Compliance in a World of Escalating Risk

For a third consecutive year, Corporate Counsel Business Journal co-hosted a roundtable series on global risk with longtime contributor Clifford Chance, which provided subject-matter expertise and helped facilitate three dinner discussions with an esteemed group of general counsel and chief compliance officers.

What are the most pressing issues for today’s general counsel? Would it surprise you to hear the list is long and getting longer?

For senior leaders of in-house legal teams, the difficulty in protecting their companies’ reputations has reached new heights. Almost anyone can now post, share or find information on the internet, making crisis management – never an easy undertaking to begin with – an even tougher test for corporate counsel.   

Not only is hacking more sophisticated than ever, it’s now being bolstered – and even financed – by governments around the world. At this point, who can name a general counsel not concerned about the inevitable data breach?   

Or, switching gears for a moment, who can name a general counsel in this age of #MeToo who isn’t worried their company could be next in line to be impacted by an alleged ethical lapse by a senior officer?   

For a third consecutive year, Corporate Counsel Business Journal met with general counsel and other leaders of in-house law departments from leading multinational companies as part of our annual Global Risk Dinner Series. Once again, we learned a great deal. And although we promised our dozen Washington, D.C.-area attendees we would keep them and their companies anonymous to allow for a more candid dialogue, we are able to share with you many of the key points in this article.

From the enactment of U.S. trade sanctions to the uncertainty of Brexit to growing concerns about privacy, the current phase of global disruption has given rise to a slew of risks and legal questions that don’t always have clear-cut answers. Most who attended the series agreed it’s a challenging period, especially for multijurisdictional companies.  

"More countries are following the U.S. model and are applying its laws and regulations with increasing extraterritorial effect, which has materially heightened enforcement risk just through the sheer volume of what’s now required to be in compliance," said David DiBari, Clifford Chance’s U.S. Head of Litigation & Dispute Resolution.   

DiBari, who served as CCBJ’s co-host of the Global Risk Dinner Series for a third straight year, discussed the dramatic impact compliance missteps – both domestically as well as internationally – can have on a company’s reputation and bottom line.  

"Not all in-house teams have boots on the ground everywhere they do business," he said. "In many cases, global regulatory changes are expanding faster than the in-house teams responsible for addressing them. This is a board-level issue general counsel must stay on top of."  

Culture and Ethics

The first dinner of CCBJ’s most recent series focused on the importance of culture and ethics in managing an organization’s risks. Joining DiBari and the dozen in-house attendees were Clifford Chance’s newly elected Senior Partner, Jeroen Ouwehand, and former federal prosecutor Dan Silver, who practices out of New York.  

Questions from the table were broad in scope – for example:  

  • Who is best suited to conduct ethics training?
  • Is there an ideal way to embed corporate culture following an acquisition?
  • What’s the best way for an organization to achieve "ethical health"?

"I’m a strong believer that ethics training is best conducted by managers, not by ethics people parachuting in and leaving the next day," said Ouwehand. "It’s important to train for moral judgments. Culture is constantly evolving, but every organization has a core set of values that guide it, and the training should be in tune with those values."  

Ouwehand also noted a key learning from work being done at Harvard on culture and diversity: nudging – that is, regular reinforcement – works better than training.  

With all of the risk dinner attendees working in senior roles at large, multibillion-dollar organizations with locations across the world, a common point of interest was how best to assess behavior and achieve compliance, especially in countries where western sensibilities don’t always apply.  

"It’s not unusual to see conflicts in isolated locations, especially if it involves strategic partners at smaller sites where performance has long been valued over behavior," said Silver. "In order to spot systemic issues, you can’t emphasize enough the need to have strong ties on the business side – it can’t all be done by the legal teams. Take the time to nurture those relationships."  

Attendees agreed that reinforcement is a key component of driving the right type of culture and ethics. This includes communicating the monetary value and competitive advantage of compliance, and mixing it in with other types of storytelling, including a combination of compliance successes and the consequences for those who made poor decisions.  

