By Katsiaryna Pazniak.
While the global pandemic is slowly backing down, its influence on the world dynamics will stay with industries for quite some time. In parallel, global law firms are currently thriving as they maximize their efforts and excel in the best service delivery, giving away the precious BAU. 2021 appears to be more demanding in comparison with the previous year, setting higher expectations on how to juggle technological breakthroughs, management of internal and external cultural stability, threats to data and constantly evolving regulatory changes that affect their clients. In particular, financial services firms are now looking for law firm guidance on the global changes, a holistic view on live updates to the regulations and technological transformation to keep up with the times. Acknowledging the current state of financial services affairs and to a certain extent foreseeing the implications will help legal service providers to be better placed to support their clients.
Financial companies and institutions rely on law firms as their right hand in supporting operations, daily compliance, and future strategy planning. In response to the pandemic, financial services and regulatory mechanisms have developed their own organic approach to managing the direction of 2021 priorities, and they require continuous support and leadership of legal firms to implement it. The profound effects of COVID-19 have resulted in a number of industry changes; however, most of them have been underway for years. This year coincidentally happened to be the critical one for keeping up with changes and consequences.
During the crisis, legislators, government officials and business leaders had to take several new strategically important decisions and at the same time preserve the legacy. These decisions resulted in difficult ethical dilemmas that affect society now and will have a greater impact in the future. In the modern legal world, it doesn’t seem realistic to digest and analyse all industry changes at once; however, that’s what clients abstemiously demand. Below, we have prioritised the top four focus areas that law firms need to keep an eye on to ensure they are in a good position to support their clients.
1. Horizon view: operational resilience
More recently, the global regulatory perspective on operational resilience has fundamentally shifted. Since 2018, the UK regulators have taken a much broader view, covering all risks to the provision of critical and important business services, and focusing increasingly on the continuity of services in the event of disruptions. The UK regulators published the final rules and guidance on 29 March 2021; they will come into force on 31 March 2022. By this date, firms must have identified their important business services, set impact tolerances and carried out testing to demonstrate that the tolerances are appropriate.
In the US, Europe and the Asia Pacific region, although regulators have not (yet) specifically committed to new rules, the mood music from regulators is mirroring the UK regulatory view – the range and depth of new requirements relating to operational resilience are expanding, with the topic moving to the top of supervisory agendas. The consequences of Covid-19 are already increasing the regulators' focus on operational resilience.
While looking closer at operational resilience, firms expect to benefit from the upcoming regulation in many different ways from cost-cutting to an increase in operational efficiency. If properly managed, there is an opportunity to create synergies across all risk types, lowering the overall costs of compliance and risk management. In turn, this will contribute to operational effectiveness and ensure a more consistent approach for service delivery.
Operational resilience is a complex measure, and firms already manage risks that fall under the broad view of operational resilience, relying on long experience in business continuity planning and incident management. However, to a large extent these activities have been vertically discrete, focused on individual processes or systems, or narrowly focused only on technology. As a result, the broad view of operational resilience is expected to augment these existing activities, creating an end-to-end holistic view of key risks and the most considered approach to risk management.
In response to this, firms have already started juggling three key activities to establish and maintain resilient operations: manage risks, manage data, and manage costs. These provide the foundations upon which operational resilience is based. However, these activities cannot be addressed in a silo. Different companies will face challenges while creating an individual corporate view of them, but one of the main struggles for all impacted firms is doing these activities in unison and ensuring intersecting benefits do not fall behind.
