Legal Practice Notes

This Practice Note examines alternative ways to resource work, including outsourcing, and links operational efficiency to law firm reward structures, for instance achieving cost control via fixed fees in commercial transactions, and stresses the need to promote value-add services to cultivate mutually beneficial, profitable partnerships with law firms. It does so in practice by pairing efficiency with remuneration structures too. What is innovation? ‘ Innovation’ is often over-used. The term comes from the Latin innovatus, the noun of innovare, meaning to renew or change. In delivering legal services within an in-house setting, four principal strands of innovative practice have appeared: incremental upgrades to service quality alternative resourcing approaches (eg Eversheds Agile, Axiom or Lawyers on Demand) adopting technology re-engineering processes Overcoming barriers to innovation A tougher economic backdrop is intensifying demands for efficiency and effectiveness. Consultancies and technology suppliers are keener than ever to help...

A risk management policy describes the risks a business faces and sets out the measures to prevent those risks from arising and to lessen their impact if they do occur. This Practice Note provides a guide to the features usually included in a risk management policy... What is risk? A widely recognised definition is: Risk = probability x impact. Therefore, for any risk confronting your business, there are two key questions to ask: how likely is it that the risk will materialise, that is, what is the probability? if the risk does materialise, how severe will it be, that is, what is the impact? Regulatory requirements General risk You are required to identify, monitor and manage every material risk to your business......

March 2026 Introduction Hong Kong stands as a leading international financial centre, regularly cited among the easiest places in the world for doing business. Its clear tax regime, established legal framework, solid financial markets, open flow of information, skilled workforce and the government’s enduring capitalist laissez-faire approach have encouraged thousands of multinational companies to set up a presence in the city. By the fourth quarter of 2025, Hong Kong demonstrated resilience, with real GDP for the quarter forecast to grow by 3.8% despite global economic headwinds. Today, the People’s Republic of China ( China) is the world’s second largest economy after the United States and remains one of the fastest-growing major economies. China is progressively shifting from “the world’s factory” towards a substantial consumer and financial market, supported by a more affluent population. Hong Kong’s geographic and cultural closeness to China, combined with its...

This Practice Note sets out the main digital advertising and marketing routes, such as website advertising (banners and tile ads), search engine optimisation ( SEO), social media advertising, email advertising, mobile advertising, streaming advertising, digital out-of-home ( DOOH) and virtual out-of-home ( VOOH), virtual and augmented reality advertising, affiliate marketing, and content and native advertising. It also flags the core regulatory and legislative frameworks, together with the outcomes of non-compliance. Digital, online and social media (together termed ‘digital’) cover a wide and continually expanding range of channels for delivering promotional materials. Each option carries particular benefits and drawbacks when it comes to managing legal risk. Digital technology can aid compliance by permitting closer control of campaigns than traditional media. However, this is a rapidly evolving field, with innovation frequently stretching the limits of current legislation. For fuller guidance on the topics...

This Practice Note explores how personal development benefits in-house lawyers. Gains include building business cases for higher pay, helping individuals to maximise their impact on the enterprise, securing the best possible delivery of legal advice to the business, and fostering ongoing individual growth and progression. Although many in-house lawyers regard legal advice as their chief contribution to the organisation, their colleagues in the business may not share that view. They are also appreciated for non-legal commercial skills and business savvy. A programme that concentrates on technical legal capability while overlooking these broader competencies appears skewed and misaligned with the full service in-house lawyers provide to their clients as a whole. Who is responsible for the development of in-house lawyers?......

Sanctions are designed to exert significant impact on the people, entities and regimes at which they are aimed. Consequently, there is an attendant danger that those designated will try to sidestep their effect. Grasping the risks of becoming entangled in sanctions evasion, and the warning signs and red flags to watch for, should be integral to your screening. You need not act as law enforcement, but, given the strict nature of your liability for any breach, you must stay vigilant. This Practice Note outlines risks and indicators of sanctions evasion, along with sound practices and steps to take if you are concerned. Risks of sanctions evasion Failing to notice an attempt to circumvent sanctions can put you yourself in breach, eg if you end up handling the funds of, or supplying services or other assistance to, an individual who is designated. It could also...

This Practice Note This Practice Note is aimed at in-house lawyers contemplating transferring certain legal work to external providers. It forms part of a broader suite of guidance and precedents created to support your outsourcing decision-making. It explains how to determine which legal services are appropriate for outsourcing. See also Practice Notes: Legal services outsourcing—in-house lawyers—information gathering Legal services outsourcing—in-house lawyers—outsourcing options Before selecting the services to outsource, you should already have assembled information about: what legal advice your organisation has previously relied upon what legal advice it is expected to require in the future, and the resources available within your legal team See Practice Note: Legal services outsourcing—in-house lawyers—information gathering. The next step is to evaluate which legal services you might consider outsourcing. This Practice Note is intended to prompt consideration of: key practical matters, including your aims in...

