Taking a risk on risk management

A law firm's new subsidiary bets on the growing interrelationships in operational risk

Greg Kaden is a lawyer specializing in corporate bankruptcy at Goulston and Storrs. Seeing changes and trends in risk management and insurance, Kaden and a few colleagues pitched the creation of a subsidiary called Fort Hill Risk Management.

Kaden spoke with CSO about how internal controls and insurance work together for effective risk management.

CSO: Are more companies thinking more about risk management in these turbulent times?

Greg Kaden: It's difficult to generalize from my perspective, which has been on a case-by-case basis. Some organizations are very sophisticated and have very detailed operational controls, and some others are more averse even to purchasing insurance--they may think it's not worth the expense, and it isn't clear whether they've actually done a cost-benefit analysis or have a strong sense of their own internal controls. Some are flying by the seat of their pants.

Goulston and Storrs is a big firm--about 200 lawyers. Why create Fort Hill, a risk management subsidiary?

There were three or four of us with some insurance bent to our practices--[together these amounted to a] very fragmented practice that had developed in the firm on almost an ad hoc basis. So it made sense to institutionalize that practice and organize our thinking.


But the idea also stemmed from a couple of other considerations. At a law firm, you are very much tied to hourly billing. There's little flexibility in terms of fee arrangements, or bringing in non-lawyers to assist with work. So setting up a subsidiary allows us to do flat-fee engagements, contract with people who aren't affiliated with Goulston and Storrs who have some specific expertise, and so on.

Additionally, in the traditional risk management world, there's a lot of confidential information that gets exchanged, and there are nondisclosure agreements providing some protection for that information. But a nice thing about our Fort Hill operation is that we can make the additional argument: If there's a subpoena, some of the discussion is in the nature of legal advice, and so it can be covered by attorney-client privilege. So that provides an additional layer of protection for some of that confidential information.

There seems to be a poor connection in many organizations between risk managers and the people in charge of in-house security. Do you think that's true?

Part of the philosophy that we want to bring to the table recognizes that very disconnect. One of our primary approaches in providing services is to take a very holistic view--broader probably than the typical straight insurance broker would take.

We want to understand the business operation, look at the indemnification agreements that are in place, the key contracts. Broadly speaking, what are your real exposures? What can be mitigated by a non-insurance contract, or by insurance policy? What risks can be assumed or ignored? The fact that we think that's a relevant approach speaks to the idea that we observe that same disconnect between internal risk management elements.

I don't have a magic identifier as to what constitutes a strong internal risk-control environment--it seems to be based on the people. I have seen companies with thoughtful, risk-averse people who are also good business people and who can strike the right balance. I have also run into very successful businesses that are well run and have good management overall, but for some reason have underdeveloped insurance programs.

For executives, insurance at times can be very much a check-the-box exercise. "OK, we have a management liability policy, a general liability policy, so our risks are covered." They don't focus on whether the policies in place are really compatible with the needs of the business, or the risk appetite of the business.

You would think that, after the last decade with Sarbanes-Oxley and Dodd-Frank, that would be changing.

Why is it valuable or necessary to have the flexibility to bring in outside experts?

Part of our philosophy is that we want to work collaboratively with existing brokers or partners. We don't want to displace others just for the purpose of getting all the glory, or telling people they've been doing it all wrong. So in that spirit, we recognize that there are going to be situations where either our expertise is limited, or the engagement would benefit from the help of a non-lawyer.


For example, in a situation where we might be having difficulty making headway with an underwriter, it could help to have someone with an underwriting background brought in. We interviewed a guy who is a retired lawyer with excellent crisis-management skills, so if there is an engagement with a PR crisis brewing, we could call in his experience.

How does your personal specialty of bankruptcy law fit into this equation?

My interest in insurance developed from being a bankruptcy lawyer. Any time a company failed, the executive team inevitably wound up in trouble. Fingers were pointed at them by creditors. So insurance policies need to be targeted at the gap between the balance of obligations to creditors and the ability of the company to repay those obligations.

In creating Fort Hill, we saw three areas of insurance that are particularly relevant in today's environment: management liability, data security, and environmental. Among the three founding members, we have those areas well covered.

We're still in difficult financial times, lawsuits from 2008 are still working their way through the system, and there are increased concerns and regulations following Dodd-Frank. There are all kinds of personal risks for directors, and I felt that was an important area to address.

Bankruptcy lawsuits from 2008? I hadn't considered the long, slow grind of the legal system in that regard.

In litigation, the job is to maximize compensation in a world where complete satisfaction of an outstanding debt is impossible. Which means these things drag out in the effort to leave no stone unturned--identifying assets, sorting out claims and so on.
