To successfully protect their organizations in an increasinglyrisky and litigious world, it’s imperative that risk managers andin-house counsel partner closely with each other. NU spoke withseveral members of our Risk Managers Advisory Board to hear aboutthe most pressing challenges their legal and risk departments areworking collectively to solve; and to get their advice on how riskmanagers can most effectively communicate with their attorneycolleagues.

Karl Zimmel
Director, Risk Management Services
UniSource Energy Corp.

What are the top issues this year that UniSource’srisk-management department is working closely with yourorganization’s legal department to address?

To develop a policy and procedure regarding how to respond tocustomers and employees potentially affected by a database breach;and developing a process to preserve claim investigations asattorney-client privileged information.

At UniSource, how do you communicate with the legaldepartment in identifying issues and addressing themcollectively?

I work more closely with our general counsel on a daily basisthan with any other officer. I primarily work with legal on claims,contracts and various laws. Risk management self-administersliability claims; legal doesn’t formally get involved until theyare litigated. However, informally I keep them advised ofsignificant claims prior to litigation in order to both seekconsultation and get them prepared if they go into litigation.

I also use the legal department’s research regarding riskidentification and new issues. For example, in my development ofprocedures to handle potential data breaches, I asked legal toprovide me research on our regulatory requirements for notifyingthose who may have been affected by a data breach. However, it isjust one of several departments risk management needs to work withto complete the project. We will also be working with IT, customerservice and our [executive] group on this project.

What advice can you give to other risk managers aboutthe most effective way to interface with the legal department?

I have found at many different employers, corporate attorneysrarely have an in-depth understanding of insurance because it israrely addressed in law school. Therefore, risk managers need tohave confidence to step up as the insurance expert and not beintimidated by attorneys when addressing insurance matters.

It’s helpful to educate corporate counsel on the basics ofinsurance such as first-party versus third-party coverage,subrogation, etc. When advising why you take a particularposition regarding insurance language in a contract, it helps toexplain how an insurance policy will respond to specific lossscenarios. That’s when the light bulb goes off for attorneys.

Handling insurance education with corporate counsel can make orbreak your relationship. It needs to be done without beingcondescending or confrontational. If you initially approach counselin a friendly, helpful manner, they will often admit they don’tunderstand insurance but appreciate your expertise, and it will bethe start of a very good, long-term relationship. Conversely, riskmanagers need to admit to legal when they need help understandingsome legal and/or important regulatory principles that will be thefoundation for many future transactions.

William Montanez
Director, Risk Management
Ace Hardware

What are the top issues of 2012 that Ace’srisk-management department is working closely with yourorganization’s legal department to address?

Most of our legal issues are focused on vendor-indemnificationagreements and contractual reviews. The risk manager reviews anysignificant contract that comes through Ace’s doors, whether acontract for materials that we purchase for resale or services thatwe purchase for IT, consulting, etc. Ace Hardware has a processthat reviews the risk implications of every significant contract,and the legal department does the final review on thecontract.

How do you communicate with the legal department inidentifying issues and addressing them collectively?

We interact with the legal department from an insurance andcontractual-compliance point of view, and the legal departmentnotifies us about a case or a suit that is being filed where weneed to get involved to explain our insurance policies and coveragetriggers.

We communicate regularly and often with the members of ourin-house legal team. We respect each other’s expertise; we knowwhat the legal department’s viewpoint is, and vice versa. As we arefond of saying: “We don’t practice law, and they don’t practicerisk management,” but we always consult one another.

Can you talk about an example wherethe two departments successfully worked through a situation withboth legal and risk-management implications?

We introduced a Cyber Liability policy a little over four yearsago that we developed with the IT team. We sat down with the legaldepartment and discussed the various coverage triggers of thepolicy.

What advice can you give other risk managers about themost effective way to interface with the legaldepartment?

Both the risk-management and legal department have to understandthat there is value in both processes, although there are alsoborders between them. Make sure that everyone has the rightmotivation in place, because at the end of the day, our overlap isthat we are both trying to protect the company. The workflow andrelationships don’t develop overnight, but they eventually will ifyou are both willing to be transparent and open.

Michael Liebowitz
Director of Risk Management and Insurance
New York University (NYU)

What are the top issues this year that NYU’srisk-management department is working closely with yourorganization’s legal department to address?

The overarching issue is to get all of NYU’s contracts throughreview by the legal department and risk-management office. Manycontracts bypass review and are signed by people who areunauthorized to do so. We’d love to make this a mandate, but thenpeople would be loathe to comply. So from a grassroots perspective,we’d like to get people to understand why bringing contracts toboth departments is important—because we can explain theirrepercussions, [potential] losses and risk-transfer mechanisms.

How are you working with the legal department to manageCyber risk?

