Enterprise Risk Management - The New Frontier

Thursday, June 1, 2006 - 01:00
Lori Nugent

Editor: I understand that Cozen O'Connor recently created the Enterprise Risk (ER) Practice Group, of which you are chair. Please define for our readers what ER is intended to cover.

Nugent: When a business is faced with an enterprise-level risk to the bottom line, it needs a solution that works. We have decades of experience in containing enterprise-level risks. We have developed solutions that work. Our ER group contains and controls enterprise-level litigation risks. In part due to Sarbanes-Oxley, companies are focused as never before on identifying risks that extend beyond operating units or otherwise have the potential to have a negative material impact on the company's bottom line. When exposures of this caliber reach management's attention, swift action often is needed. We are experienced in obtaining critical information quickly, preparing action plans that create favorable traction for our clients, and implementing proven strategies that favorably impact outcomes.

Editor: What practice areas are involved in the ER group?

Nugent: We have nine ER lawyers experienced in quickly addressing the unique challenges presented by enterprise risks. There is no single substantive area that all enterprise risks involve. These risks arise in a wide variety of contexts, but enterprise risks require special handling and creativity. One-size-fits-all solutions are not effective. Our decades of experience in addressing problems of this scale expedite containment efforts, assist in avoiding pitfalls, and enhance the likelihood of success.

ER lawyers frequently are involved in containing cyber-perils and punitive damages. For punitive damages, we often are first retained after a substantial adverse verdict is rendered. For example, we were retained following a runaway punitive damage verdict that was awarded by an Arkansas jury. Our appellate arguments convinced the Supreme Court of Arkansas to order a $42 million remittitur. Since defense counsel objected fewer than ten times during the two-week trial, many appellate issues that otherwise would have been available had been waived. As a result of that initial assignment, we regularly are retained on the company's punitive damage claims that are slated for trial because they cannot be settled on reasonable terms. We ensure that strong fact and expert testimony on key punitive damage issues is developed and presented, pretrial motions are filed on constitutional issues, and mistrial motions and appropriate interlocutory appeals are taken when appropriate. In a two-month span, defense verdicts were attained in Florida, Mississippi and Texas. Our punitive damage defenses are effective.

In response to emerging cyber-perils, ER lawyers were involved in developing one of the first insurance policies expressly providing coverage for cyber-risks. These insurance policies permit companies to shift cyber exposures from their bottom line to an insurer. We have over a decade of experience in cyber-peril litigation. We know how to resolve these problems quickly, efficiently and cost-effectively.

Because the substantive areas involved in an enterprise risk vary, the ER group regularly involves lawyers with particular, relevant expertise who are not in the ER group. For example, when our client was threatened with a temporary restraining order that would have required all of its new video games to be removed from stores, we involved our intellectual property lawyers, who prevailed at the TRO hearing and successfully resolved the dispute.

Also, lawyers outside of the ER group frequently involve ER lawyers when their clients are faced with critical situations. For example, one of our corporate labor and employment lawyers involved the ER team immediately upon receiving a call from his long-standing client. The client had just been informed one of its low-level managers was charged with sexual assault of a minor, also employed by our client. We provided direction and strategic advice to ensure that the client addressed the situation in a way that would contain its exposure to punitive damages. Caring and appropriate action was taken and documented. The situation was resolved quickly, sensitively, fairly, and without litigation. Because of the company's sensitive and upstanding conduct in working with the victim and her family, the company's good name in the community remained intact.

Editor: What are the other overall enterprise risks that companies face?

Nugent: Because of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) initiatives, Sarbanes-Oxley (SOX) and enterprise risk management standards, companies now more than ever understand that risks do not fit neatly into operating units. These regulations have helped organizations identify broad-based risks that - in our past experience - companies ignored because there was no one person or operating unit with clear responsibility.

Most companies face four key enterprise-level risks: 1) cyber peril, 2) brand name and reputation protection, 3) punitive damages, and 4) intellectual property protection. In the past, companies would have been blindsided by these potentially financially damaging risks. Today, while it is challenging for organizations to identify enterprise-level risks, identification is the first step in containment.

These risks can be managed effectively, but an everyday approach does not work well. A SWAT team approach often is effective for pinpointing the problem quickly and determining the most effective action plan to implement in providing a solution. When a risk of this magnitude is identified, members of the board and shareholders are keen to have action plans in place to address the problem and get it resolved.

Punitive damages cases - arising in litigation as a result of alleged gross negligence or malicious conduct - are great examples of this type of risk. Any operating unit in an organization - from production to human resources, etc. - can be responsible for creating a punitive damage risk. With plaintiffs typically asking for punitive damages in an amount that is material for a company in order to "send a message" to the boardroom, these cases can have a substantial negative impact on a company's bottom line and its good reputation. We have developed certain steps that have proven effective, even in the worst jurisdictions, to protect a company's financial health from punitive damage risks.

Editor: Do you suggest that your clients follow the COSO Guidelines?

