How Should Legal Risk Be Integrated into Banking Risk Management?

January 31, 2025

In the ever-evolving landscape of banking, managing legal risk has become a critical component of a bank’s overall risk management framework. Richard Ostrander, the general counsel and head of the Legal and Compliance Group at the Federal Reserve Bank of New York (FRBNY), has provided valuable insights into this complex issue. His perspectives shed light on the challenges and strategies for effectively integrating legal risk into banking risk management.

Background and Legal Risk Management Expectations

Evolution of Legal Risk Management

Since the mid-1990s, the Federal Reserve has required banking organizations to manage legal risk adequately. Legal risk encompasses the potential for unenforceable contracts, lawsuits, or adverse judgments that could disrupt a bank’s operations. This definition differs from the Basel Committee on Banking Supervision’s broader definition, which includes exposure to fines, penalties, or punitive damages from supervisory actions and private settlements. The varying definitions across organizations complicate the integration of legal risk into a unified risk management framework.

As the risk management profession has advanced, there has been a push to integrate multiple risk categories into a single framework. The Office of the Comptroller of the Currency (OCC) has developed heightened risk management standards, requiring large banks to implement quantitative limits, organization-wide data aggregation capabilities, and define a risk appetite for all risk categories, including non-financial risks like compliance and reputation risk. However, integrating legal risk into this framework presents unique challenges, as banks typically have a negligible appetite for intentionally violating laws, despite the inherent legal uncertainties.

Regulatory Standards and Challenges

A significant part of the regulatory standards focuses on ensuring that large banks adopt comprehensive and coherent risk management frameworks. These frameworks should be capable of handling legal risks alongside other types of risks such as market, credit, and operational risks. Despite this, aligning legal risk management with existing frameworks involves complex considerations. Banks must navigate differing regulations across jurisdictions, leading to varying legal risk management approaches.

In an ideal scenario, integrating legal risk into existing risk frameworks would enable organizations to monitor and mitigate these risks before they materialize into serious consequences. However, Richard Ostrander notes that the dynamic nature of legal risk, compounded by constantly changing laws and regulations, makes it challenging for banking organizations to maintain a risk appetite reflective of real-world complexities. He suggests that successful integration requires ongoing adjustments and a deeper understanding of how legal risk impacts broader organizational objectives.

Integrating Legal Risk into Risk Frameworks: The Three Lines of Defense Model

The Three Lines of Defense Explained

The three lines of defense model is widely accepted within banking, mandating that all functions and personnel align with a specific “line.” The first line of defense involves business unit managers; the second covers risk management and compliance functions; and the third involves an independent audit function. This model raises pertinent questions about where legal functions should be situated and how their activities should be reviewed.

According to this model, the first line comprises those directly involved in day-to-day risk management—usually operational management. These individuals are expected to identify and manage risks within their immediate working environment. The second line of defense includes risk management and compliance functions, tasked with overseeing risk management activities and ensuring that the first line is following established processes. Finally, the third line encompasses the independent audit function that reviews and evaluates risk management practices across the organization to provide additional assurance.

Legal Function’s Unique Position

According to Mr. Ostrander, the legal function does not fit neatly into the three-lines-of-defense framework. Instead, he presents a nuanced view that the legal function should operate across and outside of the standard three lines. He argues that the legal function should take ownership of identifying and analyzing legal risks, as first-line managers are not qualified to conduct legal analyses themselves. Additionally, the legal function serves a second line of function by ensuring that the first line adheres to proper procedures for managing identified legal risks.

The legal function’s distinct role within banks highlights the importance of adaptable frameworks. Banks must recognize that legal risk management requires specialized expertise and collaboration between legal professionals and other business units. By taking ownership of risk identification and analysis, the legal department ensures risks are appropriately assessed for potential impact and mitigation strategies. This adaptive approach allows banks to address the unique challenges posed by legal risks without undermining the broader risk management framework.

Concepts of Legal Risk and Legal Risk Management

Defining Legal Risk

Mr. Ostrander articulated FRBNY’s internal definition of legal risk, which encompasses three main risks: exceeding legal authority or failing to fulfill obligations, legal disputes arising from such allegations, and failing to protect legal interests. He argues against viewing legal violations and fines merely as costs of doing business, emphasizing that a bank’s legal risk tolerance should not be zero. Legal risks manifest variably, can be mitigated differently, and, at times, might be in an organization’s best interest to accept.

In addition to understanding the different types of legal risks, banks must also consider how these risks intersect with other business operations. For example, certain contractual obligations or regulatory requirements may carry inherent legal risks that need continuous monitoring and proactive management. Effective legal risk management requires a comprehensive approach, ensuring that all aspects of legal risk are identified, analyzed, and managed in close coordination with other risk management activities. This holistic view enables banks to address legal risks proactively and minimize potential disruptions.

