CHEAT SHEET

  • The third line of defense. Companies in heavily regulated industries should consider periodic internal audits.
  • The Maginot Line revisited? ERM has been hit with the criticism that it can be easily circumvented, and that it creates a false sense of security.
  • More “guidelines” than actual rules. A useful 3LD regime should be seen as malleable guidance rather than inflexible law.
  • Making bunkers out of silos. ERM can create institutional bunkers, hampering the ability of counsel to practice law and give advice.

There are two ways to approach the problem of risk. The first one is trying to understand the dynamics of the world. Interesting, but you’re not going to get very far. The second one is to make sure your contract insulates you from it. In other words, what do you need, a statistician or a lawyer? You need both, but I’d rather have 10 lawyers for every statistician.

— Nassim Taleb, statistician and author of The Black Swan.

This is the second part of a two-part article on the role of in-house counsel in enterprise risk management (ERM), specifically as to how we function in and around the “three lines of defense” model (3LD) that is providing much of today’s structural ERM framework. As we discuss in Part I, 3LD consists of a first “business” line of defense, a second “risk” line of defense, and a third “independent assurance” line of defense. Unfortunately, the non-lawyers who are designing 3LD often misunderstand the role of in-house counsel, which can lead to some outcomes that are actually the opposite of sensible risk management. As we discussed, attitudes regarding how in-house counsel operate in civil code jurisdictions can impact ERM frameworking in the United States, United Kingdom, and other common law jurisdictions. In this part, we explore the in-house lawyer’s role in the third line of defense, Independent Assurance, where we also consider privilege and lawyer independence, and their significance to how we execute in the third line.

As is obvious from our own professional experience, companies deliberately bring admitted attorneys in-house and require them to maintain their bar admission status so that the companies can receive advice on a privileged basis and, when litigious circumstances require, those attorneys can conduct investigations that are subject to work product protections. Moreover, those in-house attorneys are expected to behave independently and are ethically required to “step out of line” if circumstances warrant. These essential role attributes of privilege and independence have received little attention in the ERM roll out, in part because lawyers have not been vocal ERM participants, but also because other stressors affect the ERM discussion.

For example, in-house privilege has been under significant prosecutorial pressure for the past decade. Privilege waiver was a common “ask” a decade ago, as the US Department of Justice took a very aggressive stance toward companies under investigation. Deferred prosecution and similar agreements (DPAs) dating from this period often sought privilege waivers, so that expectations of confidentiality were eroded for the duration of the agreement, creating interesting questions for in-house counsel operating in the subject business. The pressure has abated since then, as federal prosecutors have accepted that, as long as the underlying facts are made available, legal advice remains out of bounds. Indeed, more recent DPAs seek only the facts, not the advice. Still, the perception remains in some quarters that privilege has been permanently hamstrung, which is a dangerous belief in a time when an active plaintiff’s bar stands behind each regulatory inquiry.

Also, the prosecution of a few errant general counsel and compliance officers has served to erode perceptions of lawyer independence and created room for non-lawyer consulting firms to sell governance, ethics, and compliance services just as ERM has begun to boom. Further, those firms are content to ignore the bar’s special aptitudes when selling their own assurance services, and it is consulting firms that perform the lion’s share of ERM marketing. The assurance field is crowded.

Nonetheless, the legal profession does indeed have a strong and compelling third line assurance function, whether in advising internal audit as a client, assisting in conducting quality assurance reviews, or in providing management and boards with independent assurance around the existence and degree of any given legal risk. While this article examines this function through the lens of the insurance industry, without question the same mindset and touchpoints apply across industries. [See sidebar.]

The legal assurance toolkit

The authors note that the practice of “legal assurance” applies across industries, where it routinely encounters the same adversaries, whether prosecutors, plaintiffs, or problem employees, and same stakeholders, whether IAD, finance, HR, or IT. The principles that in-house counsel apply to privilege, independence, and continuous business improvement will remain the same in any industry; however, it is their technical competence in a given industry that allows them to synthesize their findings and opinions into understandable “assurance” for management teams that often know no other industry. This article’s discussion of internal audit, quality assurance, privilege in the face of regulatory scrutiny, employment risk management, cybersecurity, and ERM generally, is transportable to any in-house counsel’s field of business experience and vice versa. One minor example is the article’s discussion of the concept of self-evaluative privilege, a privilege which arose in the medical, not insurance, field. We can all learn from one another.