2. Catcher in the world of intangible assets: data management
The digitalisation of the pandemics-like world has increased the value of data more than ever. There’s a growing appreciation of data as an asset to be protected, and for companies to transform the way they share, collect, and utilise data. According to the research, 20% of leaked commercial data is sufficient to cause bankruptcy, and it's no surprise a data breach can be fatal to any organisation. The reputational damage is correlated with the financial risks and impacts due to the negative perceptions of the company’s positioning. The number of data leaks caused by hacking, malware and phishing in 2020 increased by 30% compared to the previous year. In aggregate there have been more than 281,000 data breach incidents reported since the application of GDPR on 25 May 2018. For the period from 28 January 2020 to 27 January 2021, there were, on average, 331 breach notifications per day (a 19% increase) in Europe. Although these numbers are high, it can also be said that companies are taking the legislation seriously. Therefore, today companies are making significant investments in data protection. According to a 2021 report by Cisco, corporate data privacy budgets doubled to an average of $2.4 million in 2020 as businesses raced to ensure that they stay on the right side of the GDPR.
Most often, personal data is leaked due to erroneous or malicious actions of company employees. To mitigate risks, it is necessary to take a more responsible approach to the assignment of security levels and to implement additional measures, which might include penetration tests, timely security audits, adoption of conformity-assessed security systems, or separately protected communication channels, and measure them at least once a year to govern the security level of the infrastructure and internal databases. Each organisation must focus on its individual solutions to protect itself against data leaks.
Additionally, the rapid adoption of technology, and more specifically AI, which has flourished during Covid-19, creates further challenges. Organisations need to ensure they adhere to regulations such as GDPR and protect the rights and freedoms of individuals while protecting against biases if a robot processes streams of data for them. In this context, understanding data flow is key.
Data privacy remains an emerging and growing challenge. During the first three years of GDPR, enforcement has not been at the levels expected, but enforcement to date has placed an emphasis on culture and processes of data protection overall and not just on actual breaches. Meeting GDPR compliance can be challenging, and it definitely is not a “do once and forget” activity. Notwithstanding other distractions (such as Covid), indications suggest that the focus is coming back on the completeness and effectiveness of Data Privacy mechanisms. Ensuring that privacy mechanisms are well-designed, embedded and operating effectively seems to be high on most organisations’ to-do lists.
3. Ethics and culture
The global crisis has revealed ethical and corporate weaknesses in many ways and served as a test for some of the norms of business ethics. The main question on the agenda is how companies can recreate, promote, and maintain their ethics and culture in the digital and hybrid workplace. According to the statistics, 82% of the ethics and culture survey respondents have identified that company values are crucial in motivating employees to act in accordance with the standards in unprecedented circumstances. Ethical behaviour and immaculate compliance are critical for the business of financial services, and even though most companies always have been more than serious about these, a stronger focus is now on the agenda. And, while the level of seriousness may vary country by country, we have identified some global commonalities and areas of active engagement that help companies to ensure their ethics and compliance culture are above the industry benchmark.
Since the pandemic exposed companies to an expanded risk matrix, revisiting and rethinking risk management strategy exercises moved to the top of to-do lists. According to the research, the majority of organisations are confident in their risk assessment mechanism and find it effective; however, most of them still think there is room for the implementation of a more holistic approach.
This gap is caused by constantly changing rules and upcoming regulatory updates that keep popping up without giving organizations time to absorb the previous ones. Apart from managing risks, companies are also obliged to keep policies, procedures, training, communications, reporting, investigations, and misconduct under control.
The magic pill for this holistic approach is under development. Yet, the analysis of the existing documentation on compliance programme evaluation helps to set clear DOJ expectations for designing a compliance programme in the most comprehensible way. To achieve that, it’s recommended to consider assessing the compliance programme against three core questions.
The first one – “Is the compliance programme well designed?” – enables a broader look at core compliance elements and an evaluation of these in a silo. For example, ensuring a compliance program is tailored based on risk assessment results and periodically updated with incorporated lessons learned will help with a diligent risk assessment. For some companies, it opens an opportunity to encourage timely and regular use of lessons learned, as well as documenting the results and program changes.
