When third-party risk gets murky

What can a legal department do to manage bigger risk exposure?

Security for financial firms all too often extends beyond a firm’s borders, and beyond the risk function’s scope. A financial firm’s legal department, in particular, faces thorny challenges when it comes to managing risk across internal and external counsel.

Law firms have different—and generally less stringent—risk management requirements, so data shared with them can be at risk. Cyber attackers keep law firms in their sights, because data gained in an attack is useful in and of itself, but might also tip investors about possible activities such as upcoming mergers and acquisitions. Reputation is also at risk: if a law firm is breached, word gets out about that firm and about its clients, such as financial firms.

What can a legal department do to manage this bigger risk exposure? Accenture’s report, Third-Party Risk Discipline for Legal Departments, offers ideas.

The path ahead

Legal departments of financial firms would be well served to implement disciplined, systematized controls that balance costs and benefits across in-house legal providers, preferred outside providers and non-preferred outside providers. A comprehensive approach that tracks legal work across all providers not only monitors adherence to the risk methodology, but can also yield resource and budgeting insights.

What do the various options look like? Here’s a glimpse:

In-house counsel: Likely presents the lowest risk, and should already use in-house systems and procedures. But can in-house counsel adjust to a variable workflow? Does this team have the required depth of knowledge for tricky legal issues?

Preferred outside counsel: By creating a preferred counsel list, a financial firm may find providers willing to undergo risk assessment and onboarding reviews. This approach may also support preferred vendor discounts. And it could motivate select vendors to build a sustainable level of knowledge about a financial firm’s business, making for a strong partnership.

Specialty outside counsel: Specific expertise around unique issues or tied to certain jurisdictions could lead to hiring “non-preferred” outside counsel. One solution might be to choose vendors willing to submit to short-notice vendor risk evaluation. An end-of-project off-boarding process might also be needed.

Five steps to light the way

Legal Third-Party Risk Management (TPRM) follows this five-step process: planning, vendor selection, contract negotiation, ongoing monitoring and termination.

Luckily, some high-tech tools can help automate and manage these five steps. Useful new technologies include desktop automation, Robotic Process Automation (RPA), and cognitive computing and digital assistants, which together fall under Artificial Intelligence (AI).

Here are a few examples of new technology at work in a Legal TPRM program:

Desktop automation can help calculate a law firm’s risk rating, and supports pre-populating engagement questions for future, similar engagements.

When sensitive data is sent to an outside law firm, AI can better tag the data, clarifying what data was sent (and what was not) in the event of a breach.

During termination, desktop automation can help identify inactive firms, triggering a review to determine whether it is time to terminate.

For financial firms, a risk burden can be eased. Protection against regulatory and reputational risk is one solid gain from adding legal third-party risk discipline. A strong approach can better focus resources—and deliver greater value to a firm’s customers.

Samantha Regan

Managing Director – Strategy & Consulting, CFO & Enterprise Value

Daniel Maloney

Director – Financial Services, Finance & Risk
