When using outside counsel, most companies, especially those that have affiliates or subsidiaries, need a comprehensive approach. Unfortunately, many companies hire law firms on a case-by-case or ad hoc basis. Sometimes divisions of the same company hire different law firms without thinking about potential issues of legal talent and failure to obtain high-quality legal services on a consistent and reasonably priced basis. Sometimes, divisions of the same company hire different law firms to handle similar legal issues or litigation.

If a company has an in-house Law Department, it is incumbent upon the in-house Law Department to develop processes to select and use outside counsel on a consistent basis with a focus on quality, reasonable fees, and, of course, success. Such success is normally the result of a long-term relationship in which outside counsel becomes a member of the company’s “team,” learns the business, and can, therefore, provide timely legal and business advice.

Centralization

A company either has in-house counsel or it does not. To successfully handle legal issues facing most companies these days (especially those involving litigation ), the use of outside counsel must be centralized. If a company has many divisions or subsidiaries, a department should be empowered to oversee all legal matters. There are numerous advantages to centralization of the legal function:

Advantages of Centralization

-One organization has an overview of all legal issues confronting the company and can properly advise management on legal issues.

-Efficiency: Whether in-house or outside, efficient and fast response to legal issues is necessary.

-Use of a single law firm as outside general counsel can result in monetary savings.

-Centralization of legal services lends itself to the centralization of the company’s legal records, documentation, and information, creating a more efficient process.

-Centralization of legal services allows for a more efficient review of data, resulting in the proper use of information and development of an appropriate strategy.

-Investment: Whether a company is large or small, it needs to look at use of outside counsel as an investment. Picking the right outside counsel and developing a long-term relationship with such counsel will pay dividends in the long run.

Efficient and timely use of outside legal services, whether such use of outside legal services is picked by an in-house lawyer or by a company manager or officer, relies on whether outside counsel is the right fit for the company. There are many law firms around, but not all are the right fit. Picking the right law firm or outside counsel depends on a number of factors. Many times, a company picks a law firm because of a personal relationship between a company officer and a lawyer in the firm. Or maybe the firm has done a good job in advertising. The trouble is, without going through a process to determine the acceptability of a law firm, picking outside counsel can be hit or miss. A centralized legal function is necessary to avoid mismanagement of outside legal counsel. 

There are several reasons why companies find it harder and harder to handle major crisis. These days, because of the internet, companies have to get out in front of a crisis, or the bad PR will kill them quickly. It used to be companies had time to react and get out front. Now they don’t. So, if companies don’t have a strategy in place to address the crisis, it’s hard to get out in front. In fact, by most accounts, a company has twenty-four hours to put a crisis management strategy in place once it becomes aware of the underlying event. This twenty-four-hour period is sometimes referred to as ‘the golden hour.’ If a company isn’t prepared, twenty-four hours is not long enough to think things through. Of course, In-House counsel have to understand their roles in a crisis as well. They have to manage legal liability and balance it with business considerations. They also have to help the PR team educate the public on the issues and make certain all legal regulations are followed. Normally, the In-House team hasn’t really thought about its role and responsibilities in the event of a major crisis. This can be a problem.

Another issue is that sometimes Management refuses to acknowledge the existence of a crisis until it is normally too late. Remember, a crisis unfolds in a series of stages and not in a vacuum. First, there are early indications of a crisis brewing followed then by actual warnings of a crisis followed by the crisis exploding and overwhelming management. It is at this stage that most companies try and resolve the crisis, but it is usually too late. The crisis morphs, PR gets really bad, the impact of the crisis deepens, the stakeholders and shareholders get very worried and upset. The key to properly managing a crisis is to acknowledge the existence of a crisis at the beginning and to have a crisis management plan in place. Legal needs to be heavily involved with Management to help resolve the crisis at this stage.

The major problem with handling a crisis is that communications play an important role. When you look at the timeline of the average crisis: a company not only has to determine what need for communications exist (internally and externally) but also must have the communications drafted and ready to go within twelve hours of the start of the crisis. Within twenty-four hours, Management should have a plan in place including a communications plan and should be talking to the media or have a third party talking to the media for it. If you don’t have a crisis management plan already in existence before the event, you probably won’t get your hands around it in time. Legal must also know what to do and when.