Stakeholders’ commitment, resourcing and compliance incentives are strongly recognised and assessed with the help of the second question: “Is the compliance program adequately resourced and empowered to function effectively?". The importance of compliant conduct of the senior and middle management is proven to reinforce ethical standards and encourage employees to adhere to them and is an inseparable part of a strong ethical company. More and more senior employees are now investing their time and energy in compliance expertise and working on engaging initiatives, such as "speak up" campaigns.
And, even if the results of an assessment against the first two questions seem to put the company in the right position, it is still crucial to find an answer to the last question: "Does the compliance programme work in practice?". This question helps to acknowledge that not only a strong compliance program should be in place, but it is also expected to be continuously improved, tested, reviewed and analysed. In essence, developing and maintaining a consolidated view across an enterprise is a reasonable step to provide for an internal compliant culture.
It is fair to state that “too much compliance” does not exist, as even the minor non-compliance behaviour has consequences. The granular approach might serve as a good lifebuoy and can help with breaking down the compliance program into several smaller elements to ensure each of the pieces has its control and mitigation mechanism and vulnerable spots are duly protected. Even though the universal guidance does not exist, these recommendations are organic and might help with building a good compliance practice.
4. As tech as it gets: strengths of modern solutions
It is no surprise that in the world of online meetings and conferences, financial services are prepared for a boost of digitalisation from both the internal and external operations side. Even before 2020, significant investments in technologies have been trendy mainly due to a highly anticipated return on investment and industry pressure. Some companies placed technological development on the priority shelf, and some didn’t. The gap between those two expanded a few times when the necessity for tightened control, productivity and people management hit financial services firms during the crisis. The unprecedented environment didn't let companies easily catch up, and now most of them are reviving to overtake missed opportunities. That FOMO effect has been well-noted by the regulators. Therefore, they enhanced the way to monitor new technologies, including AI and machine learning.
New products and financial technologies on the market have been mainly focusing on data privacy and protection, data storage and processing, and cloud services. Nevertheless, one of the premier challenges is to find that piece of software that works for the nature of financial business, company size, and digitalisation level and which fits well into the change management strategy. The process of selecting the right technology can be simplified with the help of consultants and implementation specialists, but it still takes time to achieve the desired results. In a race of chasing leadership and competitive advantage, companies risk overlooking steps such as end goal, due diligence or environmental and social governance.
The IT department today is the one responsible for executing the change; however, legal service providers are seen as champions at driving the technological strategy. Unlike 10 years ago, this process involves more and more parties, in some cases, most of the departments in the firm. This is the reason for such initiatives to be implemented with engagement across the whole company. The more complex the technological architecture gets – the more complex it is to control and maintain. The unanimous approach will help to solve this challenge and will be a decent strategy to increase the success level of new technology implementation.
Choosing the technology is one challenge, and once stricken out, the next one is ready to enter – the technology implementation. This step might surprise companies with many discoveries, including that the selected technology is unsuitable. The implementation stage might also get complicated by mobilising a team with the unfit skillset, failing to communicate an internal change on time and missing an opportunity to make the right first impression, and developing a training programme without due attention.
Today, technological growth is not only about ROI but also about an ability to meet expectations and stay afloat. As a must, companies will be pushing for changes in the digital financial services field such as seamless connection with customers, intelligent process automation, and technological compliance with updated regulations on data and privacy.
About the author
Katsiaryna Pazniak is an Associate at Morae Global. She is a qualified lawyer and works closely in the regulatory and compliance field as a consultant. Her experience includes working on legal transformation projects including IT reviews, external legal spend management assessments, and working practice behavioural observations studies. Katsiaryna is a mentor of the University of Miami Law Without Walls programme, a founder of multiple start-ups and a member of the UCL BaseKX Hatchery start-up incubator.
Morae Global Corporation is trusted worldwide by leading law firms, legal departments, and compliance executives for the delivery of digital and business transformation solutions. Founded in 2015 by pioneers in the legal operations field, our vision is to execute legal + business strategies, resulting in lasting change, value and protection.