Advising and working alongside internal audit

A lawyer’s role in the third line of defense typically will be in counseling the Internal Audit Department (IAD). That counseling can come about in several ways. A good practice is for IAD and the legal team to meet quarterly to review potential systemic issues, of which legal, because of the breadth of its involvement in the first and second lines, ought to have an excellent sense. This process helps IAD in scoping and re-scoping its audit plan to serve high-risk areas.

In the course of auditing, IAD will develop legal questions that lawyers can help resolve, or IAD will identify legal issues for the lawyers to take away and resolve within their own processes. Moreover, the legal department can provide valued word-smithing service to IAD when it comes to producing an audit report, so that IAD doesn’t fall into the traps of using conclusive or absolutist language about samplings, or worse, rendering gratuitous legal opinions. By the same token, in-house counsel must respect that IAD’s purpose under the ERM paradigm is to report the facts to the CEO and board, and not get in the way of the truth. Rather, everyone is better served when legal wisely alerts them that, in this cyber-age of “no forgetting,” any opinion about any particular facts should consider the perimeter of all interested parties, including plaintiff’s lawyers that may be doing e-discovery in three to four years’ time.

When legal is not advising IAD, very often they are working together to execute on an investigation. IAD will often possess forensic accounting and other skills invaluable to lawyers on their own fact-finding missions. IAD is thus often enlisted to support legal in executing an investigation. Conversely, when IAD and legal have established a true “enterprise risk-sensitive” relationship, IAD will know when a routine audit is turning into an investigation requiring lawyers, and tender the matter to in-house counsel. Typically, IAD will still stay involved, but the endgame changes from presenting the board with a healthcheck to presenting a gameplan for dispute resolution. The critical path to achieving this functional cooperative relationship is for both units to stay true to the principles of ERM (good risk culture, no silos, sharing) that could get lost in 3LD regimentation.

Regulatory and compliance investigations

For in-house lawyers working in a highly regulated industry like insurance, the potential for regulatory disputes, and the need for internal investigations, is an inevitable reality of life. To mitigate regulatory risk, a company’s objective is to avoid costly, even fatal errors by implementing a consistent discipline of self-policing and self-correcting practices aimed at preventing runaway regulatory issues or, at a minimum, effectively managing the risk of unforced errors in a company’s business practices and judgment. Once an investigation becomes necessary, either through self-audit or mandated by a regulator, it is extremely important to be intentional about preserving attorney-client privilege and any resulting work product, even where it is a priority for the company to maintain good working relationships with its regulators. US insurance companies are so closely regulated by the various states that they may be faced with the paradox of having the results of a good faith internal investigation being used to “hoist them on their own petard.” Therefore, once great care is taken to establish privilege, it is usually in a company’s best interest not to waive it, except where a company feels secure in sharing confidential information with a regulator pursuant, for example, to a statutorily endorsed right to self-evaluative privilege or where counsel can count on the assertion of a governmental examiner’s privilege under, for example, a DPA. A potential consequence of waiving privilege, particularly in the absence of an agreement to keep the information confidential, is the likelihood that courts will view it as a general waiver as to any third parties rather than a selective waiver to a specific regulator. Another concern is the need for role clarity to be well defined within the company for privilege to properly attach to an internal investigation because it will likely involve additional functions (e.g., finance or IAD).

Also, the ever-present challenge of herding the “cats” we commonly call witnesses, from current and former employees to experts, should not be underestimated. This is part of the process where a wise in-house counsel usually enlists the support of our esteemed counterparts — outside counsel — to assist with witness preparation and interviews.

The underpinnings of an effective internal investigation begin with implementing the necessary guardrails within which certain communications will be deemed privileged and remain privileged throughout the process. The protection is triggered once a communication is clearly identified as having the specific purpose of providing legal advice, and documents intended to be protected under the work-product doctrine must be created in anticipation of litigation. This means that, as discussed above, in the event of prosecutorial pressure, counsel must be prepared to provide the facts and withhold the advice. Therefore, in the event that the only factual records are those prepared by counsel, interview notes, and the facts sections of investigatory memoranda (just as we advise IAD) must as a matter of course be drafted as objectively as possible, without dangerous adjectives, adverbs, or conclusions, because there is always a risk of production.