Cybercrime is a rapidly shifting, continually changing and unpredictable threat to every commercial organisation and it demands firm management. This Practice Note brings together examples of sound practice for generally lowering the likelihood of cybercrime and cyber security breaches. It is written for compliance practitioners rather than cybercrime specialists. It also excludes niche industries such as telecommunications. Responsibility Treat cyber risk, as with any other business hazard, as a top-tier priority for the in-house compliance or legal function and manage it accordingly. It sits within a wider information risk management and crime-prevention framework, and must not be parked with IT alone. A senior individual should assume overarching responsibility to run a risk assessment and, from that, craft and roll out your policies and procedures. They should receive training and have sufficient resources to keep those policies and procedures up to date. All personnel should know who holds this...

While adopting preventative measures clearly makes sense (see Practice Note: Cybercrime prevention), the possibility of cybercrime or a cyber attack can never be entirely eliminated. A robust approach to cybercrime and wider cyber security risks should pair strong technical and organisational defences with a clear plan for responding to, and mitigating, the impact of any attack that does occur. This Practice Note offers practical guidance on assembling the incident management strand of your Cybercrime prevention strategy and your incident management plan. It also outlines breach notification obligations under the General Data Protection Regulation ( UK GDPR), Assimilated Regulation ( EU) 2016/679, where a cybercrime incident amounts to a personal data breach. The Practice Note is aimed at compliance specialists within general commercial organisations and does not address sector-specific...

This Practice Note distils the principal insights from the National Cyber Security Centre ( NCSC) publication Cyber Threat Report: UK Legal Sector, and also draws on data in the Solicitors Regulation Authority ( SRA) Cyber security thematic review ( September 2020) together with the SRA’s Information security and cybercrime risk outlook. Headline facts and figures The cyber threat facing the UK legal sector is substantial, with reported incidents rising sharply over recent years. The financial and reputational fallout for law firms is likewise considerable. Costs can arise from: the incident itself remediation and recovery restoring damaged reputations The SRA’s thematic review noted that three quarters of the firms it visited stated they had been targeted by a cyber attack. Others reported that cyber criminals had directly approached their clients during live legal transactions. Although not every incident resulted in client financial loss, in 23 of the 30 matters where firms were...

What is cyber insurance? Cyber insurance has rapidly progressed from a narrow form of cover, originally focused on liabilities anticipated following the 2002 Californian Data Security Notification Law, to a sophisticated product delivering a blend of first- and third-party protections, chiefly intended to help insureds manage cyber attacks and to indemnify them for the losses that follow. There is no single, settled definition of cyber risk. For insurance purposes, it is typically viewed as the chance of harm, financial loss, or legal liability resulting from damage to, or unauthorised access to, information systems. Frequent sources of loss include accidental events (e.g. damage to equipment that hosts data or system misconfiguration) and deliberate attacks (e.g. ransomware, business email compromise, distributed denial-of-service attacks). Such events may give rise to a range of significant incident response and remediation costs and expenses; first-party loss;...

From 30 September 2017, the Criminal Finances Act 2017 ( CFA 2017) created a corporate offence for failing to stop the facilitation of tax evasion. Government guidance outlines what it expects from compliance arrangements. This Practice Note draws on the final form of the legislation and the accompanying guidance. That guidance should be interpreted and implemented proportionately, using a risk-based approach. In doing so, you should reflect the size, profile and complexity of your organisation. A small entity and a large multinational may reasonably apply the principles quite differently: measures that suit a low-risk small business could be wholly inadequate for a large enterprise in a high-risk sector. The Law Society has likewise issued CFA 2017 guidance for law firms, approved by the Chancellor on 21 November 2018. The Law Society states that the Chancellor regards its guidance as aligned with the...

The Criminal Finances Act 2017 ( CFA 2017) brought in a corporate offence for failing to prevent the facilitation of tax evasion, taking effect on 30 September 2017. The government has also published guidance outlining its expectations for compliance arrangements. This Practice Note is informed by the final legislation and the guidance. That guidance should be applied in a proportionate, risk-based manner, reflecting the size, nature and complexity of your organisation. A small entity and a large multinational may adopt the principles in very different ways: what is reasonable for a small business in a low-risk environment may be entirely unreasonable for a large enterprise operating in a high-risk context... The offences There are two possible offences, depending on whether the evaded tax is due in the UK or in another jurisdiction. Each offence involves three essential stages, all of which must be present for...

