Risk management – fed up with compliance yet?
It’s getting tougher for legal departments to keep on top of risks such as data protection, technology and the ever-rising tide of regulation
Q: What are the biggest issues facing in-house legal departments when it comes to risk management?
Richard Kemp, founder, Kemp IT Law: Getting to grips with regulation as it increases in volume and complexity.
To give an example in the financial services sector, for the G20 countries alone there are 128 bodies involved in the creation, monitoring and enforcing of financial services regulation: 14 global bodies, 36 in Europe, 30 in Asia and the Middle East, 49 in North and South America and two in Africa. The industry has processed more than 55,000 regulatory documents since 2009. In the UK the Financial Services Authority published 278 documents in 2009 and will have published almost 3,000 by the end of 2014.
Q: In August the Information Commissioner’s Office warned lawyers about the need to keep personal information secure, especially paper files, in the wake of “a number of data breaches”. How are in-house departments responding?
Kemp: At a time of increasing anxiety over data security generally and privacy in particular, big clients often say they see their external lawyers as a particular risk area to manage, in infosec terms. This is because law firms hold a lot of sensitive, confidential data about the client but may not be as used to meeting such exacting standards as their clients.
Good information security therefore becomes an advantage to law firms that get it right and a real headache to those that don’t.
Most, if not all, of the information going to the outside firm will flow through the legal department, so keeping tabs on the confidential data that has left the building is increasingly important. This means good tools to record and audit what has gone where.
The reminder from the ICO about paper files and data breaches just shows how all-encompassing the rules are – and this is something the SRA is increasingly concerned about too.
Q: How difficult is it becoming for in-house departments to stay compliant as the regulatory burden increases?
Kemp: This goes to what is expected of the legal department and how it is communicated. As regulation becomes more prescriptive and intrusive, and the compliance burden gets heavier, the legal function needs to be more clear about its responsibilities and authority levels. This varies from organisation to organisation, but the real risk is that the legal function ends up with responsibility for things it has no authority over at a time when sanctions are being applied at an individual as well as a corporate level and regulation is developing quickly.
Q: Is compliance fatigue setting in?
Kemp: The pendulum is still swinging towards more regulation and compliance so it’s a bit dangerous if fatigue is setting in.
In the financial services sector, high and increasing fines and the granular sign-offs top management are now required to give to regulators are seeing a more robust compliance structure developing that still has a long way to go.
Q: What steps can in-house legal departments take to assist the business with this problem?
Kemp: Again, this goes to the role of the legal department. As the compliance team grows, legal has a big role to play in helping shape internal policies and procedures. Legal can clarify roles, functions, responsibilities and authority levels from both the organisational and the legal/regulatory perspective.
You can read the original article, published by The Lawyer, here.