In general, corporate entities are allowed to assert the right to attorney-client privilege pursuant to Upjohn Company v. United States. In Upjohn, the Supreme Court established corporate privilege where the purpose of the investigation is to obtain legal advice. The decision also created the “Upjohn Warning,” which clearly communicates to employees who may become witnesses that counsel represents the company, and any work done by counsel is on behalf of the company and privileged as between counsel and the company. The objective is to avoid stumbling out of the gate by creating a conflict where it may appear that counsel is representing both the employee and the company. While Upjohn stopped short of deciding the issue of attorney-client privilege as it may apply to former employees, a majority of courts agree that the privilege extends to former employees.

Due to the labyrinth of state and federal laws, and regulations pertaining to the business of insurance, insurers typically mandate robust compliance procedures to ensure that the company’s practices allow it to steer clear of any regulatory missteps, which may cause fines or litigation. The closer a company gets to launching an actual internal investigation, the more vigilant in-house counsel must be to preserve privilege. As discussed above, IAD’s processes may sometimes predate an internal investigation and routine internal audits, especially in the insurance arena, and can evolve in ways that may require companies to seek the protection of self-evaluative or other privilege even if counsel are not engaged in an investigation. Indeed, certain states recognize that there is a public interest in insurers conducting self-evaluations without fear of self-damage. The National Conference of Insurance Legislators (NCOIL), for example, supports a model act that protects an insurer’s ability to conduct audits and share the results with regulators without incurring the risk of being forced to disclose that information to adverse third parties in litigation.

In 1998, NCOIL developed the Insurance Compliance Self-Evaluative Privilege Model Act which provides that “an insurance compliance self-evaluative audit document is privileged information and is not discoverable, or admissible as evidence in any legal action or proceeding.” The Model Act provides protection in a minority of states for insurers sharing audit documents with insurance regulators, as well as protections for auditors potentially testifying in related proceedings.

Assisting claims in its third line function

To be sure, legal is not the only function besides IAD that performs third line operations. Often, a claims department conducts peer reviews and quality assurance (QA) audits to ensure good claims-handling. The role of in-house in that exercise is to provide legal risk management advice by evaluating the institution’s exposure to legal, financial, and reputational risk arising from a company’s most public activity — claims-handling — and creating strategies to mitigate those risks and create a culture of compliance. Insurers can more effectively ensure that claims are handled appropriately and deliver consistent, accurate, and efficient outcomes by developing training and best claims practices designed to optimize claims functions, facilitate application of relevant policy provisions, and to comply with state-specific requirements. Another way in-house lawyers can help claims mitigate risk is by analyzing legal and regulatory risk trends and suggesting ways to avoid, mitigate, or remediate emerging risks.

Given the highly regulated and litigious environment where insurance companies operate, arming claim professionals with the training and tools they need is wise and fundamental risk management. Ideally, once comprehensive training and claim standards have been developed, a claim quality and compliance audit process would be introduced to measure adherence to best practices and help achieve high performance levels. Nonetheless, some carriers may struggle in considering the relative benefits and risks associated with adopting a comprehensive claim quality audit process. Internal QA and compliance audits may effectively serve to protect carriers from future liability by identifying errors, delays, leakage, or compliance concerns, but on the other hand, despite all intentions being to the contrary, they may also provide potential adversaries with the evidence they need to bring a bad faith claim or class action alleging institutional bad faith. To encourage insurers to institute audit programs to evaluate legal and regulatory compliance, and cultivate a culture of compliance that would benefit insurance consumers and the public — as discussed above — a number of states have adopted statutes recognizing that a self-evaluative audit privilege applies to documents that are generated by a self-audit and protects them from discovery. Self-audits may also be protected by the attorney-client privilege or the work product doctrine, but unlike either of these, the self-evaluative audit privilege applies without an attorney.

The privilege is not as sweeping as one might expect and it generally only protects opinions, observations, and recommendations and may not protect factual data. The self-evaluative audit privilege has been codified by 11 states and the District of Columbia. In the order of the passing of their relevant statutes, the list includes Illinois, North Dakota, New Jersey, Oregon, Michigan, Washington DC, Kansas, Texas, Hawaii, Washington, Colorado, and Arizona. Most statutes indicate that disclosures made under the self-evaluative provisions do not abrogate the protections otherwise available under the attorney-client privilege, or work product doctrine. Also, if the judge determines, in an in camera review, that the company did not take appropriate measures to rectify a problem, the privilege may be lost. There is also variance across the states that have codified the privilege on whether all voluntary disclosures are protected or only those produced during an ongoing regulatory insurer investigation are protected.

