Legal and compliance risk: what is the difference and who should manage which?

One of the key deliverables of a project aiming to enter into a relationship with a third party is the contract. A contract typically consists of a Master Agreement and exhibits/schedules. Together they are the legal ‘translation’ of all intentions, obligations and requirements of the relationship. Many of the requirements relate to price, quality, governance, intellectual property, exit and a dozen other topics.

The topic I would like to explore in this post is the difference between compliance risk and legal risk. I think this is relevant because the two types of risk are typically dealt with by different departments. Not having a clear distinction might thus result in two departments managing and mitigating the same risk, or in certain risks not being managed at all because each department assumes the other takes care of it.

In more general terms, the following risk categories are the most relevant to an outsourcing relationship (I leave out financial risk, as to me that is the result of any of the other risk categories materialising):

  • Strategic Risk: loss due to losing the capability to direct and control the services, or due to deliberate, opportunistic behaviour by service providers or their employees (e.g. reusing the company’s intellectual property, understaffing, overpricing or other symptoms of “asymmetry of dependence”). Some terms used in this context are ‘concentration’ or ‘composite’ risk.
  • Operational Risk: loss resulting from failed internal processes, people and systems, or from external events. Some of these are specific to the ‘demand’ side and some to the ‘supply’ side.
  • Compliance Risk: impairment of the company’s integrity resulting in damage to the company’s reputation, legal or regulatory sanctions, or financial loss. Sanctions can be the result of, for example, non-compliance with privacy laws like the Gramm-Leach-Bliley Act (GLBA) or the Notification of Risk to Personal Data Act (NORPDA). Also known as ‘reputation’ risk.
  • Legal Risk: the risk of loss to a company that is primarily caused by: (1) a defective transaction; (2) a claim (including a defense to a claim or a counterclaim) being made, or some other event occurring, which results in liability for the company or other loss; (3) a failure to adequately protect assets owned by the company; or (4) a change in the law.

The following definition, from the Federal Reserve, however mixes legal and compliance risk: “The risk to earnings or capital arising from unenforceable contracts, lawsuits, adverse judgments, or nonconformance with laws, rules, and regulations.” This is one of six risks defined by the Federal Reserve.
This definition, which I found on the web, also does not make a clear distinction: “The possible financial loss resulting from an action by a court or by a regulatory or legislative body that could invalidate a financial contract.”
Even Webster’s dictionary mixes regulatory and legal elements: “The risk that a legal contract or financial transaction won’t be fulfilled because it breaks the law or there is a regulatory conflict. Other legal risks include documentation or contractual problems.”

Or maybe I am wrong and:

  1. legal and compliance risk are the same (and can thus be handled by one department), or
  2. compliance risk should be called reputation risk.

But looking at the first hit Google produced, I wonder whether option 2 is viable. The definition given there is: “Reputation risk is the current and prospective impact on earnings and capital arising from negative public opinion. This affects the institution’s ability to establish new relationships or services or to continue servicing existing relationships. This risk may expose the institution to litigation, financial loss, or a decline in its customer base. Reputation risk exposure is present throughout the organization and includes the responsibility to exercise an abundance of caution in dealing with its customers and the community.”

I am still confused, so I guess the only option is to start some discussions here and there to get more clarity. To be continued.
