Legal department leaders share their strategies for assessing and mitigating increased risk
Kikelomo Lawal, chief legal officer, ombudsman and corporate secretary at Interac Corp., a Canadian financial service brand that facilitates secure financial transactions.
Megan Evans, chief legal and risk officer at The Hospital for Sick Children (SickKids) in Toronto, which is recognized as one of the world’s foremost pediatric health-care institutions.
Chris Harrs, executive vice president, general counsel and corporate secretary at Spin Master Corp., a Canadian global toy and entertainment company that markets consumer products for children.
Philip Milley, senior legal counsel at Mastercard Foundation, a non-profit organization guided by its mission to advance learning and promote financial inclusion for people living in poverty. The charity focuses on providing aid to African communities.
The 15th annual InHouse General Counsel Roundtable focuses on the issue of risk management from the perspective of in-house counsel. Representing four diverse industries, our legal leader panelists came together remotely to share views and strategies for monitoring, assessing and preventing risk within their organizations. Factors such as reputation, privacy and data security are a concern for all, while other risks are unique to specific industries. While the risk of a product recall or of a liability claim over a defective toy is a concern at Spin Master Corp., risks to patient and staff safety are top of mind at SickKids.
The pandemic that rocked the world this year created a slew of new risk factors as financial security was threatened for many organizations, and a remote working environment added new cybersecurity concerns.
Chris Harrs, executive vice president, general counsel and corporate secretary at Spin Master Corp., describes COVID-19 as “the greatest single risk factor that’s arisen in my working lifetime,” citing factors such as growth, supply chain issues and employee engagement as areas of concern. A class action lawsuit or a government recall could pose a significant financial risk for his organization.
“The way we measure risk is really about the financial effect on the company,” says Harrs.
Risks to patients are the foremost focus at SickKids, together with risks to staff, as well as financial and reputational concerns. The COVID-19 crisis created additional concerns for frontline staff at the hospital, particularly in view of the shortage of personal protective equipment that medical professionals were facing at the start of the pandemic.
“It’s a challenging environment, but I think we are taking on an incredible amount of risk in order to do our part to stem the tide,” says Megan Evans, chief legal and risk officer at SickKids. “From the CEO of the hospital down through all levels, the question is constantly ‘is this what’s best for the patient?’ and if it is what’s best for the patients, we find a way to manage the risk and to make sure that our staff are safe while so doing.”
Increased communication between members of the legal team is a strategy being deployed at Mastercard Foundation, together with the implementation of new contract templates to support team members. The continued success of the foundation's programs is itself a critical risk area for the organization.
“If we are not making the impact that we exist to make as a charitable trust, that’s a significant concern for our board of directors,” says Philip Milley, senior legal counsel at Mastercard Foundation.
Reviewing existing contracts and looking more closely at business continuity plans and disaster recovery are strategies used by the legal department at Interac Corp. Reputational risk, regulatory risk and data security risks continue to be key concerns at Interac due to the nature of the financial information being handled.
“We cannot afford for information to fall into the wrong hands. We cannot afford for information to be mishandled in any way, and so I would put data security close to the top for us,” says Kikelomo Lawal, chief legal officer, ombudsman and corporate secretary at Interac.
Our panelists agree that risk is a shared responsibility. As Milley states, “It’s important, I think, to have a culture of good governance, ethics and integrity that is really permeated throughout the organization.”
InHouse: How do you view and manage risk in your organization?
Lawal: At Interac, risk is very much a shared responsibility. We consider it to be essential from several perspectives: from strategic, security and product development to service delivery, compliance, governance and brand. All these perspectives really need to be informed by risk. It’s a responsibility that everyone in the organization shares — led, of course, by the chief risk officer and the risk team at an enterprise level — but we all have a responsibility in keeping the organization safe on that front.
Evans: From my role at SickKids, in terms of trying to make everyone feel accountable for managing risk, it goes beyond the legal department and risk management team. Every single staff member has a role to play and I think we had some real successes here when we took our enterprise risk register and assigned executive ownership to all the risks that are in the register. Right away that creates an accountability. It’s not risk management or legal owning a particular risk. It is the operational area that is most closely associated with whatever the risk might be, and we engage those leaders and their leadership team in our plans to mitigate and manage those risks as we move forward.
