March 03, 2009

Risk Assessments Recommended for Companies as SEC Prepares to Flex Its Muscles

The increase in the SEC's enforcement tone, coupled with mass layoffs, could be setting the stage for serious compliance risks at various public companies.

I just read "Companies in Dangerous Position as SEC Prepares to Flex Its Muscles", a National Law Journal interview with Michael Dockterman, a litigation partner at Chicago's Wildman, Harrold, Allen & Dixon, whose practice includes advising boards on corporate governance and compliance issues.  He spoke about why boards need to boost compliance, even amid corporate budget cutbacks.

A key take-away is that as the remaining employees are increasingly overworked as the result of mass layoffs, there are fewer people with less time to focus on compliance issues.  Meanwhile, the SEC appears to be gearing up via policy changes to boost the commission's enforcement powers.  This doesn't bode well for companies who may be spending less time on compliance in order to deal with more pressing issues.

Thus he recommends that directors should not reduce the amount of time spent on performing and evaluating risk assessments that should be at the foundation of all compliance programs.  "Companies should look at where their operations are rubbing up against legal requirements, financial or otherwise. How are we certain that the way in which we're conducting our operations is in compliance with laws, including labor laws, environmental, antitrust and securities laws -- the whole gamut?"

I'll add that in addition to the more obvious areas above, eDiscovery and litigation readiness are just as important in companies' compliance programs.  In all those areas listed above, electronically stored information (ESI) is going to be present.  The company's ability - or inability - to properly preserve, collect, review, and produce ESI could have far-ranging implications and impact.

I've heard from so many companies' attorneys that they know they have significant risks relating to eDiscovery and many feel that they've just been "lucky so far."  Typically, preservation, collection, and spoliation issues are keeping GC's and AGC's up at night.  As law department budgets are being cut by as much as 20%, their job is certainly made more difficult.

However, those with the appropriate balance of short-term and long-term vision are finding ways (and funds) to invest in the future of the company by addressing these issues before they blow up on counsel and IT.  When you consider the hard dollar costs, the blow to both the company's and legal department's reputations and position in the marketplace, and resulting fallout, one "compelling event" (as we tend to call it in the trade) can cost the company far, far more than any amount of proactive investment that could have prevented or greatly mitigated it in the first place.

Some are taking better stock of where they are, identifying their gaps, and then putting in place both procedures and technology, where justified, to address them.  For some, it's slow going, making only modest gains and inching along while hoping the recession doesn't stretch out too long, or the cuts become too deep.  And many, I suspect, are experiencing much quiet desperation hoping (and some might even say gambling) that they don't experience that "compelling event" before they are better able to address the underlying issues.

The problem is that in the current economic climate, between terminations of executives and increased SEC investigations, companies will likely experience more of these with upper management involved as both plaintiffs and defendants.  These tend to be higher dollar, higher risk, and higher visibility.

Especially with staff culling, many companies simply lack the internal expertise to have a broad enough understanding of industry best practices and the resources to define and implement them effectively - whether it's records management, information governance, or litigation readiness.  My suggestion is that it's better to spend a relatively small amount on addressing them now with outside help and making steady progress (even if it's not as fast as you'd prefer, it is still progress) and positioning it internally as a significant cost avoidance program.  It's also a metric that can be reported upward to the board as a sign of responsible management.

You might be surprised how much people are willing to listen about cost avoidance these days.  Be prepared to discuss ROI not so much in terms of estimable dollars (as we know these types of matters are very difficult to predict dollar-wise), but in terms of number of events avoided.  If you could make your money back by avoiding just a handful of these events, that's a very compelling ROI story to tell.  If pressed for dollar estimates, give ranges and tiers for enhanced credibility.

So while budgets are being cut, there is still a need for proactive risk management.  As internal resources dwindle, consider augmenting your efforts with outside expertise.  Compared to the cost of not doing it, it's actually a very responsible thing to do in the long run.

Topic(s):   Electronic Discovery
Posted by Jeff Beard