The 20-second summary

Legal risk is a big issue. Over the last five years, conduct-related issues have cost financial institutions around $300bn – according to recent figures published by the Conduct Cost Project. And our own analysis of litigation costs in the US shows that the cost of disputes for the top five US banks added up to $30bn in 2014.

Banks cannot bear these costs indefinitely. In 2014 one US bank’s share price suffered on news of unexpectedly high legal expenses (profits were eventually cut to 6% of analysts’ expectations). And last month in the UK regulators fined a high street bank £117m for failing to handle PPI claims fairly.

Overall, fines given out by UK regulators increased from £66m to £1.5bn between 2011 and 2014. And the additional cost of dealing with investigations could double that amount.

But what can banks do to reduce these losses? The financial services industry is of course reviewing its working practices in relation to the new Conduct regime. But there is no evidence that these efforts have resulted in decreased costs across the industry.

The industry urgently needs to find a new approach to cut out the increasing costs of litigation and misconduct. This will require new models for risk teams, and new ways of thinking for legal teams.

This article will:

  • explore in more detail the link between legal risk, and conduct and litigation expenses,
  • highlight in particular European regulators’ attitude towards legal risk, and
  • discuss the need for new risk models that reward businesses that run themselves well.

And it will outline three steps you can take to quickly pinpoint where your business is most exposed to legal risk – and prioritise where to act to reduce direct financial loss, and keep your business out of the headli

Legal risk exposure can result in both litigation and conduct-related loss

The link between litigation and legal risk is well understood and well established. Legal disputes generally result when a legal risk has been mismanaged somewhere within the organisation.

But the link between behavioural conduct and legal risk is a more recent development. Conduct was brought into keen focus in the UK when the Financial Conduct Authority was created in 2013. They have adopted thinking from behavioural economists, to frame a new rule-set for banks in their product development, sales and purchasing processes.

In 2014 the European Banking Authority (EBA) included ethical conduct within the scope of its definition of legal risk, and in doing so introduced a step-change in the roles and responsibilities of the in-house legal team.

The role of law in promoting and enforcing moral behaviour in society has clear parallels with the roles of law and regulation in managing conduct within industry. Lawyers have a key role in both cases, to interpret the way that human behaviour interacts with the letter and spirit of the law – and estimate the likely impact of that interaction.

Litigation costs and the cost of conduct are game-changers for legal risk

The cost of getting legal risk wrong has never been greater. To give an example, each quarter US bank holding-companies have to complete a quarterly financial summary, Form Y-9C, and file it with the Federal Reserve. One section of the 60-page form covers “Legal Fees & Expenses”. Earlier this year we reviewed nearly five years’ worth of Y-9C forms, and we have charted some of the results below.

The top five US banks all had rising legal bills, with a noticeable spike in the last 12 months. And litigation expenses alone went from around $9 billion in 2010 to just under $30 billion at the end of 2014.

And a new research group, The Conduct Cost Project Research Foundation, reported recently that the total cost of conduct to the Financial Services sector was $300bn over the last 5 years.

Financial analysts often strip out litigation expenses from their longer-term valuation models, because those expenses are typically one-off events. But if these costs arrive regularly – as seems to be the case with major banks – analysts may well decide to factor them into their reports.

And so the challenge for banks now is to analyse their operating practices and reduce significantly their exposure to these types of expense. These risks result from a failure to adequately interpret and comply with the letter or the spirit of the law. This could be inadvertent (due to a failure to correctly understand/interpret the law, or ambiguity in the law itself) or through individuals acting with reckless indifference to the law (due to rogue elements).

It is no easy task to pinpoint where in their vast operations businesses could have unknown issues – and businesses need to up their game in the way they identify, analyse and mitigate legal risk.

UK regulators are clear that in-house lawyers are the second-line-of-defence for legal risk

In 2012 the FSA held a meeting with General Counsels from the 20 largest Financial Institutions in the UK. In that meeting they highlighted to the attendees their role as a second-line-of-defence for legal risk and warned of the dangers of “group think”. In the same year the German regulator BaFin also expressed a greater interest in the approach their banks were taking to legal risk. Across the Atlantic, US regulators had similar conversations with their biggest banks.