In his article “Legal Development: The Privilege of Self-Critical Analysis: A Survey of the Law,” Donald P. Vandegrift recommends the following strategies when developing audit reports: clearly mark the document, including titles and sections, as subjective analysis or opinion; mark the document as confidential; and limit the internal and external distribution of the document. Vandegrift also recommends exploring the use of alternative methods for protecting the document: protective orders, Rule 407 of the Federal Rules of Evidence, and the use of attorney-client privilege.

No doubt, the legal department’s role in counseling claims in its QA work is a very important function in a litigious United States, and increasingly litigious world.

Fraud and employee investigations

With the proliferation of legislative and judicial activity in the field of labor and employment law over the last several decades, the role of in-house employment lawyers in fulfilling the third line of defense function has taken on greater importance. It was not so long ago that US corporations, even those in the Fortune 500 with sizeable in-house legal departments, assigned responsibility for ensuring compliance with employment laws to a generalist who was often asked to wear many hats. These lawyers would regularly be required to opine on a corporation’s legal obligations under an ever-expanding web of federal, state, and municipal laws addressing all manner of labor, employment, and employee benefits matters, in addition to their “day job” of advising management about issues of corporate governance, negotiating contracts with vendors and suppliers, managing commercial litigation, and so on. Today, however, most companies employ lawyers with specialized knowledge and backgrounds in employment law who are focused exclusively on the legal risks arising under the vast array of laws directed at the employment relationship. The functions these lawyers perform as part of the third line are of both the proactive and reactive variety. Below are examples of each.

As we know, one of the primary responsibilities of an in-house employment lawyer is to identify potential risks arising from a company’s employment practices and address them before they progress to an administrative charge or lawsuit. The earliest point to identify risk is at the time of hire. Consequently, in-house lawyers often play a significant role in developing and administering a company’s background investigation process, which is intended to ensure the company only hires candidates that do not present a substantial risk to the company, its customers, or business partners. This function is particularly important in the insurance industry because federal laws and state insurance regulations restrict applicants with certain criminal convictions from performing specified roles in the industry. This is no small task considering that employer background investigation processes have come under attack recently on several fronts, including the US Equal Employment Opportunity Commission, which has developed strict guidelines that are intended to govern employers’ background checks and ensure they do not result in an adverse impact to protected individuals or groups. Other challenges exist in the form of “ban the box” legislation, which prohibits employers from inquiring about or considering an applicant’s criminal history until after a conditional offer of employment has been extended.

The lawyer’s job is to partner with the company’s HR department to ensure that the company’s employment application, offer letters, and all other documentation provided to job candidates comply with applicable laws, including the Fair Credit Reporting Act. The lawyer must also assist HR and IAD to develop the guidelines that will be used to assess job candidates’ educational, employment, criminal, and (in some cases) credit histories to ensure a consistent approach and achieve the objective of risk minimization. Finally, the lawyer needs to partner with HR and IAD to provide counsel on specific issues that arise during the course of the background investigation. This may require, for instance, that the lawyer provide advice regarding a job candidate’s plea to a criminal matter and its implications to the candidate’s prospective employment.

Another example of a situation where in-house counsel play a critical proactive role is ensuring that the company’s wage and hour practices comply with the federal Fair Labor Standards Act, and applicable state and local laws. Unlike other types of employee litigation, which involve a single employee and where the range of potential damages is limited, wage and hour class actions often involve hundreds, if not thousands, of employees and “bet the company” levels of damages.

It’s no surprise, therefore, that this function has garnered additional attention at the board level in recent years, given the surge of class action litigation and governmental audits involving claims of employee misclassification and unpaid overtime. The in-house lawyer’s role is to monitor the legislative, regulatory, and judicial developments in wage and hour laws at the federal and state level and partner with HR, compensation, IAD, and compliance to ensure the company’s compensation practices are properly aligned. This may include third line activity like overseeing random or targeted audits of certain job classes where there may be a question as to whether the positions are properly classified as exempt from minimum wage and overtime requirements. Similarly, in-house counsel may need to spearhead an audit of a company’s timekeeping practices where there is concern that employees designated as non-exempt and overtime eligible may not be accurately recording their hours worked and thereby placing the company at risk of claims for unpaid overtime for work performed “off-the-clock.” In either case, the lawyer plays a critical role in ensuring the audit is properly focused to address the legal requirements and to assert, where applicable, attorney-client or work-product privileges.

