A Trial Lawyer's Perspective On Compliance And Risk Assessment

Editor: Please inform our readers about the scope of your practice and the practice of the firm.

Jorden: Our firm has an established national reputation for defending high stakes litigation for insurers, mutual funds, health care providers and other financial service companies. Over the past 15 years, I have been lead counsel for financial service companies, particularly insurers, in more than 50 class actions and have been lead trial counsel in at least as many individual cases. I have argued before the United States Supreme Court and 10 of the 11 Federal Courts of Appeals.

Editor: You have been referred to as a "Lawyer's Lawyer." What does that mean?

Jorden: That was the comment made by the general counsel of one of our clients. He generously said I was a "Lawyer's Lawyer" because I combined technical skills with the ability to translate complex legal issues into simple concepts. I hope he is right.

Editor: Why have the risk areas confronted by financial institutions risen to a much higher level of concern to the industry itself, to regulators and to the investing public?

Jorden: The consequences of inappropriate risk-taking can be devastating to the investing public and to the industry itself.

From an industry perspective, companies realize that investor trust is critical to healthy markets, and an operationally sound company is the best way to gain investor trust; in fact, some companies are actually using compliance and internal risk control as a marketing tool. From a regulatory perspective, investor protection is the paramount mission, and the company that operates outside acceptable risk levels is the company that creates the most economic danger for investors and the most red flags for regulators.

When we talk about risk assessments and risk taking, we're talking about projecting future risks and evaluating current controls and business practices. We believe that it is not just "what" you do, it is also about "how" you do it, so having the right processes in place is critical.

Editor: What operational risk cross-currents did you discuss at the LIMRA/LOMA conference which you feel should be highlighted for our readers?

Jorden: A variety of cross-currents fuel operational risk. Externally, we see increasingly aggressive regulatory activity, large settlements, changes in the capital markets, shifts in product demand, changes to reserving and other risk transfer requirements, and an increasingly competitive marketplace. Internally, operational risk is created by more complex products, more tightly engineered product designs due to pricing pressures and reserving requirements, more diverse distribution sources, and training and supervisory practices that require significant resources and attention.

These crosscurrents have resulted in enforcement activity in many areas, including: late trading and market timing; contingent compensation, steering and bid rigging; finite reinsurance and insurance arrangements; deceptive packaging, premium, expense and income calculations; suitability, and life settlements.

Perhaps more relevant is my message that what we have found to be "best practices" as we view them from a litigator's perspective require the Chief Compliance Officer and his staff to work hand in hand with all of the line operations of the company. Some companies seem to focus on the sales regimen, but we believe that, for example, in the insurance industry, the companies with the best practices incorporate their compliance team in all phases of the company's activities, not just sales, but also product development and administration, etc. We know from our litigation experience that good coordinated compliance reduces risks.

Editor: Your team of litigators at Jorden Burt devotes much time to working with its clients on identifying and mitigating many kinds of risks. Please describe the risk areas that they consider and mitigants that they advise be used.

Jorden: Our risk assessment activities typically focus on three categories of risk: litigation, regulatory and reputational. Within these categories, we address risks that touch all financial services industries and products, as well as specific risks relevant to the products, distribution channels and organizational structure of a particular client.

Our methodology includes four steps: developing the specific focus of the risk assessment; conducting the assessment; communicating results; and structuring and staging follow-up activities. In this process, we work closely not only with the head of compliance and inside counsel, but also with senior management on the business side.

Although mitigating actions depend to a large extent on specific client findings, we advise all clients to take the following steps to anticipate and minimize risks: 1) have a sound knowledge of current and emerging litigation and regulatory issues, and communicate these issues to senior business, legal and compliance management; 2) develop healthy working relationships between line operations and inside legal counsel, and routinely include legal counsel (particularly inside litigation counsel) in business decisions; and 3) conduct internal operational reviews, such as compliance audits, operational risk assessments and mock examinations, on a routine basis. While these activities won't guarantee the absence of problems, they will certainly provide an infrastructure to identify and resolve operational issues as expeditiously as possible.

Editor: Would this approach be described as one of Enterprise Risk Management? If not, how does it differ?