Harrs: We’re a public company and responsibility for risk management ultimately falls to the board of directors, but they, in turn, appoint a committee, which is responsible; that then falls to the executive team, and they create an executive risk management team, which is comprised of risk champions from the entire organization. People from IT, product development and legal will each have a risk champion who’s supposed to isolate and assess the various risks within their department and within their division, and they bubble that up to the committee, which then assigns values associated with those risks: the inherent risks, the residual risks and then they obviously suggest risk-mitigation strategies. We have a legal obligation to inform shareholders of the risks.
Milley: It’s essential to have an organizational view of risk. The risk and audit committees, the legal counsel and the board of directors don’t have insight really into the daily tasks that employees are really engaging in, so, it’s important, I think, to have a culture of good governance, ethics and integrity that is really permeated throughout the organization. It’s everybody’s responsibility and everybody has a unique insight into the work that they’re doing. It’s not owned by legal. It’s informed by legal. It’s informed by every employee, so, at the foundation, having this strong corporate culture is very, very important.
InHouse: What are the key areas of risk that cause you the most concern from a legal perspective?
Evans: We are a public hospital providing care to patients, and it may not be known by everybody, but there are studies that show that three to four per cent of pediatric patients that are admitted to hospitals suffer significant preventable harm during their stay at the hospital. Whether that’s a medication error or a wrong-sided surgery, these are significant concerns that arise in the course of care that could have been prevented. So, I would say risk to our patients is probably our foremost focus.
The other area that we focus on a lot are risks that affect our staff. We know that we are a great hospital because of the people that we have working here. We need to do everything that we can to ensure that they are safe. This has become incredibly important in COVID-19 times because of the risks that are associated with that, particularly in the health-care setting.
Another category that we keep a close eye on would be financial risks. If we can’t keep ourselves in the position to continue to do the work financially, that’s an issue. And, lastly, reputational. We are an organization that’s out in the public eye and it’s important that our patients and their families have the utmost of confidence in the care that we’re providing.
Lawal: I must echo the reputational risk. Interac is very much based on trust and these are pillars that are closely identified with us, so, we are vigilant when it comes to reputational risks. I think for us, I would add regulatory risks. I would also add data security risks in particular, because of the nature of the information that we handle. We cannot afford for information to fall into the wrong hands. We cannot afford for information to be mishandled in any way, so I would put data security close to the top for us.
Milley: Regulatory risk and tax compliance risk are significant concerns for us as a charitable organization. Certainly, there are multi-jurisdictional issues that arise. Privacy is a significant concern, but I think it’s important to really ground risk in the goals that you’re trying to achieve. As a charitable organization, we’re working to help beat poverty and to advance education and so the success of our program is a real, real risk. If we are not making the impact that we exist to make as a charitable trust, that’s a significant concern for our board of directors.
Harrs: A couple of years ago, our enterprise risk management committee came up with 131 global risks. We manufacture in China and Mexico and France, so there is geopolitical risk and there’s tariffs. I’m constantly fighting internally with the committee to try and escalate what I see as legal risk.
There is the risk of litigation, the risk of product recall, the risk of data breaches or privacy violations. I think that if we had a product liability claim over a defective toy or if we had a recall of a particular item and we got in trouble with [a] consumer product safety commission, it could mean $50 [million], $60 [million] or $70 million in damages. I find there’s a constant tension between making sure people understand risks that you control and mitigate and risks that you can’t control. Although it might not seem like a great risk, if you were to have a lawsuit or have a class action suit against you or you have a massive government recall, you’re looking at a very large financial risk and large financial repercussion. The way we measure risk is really about the financial effect on the company.
InHouse: How is your legal department adapting to handle increased risk caused by the COVID-19 pandemic?
Lawal: It’s about reviewing the existing contracts and making sure that we are examining performance obligations on both sides and looking at what adjustments need to be made on that front. For example, it might be the case that delivery times need to be extended. We even have some contracts that are affected because they had to deal with conferences that cannot be held anymore so we need to look at alternate channels.
All these things need to be considered by the legal team. We’re also looking at things that need to be embedded into contracts going forward. We are looking more closely at things like business continuity plans and looking more closely at disaster recovery — both for purposes of our own delivery and for those of our vendors.
Milley: The issue of contracting is a significant piece because that’s how we really engage with other parties. Looking internally within the legal team itself, we are ensuring that there’s increased communication among team members as well as the organization. COVID-19 has required each of us to work from home so that brings a whole new set of challenges in terms of managing and understanding risks that may arise, so increased communication is certainly a method that we’re using. We’ve implemented targeted education and supporting guidance tools and new contract templates in some instances to support our team members.
