Quantifying Risk - Ask An Expert

Monday, September 1, 2008 - 00:00

Editor: Frank, please give our readers a snapshot of your background.

Wu: I am a Managing Director at Protiviti and work with our clients' legal departments and law firms to manage appropriately the risk of litigation and investigations. Businesses face risks from a host of internal and external events: mergers and acquisitions, insolvency, fraud and money laundering, financial restatements, protracted litigation and the cost of electronic discovery. While each of these risk events is unique, they all must be understood starting from their root causes and managed with expediency to limit exposure. To do this effectively, it's just as necessary to understand a company's culture and existing controls as it is to understand the industry and regulatory environment within which it operates.

Editor: Why is Sarbanes-Oxley credited with highlighting the need for services such as those performed by Protiviti's experts?

Wu: Sarbanes-Oxley threw, and continues to place, a bright spotlight on the broader and long-term need for strong corporate governance. Formal and legal requirements for increased transparency, such as those set in place by Sarbanes-Oxley, have put greater pressures on all organizations, public and private, to get compliance right, particularly when it comes to the disclosure of their controls and procedures.

Editor: Now that Sarbanes-Oxley has been on the books and shaping management's approach to fraud for more than five years, what new developments and risks are affecting legal departments today?

Wu: Litigation and financial investigations have, in many respects, become inevitable in today's environment. All companies, even the best managed ones, must expect and prepare for that eventuality. Corporate legal departments are particularly concerned about the burdensome cost, time and effort associated with electronic discovery. Discovery can represent over half of a company's total litigation budget, and e-discovery can rapidly consume more than half of the discovery budget. This means that e-discovery can easily become the single largest cost of responding to litigation. It is certainly the fastest growing cost associated with litigation. But not only are the costs of discovery growing, so are the consequences of mishandled production in response to discovery requests. At the same time, inadequate or dilatory responses have become more likely because the timetable for e-discovery responses and scheduling begins earlier and moves faster than ever before.

Editor: What are the developments and risks affecting IT departments?

Wu: Advances in tools and technologies are making it easier to create a tremendous volume of data and highly specialized records, which greatly complicates the management of information generated within an organization. In litigation, potentially relevant and responsive information can include anything and everything created and stored by a company. This electronic information can be physically located anywhere and everywhere, in any number of formats on a multitude of devices and media, sometimes without the company's prior approval orknowledge.

Editor: What are the key issues affecting both legal and IT departments?

Wu: At Protiviti, we are finding that more legal and IT departments are becoming very aware of the "whys" and the "whats" around e-discovery but are having issues addressing the "hows" in three key areas. First, they want to know how to be prepared for litigation and investigation in the event that they are compelled to preserve and produce information. Second, they want to know how to operationalize their organization's records retention program. Third, they want to know how to properly dispose of records and data no longer needed by the organization. Between Legal and IT, the central issues and practical considerations focus on the ability to store, search and retrieve e-mail, e-files and backup media.

Editor: What can companies do to counter these risks? What do companies need to know before they can put mechanisms in place to counter these risks?

Wu: We recommend that companies consider the following:

• Risks - What risks have been identified , how are they currently being managed , and how do we know that they are managed?

• Preparation - What challenges or eventualities must be prepared for? How far back into the company's history and records does a reasonable search and management plan need to go? What technology does the company have, and what additional technology does it need?

• Management - How can six key areas of management - policies, practices, roles and responsibilities, reports, approaches, and tools and technologies - be linked to create a sustainable, effective litigation risk management and readiness program?

Editor: What resources are available to aid companies?

Wu: One of the most important resources that IT and legal departments have is each other. Legal can be a significant resource for IT in defining the regulatory standards and requirements that must be met while IT can be a significant resource for Legal in assessing, developing and implementing the appropriate technical solutions. Another internal resource, which is too often overlooked, is the ability to leverage existing technology investments. This sort of leverage can significantly clarify whether proposed new investments are actually "must have" vs. "nice to have" technology.

Of course, a wide variety of resources are now available from professional service providers and technology vendors. Companies are increasingly availing themselves of tools and technologies that improve records and content management, e-discovery solution vendors, third-party training resources and study programs.

Editor: What inherent and outside risks are companies most likely to overlook?

Wu: All organizations have litigation "hot spots," but they also have "blind spots," which, if ignored, can become "very hot spots"! IT and legal departments often have different perspectives, priorities and vocabulary. Because of these differences, they can misunderstand one another's concerns and fail to recognize - let alone communicate about - hot spots that are vital to the other department.

Many organizations have undertaken litigation-readiness initiatives in the last couple of years. However, preparedness is not the same as effectiveness. Some are finding that their policies and practices may not have been carried out as designed, or that the solution was not sufficient for the type or quantity of challenges they faced. Others have found that the actual cost of their readiness significantly exceeded their original budgets.

Since we cannot predict with certainty how litigation, legislation or markets will evolve, any litigation risk management program must be strong but flexible, reliable but resilient, sustainable but adaptable. This balance is not always achieved easily.

Editor: When addressing litigation and investigatory risks, what considerations should be brought to bear?

Wu: When addressing these risks, we recommend that organizations consider the following:

• How does a company implement and sustain solutions in a way that makes sense in light of their existing business priorities? Where do they want to go given where they are now?

• In supporting the business operations and operations within and between the legal and IT departments, what's critical and what can be ignored?

• What capabilities need to be brought in-house, and what functions should be outsourced?

• Can and should a specifically identified risk be monitored, patched, fixed or just left alone?

Editor: Are "best practices" always the "best" panacea to counter all risks?

Wu: This has been a subject of quite a few lively debates. In this particular area, I don't think that best practices are always best. Sometimes good enough is good enough. What's important is the ability to demonstrate reasonable practices and good faith efforts in responding to litigation and investigations. Requiring best practices can result in creating demands, obligations and concomitant expenses that the organization would not otherwise have. We have seen multiple occasions where implementing "best practices" resulted in overspending and overkill. It can also distort business priorities and have an unnecessary negative effect on the bottom line.

Editor: What can be deduced from this overview of managing risks on the part of legal and IT departments?

Wu: These are serious risks that demand an equally serious response. In today's changing legal and regulatory environment, the cost of compliance and the harsh consequences of noncompliance have grown exponentially and are not likely to ease any time soon. Senior executives and key stakeholders are demanding more proactive management of this risk. Although the demands may not be avoidable, the excessive cost, burden and duration certainly can be. Organizations are looking to transform the challenges of litigation, official investigations or other legal crises from ad hoc responses into sustainable processes.

Editor: What do legal and IT departments need to accomplish?

Wu: Legal and IT tend to have very different responsibilities, needs and viewpoints. This makes clear communication essential in creating a common ground where both departments can share their expertise and experience, build on points of agreement, and discover points of disagreement.

In developing policies, procedures and strategies to manage the risk of litigation and official investigations, legal and IT departments need to work together in four key areas: (1) establishing defensible processes in routine operations, (2) demonstrating reasonable and good faith efforts to comply, (3) driving significant cost savings from practical solutions, and (4) implementing efficient ways to minimize disruptions and distractions to the organization and the people who perform its work.

Editor: Do you have anything to add?

Wu: In today's risk environment, it is becoming more critical for legal and IT departments to work closely together to figure out not just the "whys" and the "whats" but also the "hows." There is a growing need to be aware, be prepared and be involved.

For more information, contact the interviewee at (213) 327-1509 or frank.wu@protiviti.com.