Nugent: While COSO Guidelines are widely adopted, we do not require, recommend or suggest that a company follow any particular form of evaluating enterprise risks. Companies already receive considerable advice in this area from their accountants and other consultants. While the various guideline systems and procedures help companies identify these risks, there are many different ideas about the best way to comply with SOX. Some involve more traditional risk management methodologies and others are more fluid. Rather than advising companies on the type of enterprise risk analysis that they should use, we come in at the point when the risk has been identified. Our job is to help the company contain and control the risk.

Editor: What are examples of how ER handles enterprise risk?

Nugent: One of the best examples of the way our ER lawyers work is in the cyber peril area. Years ago, as e-commerce emerged as a legitimate marketplace, we were struck by the fact that companies had no vehicle for shifting these exposures from their balance sheets to insurers. As cyber exposures proliferated, we worked with emerging technology companies impacted by these risks, insurance brokers, and insurers to create a workable solution. The first insurance policy we were involved in developing was issued 10 years ago. Since that time, we have handled hundreds of cyber peril suits and claims. We continue to work closely with technology companies, traditional brick and mortar companies with Internet operations, and insurers and brokers as the market continues to address emerging cyber risks.

In other contexts, ER lawyers frequently address a category of problems, rather than being retained to address a single claim. In this way, it sometimes is possible to contain the exposure by addressing the root of the problem.

Instead of handling a specific litigation matter, ER lawyers frequently are retained to help a company address its overall risk categories. For example, we were retained to evaluate a company's handling of litigation in the aftermath of a large punitive damage award. We provided specific recommendations, which the company adopted. The company's outside counsel costs decreased substantially, the accuracy of its litigation reserves improved, and its overall litigation results improved so dramatically that it triggered an internal audit. The audit proved that the improvements adopted by the company in fact generated the favorable results.

Editor: How can in-house counsel work with management to handle overall enterprise risks?

Nugent: We are seeing in-house counsel involved more with the enterprise level risks as they are identified through various processes. The Board of Directors and shareholders increasingly expect in-house counsel to find a solution, often working hand-in-hand with risk management. We usually see involvement of risk managers, in-house counsel and outside counsel in a team effort to craft effective action points for containment of the enterprise level problems.

Editor: Are more companies taking measures to identify and carefully evaluate their enterprise risks today?

Nugent: Absolutely. As a result of SOX and enterprise risk analysis, companies are better able to identify these risks in advance, allowing them to better handle exposures that arise.

A significant example is the new focus on data theft. With some well-publicized incidents of personal data being stolen or accessed and resulting litigation, we have seen an increased emphasis on this area. There are now over 20 states requiring reporting to individuals if their personal data has been accessed, with a strong likelihood of federal legislation as well.

One interesting question at an enterprise level is if the company notifies individuals that their personal data may have been accessed, what else should the company do to address the situation? Just telling someone that their personal data has been accessed is not a satisfactory resolution and is likely to generate litigation. One thing that companies are doing is setting up call centers that victims can contact to gain a better understanding of the situation, and to provide some degree of assistance if the impacted individual experiences identity theft. A call center is a great first step.

Call center training, however, may be critical to the ultimate success of the effort. For example, if a call center employee is less than truthful in responding to an inquiry from an impacted individual, the interaction could form the core of a deceptive trade practices suit. It is important for companies to create the solutions carefully and thoughtfully before implementation - and in advance of a live situation.

A recent FBI report indicated that nine out of 10 organizations in the U.S. were victims of computer security incidents. One out of five was hit more than twenty times during the year, with two-thirds suffering financial losses. The scale of this problem is substantial.

Editor: The Internet provides an inviting mechanism for those who would commit fraud.

Nugent: One of the risks that we have seen increase substantially in the last year is cyber extortion. Criminals are using denial of service attacks for extortion. They will shut down a company's system for a short period to prove that they are able to do so. They threaten to "go live" with a denial of service attack that could freeze the site for a considerable period of time if their demands are not met.

Editor: How do companies hedge against these risks?

Nugent: These are risks that are difficult to address. There are vendors with whom we regularly work that help companies avoid these problems, and are skilled at crafting technical solutions if the problem arises. From a risk management standpoint, companies need to be aware of these risks, determine their risk appetite, and use available insurance coverage to shift risk to insurers. Risks like cyber extortion are significant and the market for insurance is evolving. Part of what we do at Cozen O'Connor is to work with companies and insurers to create new wordings addressing these problems.

Editor: How do you mitigate punitive damage awards?

Nugent: Cozen O'Connor has successfully contained punitive damage exposure for decades. Over the years, we have found that there are ways to avoid punitive damages and contain them. It is important to have a focused punitive damages defense - quite a different endeavor from simply defending each case - and to create internal and external steps to minimize exposures. We have developed effective, pointed defenses that have saved hundreds of millions of dollars for companies over the years.

Please email the interviewee at lnugent@cozen.com with questions about this interview.