The Criminal Finances Act 2017 ( CFA 2017) The CFA 2017 created a corporate offence for failing to prevent the facilitation of tax evasion, taking effect on 30 September 2017. The government has published guidance detailing its expectations for compliance systems, and this Practice Note reflects both the legislation and that guidance. The guidance should be applied proportionately and on a risk-led basis, taking into account the size, nature and complexity of your organisation. Smaller organisations in low-risk sectors may reasonably adopt more modest measures. Large multinational businesses operating in high-risk areas may need far more robust controls. The government accepts that a proportionate, risk-based approach cannot deliver a zero-failure regime. Where you can show that reasonable prevention procedures are in place to identify and mitigate risks of facilitating tax evasion, prosecution is unlikely because you will be able to rely on a...

The Criminal Finances Act 2017 ( CFA 2017) created a corporate offence for failing to prevent the facilitation of tax evasion, effective from 30 September 2017. Government guidance sets out what it expects from compliance arrangements. This Practice Note draws on the final legislation and that guidance... That guidance should be applied proportionately and on a risk basis, taking into account the size, nature and complexity of your organisation. A small entity and a large multinational may adopt the principles in very different ways: what is reasonable for a low‑risk small business could be wholly unreasonable for a high‑risk large business... The Law Society has also issued Criminal Finances Act 2017 guidance for law firms, approved by the Chancellor on 21 November 2018. According to the Law Society, the Chancellor considers its guidance consistent with the Government guidance for the corporate offences of failing to...

A privacy risk register is a mechanism for bringing together, documenting, monitoring and administering all data protection, information security and privacy risk information in a single location. This Practice Note walks you through how to create such a register. See Precedent: Privacy risk register. The UK GDPR does not mandate keeping a privacy risk register, though guidance from the Information Commissioner’s Office ( ICO) indicates the regulator views it as good practice. To build one, you must first pinpoint data protection risks within your organisation. This involves reviewing: The personal data you hold How you handle and process it The purposes for processing With whom it is shared Internal data flows Any transfers of personal data outside the UK Measures to keep personal data accurate and current Retention periods and destruction...

Managing risk is never a single task; it is a continual process, as illustrated: This Practice Note sets out how to assess and clearly record risks in practice using a risk register, a tool that gathers all of your risk information in one place by carefully classifying each risk the organisation faces, scoring each entry and then choosing your response to each identified risk accordingly, eg reject or accept and, if the latter, how to control or mitigate the risk—see Precedent: Risk register. What is risk? There is a widely recognised definition of risk, ie: Risk = probability x impact. So, for any given risk faced by your business, two questions arise: how likely is it that the risk will occur, ie what is the probability? if it does occur, how serious will it be, ie what is the impact? A risk register is a means of...

This Practice Note sets out the essentials of counter-terrorist financing ( CTF), covering the offences and duties under the Terrorism Act 2000 ( TA 2000) and related legislation. It outlines the key offences and obligations. It summarises the meaning of terrorist financing, its links with the anti-money laundering ( AML) framework, and why it matters for law firms... What is terrorist financing? Terrorist activity requires money to organise and execute attacks. TA 2000 makes it an offence to engage in terrorism and to finance it. Broadly, terrorist financing means supplying or gathering funds—whether derived from lawful or unlawful sources—with the intention, or with knowledge, that they are to be used to commit any terrorist act, irrespective of whether the money is ultimately applied for that end... Counter-terrorist financing and anti-money laundering CTF and AML are distinct, though they pursue comparable objectives. In the UK, the two regimes...

This Practice Note summarises key UK legislative, regulatory and voluntary best practice resources on corporate social responsibility ( CSR), environmental, social and governance ( ESG), human rights reporting and related company initiatives. It also highlights core EU regimes that require sustainability and ESG disclosures. ESG and sustainability collection We have curated an ESG and sustainability collection to assist practitioners advising organisations on ESG and sustainability, bringing together content from several Lexis+® UK Practice Areas (subscription required). For more details, see: ESG and sustainability collection. Board briefing notes We have additionally prepared briefing notes for the board of a quoted company and for the board of an unquoted company (including an AIM company), summarising the key environmental reporting duties applicable to the business: Board briefing note—environmental reporting—quoted companies Board briefing note—environmental reporting—unquoted companies Defining CSR and ESG Corporate social responsibility ( CSR)—also called corporate...

contract management ‘ Contract management’ carries one meaning for your organisation and a subtly different one for you as an in-house lawyer. To do your job, you must grasp both senses and how they interact within the business. For the organisation, it describes procuring goods or services: scoping requirements, selecting an appropriate supplier, moving into the nuts and bolts of commercial negotiation and, ultimately, formalising the deal in documents. In some organisations, the lengthy drafting and agreement of those papers becomes an afterthought, readily handed off to the lawyer. When signatures are on the page, the real work of overseeing the contract begins, including assuring performance and compliance. These activities are often deprioritised until something goes awry and the legal team is asked to intervene. As an in-house lawyer, you will be involved, to a greater or lesser degree, at every stage of this...