Cyber risk is a three-pronged issue that belongs to the legaldepartment for licensing and IP agreements; the risk-managementdepartments for the evaluation of exposure; and, of course, our ITpeople, the real owners of that risk. It also ropes back around toour third-party cloud [vendors], who are legally responsible forproviding the policies and security procedures to protect our datathat lives in their hardware.

At NYU, how do you communicate with the legaldepartment in identifying issues and addressing themcollectively?

It’s a collaboration. We talk amongst ourselves in “legalese,”but the key is to get each party to put things down to a languagewe both understand. The general counsel and I sit down and talkabout our bifurcated issues. I don’t step into [legal] terms, andthey don’t step into indemnity, but we come out with an agreementthat is going to protect our organization. Unfortunately, we dosometimes have to walk away from a vendor because of indemnity andinsurance provisions. The two pieces of legal and insurance have tocome to an agreement as a single unit. If they don’t, that contractcannot move forward.

Sarah E. Pacini, R.N. J.D.
Vice President, Risk Management and Insurance
Advocate Health Care

What are the top issues this year that Advocate HealthCare’s risk-management department is working closely with yourorganization’s legal department to address?

Health-care reform is obviously a huge focus from a providerperspective, and it is also a major focus from a risk-managementperspective. Now that the Patient Protection and Affordable CareAct (PPACA) has passed the Supreme Court’s scrutiny, it isimportant for health-care risk managers to recognize theimplications PPACA may have on their insurance coverage, actuarialanalysis and scope of services.

Insurance coverage will likely be impacted by the potential forincreasing claims in the Errors & Omissions, Directors &Officers and Institutional Negligence arenas.

Merger-and-acquisition activity is also on the rise across thehealth-care sector as consolidation proves to be a potentialsolution in response to PPACA for hospitals as well as physicians.This means the health-care risk manager must have a seat at thetable during due-diligence analysis and must provide viable andvaluable solutions to meet the strategic needs of his or herinstitution.

Although due-diligence analysis is essential, the work ofM&A does not end with due diligence; it begins there. The realchallenge for health-care risk managers is 1) the integration oftwo insurance portfolios into one comprehensive program; and 2) thecultural transformation necessary for two independent entities tointegrate into one successful health-care program.

What advice can you give to other risk managers abouteffectively interfacing with the legal department?

I am a lawyer, so perhaps it is naturally easier for me tointeract with the legal department, but it should be easy foreveryone.

First, I believe it is important to present issues to the legaldepartment only after you have conducted your own due diligence.This way when you are asked specific questions, you will beprepared to answer in a meaningful way.

Furthermore, I believe it is essential to come to the legaldepartment with potential operational solutions already identified.This ensures that the attorney not only has the backgroundinformation but also understands the direction in which you want toproceed. Once the lawyer understands these two points, it is easierfor him or her to explain the most efficient and effective methodto achieve your goal.

Remember to begin your interaction with your legal departmentwith the end in mind: What do you want? If you want legal advice ona proposed solution, then you need to bring a solution that hasenough substance for the attorney to opine. If you want options toovercome an operational challenge, make sure that you have all thecurrent information on the operation and its challenges. It isimportant to remember that the legal department wants to supportyou in identifying creative and proactive solutions to eliminate ormitigate risks and advance the operations of the organization.

Gary Pearce
Vice President, Risk Management Group
Kelly Services Inc.

What are the top issues this year that Kelly Services’risk-management department is working closely with yourorganization’s legal department to address?

Compliance and globalization are the top issues. Compliance isfocused on wage-hour risk, employment eligibility, screeningpractices and safety management.

The globalization aspect revolves around deploying our bestpractices on a consistent basis across our worldwide organization,including litigation management, workplace-injury management,incident reporting and claim reserving.

At Kelly, how do you communicate with the legaldepartment in identifying issues and addressing themcollectively?

As for communication with our legal [department], we saw acompelling need for close collaboration in this regard—and so didour executive management. As a consequence, a few years ago weconsolidated our legal, risk, safety, security, workers’compensation and unemployment functions into one organization knownas the Law and Risk Management Division.

We saw substantial initial advantages in customer-contractmanagement and in launching an ERM program. But now thisintegration also spans many other issues such as liability-claimmanagement and legal/risk support of new-product development.

Our staffs are co-located, which not only [fosters] dailycollaboration but also affords cross-training and enrichmentopportunities that might not otherwise exist. We also report to theGeneral Counsel.

What advice can you give to other risk managers aboutthe most effective way to interact with the legal department?

Risk managers often interface with legal staff under theunspoken presumption of being the junior party in the relationship.Consequently, there is an elevated need for personal credibility onthe part of the risk manager: More than simply having a very strongunderstanding of business and legal principles, the risk managerneeds to bring distinct and accretive skills to the table.Effective risk managers can anticipate legal issues and are able tolead the legal/risk dialogue, yet perform effectively in asupportive or consultative role when appropriate.