As In-House Counsel What Should Concern You?

Ask yourself the following questions:

-What happens if one of the machines in your company’s main manufacturing line breaks down? How long would it take to come back online? Or, what happens if as a major service provider you are unable to provide the service you are obligated to provide?

-Can you cover by finding alternative sources of supply, how long would that take to do? How long to cover the losses? What about the supply agreements?

-If you lose productivity and can’t supply customers on time you could lose everything. Are you able to absorb the losses? What obligations do you have under your supply agreements?

-Who should be the crisis manager?

-In case of a crisis do you know all of the relevant insurance policies and the appropriate notification deadlines? Or is this left up to the insurance department?

-If a crisis involves regulators, are you aware of the basic time frames in which to notify and/or involve the regulators? And, who are the appropriate regulators? Do you have contacts with them?

-From an in-house perspective have you thought about how to mitigate civil liability?

-So how do you minimize civil liability and perhaps criminal liability too?

-Are you prepared for litigation?

-What steps should you take to mitigate liability?

For In-House counsel in companies that could experience a major crisis, it is vital to have a plan in place. Think about the questions above. Ask more questions too. Be prepared.

The mounting layoffs, furloughs and job losses currently creating havoc in the US do not bode well for the US economy. But such job losses also force companies to face another stark reality – the potential loss of all of its ESI. Many companies in today’s economy require employees to use laptops, cell phones, tablets and other digital devices in the scope of their duties. What happens when massive layoffs take place? Companies lose control of the digital devices that contain the company’s ESI as former employees are now at home or looking for work elsewhere. Why is ESI so important to a company?

Electronically stored information (ESI) exposes a company to a myriad of risks. The multi-dimensional universe of data privacy of course comes to mind. Cybersecurity is also very important today as many companies and governments continue to get hacked. However, companies not only have to worry about getting hacked or running afoul of the latest data privacy laws and regulations, but also what data to even store, where to store it and how long to store it. Failure to take the where, when and how into consideration can expose the company to unforeseen ESI issues- such as violating US based ESI discovery laws as well as the associated document retention risks.

Electronically Stored Information- Document Retention Risks and Concerns

If a company is involved with litigation in the United States, it has a duty to locate all relevant information, data, and documents—including ESI that are relevant to the case. This can be quite onerous, as it requires:

Familiarity with document retention policies
Involvement with IT personnel
Communication to “key players” of the litigation hold
Location and retrieval of all relevant information wherever that information might be

The legal risks facing a company that fails to handle the above requirements in an economical/efficient manner can be tremendous. Companies have been sanctioned millions of dollars for failing to abide by ESI requirements or, even worse, have lost the respective lawsuits, costing even more. What can a company do to mitigate the legal risks surrounding document management to comply with US legal requirements?

1. Plan of Action

A company must take steps to develop an adequate data and document management plan. It is not too surprising that even the IT Department itself may not have an adequate understanding of where all of the electronically stored documents are considering the plethora of handheld devices that may store documents and other electronic information. Therefore, a company’s management and IT folks need to sit down and map out where all of the documents are located if possible. A document management plan should take the following steps into consideration:

Assess the company’s current use of technology documents.
Locate all in the company’s possession and as well as its employee’s possession.
Use technology to leverage legal requirements.
Retain experts or outside consultants to above or to help implement systems/processes.
Implement policies and procedures addressing all legal risks posed by ESI.

2. Risk Assessment of ESI

To implement an appropriate plan of action, a company must conduct a risk assessment of its processes and capabilities by:

Seeking proposals of vendors (outside experts)
A top-to-bottom analysis
• ESI and paper documents
• Hardware and software
• Management of data
• Retention of data
• Litigation holds
• Disaster preparedness

3. Current ESI Issues

The legal risks facing companies in today’s legal and regulatory climate, especially in the United States, are enormous. Failure to implement a data and document management program that not only addresses a company’s business concerns but legal obligations as well can be disastrous. Therefore, companies must be extremely proactive in this regard before laying off thousands of employees. Not only must companies implement processes to gain control of all digital devices or ESI related devices that it has given to employees, but companies must also take steps to prevent loss of ESI and IP as a result of losing control over such devices.