Legal Risk Tolerance and Decision-Making

Legal risk tolerance involves making informed decisions based on thorough legal analysis. For instance, a legal analysis might determine that offering a new financial product doesn’t require a particular license based on a strong argument. If ultimately a license was required and a fine imposed, the legal risk might still be deemed acceptable if the risk had been correctly analyzed, communicated to, and accepted by the proper decision-maker consistent with the organization’s risk management procedures.

A well-defined legal risk management strategy allows decision-makers to weigh the potential benefits and consequences of accepting certain legal risks. By fostering transparent communication and documenting the decision-making process, banks can ensure that appropriate levels of responsibility and accountability are maintained. This approach not only helps mitigate potential legal risks but also strengthens the organization’s overall risk management culture. By embedding legal risk considerations into every aspect of business operations, banks can achieve a more resilient and responsive risk management framework.

Structure of Legal Risk Management within a Banking Organization

Legal Function’s Role Across the Three Lines

Addressing the integration of the legal function within the three lines of defense model, Mr. Ostrander posited that the legal function spans across and operates outside this framework. Legal risk requires first-line managers to consult legal professionals since they are not qualified to conduct legal analyses themselves. Consequently, the legal function should take ownership of identifying and analyzing legal risks.

The legal function also needs to ensure that its risk assessments are aligned with overall organizational risk management strategies. This involves maintaining open lines of communication with first-line managers and other key stakeholders. By doing so, the legal department can provide timely and accurate legal advice that helps mitigate identified risks. Furthermore, this integration helps prevent any misinterpretation or mismanagement of legal risks that could arise due to a lack of specialized knowledge within other business units.

Ensuring Effective Legal Risk Management

The legal function serves a second line of function by ensuring that the first line adheres to proper procedures for managing identified legal risks. Given that only the legal department can provide legal advice and interpret legal risks, its judgments cannot be subjected to review by another function, such as the third line, which would require inappropriate legal advising capabilities. Nevertheless, the second and third lines can review the legal function for adherence to internal processes, budgeting decisions, and other non-legal corporate issues.

This structure ensures that the legal function is appropriately integrated while maintaining its unique advisory role, distinct from risk management and audit functions. By clearly delineating the responsibilities and authority of the legal department, banks can create a more effective and integrated approach to managing legal risks. This, in turn, supports the organization’s overall risk management objectives and contributes to building a robust and resilient risk management culture capable of navigating the complex legal landscape.

Cultural Aspects of Legal Risk Management

Collaboration Between Legal and Business Units

Mr. Ostrander emphasized the cultural aspects of legal risk management, underscoring the necessity for business units to work closely with the legal function to identify and mitigate risks. It is equally important for the legal department to understand the business unit’s objectives, be responsive, and foster a problem-solving mentality. This collaboration ensures that legal risks are effectively managed while supporting the organization’s goals.

A successful collaboration between legal and business units requires establishing a culture of mutual respect and understanding. Business units should see the legal department not just as an enforcer of regulations but as a valuable partner in achieving their goals. This perspective shift helps create an environment where legal risks are proactively identified and managed, rather than reacted to post-incident. It also encourages innovation, as business units feel supported in exploring new opportunities within a controlled legal risk framework.

Mutual Understanding and Proactive Management

The legal department, in turn, needs to be attuned to the operational realities and strategic ambitions of the business units. This involves actively participating in strategic discussions and decision-making processes, providing clear and practical legal advice, and helping navigate complex legal landscapes. By being proactive and engaged, the legal function can anticipate potential legal risks and work with business units to develop effective mitigation strategies that align with overall organizational goals.

A strong partnership between the legal function and business units fosters a holistic approach to risk management. It enables the organization to leverage the expertise of legal professionals while ensuring that legal considerations are integrated into every aspect of business operations. This collaborative approach not only enhances the effectiveness of legal risk management but also contributes to building a resilient and adaptive risk management framework capable of addressing the evolving challenges of the banking industry.

Concluding Thoughts and Practical Implications

In the dynamic world of banking, managing legal risk has become a pivotal aspect of a bank’s risk management strategy. As the general counsel and head of the Legal and Compliance Group at the Federal Reserve Bank of New York, Richard Ostrander provides crucial insights into this intricate issue. He emphasizes the importance of understanding and incorporating legal risk into the larger risk management framework of banks. According to Ostrander, effectively managing legal risk involves not only identifying potential legal threats but also developing strategies to mitigate them. His perspectives highlight the necessity for banks to adopt comprehensive approaches that integrate legal risk with other forms of risk management to ensure stability and regulatory compliance. Ostrander’s insights are particularly relevant in today’s environment, where the banking sector faces continually evolving legal challenges. By drawing on his expertise, banks can better navigate the complexities of legal risk, which is vital for their overall operational resilience.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later