Speakers from Cineplex, Laurentian Bank, Canadian Pacific and Torkin Manes share ideas
Leading general counsel from a range of industries came together at the Legal Marketing Association’s annual General Counsel Panel on Nov. 24 to discuss the latest trends in risk management, the growing importance of data protection, and the role of external counsel partners.
Thomas Santram, senior vice president and general counsel at Cineplex; Bindu Cudjoe, chief legal officer and corporate secretary at Laurentian Bank of Canada; and Nizam Hasham, general counsel and assistant corporate secretary at Canadian Pacific Railway were joined by Roland Hung, counsel at Torkin Manes LLP and former senior legal counsel & global privacy officer at Finning.
Moderated by Tim Wilbur, global managing editor for Key Media’s law publications, the panel touched on the changing nature of risk in the aftermath of the pandemic.
Canadian Pacific Railway has a standalone risk function that works closely with legal and the corporate secretarial functions. Hasham spoke about the interplay between risk management and ESG.
As a railway company, Hasham said that CP faces risks involving weather and climate so legal is one group that works closely with the environment group, supporting the group as it makes submissions to the CDP and the Dow Jones Sustainability Index every year.
"We see climate emerging as an important area with advice provided by both legal and corporate secretarial departments," said Hasham. "We see the ESG area permeating various parts of the business, through the board level and into the business iteslf."
At its 2022 AGM, CP's shareholders voted in favour of CP's approach to climate change, with 86.88 percent approval, indicating its significance.
At Laurentian Bank, Cudjoe and her team navigate an operational risk management framework that incorporates at least 17 different types of risk including legal risk and regulatory compliance risk. Cudjoe said that team monitors risk through two different lenses.
“We manage risk in contractual relationships and service relationships that we have with customers, so we manage risk through the language in contracts,” said Cudjoe. “Then of course, we also manage risks for the organization, so we look at what we’re doing to meet our public company disclosure obligations.” They also monitor risk involving third party procurement and suppliers. The team works closely with risk colleagues across the organization, which allows them to share information and gain knowledge on a broad range of risks.
At Cineplex, Santram’s team also navigates a wide range of risks, the greatest threats being health & safety, insurance, securities law, and IT security.
“IT security became even more of an issue for us during COVID because of lockdown,” said Santram. “With everyone locked down we were seeing a greater incidence of online attacks, people getting into our ticketing system, and basically trying to get into our network.” The team is also vigilant when it comes to mitigating risk surrounding customer and employee data.
Risk has evolved considerably, with data playing a far greater role than ever before. As a joint owner of the Scene loyalty program – one of the largest loyalty programs in Canada – Cineplex gathers customer data to deliver promotions and enable simplified online purchases. This creates challenges for the legal team as they work to ensure the data is safely used and stored, Santram said.
“One of the things the legal department has been very active about is how much information do we actually need, because I see every one of those little data points as a risk,” said Santram. “Unless we are mailing you a physical card, we shouldn’t really ask for addresses.”
The legal department should not be a place where dreams go to die, Santram added. “Our default answer should be ‘yes’ but it’s sometimes ‘yes’ with a little asterisk next to it, so we’ll get you where you need to go. Let’s just do it a slightly different way.”
Data is also top of mind for Cudjoe at Laurentian Bank, with vast quantities of sensitive customer information collected and stored, in some cases for almost 200 years, raising significant risks for the bank. Breaches are happening across every industry, raising the question of what can be done differently.
“Fundamentally as lawyers and professionals in this space, we owe it to ourselves in our organizations – and to our consumers – to really try to rethink how this can fit together as a paradigm, because the old ways of protecting are not working,” said Cudjoe.
As counsel in the technology, privacy and data management practice at Torkin Manes, Hung’s practice has been very busy dealing with client breaches and ransomware attacks during the pandemic.
“What I would recommend as a mitigation to that risk is to do training and table-top exercises to the extent that you can afford,” he said. “We know you put proper policies and procedures into place to ensure that you’re prepared if there was an attack, but in addition to that, make sure you are training your teams and various stakeholders on how to respond to these risks.”
Hung spent five years in the legal department at Finning before joining Torkin Manes early in 2022 so he spoke about his involvement with risk management during his time in-house. The risk department function at Finning did not reside with legal, Hung said, although they were heavily involved. A separate department was responsible for risk management, and all stakeholders participated in quarterly meetings to update the risk register. As the privacy officer, Hung provided an update on all risks relating to privacy matters.
At Finning, Hung said his goal was to be intentional about using the risk around data and turning it into a risk opportunity.
“When we developed the risk framework, we wanted to signal to customers that you can trust us with your data and use our platforms, and we will take it seriously and we won’t share it. It became a selling feature,” said Hung.
Panelists agreed that external counsel play a vital role in risk management for their clients.
“One of the biggest things that our external counsel have done is they learn our business, and they learn what our pressure points are, and what we care about,” said Santram. As a cross-border company, Cineplex operates in businesses including advertising, loyalty, gaming and arcades, in addition to the cinema business, so it is important for external counsel to understand all these areas, he added. Santram also values partners who tell him what they think.
“Don’t say, ‘hey, you’ve got two choices, so pick one.’ For the hundreds of dollars an hour that we are paying, I think our external counsel should tell us exactly what they think we should do and why we should do it,” he said.
Hasham also spoke about the importance of strong relationships with external counsel partners. Proactive thoughts and advice can go a long way in terms of helping manage risk, he said.
"Sometimes even just having somebody send you something as simple as an article that says 'hey, have you thought of this?' can be very helpful and help you focus on an issue," said Hasham. "For example, I deal in the securities space quite a bit, and so knowing what's coming next – whether its from the Securities & Exchange Commission, or the regulators in Canada – and having access to that before you're asked by your managment or your board so you're equipped to deal with these things is important."
Cudjoe commented that she enjoys working with law firms and lawyers who provide her with advice that goes beyond the law, and those who are not focused only on worst-case scenarios.
“The external counsel that I go back to over and over again are the ones who make it clear enough to me that they know what the worst case scenario is, but they help me live in a place of where the likelihood is, and the more realistic and pragmatic approach, and then help me communicate that back to my colleagues,” said Cudjoe.