The main concern a company should have during the Covid -19 related shut-down is whether or not it controls all of the company owned cell phones and laptops prior to laying off its employees. The implementation of a LRM program addressing these concerns is not a luxury but a necessity. It is highly recommended that a company implement a data and documentation management program that addresses ESI and all of its issues.

Let’s face it- COVID -19 is creating havoc for many businesses. It is upending markets, impacting the travel and tourism industries, hitting the transportation industry and of course negatively impacting the world’s supply chain. It is a crisis. Which means, that companies must treat it as such. Instead of waiting for an official government proclamation that COVID -19 is now a pandemic, it is time to treat this as a serious crisis.

From a risk point of view, what should companies be doing? Well, it’s time to apply risk management processes. Such processes should seek to mitigate and minimize the impact of the COVID -19 crisis. Such processes can include:

- Mitigation of the spread of COVID-19. Does your company have processes in place to minimize the spread of the virus? How are you protecting your employees? Have you considered the HR issues you might face because of the rate of infection? These questions need to be considered.
- Business Continuity Plan. Have you considered a business continuity plan (BCP) to save the company or minimize the impact of the crisis? A BCP would cover the following steps:

1. Analysis- What aspects of the crisis could hurt the company and why?
2. Design- How do you design a response to the crisis? What measures should be created to address the threats?
3. Implementation- How do you implement the measures?
4. Testing- How do you test the Plan to make certain it addresses the threats?

In order to create and implement the BCP, consider the following risk management processes:

1. Assess the situation- assess the threats by setting goals and priorities
2. Identify all of the major risks
3. Do a risk analysis of the major risks identified by conducting a critical risk analysis
4. Implement a Plan that provides countermeasures to mitigate the major risks – i.e. an Action Plan
5. Review the Action plan to confirm whether it adequately addresses the risks and helps mitigate or minimize the risks facing the company.

It is uncertain how long COVID-19 will have an impact on the world's commerce. However, if you take the appropriate countermeasures now and mitigate your risks the less likely your company will later face threats that could seriously impact it.

Before a crisis breaks out, it’s always a good idea for the company’s risk manager or the risk management department (RMD) if one exists to review his or her role, or in case of the RMD, its role within an organization. In today’s environment, including COVID 19 virus issues, it is very important. A risk management department may have multiple reporting lines within an organization or may report to one department head. Are those reporting lines clear? If not, it is time to clarify them.

In order to understand the risk management department’s area of responsibility within an organization, I think it best to for the head of risk management to work with his supervisor in drafting corporate guidelines covering the risk management’s area or responsibility which can then be disseminated throughout the organization. No only should the RM or RMD’s are of responsibility be covered but each individual within the RMD should have his or her position and are of responsibility described in detail as well. It’s best to have everything outlined before the RMD has to contend with a crisis, especially a pandemic.

Areas of responsibility should include the purpose and policy of the RMD in the organization, the functions and execution points of the RMD (who does what, when, how, reporting lines, etc.) as well as a detailed outline of the procedures and processes of the RMD. Procedures and processes can include:

-conducting risk assessments of the organizations’ divisions and departments
-developing solutions for the various risk management issues
-coordination with various departments to assist with compliance issues
-oversee loss control concerns
-develop training for the organization’s employees covering various risk related areas of concern such as product safety, etc.

