Special report: legal risk
Top ten legal risks | Keep your company on side with the law | The regulators: who's who | NatWest Three: could you be next? | What's my liability as a company director? | Get ready to be raided | Defective documentation | Survive an FSA investigation | Employers watch out

As businesses face up to an increasing likelihood of litigation or investigation by regulators, how can you minimise those risks? What can be done to ensure your business is adequately prepared should the worst happen?

The key is to put in place effective risk management procedures to prevent the incident in the first place, or to at least ensure your company responds in a professional, organised and timely fashion if it does happen, in order to minimise the damage. A significant number of businesses fail to do that and their response to investigations is often haphazard, unplanned and hurried.

In these days of increasing red tape there are several measures businesses can take to ensure they are prepared:

1. Identify, analyse and mitigate the risks your business faces. This includes determining what those risks are: legal (such as competition issues), financial (fraud, both internal and external), operational (health and safety), commercial (contractual) and reputational (arising from any of the above). Effective systems and controls designed to mitigate those risks particular to your business then need to be implemented.

2. Clearly delegate responsibility. First, you need a system to delegate risk assessment to the part of the business best qualified to identify and analyse those risks. In some cases, that will be the operational unit; others may be best dealt with at a central level. Then you need to decide which risks you need to or can actually deal with — taking into account that certain risk assessments are required by legislation. Weigh up the costs against the consequences of an incident. Then you should clearly delegate responsibility for dealing with the key risks. Also consider who would lead the team if an internal investigation was required.

3. Educate your staff. Regulations change quickly. You will need to keep the legislation under review in order to keep abreast of new risks and relevant employees will need to be made aware of their responsibilities. Staff can be kept up to date by attendance at external training seminars and reviews of electronic and hard copy sources.

4. Establish effective systems for monitoring and reporting. In larger organisations there may be a need or a business case for internal audit and compliance to review both the risk assessment and to monitor compliance with internal controls. Where failings are identified or issues arise, controls will need to be reviewed and amended where appropriate. The key to risk management is the communication and dissemination of policies and procedures. Employees should be encouraged to report issues as they arise, without fear of intimidation, and practical difficulties they encounter in implementing policies and procedures.

5. Prepare a manual for dealing with “dawn raids” by law enforcement. Dawn raids are often carried out by bodies such as Revenue & Customs, the police, the Serious Fraud Office and the Office of Fair Trading. Recently, there have been a number of dawn raids on financial institutions and listed companies for non-competition-related matters. You should have a dawn raid manual that ensures staff know what to do, sets out the different powers of the relevant agencies and establishes who to call for assistance. Reception and security staff need to be aware of how to handle a surprise visit. Failure to assist or appear co-operative can set the tone for the investigation. A failure by security staff to allow access while waiting for someone to accompany the investigators could lead to a charge of obstruction. Would your staff know whether the investigators were authorised to remove the original documents or whether they were allowed to take copies? Different agencies have different powers. What about legally privileged material? What about retaining copies of the material seized? A dawn raid manual can allow you to consider these and other issues when not under pressure.

6. How will you use external lawyers? Consider under what circumstances you would want external counsel to investigate a matter. In some cases investigations are conducted by an independent party. For example, American regulators can require issuers in the US to produce an independent report, or an auditor may require an independent report in order to finalise the audit opinion if there are concerns about management fraud. Alternatively, the business may want to use external counsel to ensure the results are protected by legal professional privilege, as recent European case law has confirmed that privilege is not recognised for in-house counsel. Even if external lawyers are used, they will require assistance and possibly guidance on how the firm typically responds. Input may be required from the HR department to consider employee issues; IT may be needed for access to current or archived e-mails/documents. An effective incident management policy should set out who, internally, will lead the team and who the relevant persons are who should form part of the committee or be consulted.

7. What about document retention and e-mail storage? What is the firm’s document retention policy? How easy is it to recover documents and e-mails that have been deleted, or to prevent further deletion? Who do you need to contact? What restrictions under the firm’s IT policy are there for reviewing such documents? If there is no express provision in the firm’s policies then you are likely to need to notify employees that a review is to be conducted, since failure to do so can lead to the firm being in breach of relevant data protection, human rights or employment legislation. Who do you need to contact to suspend standard document destructions policies? Time wasted could lead to documents being destroyed or not located, undermining the company's response.

8. Consider what issues the investigation team may need to consider. One of the first and most important issues is to determine if there is a reporting obligation about the incident which has arisen. This could be to the relevant law enforcement agency, under the Listing Rules, or to a regulator. Failure to make timely reports could mean that the firm or an individual commits a criminal offence. A voluntary report may also allow the company to take the initiative and lead the investigation rather than being on the back foot. The business will also need to consider what should be done about existing contracts in the interim. What are the firm’s usual terms of business and in what circumstances would they allow the company to suspend a contract?

9. Don’t ignore employment law. To prevent claims of constructive dismissal or breach of contract, any investigation will need to comply with employment law or the firm’s own HR policies. Failure to follow the internal procedures when conducting an investigation could lead to a firm not being able to use the results of an investigation to discipline a rogue employee.

10. Learn your lesson. After an investigation has been completed, the final stage is to consider whether any changes need to be made to the firm’s procedures in order to avoid the issue arising again. Ultimately, the risk assessment goes full circle. The cycle starts again, but hopefully the next time the incident will be avoided.

Peter Burrell is a partner and Nichola Peters a senior associate in the litigation and arbitration division at Herbert Smith

Explore Law

• Columnists

• Law Panel

• Law Reports

• Student Law

Times Recommends

• The best legal yarns this Christmas
• Legal school 'earned £1m by exploiting bar course'
• Axe may fall on 5,000 more City lawyers