Ioannis Voskos, Legal Director at Hellenic Petroleum’s Retail Legal Division in Greece, talks about the role of senior in-house counsels in a world where risks can no longer simply be “controlled.”
The number and diversity of risks are growing as companies expand, introduce new products, diversify the supply chain, and face evolving “black swans,” leading to dramatic changes in the current regulatory framework, both locally and globally. Our ability to manage these risks has not kept pace.
We must understand the source of such risks in order to predict them and identify appropriate responses. The days when risks could simply be “controlled” are over. Not only is control a costly and sometimes ineffective response to risk, but it is also often the wrong approach. Instead, we must be proactive, identify the risks, and take measures to mitigate them.
In addition, we need to focus on risk as an inherent driver of innovation and business development. Ships are safe in harbor, but they are built to sail the open seas. Calculating the risks allows them to do this.
Providing internal clients with business-oriented advice requires a combination of commercial awareness and legal knowledge.
We need to know our company and the industry in which it operates, and we must make sure that we are taking advantage of both public and internal information before we draft legal advice.
A legal counsel needs to know the group he or she is advising much better than any other third party does, and must be able to provide more than mere technical advice. Instead, we must furnish internal clients with legal advice that combines input from all interested group stakeholders and identifies the consequences of business decisions executed in the relevant legal and regulatory framework.
Instead of answering with a mere yes or no, or explaining the range of grey in between, legal counsels must provide the client with a full explanation of the risk curve. We need to provide answers that explain the probability and level of exposure, proactively mitigate risks, and suggest action plans in case the risk materializes.
Risk management in legal analysis enriches the counsel’s knowledge with know-how from other business sectors, enhances the decision-making process, and improves the perception of the legal counsel as a trusted legal and business advisor.
A legal counsel serving as Data Protection Officer provides a typical example. The legal counsel must not only provide the organization with a typical memo summarizing the legal rules and explaining potential fines for breaches. The DPO must also minimize the level of risk tolerance, taking into consideration the harm that a violation may cause to the client’s reputation, and propose mitigating measures, such as internal audit procedures, training of involved stakeholders, drafting policies, acquiring the necessary certificates, performing regular audits, etc.
Legal Counsels in a DPO role must also take advantage of publicly available information and engage IT-AI Data Protection Systems for support. Technology can enable the creation of a risk profile from a vast array of otherwise unrelated information and provide a holistic approach to legal questions.
The Hellenic Petroleum Group of Companies’ Code of Business Conduct is an excellent example of how to understand other zero-tolerance risks and suggests that legal counsel must be extra careful when addressing relevant matters. The Code of Business Conduct focuses on principles of safety, adding value to customers, operating responsibly towards society and the environment, respecting colleagues and partners, promoting meritocracy, encouraging teamwork, innovation, continuous improvement, and results-orientation. It also focuses on investment for sustainable development and continuously enhancing competitiveness by applying high standards of corporate governance, while creating value for shareholders and focusing on the continuous improvement of results and cash flows. Last but not least, the code addresses the attributes of integrity, professionalism, commitment, judgment, initiative, and extroversion.
Finally, we must ask how we should train our team to not only identify risks but also assess their potential impact, to decide if they need to escalate those risks internally.
To start, we need to acquire a deep understanding of our client’s organizational chart and relevant people and study internal processes and group policies, available IT systems, and whistleblowing channels. We also need to be extroverted to the extent necessary to inform the organization promptly of emerging risks, taking into consideration the need to safeguard the requisite level of confidentiality.
We must also invest more time and effort into training. Seminars, teamwork, exchanges of knowledge between various stakeholders, mixing teams of experienced colleagues and young members, using case studies – all should be considered. To make it more personal: in order to enhance my knowledge during the current pandemic, I focused on seminars, book and article reading, case studies, and online research. I watched many presentations and opinions publicly available on YouTube or other online platforms while at home, and listened to various presentations while walking alone, wearing my mask.
By Ioannis Voskos, Legal Director at Hellenic Petroleum’s Retail Legal Division
This article was published in issue 1.3 of CEE In-House Matters.