Harrs: Prior to COVID, we had taken our 131 global risks and narrowed it down to 17 priority risks. These are the ones that we hoped to try and mitigate to a desired level of risk. After COVID hit, it doubled to 32 so we had identified quite a few additional risks.
The basic one is growth. Risk is our failure to meet growth because of the economy when consumers are not going to stores, stores are shutting down and there is the disruption of the supply chain. Foreign exchange rates are being affected by COVID-19. A lot of retailers are out of business and asking for extension of credit terms during the crisis. Then there is the whole issue of employee engagement. When we have all these people working from home, how do we ensure that they’re working well and they’re collaborating and they’re engaged? Employee engagement is a huge, huge risk. Obviously, there is the issue of cybersecurity now that they’re working from home, so we’re making sure we have the requisite security measures in place. Those are just a few of the risks, but even within those categories, there’s a ton of other factors that are risks caused by COVID-19. It’s really the greatest single risk factor that’s arisen in my working lifetime for sure.
Evans: Like other businesses, we were forced to change the way we operate in a very short period. It’s a very unsettling time and there’s a lot of worry and concern expressed by employees about their own safety. I think you’ve probably all heard in the news about the PPE shortages that existed, so we weren’t actually able to plan in exactly the way that we wanted to in terms of addressing staff concerns and needs. We had teams deployed to figure out how to safely move people to the home environment where that made sense and another team of people who were working to ensure that people could come into the hospital and continue to provide safe care to patients.
All the while the government is doing its best to manage the crisis for the province and in so doing it is putting incredible pressure on the hospital sector to do things differently and to do things that we don’t normally do. It’s all fine and well for the government to be saying, “Hospitals, you need to go and do all these things,” but, at the end of the day, the buck stops with us. In the event of any issues with our staff or our patients, it will be the hospital corporation that’s on the hook.
It’s a challenging environment, but I think we are taking on an incredible amount of risk in order to do our part to stem the tide and I think that, from the CEO of the hospital down through all levels, the question is constantly: “Is this what’s best for the patients?” And if it is what’s best for the patients, we find a way to manage the risk and to make sure that our staff are safe while so doing.
Lawal: In all of the things that Interac is being asked to do — not just by government but also from industry organizations and by our issuers and our acquirers — all of it is in the vein of making things easier and better for the public, but there’s just an entire network that needs to be activated for some of these things to take effect. I think it falls to the legal department to support a lot of that, but the organization as a whole is being called upon as lots of industries are to do what they can.
InHouse: How is risk management formalized in your organization? Is there an executive committee with which you’re involved?
Harrs: We have an enterprise risk management committee with around 30 people from different areas of the organization. They meet every couple of months to discuss and assess the risks. It’s not only about identifying the risks but assigning an inherent risk factor to it. In other words, how likely is it to happen and how dangerous is it? It’s about assessing the financial impact. So, in other words, what’s the residual risk?
As an example, the inherent risk might be when your retailers don’t pay and that’s a high risk because that’s what we live off. We live off Walmart and Target and Toys"R"Us and Amazon paying their bills and, if they were to stop paying, that’s a huge financial risk. But what is our mitigation strategy? Well, we have receivables insurance. And so, when Toys"R"Us went bankrupt, for example, we had insurance covering those receivables.
Evans: We start at the board of trustees at SickKids as far as risk is concerned.
As a management team, we need to answer three fundamental questions for the board and keep them apprised. And those questions are: What are the key risks to the hospital? What are we doing to manage or mitigate those risks? How do we know that the strategies that we put in place are adequate and are working? That is the starting point and everything we do internally feeds up to answering those questions for our board of trustees. The board made the decision several years ago to maintain the oversight for risk within the hospital and, so, a big picture presentation up to the board happens a couple of times a year and then we have our board committee.
Lawal: I think of it from two or three different lenses. So, first there is the structural lens. We certainly have a lot of documentation that’s necessary. We’ve got defined governance, so there is a risk management committee. There is a board risk management committee — all that governance-oriented structure. We’ve got standardized tracking and reporting and that happens on a regular basis.
Then, there’s the behavioural lens. As I said earlier, the risk is a shared accountability. We all are responsible and, therefore, it’s embedded as part of the culture. Third is the procedural lens. There’s day-to-day management by the functional units. We have scheduled reviews by the committee and ad hoc ones that may take place as necessary. We’ve got things that are reviewed at a business unit level and then rolled out to the risk committee. Then, of course, we’ve got regular reporting and escalation to the board as necessary.
