Proactive Risk Management Is Crucial In Era of Big Fines, Ex-Law Enforcers Say

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Yin Wilczek

Dec. 3 — In an era of escalating government sanctions and increasing globalization, it is more critical than ever for companies to focus on building proactive risk management programs, lawyers who are former law enforcement officials said Dec. 2.

In the current heightened enforcement environment, a small matter that starts as a “spark” can end up becoming an “inferno,” said Lawrence E. Ritchie, a former vice chairman of the Ontario Securities Commission who now is a partner at Osler, Hoskin & Harcourt LLP in Toronto.

Another challenge is that companies often are organized in “silos” based on their products or business models, or even by the countries in which they do business, Ritchie said.

Accordingly, the more solid a process an organization has to deal with problems before they become major issues, and the more it understands what needs to happen and is going to happen, the easier it will be for it to obtain “buy-in across all” its different silos when something goes wrong, he said. “People will know in advance that when something happens, this is how the company will respond.”

Overcoming Organizational Silos

Silos within corporations are a particular problem in terms of handling issues, agreed Nancy Kestenbaum, a former federal prosecutor who now is a partner at Covington & Burling LLP in New York.

How a problem ends up often hinges on how the initial allegation or complaint was dealt with in the first place, Kestenbaum said. For example, if human resources handled the issue without bringing it to the attention of the compliance function or the legal department, it could result in steps taken that may later impact the company's liability, such as the loss of privilege, she said.

The attorneys spoke at an ethics and compliance panel at the National Law Journal's Regulatory Summit in Washington.

Defense attorneys and others have pointed to the ballooning sanctions imposed by U.S. law enforcement agencies. In November, Attorney General Eric Holder announced that the Justice Department collected more than $24 billion in civil and criminal penalties in fiscal year 2014 (12 CARE 1570, 11/21/14). That amount is more than three times the $8 billion collected in FY 2013, the DOJ said.

`Unprecedented' Penalties

More generally, the Committee on Capital Markets Regulation has found that U.S. financial firms continue to face “historically unprecedented public financial penalties.” CCMR, a group that advocates for the competitiveness of U.S. capital markets, tracks sanctions imposed on U.S. financial institutions through state class action lawsuits and federal regulatory actions.

In its latest quarterly penalties update, the CCMR said in October that financial penalties imposed on U.S. financial firms in the third quarter totaled $29.9 billion, fueled in large part by a $16.7 billion settlement with Bank of America Corp. (12 CARE 1398, 10/31/14) and a $7 billion settlement with Citigroup Inc. The third quarter amount pushes the year's total to $57.1 billion, which already exceeds “the record annual total of 2013 with one more quarter left in the year,” the group said.

Proactive Risk Management

Meanwhile, a recent survey by AlixPartners LLP found that compliance and legal departments in U.S. and European corporations are recognizing the benefits of proactive risk management (12 CARE 1357, 10/24/14).

In its 2014 Litigation and Corporate Compliance Survey, the group found that 71 percent of the respondents had implemented education and training programs to reduce litigation risk to their corporations. Fifty-six percent of the respondents also said they had reviewed existing compliance programs to identify gaps. Almost half the respondents—45 percent—indicated that proactive risk management was the most critical issue for their legal departments during the past 12 months.

‘Ratcheting Up.'

At the panel, the speakers suggested that penalties and regulatory enforcement will continue to increase. The fines “seem to go only in one direction,” Kestenbaum said. They're “ratcheting up.”

“The reality is that we shouldn't expect a downturn in enforcement activity” by either the Securities and Exchange Commission or the DOJ, added Lorin L. Reisner, a former federal prosecutor who now is a New York-based partner at Paul, Weiss, Rifkind, Wharton & Garrison LLP.

Moreover, companies shouldn't labor under the “misapprehension” that the SEC and the DOJ target only the financial services industry, said Reisner, who also formerly served as deputy director of the SEC's Enforcement Division. He predicted that although financial firms will continue to be of great interest, there will be a “widening scope of interest” by federal prosecutors and the SEC in other industries.

Benefits of Proactive Management

A good proactive risk management program has many benefits, Ritchie said. These include helping the company to:

• decrease its vulnerabilities,

• identify hidden risks,

• aid the board in its risk management duties,

• obtain credit for cooperating with regulators and

• beef up its class action defenses.

Reisner also observed that proactive planning is particularly useful for general counsel, who often find themselves in a tough position during a crisis. Among other problems, the general counsel wears many hats and has to simultaneously balance the interests of a number of clients—including the company and its board—when a situation arises, he noted.

“General counsel who succeed in crises” are those who have anticipated and planned in advance for problems and who have identified outside counsel they want to reach out to and discussed contingency plans with them, Reisner said.

That advance planning may help the general counsel find opportunities in which to “freeze the frame” and calm the situation before it escalates to a “three-ring circus” involving management, the SEC and the DOJ all moving in different directions, Reisner said.

He suggested, for example, a scenario in which the DOJ tells the general counsel that it has obtained a warrant to search one of the company's premises. The general counsel then calls the outside counsel with whom he has engaged and that counsel can be present when the DOJ executes its warrant. The outside counsel can talk to the federal agents to scope out the size of the problem facing the company or ensure employees aren't making improper statements that may later surface to hurt the company, he said.

Reisner urged companies developing a proactive risk management program to look to guidance issued by the DOJ and the SEC, including the DOJ's Principles of Federal Prosecution of Business Organizations, and the SEC's and the DOJ's joint resource guide on the Foreign Corrupt Practices Act.

However, should a problem occur, Ritchie suggested that companies take certain critical steps in managing their risks, including:

• identify the real issue;

• report to the board;

• understand the risks and potential consequences of the issue; and

• leverage experts such as outside counsel and others. 

Ritchie also offered three important words: “Investigate, report, act.” Companies should not “hide, or run from,” a crucial issue, he said. “That should be, in my view, the hallmark of any effective compliance regime.”

To contact the reporter on this story: Yin Wilczek in Washington at

To contact the editor responsible for this story: Mike Moore at

CCMR's quarterly penalties survey is available at

The AlixPartners survey is available at


Request Corporate on Bloomberg Law