Governance and Legal Risk Management – lessons from organisation failures

Effective internal management structures, decision-making processes, and risk information flow (particularly up into and between the legal function, Audit & Risk Committee, Exec and the Board) are essential components for managing legal risk and taking informed and effective decisions.

From a Legal Risk Management perspective, recent events and scandals are driving renewed focus on ensuring that operational or strategic decisions are made with proper consideration of ‘legal’ risk.

ESG and Legal Risk Management share a substantial amount of common DNA. This is true in relation to leadership, board governance, effective organisational communication, securing cooperation and appropriate levels of skills and competence through the organisation. Monitoring, audit and review systems and practices are a further commonality. Embedding long-lasting change through organisational culture is critical to the longer-term effectiveness of both.

This overlap is well showcased in OFWAT’s report into Thames Water’s wastewater treatment work breaches, recently resulting in a fine of over £100M for the company. But the fields of ESG and Legal Risk Management are also brought sharply into focus by other recent high-profile organisational failures.

We now see a range of incoming regulatory measures bringing legal risk aspects up to the top of organisational agendas. For example:

  • Organisations will likely now be preparing themselves for the full implementation of Provision 29 of the UK Corporate Governance Code, creating Board-level accountability for risk management via a mandatory ‘declaration of effectiveness’ in the Annual Report.
  • Recent changes include revised SRA in-house guidance, including on the Code of Conduct (“the fundamental tenets of ethical behaviour that we expect all those that we regulate to uphold”), and the new Law Society ‘in-house ethics framework’.
  • In many organisations, ESG and Legal Risk Management have also found a common home. The role of Head of Legal and/or General Counsel is evolving. As the SRA recently stated, in a Note intended to assist senior management to understand the in-house lawyer’s role: “[Your in-house team] play a valuable role providing critical checks and balances to help your organisation behave legally, fairly and ethically, identify and manage risks and make sound decisions”. Many senior in-house legal professionals are now being asked to take an accountable role in compliance, ethics, risk, and ESG, to name but a few.

The overlap between Legal Risk Management and ESG could potentially be advantageous. Some organisations have well-developed ESG initiatives and are now looking to strengthen their Legal Risk Management practices. Others have strength in risk management and are looking to grow or embed ESG values. Consider therefore whether your organisation’s maturity and internal learnings from effective implementation of frameworks, policies and practices in one of these two areas might now be used to supercharge or at least cross-pollinate developing maturity in the other.

OFWAT’s report into Thames Water’s wastewater treatment work breaches

OFWAT’s report considers the role of a number of factors common to both ESG and Legal Risk Management.

  • Cultural and ‘speak up’ problems: A significant proportion of staff were not comfortable in raising environmental compliance concerns with management, and there was evidence of known instances where risks had not therefore been escalated to senior management.
  • Leadership approach to compliance risk: OFWAT suggested there was evidence that other risks (more directly affecting profitability) were prioritised.
  • Governance / Accountability problems: Governance arrangements for environmental permitting were “unevenly spread”. Governance was “not effective in setting direction or monitoring performance”. There was an absence of Senior Leadership Team oversight on Environmental Inspection performance as well as into the complex regulatory landscape.
  • Lack of ‘right’ data to make effective risk-based decisions: For a substantial period, TW had relied on sub-optimal data points (generated by ‘FE/TDV monitors’ rather than EDM monitors) to inform risk-based decisions. This was not optimal data on which to base these decisions. “[M]onitoring of performance was mainly aligned to EPA requirements and processes that existed under the previous consent regime that focus on the quality of wastewater treatment rather than flow management.”
  • ‘Wrong’ data to Exec / Board: Data escalated to Board was focussed on a narrow set of metrics. The relevant metrics for flagging the extent of FFT failures (relevant to environmental permit breach) were not escalated. “until recently, the information being reported to Thames Water’s Board continued to be heavily focused on metrics which impacted on the company’s EPA rating, or which were linked to its price review PCs, rather than on the full range of environmental legal obligations.”
  • Three Lines of Defence: Failure to act on a succession of TW-commissioned audit reports which brought many of these issues to the Board’s attention (in addition to other issues).
  • Lack of Training at lower management and operational site level: Immature awareness of legal requirements and permit compliance obligations, reducing confidence that important issues would be identified as needing action and escalation.
  • Misdiagnosis / oversimplification of areas of weakness: In part, TW maintained that its processes and procedures over the relevant period were adequate and that it was substantively only the (self-admitted) flaws in data gathering that were the main cause of the failure to take action. OFWAT’s findings suggest the data issue was only one part of the picture, as shown above.

If you would like to know more about ESG and Legal Risk Management, please contact a member of our team. This article was written by Brian Wong and Lloyd Nail, who specialise in Legal Risk analysis, in particular in a dispute resolution context.
