My introductory post about Legal Week’s Corporate Counsel Europe Forum was called Drowning in Regulation, and covered what its title implied. Apart from the panel which I was on, which was dedicated to the subject, there was little reference to information management at any of the panels which I attended or in the discussions in between. Some would simply take it for granted because their companies are good at it; perhaps those whose role involves firefighting litigation or investigations were back in the office fighting fires, whilst those with responsibility for the specification and implementation of enterprise content management and all its components and extensions are not those invited to conferences like this.
Since we know from the accounts of almost everyone who offers information management solutions to companies that the cost of electronic disclosure is a major concern, I can conclude only that this audience self-selected as having other responsibilities. I spoke to one or two for whom the idea of single-instance e-mail archiving (to take but one obvious data source) seemed a novel concept, never mind the flow from that through into electronic discovery and response to regulatory investigations.
IBM’s George Parapadakis seems to have come away with much the same impression. His article Lawyers are from Mars, Technology is from Venus expressed frustration that many of the non-discovery problems identified during the sessions were ones which could be mitigated by investment in appropriate technology solutions. He gives examples and, if I incorporate his article by reference, I can avoid repetition. My own conclusion lies in what I say above – there is a gap between those responsible for implementing information systems and those who could benefit from them, and a further gap between the people who generate and use information and those who have responsibility for identifying and producing documents to lawyers, courts and regulators or for the purposes of internal investigations.
The technology session was largely about this latter use of a company’s information. I talked firstly about developments in civil litigation, observing that the relevant parts of Lord Justice Jackson’s Litigation Costs Review, and the new eDisclosure Practice Direction and Questionnaire were driven from the top of the judicial system in response to demands by court users. Their focus, I said, was on reducing the costs of electronic disclosure by demanding the exchange of information about data sources at an early stage, by requiring co-operation as to the mechanics, and by encouraging judges to manage cases actively as the rules require. Some of the cases (I mentioned Earles v Barclays Bank and Goodale v the Ministry of Justice in particular) went to the same point – a focus on the things which matter rather than on plodding through vast volumes of data in purported compliance with the rules.
The message for corporate counsel, I said, was that the interests and objectives of a company and of its external lawyers were not necessarily identical. Even if you discount the possibility that law firms have little interest in reducing the scope of disclosure, they seem often to be fighting corners whose value to the client was minimal. You will hear lawyers say that their clients will feel betrayed by cooperation over disclosure – “My clients pay me to fight for them, not to be agreeable about anything” they say. It was worth asking, I suggested, what proportion of the last big litigation bill went on argument about disclosure points which were really of no value to anybody, however well they may have played as combative posturing.
The message from Earles v Barclays Bank was that companies should be ready for such litigation as their risk profile suggested was likely to come their way. That objective, and the practical steps taken to achieve it, were much the same as the information management component in the defence of “adequate procedures” in section 7 of the Bribery Act (the corporate offence of failing to prevent bribery). Both should be part of a company’s GRC (Governance, Risk Management and Compliance) policy.
Matt Ward, a Vice-President of the Information Risk Management team in the compliance department of Barclays Capital, has responsibility both for discovery / disclosure and for the hands-on control of that part of the company’s compliance policies which involve communications. New channels open up all the time, bringing advantages in terms of customer relations but also significant potential drawbacks. It was not a good enough answer, Matt said, simply to ban or deny access to all non-traditional forms of communication. A mixture of rules, training and control was needed – a specific example of one of the themes identified in the first session of the Forum.
Daragh Fagan is general counsel, EMEA, for Thomson Reuters Markets Division. His subject was broader governance of the company’s information, the positive benefits and the potential for growth. Many see the management of information as primarily a defensive task or, at best, an area for cost-reduction. Information itself, however, is part of a company’s asset base, with governance aimed at maximising its value for the business whilst remaining alert to the potential for risk and expense.
A lot of technology marketing, particularly in the US, is done on largely negative and defensive grounds. There is much to be afraid of, and nothing which I heard at the Corporate Counsel Europe Forum diminished the impression that risk management is a primary driver for in-house lawyers and compliance departments. Those who seek to encourage the uptake of technology solutions often see budgetary constraints as the barrier. Money clearly is tight, but these companies are spending fortunes anyway on legal and compliance departments and ought to be receptive to ways of reducing those costs.
One message which came across was that risk and compliance is not seen as purely a legal matter and that the lawyers’ remit is broadening to cover wider areas. That will bring them into contact with ever more functions which depend on information and which, individually and in aggregate, comprise a growing component of both cost and risk. Strategy, people and process are three of the required components of an integrated GRC approach. The fourth is technology, used not merely to create, store and retrieve large volumes of information but to analyse and use it for reasons positive as well as defensive.