Jorden: In its purest form, this approach is indeed enterprise risk management. We strongly believe that a robust operational risk assessment should cross traditional boundaries and look at the organization as an integrated whole. "Silo" behavior, in itself, is responsible for creating many operational risks.

Having said that, we recognize that a company may not have the resources to conduct a full-blown, enterprise-wide operational risk assessment at a particular time. In these cases, we work with clients to scale the assessment appropriately, perhaps focusing on a particular affiliate, division or product, depending on the nature of the risks involved.

Editor: You have represented many clients in class-action suits. What measures do you advise clients to follow who may become the subjects of class-action suits in order to stay "below the radar" in avoiding these suits?

Jorden: To begin with, it is important to note that our counseling involves not just what may be illegal activity. Clearly, an activity that is illegal is an unacceptable risk. But some activities that fall into legal "gray areas," and others that have been tacitly accepted by regulators for years suddenly become the subject of regulatory scrutiny, and, in any event, may not, in hindsight, prove to have been the "right" thing to do as viewed from the customer's perspective. Part of our job is to assist in making that evaluation of risk and conduct before problems arise. The team that conducts an operational risk assessment needs to have the industry knowledge, legal background and experience to identify and assess these areas as well as "black letter of the law."

Jorden Burt has a unique edge in operational risk assessment for insurance companies. We have the unique capacity for providing not just regulatory skills, we also have a track record of substantial class action and individual litigation experience, representing most of the major insurance carriers in the United States. And, we are fortunate to have substantial in-house compliance officer experience in Marilyn Sponzo, who has recently returned from serving as the Vice President and Chief Compliance Officer for Massachusetts Mutual Life Insurance Company in the distribution of their insurance and securities products.

Editor: The NAIC's Risk Assessment Working Group has recently designed a Handbook with a more risk-focused examination approach entailing new processes and procedures for those in the insurance and securities industry. If adopted by the state commissioners, how will this affect these companies in terms of reducing reserve requirements, operationally, etc.?

Jorden: Although all of our primary regulators have initiatives to refine and update their regulations as necessary, I don't believe that the adoption of a particular examination approach, such as risk-based exams, will have any impact on reducing the inventory of regulatory requirements. A particular exam approach is designed to help examiners assess a particular company's regulatory compliance as efficiently as possible, and by focusing on risk and risk assessment, examiners should be able to identify operational vulnerabilities quite effectively.

Editor: How much is the type of work you do in risk-assessment tied in to the demands of Sarbanes-Oxley, COSO and the new Sentencing Guidelines?

Jorden: Our work, and the regulatory regimes set out in SOX, COSO and the Sentencing Guidelines, share a common philosophical premise - a stable, healthy company needs an operational infrastructure that has a process for identifying, evaluating and limiting various types of risks. Here are a few reasons:

Because resources are limited, because legal and regulatory violations can now have catastrophic results on companies, and because of attempts to reward or at least recognize good faith efforts at good behavior as a mitigating factor, what some may say are the burdensome requirements of SOX have renewed interest in risk-based approaches to corporate compliance at all levels.

Following SOX, the SEC required funds and advisers to have comprehensive compliance programs. The SEC expects such funds and advisers to document their risk assessment processes in the design, implementation and annual review of their compliance programs. The OCIE has said it uses a risk-based approach in the application of its inspection regime.

The SOX-established PCAOB is said to take a risk-based approach when inspecting accounting firms. In fact, risk-assessments have long been a key aspect of all internal and external financial and compliance audit programs, areas in which COSO has done important work.

Greater reliance on risk-based assessments of internal control over financial reporting is expected to help smaller companies comply with the unexpectedly costly and burdensome requirements of SOX 404 regarding management assessments of internal control over financial reporting.

Editor: Do you expect a diminution in the compliance regimen now imposed on companies as a result of the Democratic Party's control of Congress?

Jorden: Not at all. The viability of American business is a bipartisan concern, and robust compliance is an effective way to nurture business health. The investing public and the economic markets will continue to demand that companies maintain operational effectiveness through risk control.

Published December 1, 2006.