In addition to the proactive services in-house employment lawyers provide to their clients, they frequently play a reactive role where they are called on to assist in coordinating company investigations into reported violations of company policies. These investigations may take many forms depending on the nature of the policy at issue. For instance, corporate codes of business conduct are now ubiquitous in most industries, including insurance, and are intended to ensure appropriate standards of employee behavior with regard to such areas as expense management and conflicts of interest. Likewise, HR policies are designed to align employee behavior not only with company standards, but also with applicable laws. An example of an in-house lawyer’s third line role in this area is where the lawyer must coordinate the company’s response to a report of discrimination or sexual harassment. The lawyer’s work here is critical as he or she must balance several objectives that are often in conflict with one another: the need to ensure a thorough and fair investigation, and to recommend appropriate remedial measures, where necessary, with the goal of properly positioning the company in the event of a subsequent administrative claim or lawsuit whether from the subject of the investigation or the accuser, as well as to forestall future, addressable problems.

The lawyer’s role in these situations is to formulate the investigative strategy, including identifying witnesses that should be interviewed, determining what form those interviews should take and whether to memorialize them by way of written statements. When the lawyer is not asking the questions, the in-house lawyer also provides advice to the non-lawyer investigator who may be an HR generalist or internal auditor with varying degrees of expertise as to the process of conducting employee investigations. Lastly, the lawyer makes recommendations for appropriate specific remedial and, at times, enterprise-wide measures.

Considering the in-house lawyer’s knowledge of the relevant substantive law and familiarity with the facts from having overseen the investigation, it is not surprising that his/her recommendations are afforded significant weight by the ultimate decision-maker. Given the great distributive power of communications on the internet and elsewhere, HR counsel have a key role in the management of a company’s reputational risk.

Cybersecurity assessments

While not solely the responsibility of in-house counsel, cybersecurity assessments and general risk assessments of a vendor’s processes and procedures are important aspects of in-house counsel’s duties. A lawyer usually is engaged in the first line of defense in the vendor selection process, or when negotiations with a vendor begin. Negotiations with a vendor include numerous stakeholders such as IT, procurement, IAD, business resiliency, and compliance, not just lawyers. The stakeholders have different roles and responsibilities in protecting a company’s interest when entering a contract.

With the inception of ERM, these stakeholders provide pieces of the total risk assessment used by the company in conducting its evaluation of the vendor risk. Excluding any of the stakeholders, including in-house counsel, from the ERM framework could lead to a poor risk assessment. Working with the stakeholders, in-house counsel will create a standard contract template to be used to negotiate with a vendor. The terms and conditions of the contract template will provide the framework to protect the company from identifiable risks, including cyber risks. The contract template will also provide the framework to allow a company to conduct and continually reassess a vendor’s risk profile.

Initially a vendor will undergo a risk assessment, including financial stability, business resiliency, cybersecurity, employee background checks, compliance with statutes and regulations, and other potential risks identified by the stakeholders. Vendor risks may be different based on the type of services the vendor will perform. For example, if a vendor will store a company’s customer data, there will be a heightened sense of cybersecurity risk and the general risk assessment performed should be more robust.

During negotiations, the role of in-house counsel should be to educate the business and other stakeholders on the risks posed by a vendor, including a vendor’s proposed changes to a company’s standard contract template. The business and stakeholders may not realize the impact of the vendor changes and in-house counsel needs to be part of the internal discussions.

When it comes to the third line of defense, in-house counsel are tasked with reviewing and updating the contract templates to make sure these templates keep up with changes in technology. The use of third party providers to provide cloud storage services, or software as a service (SaaS) applications, where a company’s data is processed by the SaaS vendor outside of the company’s network, poses unique threats that need to be addressed. Working with the stakeholders, in-house counsel need to continually update contract templates to include not only initial assessments of a vendor’s cybersecurity and security procedures (vendor security) but also ongoing audits of all of the vendor’s security to address new risks as they arise.