InHouse: How do you approach mitigating risk?
Evans: You can’t manage and mitigate everything to zero, so I think it’s really important to spend the time that you need to really understand the risks and understand how likely it is that it’s going to happen, and what’s the seriousness of it if it does arise, and then calculating your mitigation strategies accordingly. There’s a certain amount of risk I think that all organizations just inherently accept exists in the nature of their business and it doesn’t make sense to spend a lot of time on it. With other things like preventable harm to patients, as I mentioned, it seems like a no-brainer that we should be doing everything in our power to ensure that that happens as infrequently as possible and so we direct our resources there. I think it’s really about weighing up what kind of resources are going to be required to take this to the next level and whether it makes sense to deploy those resources.
InHouse: How much damage can be caused by social media and what policies do you have in place to mitigate against this?
Milley: Reputational harm is probably one of the most significant areas of risk for any charitable organization. If you lose the public confidence, the confidence of the donors and the confidence of the beneficiaries you’re trying to support, you might as well not be in existence. Social media is an area that has a potential to very, very quickly harm [the] reputation of an organization. We have several employment policies and social media policies that address the issue of social media use. We have a strong communications team that monitors social media. But, really, one of the strongest areas of mitigation can be through on-boarding and recruitment.
Harrs: There are two facets of social media risk for us. There’s internal use and we have an internet use policy and very strict guidelines about that. We developed a certification program so every employee has to do an interactive program that provides knowledge on what they can and cannot do.
The other risk for us is in how we use social media for advertising. We must be very careful about collecting personally identifiable information for children. We’re in this grey zone because we want to reach out to kids, we love to have their information and they all use TikTok and Facebook and Twitter and Instagram, but they’re not supposed to because they’re under 13. So, we’re constantly walking that fine line between trying to reach the kids where they are but where regulation tells them they shouldn’t be.
InHouse: What kind of cybersecurity and data protection programs does your legal team utilize and have these protective measures been ramped up as people are working remotely during the pandemic?
Harrs: Given that everyone’s working at home, we’ve escalated the layer of protection on unwanted emails and phishing attempts. I’m sure everyone has seen that there has been an increase in phishing attempts and scams going on with COVID-19. Thankfully, we’ve been spared from that. We have a pretty good IT department in terms of their approach to security. You must make sure everything goes through the firewalls and you’ve got appropriate protections in place, you’ve got a good internet policy, usage policy and you’re working over a virtual private network that’s controlled and monitored. We’ve increased our monitoring of people’s usage of data as well.
Evans: Our primary programs are Zoom for Healthcare and Teams. At the beginning, there was a bit more variation and we had a challenge in that we had to stop bringing patients into the hospital whose care could be managed from outside. So, notwithstanding that, they still did need regular contact with their care providers. It’s just another example of an area where we, at the initial outset of all of this, assumed some additional risk because we decided we needed to keep interaction between the health-care providers and the patients going. In the informed consent process, we explained that this is the platform we’re using, and this is what we understand about its security and this is how it would compare to an ideal state. We’ve managed over the course of the last several weeks to get ourselves on to the platforms that we consider to be more compliant with the various requirements from a provincial health information perspective.
InHouse: What is the role of external counsel partners with regards to risk management and in what situations do you seek their help?
Lawal: I would say the primary areas for us would be in terms of contracts; making sure that we’ve embedded the right provisions into our contracts, specifically in terms of contract and project governance and then also change management.
Milley: We are a very small legal team at Mastercard Foundation and external counsel partners are very critical for us, particularly across the different jurisdictions within which we work. So, we really rely on them for expertise in many areas and sometimes support where we don’t have capacity to turn around requests as quickly as possible. Really, for us in terms of ensuring that we are rightsizing our approaches to risk management and getting some benchmarking information, external advisors have a bit of an advantage of seeing what industries are doing rather than specifically what individual clients are doing such as us. Whenever we’re engaging in change management, it’s always great to have external support and advice.
Evans: There’s a huge differentiator between a decent, solid external counsel and a great one. Where external counsel have an industry practice that they’re focused on or a practice area that they focus on, their ability to see risk — because they’re advising hundreds of clients in an industry or in a particular subject matter area — and to bring that to you as the in-house counsel proactively where it might be harder for you to see it because all you have is your company’s experience, I think, is a really important thing.