Besides managing risk, risk managers must also have a knack for good stakeholder management. In fact, in order to provide effective leadership in today’s corporate world, risk managers and those who have a risk management function, must understand the significance of good stakeholder management. Considering the high employee and investor turnover rates it is no wonder that risk managers must take the lead in providing risk management information to various stakeholders not only from a compliance perspective but from a profit/loss perspective as well.
Who are the various stakeholders that a risk manager must concern himself or herself with? Of course the more sophisticated a company, the more stakeholders there might be. Nonetheless, the main stakeholders of any company or organization usually include:

1. Employees
2. Upper Management including the Board
3. Customers
4. Suppliers
5. Regulators
6. Investors
7. Business partners; and
8. Credit Analysts

The first step in leadership for any risk manager when looking at stakeholders is to ask the hard questions such as: (I) Are you prepared to handle risk events relating to your stakeholders or not? (ii) In a crisis management event, such as a pandemic, are you ready to address your customers? (iii) In case of litigation, do you have the right information to communicate to your regulators? , and (iv) What are the risk management process to use in case you have major employment related issues?
Providing effective risk management leadership requires the risk manager to understand what his or her role within the organization is as well as who the major stakeholders really are and what risk management reporting processes actually exist or should exist.

Once a risk manager can answer the questions, the manager as well as the RMD itself is ready to provide effective risk management leadership.

Management of litigation, like management of most business processes, begins with a business plan and a budget. In this case, prior to trial, when a company seeks an appropriate law firm to represent it, it needs an acceptable litigation plan and budget. Law firms many times will try to push back on the request of a budget, claiming legal costs are hard to predict. This, of course, is not the case. Experienced lawyers, whether in the United States, Europe, or Asia, are very familiar with the legal costs in their own geographic region as well as costs and expenses associated with the particular issue, such as patent litigation or class actions. Certain costs may be hard to quantify, such as defense litigation costs (which may depend on how aggressive a plaintiff is in trial), but for the most part, law firms can provide a litigation plan and budget using approximate or ballpark figures.

Effective management of litigation and therefore outside legal spend will depend on a well-prepared litigation plan and budget. This, in turn, depends on the proper identification of potential litigation issues and a plan for potentially adversarial proceedings. Questions that should be asked when discussing the plan and budget with outside counsel include:

Is this matter an actual or potentially adversarial proceeding?
Will this matter result in potential commercial litigation?
Will this matter result in potential regulatory litigation?
Will this matter lead to governmental litigation?

Kinds of Actions

An accurate litigation plan and budget will depend on the nature of the proceeding or legal matter at hand. Such matters can be classified as follows:

Commercial litigation
• Antitrust and trade disputes
• Bankruptcy and creditor actions
• Class actions (product liability, etc.)
• Labor and employment
•
Regulatory proceedings
• Governmental inquiry/informal visit
• Investigations
• Subpoenas
• Government enforcement proceedings
• Administrative tribunals
• Internal corporate investigations

Certain costs will be associated with the nature of the dispute. For instance, commercial litigation costs will be dictated by the cost of discovery, including: depositions, interrogatories, production of documents and things, and physical examinations, etc. Costs involved with regulatory proceedings will involve governmental investigations and internal corporate investigations and perhaps parallel proceedings, criminal as well as civil litigation.

Litigation Management Tools

Litigation management depends upon the in-house legal team or risk manager actively assessing and managing litigation by using an effective litigation management process. The litigation management process should utilize management processes as well as LRM tools.

For a corporation to effectively manage litigation, management needs to understand its role as litigation manager. If it hands over the entire litigation management process to the outside firm representing it, the costs will, of course, substantially increase! The law firm must be managed! The risk manager, corporate manager, or in-house lawyer (General Counsel, etc.) must understand his or her role as a litigation manager. That includes use of management functions and LRM tools.

Management functions
• Effective coordination of legal defense efforts to avoid duplication of costs
• Coordination of use of witness and discovery
• Serve as the central site for all facts, positions, and decisions in legal issues
• Development and implementation of a defense plan
• Internal assessment of facts
• Point of contact for regulators
•
LRM tools
• Litigation budget
• Coordination of documents
• Use of employee interviews
• Insurance
• Use of defense plan
• Early case assessment
• Alternative fees
• Outside billing guidelines
 
Only through the regular use of legal risk management tools can a company or organization effectively control its outside legal spend, especially when dealing with litigation.