Lastly, when it comes time to assess whether the company has actually been exposed to any “live” and ongoing cyber-breaches, lawyers have a very important role in shielding the investigation, identifying legal risks and the internal and external stakeholders possibly affected by a breach, advising management on compliance with breach notification laws, and preparing for any resulting litigation. Because of the complex issues that may arise in the event of a breach, both the US Department of Justice (DOJ) and the National Cyber Security Alliance (NCSA) have recommended the early involvement of counsel when venturing out into the cybersecurity minefield. The DOJ has remarked: “[h]aving ready access to advice from lawyers well acquainted with cyber incident response can speed an organization’s decision making and help ensure that a victim organization’s incident response activities remain on firm legal footing.” The NCSA notes that risk assessments are most safely done under privilege:

[P]erforming risk management responsibilities may inherently reveal sensitive information about the firm’s risk posture. Most firms are concerned with such information being discoverable in a lawsuit that results from a security breach, and thus working against the firm whether the risks were caused intentionally or accidentally. For this reason, it is advisable to work through internal or external counsel so the data may be controlled under attorney-client privilege.

Just like any other company asset, reputation needs the early attention of the company’s lawyers, who are best suited to balance its preservation against the dictates of breach disclosure and other law.

Conclusion

We began this article with a nice pat on the back for the lawyers from one of the leading minds in risk management, Nassim Taleb. In his most popular book, The Black Swan, Taleb warned his readers of the dangerous human predilection for the oversimplification of reality; he called it the “narrative fallacy.” Because 3LD is an oversimplification, the 3LD story can likewise become a fallacy, unless we see it as malleable guidance, not inflexible law, and we continue to advocate for the profession in this new developing regime. In-house counsel must be mindful that to stay useful within their organizations, they need to operate beyond the bunkers that management theory wishes to construct across industries, and ensure that lawyers have a voice when others are designing their roles for them. Without doubt, lawyers have roles in each line of defense, sometimes simultaneously, and it is imperative we demonstrate our own special functionality within the ERM system.

Further Reading

“What Black Swan Author Nassim Taleb Has To Say About Insurance” (Carrier Management Oct. 8, 2015).

For the Australian legal perspective, see Legg, M., “The Hardie Judgment II: Lawyers as Gatekeepers,” Univ. of NSW, available at clmr.unsw.edu.au. For the English and Welsh legal perspective, see Loughrey, J., Corporate Lawyers and Corporate Governance (Cambridge Univ. Press 2011) (lawyers may have common law obligation to report up; also noting public expectations are trending towards regarding counsel as the “conscience of the corporation”).

Richard Chambers, “Internal Audit’s Work With General Counsel Doesn’t have to Be a Privilege” (I.I.A. May 18, 2015) (“a good general counsel can strengthen the internal audit function by helping it understand the legal ramifications of how conclusions are articulated without compromising its independence or objectivity”).

Paul Tetrault, “A Statutory Self-Evaluative Privilege Benefits Consumers and the Insurance Marketplace,” Legal Backgrounder, Vol. 30 No. 1 (Jan. 2015).

Reid v. Lockheed Martin Aero. Co., 199 F.R.D. 379 (D. Ga. 2001).

215 ILCS 5/155.35(h); N.D. Cent. Code § 26.1-50.05(2); N.J. Stat. § 17:23C-9; ORS § 705.137(4); MCL § 500.221(4); Tex. Ins. Code § 751.251(a); K.S.A. § 60-3358; D.C. Code § 31-852.

Legal Development: The Privilege of Self-Critical Analysis: A Survey of the Law, 60 Albany Law Review 171 (1996).

See, e.g., Debra Lyn Bassett, The Future of International Class Actions, 18 Southwestern Journal of Int’l Law 21 (2012) (as of 2012, twenty-eight countries had adopted some form of class action litigation).

See, e.g., Colin Speer v. Whole Foods Market Group, Inc., Case No. 8:14-cv-03035, in the U.S. District Court for the Middle District of Florida (Whole Foods agreed to $803,000 class action lawsuit settlement over allegations that it violated FCRA by not properly disclosing to prospective employees that they were running a background check).

Best Practices for Victim Response and Reporting of Cyber Incidents

NCSA, “Cyber Risk Assessment and Management”


The views and opinions expressed in this article are solely those of the authors and do not necessarily represent or reflect the views of The Hartford or Hinshaw & Culbertson.