In an era of “alternative facts,” separating what you believe from what you know is imperative in crisis management.

Data and Cyber

The second dinner in the series focused on a topic that – regardless of industry – is now a key priority for all general counsel: data privacy and cybersecurity.  

Joining DiBari and the attendees for this dinner discussion were Megan Gordon, Clifford Chance’s U.S. Co-Head of Cybersecurity, and fellow subject-matter expert, Partner Ines Keitel from the firm’s Frankfurt office.  

Gordon told the group that more than half of today’s cyber-related attacks come from phishing and noted that even small attacks are resulting in significant monetary and reputational damage.   

"Phishing has become low-hanging fruit for criminals," she said. "Even the best companies are vulnerable because it just takes one careless moment – one breach in the right area – to create havoc. You can’t communicate frequently enough to your organization how important it is to stay alert when working online."  

Gordon noted that no one is immune, having advised two companies with iconic brands in the past year alone.  

Another major topic of interest for general counsel working for multinational companies is the General Data Protection Regulation, or GDPR, which has dramatically affected how all organizations doing business in Europe now manage and use their data.  

Keitel underscored the seriousness with which European regulators are treating GDPR and noted the severe fines that can be levied for noncompliance – up to 4 percent of gross annual revenue of the group.  

"In addition to the reputational blow, the maximum fine would be a significant financial hit," said Keitel. "Obviously, the board, shareholders, employees – no one is going to be happy if that happens. GDPR went into effect less than a year ago, and we saw an immediate focus on enforcement in various countries."

"As with most new regulations, companies have been seeking additional clarity around what is enforceable. But many of them have also been spending a significant amount of time and money to map their data, build structures that aid compliance and increase control over their data flows."  

One attendee asked if – almost one year on – European regulatory agencies have given any thought to revising GDPR. Keitel said the EU seems to have received surprisingly little pressure from corporations to ease up – in part due to the culture in Europe. "U.S. citizens typically worry about government invading their privacy. The opposite seems to be true in the EU – they care about what corporations will do with their personal data."  

DiBari added that privacy concerns around the world will only escalate going forward.  

"They’re now putting voice-activated online assistant software in cars," he said, "constantly collecting data. Embedded in that is the idea that car owners will demand more privacy protection."  

Reputation and Crisis Management

The final dinner of the series featured a robust discussion about reputation and crisis management. Joining the group were Clifford Chance Partners Celeste Koeleveld, former General Counsel of the New York Department of Financial Services, and London-based Luke Tolaini, who has broad experience in litigation, regulatory and investigative matters.  

DiBari led off by noting that although today’s general counsel now lead during an era that gave birth to "alternative facts," the importance of accuracy cannot be overstated when managing a crisis. Separating what you believe from what you know is imperative.  

"Presenting well-intentioned but inaccurate facts is a credibility killer that’s difficult to recover from," he said. "The best-run companies have a thoroughly tested system in place for gathering information and being able to respond quickly; running annual crisis scenarios that help designated crisis teams identify gaps in their plans and skillsets is priceless. You don’t want your first attempt at mitigating a crisis to be when you’re under siege."  

Tolaini, a member of the Clifford Chance Global Risk team, noted that a regular dilemma for many organizations is deciding whether a crisis response should be guided primarily by public relations or legal considerations. That line of thinking is now being challenged by a third entrant.  

Cyber and privacy considerations are now challenging the notion of PR versus legal. The reason is that cyber response plans come under regulatory scrutiny – and that has people’s attention.  

One of the points discussed around the table was balancing the question of, "Is it legal versus is it right?"  

Koeleveld noted that, as former general counsel herself, she always viewed her role as larger than being the senior in-house lawyer. "It’s broader than that," she said. "It’s a leadership role – one that’s responsible for helping to shape the culture of the entire organization."
