Entity ABC allowed its website users to make payments through a payment gateway present on its website, but failed to insulate itself against a breach of the payment gateway's data security. It had to compensate users for 50% of the losses they suffered on account of that breach.
Entity DEF did not know it was required to report the KYC details of its directors to the Government every year. It had to pay a heavy remedial fee to rectify the non-compliance.
Entity XYZ understood that it was required to maintain several registers under various labour laws only after being penalised by a Labour Inspector.
None of the above situations is unimaginable, yet all of them could have been averted had the key managerial persons been made aware of the applicable regulatory and legal compliance requirements at the right time. In the current world, running a successful business goes beyond yielding capital value and tallying the books of accounts. Recognising, analysing and managing the various risks associated with a business have gained equal importance.
Within the umbrella of risk, financial risk is the most commonly recognised (for obvious reasons). Conventionally, legal and regulatory risk is considered a non-financial risk (and its impact is therefore underestimated). However, with continuously changing rules and regulations, heavy remedial penalties, civil as well as criminal liability for non-compliance with applicable laws, and not least the loss of reputation, the time has come to change this long-established viewpoint.
To take the very first step in the right direction, it is necessary to create a strong internal culture within the organisation that recognises legal and regulatory risk. The change in viewpoint should preferably be initiated at the top and mirrored through all layers of the organisation. One way to do this is to publish the management's views on the prevailing non-financial risks, and the steps taken by the company to mitigate and manage them, in the same set of documents (Annual Report, CEO/MD's address to employees, etc.) in which information about the prevailing financial risks is published. This sends a strong message across the organisation that a new culture is being developed and is to be adopted.
The next step is to document various Standard Operating Procedures (SOPs) to support the newfound culture. The SOPs could include procedures for executing and maintaining documentation, i.e. agreements, memoranda and deeds, including the designations of the officers permitted to represent the company and the limits of that representation. They would also include a list of the laws the organisation is required to follow and a list of the registers it is required to maintain. Initially, this exercise would also include an audit of past agreements, legal records and registers to understand the existing legal and regulatory risk. The next task would be to rank the risks, giving the highest priority to those with the heaviest repercussions (taking into consideration financial liability, civil liability and/or criminal liability). Remedial measures can then be undertaken accordingly.
The next step would be to conduct a legal and regulatory audit on an annual basis to assess adherence to the SOPs and to the applicable laws. The observations of this audit can be used to revise the SOPs (if required) and to take remedial measures in case of non-compliance.
Therefore, legal and regulatory risk evaluation, mitigation and management becomes a continuous process which, in the long term, reduces the chances of an organisation suffering heavy penalties, unanticipated legal claims from other parties, and public discredit for not abiding by applicable laws. An added hidden advantage is earning public goodwill.
Last but not least, this will help the organisation institute transparency, accountability and sustainability through legal and regulatory corporate governance.