And in 2015 in the UK, the Prudential Regulation Authority started talking with in-house legal teams to see what approach they are taking to legal risk – and in some cases actually auditing the approach and testing with business teams whether the lawyers are actively participating in risk-based business decisions.

Businesses are clearly under pressure to redefine the role of their legal teams within the three-lines-of-defence model, and step up their efforts to identify where in the myriad of processes, controls and operating procedures they are likely to cross the line between what is legally or ethically right, and what is legally or morally wrong.

But are businesses equipped to take on this responsibility? Do their legal and risk teams have the skills and the resources they need?

How work is done is as important as whether it is being done

It isn’t enough to tick a box and say that work is being done by competent staff, or outsourced to competent companies. How work is carried out is as important as whether it is being done at all.

Law and regulation are complex, and for people working under pressure at the front-line of business, it isn’t always clear how and where apparently standard operating practices could cross the boundary. There is a clear role for in-house legal teams here, to assess priority legal-risk areas and advise on how to modify business operating practices in light of current legal and regulatory focus.

And if litigation teams regularly and diligently tracked the root cause of disputes back to operating practices within the business, they could advise on how and where standard operating practices lead to costly disputes. Changing the root-cause operating practices would reduce ongoing exposure significantly.

But this type of work falls outside the standard role of risk, compliance and the traditional legal department. And in our legal risk benchmarking report last year, we found that the majority of businesses lack confidence in their ability to manage legal risk.

8 out of 10 businesses expect to suffer material loss due to legal risk

In 2014 we published the results of our first Legal Risk benchmarking survey. One of the findings was an expectation that legal risk will result in material loss. Eighty percent of respondents to our benchmarking survey expected to suffer a material loss – through day-to-day operations – in the next operating year.

Bearing this in mind, it is clear that in-house legal teams will need support from risk management teams within the organisation, and from external experts and agencies, to prepare them for their new second-line responsibilities. What is less clear is whether existing risk models will reward businesses when they do improve their legal risk profile. The external environment is so perilous at the moment, and extreme scenarios so punishing, that new models may need to be created to free up capital for the banks to invest in risk reduction programmes.

Operational risk models need to change, to reward well-run businesses with capital savings

In 2014 the EBA in their AMA standards re-defined the scope of legal risk and its position in the lexicon of business risk. They proposed two significant changes:

  1. Legal risk loss will be included in operating capital calculations: legal risk has been part of operational risk since 2003, but the EBA stance highlights, for example, that legal enforceability of security over assets will need to be taken into account for capital purposes
  2. Ethical conduct is in scope of legal risk: this seems obvious, as law and regulation are put in place to moderate behaviour and impose moral values on business. But many in-house legal teams have been reluctant participants in conduct risk programmes and need to now change their approach

Extreme scenario analysis is one of the more effective ways to identify forward-looking risks. When you contemplate the worst possible scenario, and then retreat to what is plausible, you force yourself to think analytically about the risk. But extreme plausible legal risk losses can add up to hundreds of millions of dollars – and bubble up seemingly out of nowhere.

Until risk models moderate extreme scenario analysis with the results of day-to-day expected loss, businesses will be incentivised to use other risk estimation methods that reduce the potential exposure – or give up on advanced modelling altogether. But scenario analysis is a key tool to prioritise resource and pinpoint where to take action. Businesses should begin the work to quantify key areas of legal risk now.

Follow three steps to beef up your legal risk analysis

Financial institutions have a sophisticated network of policies and procedures designed to manage operational, market and credit risk. But legal risk has fallen between the cracks for many years, and the legacy operating practices that persist within businesses can result in significant legal risk incidents bubbling up at any time.

The priority for businesses now is to analyse and predict where the next legal risk incident is likely to occur – and pinpoint where to allocate resource to maximise the reduction in risk exposure.

Follow these three straightforward steps, to identify the biggest legal risks for your business:

  1. Design a legal risk framework that will help you identify and analyse where your business’ operating practices could result in legal risk
  2. Carry out high-level legal-risk scenario workshops, to identify specific risks and develop an initial prioritisation matrix
  3. Verify the initial findings with a control and loss-data analysis, to be certain that the scenarios you imagined are realistic for your organisation

These three steps will give you the structure you need to quickly pinpoint where your business is most exposed to legal risk – and prioritise where to act to reduce direct financial loss, and keep your business off next week’s front pages.