Another significant operational risk faced by investment banks is from litigation following deals or public securities issuance that turned sour. In such cases, bankers, along with accountants, are frequent targets for blame. How can this risk be effectively mitigated?

What Is the Risk?

The cost of litigation faced by investment banking, most commonly on the equity and loan underwriting side, is one of the highest potential costs from operational risk across an investment bank's key lines of business. That is because when a company fails, investors who bought into the most recent stock or debt offering will naturally feel aggrieved at the unexpected turn of events and the resultant loss they suffered. In their grief they will ask questions and sometimes take the view, like it or not, that were it not for the incompetence of the bankers, they would still be whole.

A conspicuous number of the litigation settlements of the past few years are related to actions stemming from the 2008 Financial Crisis because of the sudden collapse of many firms due to the onset of the crisis. A firm that has collapsed is an inherent danger to its bankers as it lashes out in its final death throes. The common complaint from an investment bank's risk managers is that they are typically targeted as a result of having deep pockets rather than due to any wrongdoing on their part (see Table 10‐1).

One of the ways to protect against this risk is an executed engagement letter and broad indemnification clause. This is, of course, the standard approach to contracting in the United States: Provide a service, get paid for it, and then protect oneself against litigation in the event that the service is less than what was expected by the client. It is also perfectly rational to protect your business, however, given the litigious society we live in. It is expected for aggrieved investors to assert that their bankers should have known anything and everything about the company they are underwriting. In practice, this is impossible, and so in this context, the indemnity tool and engagement letter that spell out the scope of services are critical tools in reducing the cost of any settlements in negotiation or court.

On occasion, owing to “relationship” or “politics” or sloppiness on the part of the team, bankers do not always execute an engagement and indemnification letter. Good practice dictates the use of workflow tools to track production and execution of these documents. Investment bankers tend to work in more unstructured environments and investment is not always forthcoming in the sort of workflow and document management tools that make this easier to manage. Unfortunately, it only takes sloppy practices in one region of a global bank to create an issue.

The second key control to protecting against this risk is conducting due diligence on the company being acquired or underwritten. Due diligence comprises a review of the company by the bankers. This should include review of financial and management assets to help ensure that the buyer and shareholder are getting what they think they are getting. Over the years, due diligence has been managed on a fairly informal basis, but increasingly, risk managers have tried to move bankers toward a checklist, more formalized approach. Additional aspects, such as environmental risks, have also been introduced to the process in recognition of the fact that damage to the environment can be a subject of lawsuits, with potential consequences for advisors. Due diligence should be limited to the investment bankers' responsibilities and scope of expertise.

In addition, bankers should seek to minimize conflicts by ensuring independence in this process. One problematic but occasional practice has been for banks making an acquisition to appoint themselves as lead bankers in the deal. Due diligence is normally conducted by the leader in the deal, and the perceived conflict may be problematic should the acquisition be later litigated. The $6 billion Lehman bond offering that was led by Lehman Brothers shortly before its collapse in 2008 was one such deal. Members of the syndicate later settled with shareholders who claimed that advisers failed to disclose a catalog of important matters, such as high‐risk residential mortgage‐lending practices, increasing concentration of mortgage‐related risks, and allegedly inaccurate financial statements. Details of these alleged failures can be found at http://lehmansecuritieslitigation.com/.

The third risk control is a document management system that ensures all key documents are retained and organized effectively. When lawsuits are brought, documents need to be produced on demand, similar to if regulators demand documents. Engagement letters, for example, generally go through many different versions, and computer files end up with multiple versions. Therefore, it is essential to maintain discipline and systems to be able to access the final version executed by both parties. Bankers have in the past at least generally worked on deals without effective document management tools—for example, saving documents on their hard drives without saving to a common shared folder. In the past, banks have not necessarily had effective ways of storing and archiving data and documents so that they can be retrieved quickly and efficiently. A federal judge awarded significant punitive damages against Morgan Stanley in the 2005 Sunbeam case for allegedly failing to produce documents.¹ Although the ruling was subsequently overturned, banks have since taken steps to shore up controls in this area. Document management and managing the life cycle of data effectively is an important tool in the arsenal of banks in this time of massive data volumes.

