as:
- Errors or omissions in contracts or [legal] documentation
It is still up to you to specify exactly how errors or omissions could find their way into your contracts (for example) and which types of error or omission are the most meaningful.
Create a robust legal risk taxonomy and management framework
We can help you to create a robust legal risk taxonomy and management framework to identify, analyse and mitigate your biggest legal risks. Our legal risk library, for example, has eight risk examples to consider within contractual risk, and four within legislative/regulatory risk. We have even more example risks that will help you to quantify your potential exposure to non-contractual rights, dispute and non-contractual obligations risks.
And because the link between ethical conduct of business and legal risk is now established, we’ve created a set of conduct risk coefficients that will enable you to use your legal risk analysis to pinpoint where in your business misconduct could next bubble-up to the surface.
Get in touch to find out more about how we can help you implement a robust legal risk framework in-line with EBA, FCA and other regulatory guidelines – and that will minimise your legal risk losses.