Systemic Risks from Big Data

The underlying problem for banks comes back to data and the sheer amount of it. According to a 2011 McKinsey study, “90% of the data in the world was created in the last two years.”² Most experts believe that for most organizations, the volume of data will double every two years. There is significant operational risk associated with this increase in data as demonstrated by the increases in litigation from investors and state and federal regulators over the past decade. That has been coupled with a general increase in regulatory curiosity, as evidenced by the increase in examinations visited upon banks on a routine and extraordinary basis, mortgages, LIBOR, and FX, to name a few of the more recent examples. In the case of the LIBOR investigations, one large bank estimated that its internal systems retrieved 100 million documents and reviewed them using 1,000 different search terms, according to a March 2014 Financial Times article.³ Careful risk management is needed to address two related aspects of the parallel increase in data and litigation:

1. Banks have to manage the process carefully by which data and evidence required by litigants and regulators are retained and collected.
2. Banks have to review their stored data in relation to legal and business criticality retention requirements.

Whatever data, then, that do not need to be retained, should, as a general rule, not be kept and banks can save money and reduce risk accordingly. Most, however, have failed to dispose of unnecessary data accumulated over the last decade and have excess applications, servers, data, backups, storage, and tapes that no longer have any utility but that add cost and risk. Fines have been imposed by regulators on banks, which have proven unable to retain and dispose of its data within a well‐ordered governance and legal framework. A rather different case is that of Arthur Andersen and the alleged attempt that was made to delete email evidence. The deletion of old data can be legitimate, of course, if it is managed within a published archive and deletion schedule. Emails deleted within that context of a broader policy framework can be legitimately defended. Without such a framework, deletion of emails can appear suspicious and difficult to defend against.

When lawyers set out on the process of litigating a case only a few decades ago, before the advent of email, the process was very different. Identifying and collecting evidence was a matter of combing through physical documents. Today, while the volume of documents to review has gone up considerably, the process of mining documents for relevant information is far easier due to computer technology and keyword search techniques used to identify the relevant data and information, known as eDiscovery.

There are, however, still many obstacles to making the process efficient and fail‐safe. First, once a new case has been brought, there must be a process for ensuring that all related information and data are put on hold (i.e., not deleted). The process also requires that such individuals confirm receipt of the hold request and that they will comply with its requirements. For a large and complex company, this can be challenging because it is not always clear who is a party to an action—people leave and new people arrive, and computer hardware gets replaced, all of which make it hard to keep track. Second, relevant data must be identified and then retained until the case is closed, which again needs to be tracked and then acted upon at the appropriate time. That is far from straightforward, and, furthermore, for banks that have retained data that could have been deleted from a legal and business perspective, its continued retention can pose additional risk by making it subject to litigation where it need not have been.

What should banks be doing to address the costs and risks associated with storing its data? Banks need to build discipline around the information lifecycle and the process of deleting data that are no longer required from a legal and business standpoint. This is more complex than it sounds, since different types of documents are subject to different legal and regulatory retention requirements. Given this complexity, it behooves banks to ensure that they have access to an authoritative source of laws and regulations for each country they do business in and link their retention schedules to that legal and regulatory framework. Such a link should be clearly documented and traceable within a database that is internal to the bank. This process, known as defensible disposal, can help to ensure that banks can justify their data deletions to regulators, judges, litigants, and other interested parties. Second, banks should consider tools to support the eDiscovery process and its associated requirements—for example, by automating the process of notifying the custodians of the data that are subject to legal hold; automating the confirmations that they will abide by the request; and automating the process of identifying and retaining the data that are associating with the case. Furthermore, banks should put in place a central repository for storing all types of communication to enable the rapid retrieval of such communication pertaining to new cases and regulatory enquiries. The availability of increased computing power and modern elastic search capabilities makes this possible even for the largest universal banks with several hundred thousand employees and over 50 different communication channels.⁴

Deploying these various tools and techniques linked to information life cycle governance and eDiscovery will help reduce both storage costs and operational risk exposure. Like the adoption of any tools and processes that involve change, this is hard to do, but in the long run it should pay off.