Leadership
Hogan Lovells senior management and governance structure comprises the International Management Committee and the Board.
International Management Committee
The International Management Committee (IMC) is the body that is responsible for setting and implementing the strategic direction and business operations of the firm. The IMC comprises the CEO, the Deputy CEO, and the heads of Hogan Lovells' practice groups and regions, plus clients and markets. The CEO has primary responsibility, subject to the supervisory role of the Board.
Our Board
The Board has overall supervisory responsibility. It oversees and makes recommendations with respect to the management and affairs of both LLPs. It has ultimate responsibility for recommendations on partner-related issues (while executive responsibility for strategy, management, and operating decisions lies with the CEO and the IMC). The global Board of Hogan Lovells comprises twelve members – the Chair, the CEO, and ten members elected by the partners of Hogan Lovells.
Governance of our sustainability impacts and material topics
Governance of our sustainability impacts and material topics is embedded into our strategic priorities and business operations. This is overseen by our International Management Committee (IMC) and Board, which comprises senior partners with deep legal and business expertise. The IMC and Board are supported by senior Business Team members who are responsible for the day-to-day delivery of our strategic priorities. Briefings and presentations to leadership are given by those with the relevant expertise on our sustainability impacts and material topics.
We accept that we impact the economy, the environment, and society through our operations and the services we provide clients. In 2025-2026, we aim to update our double materiality assessment (in line with the requirements of the EU Corporate Sustainability Reporting Directive) to better understand our impacts, risks, and opportunities across our value chain and to integrate those findings into our management approach.
Business conduct
Conflicts of interest
A conflict of interest is broadly defined as any situation where an individual's personal, professional, or business interests, or those of their family, could, or could appear to, influence their business judgment, decisions, or actions at the firm. Our Global Conflict of Interest Policy mandates that all of our people must disclose any actual or potential conflicts of interest to their Office Managing Partner or the General Counsels’ Office. Upon disclosure, the firm will determine whether an actual or potential conflict of interest exists and implement measures to mitigate or manage it as necessary. Failure to comply with this policy can result in disciplinary action up to and including termination of employment.
Grievance mechanisms and remedy
Our Global Whistleblowing and Hotline Policy provides a way for our people to raise concerns in a manner that protects them from the fear of reprisals or victimization, and which is fair to all those involved. It is intended to cover serious concerns that could have an impact on the firm, our people, or our clients. This includes actions that are dishonest or unlawful, may lead to incorrect financial reporting, are in violation of the Rules of Professional Conduct, are contrary to firm policy, or otherwise amount to improper conduct. We have a standard reporting policy which enables a full discussion of the circumstances with the person making a report; however, reports can also be made on an anonymous basis using our Whistleblowing Hotline.
Human rights
We have a Global Human Rights Policy, which confirms that we respect and support international human rights, including the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights. We monitor its implementation and report to our International Management Committee on issues related to human rights in our business and supply chain in order to continuously assess and improve our human rights due diligence procedures and integrate the findings into our operational procedures. In addition to being a Participant of the UN Global Compact, we have endorsed the UN Guiding Principles on Business and Human Rights. We implement our respect for human rights through our management policies and processes and by providing education and training for our people.
Modern slavery
We have a dedicated core group addressing risks in the area of modern slavery and ensuring that appropriate measures are applied to assess, manage, and minimize risk. This group comprises representatives from compliance, procurement, and our Business and Human Rights practice. As a regulated provider of legal services and employer of predominantly professionally qualified and highly skilled people, the risk of modern slavery within our business is considered low. We apply robust policies and procedures concerning employment screening and employment conditions. We have implemented internal procedures, including a global Supplier Code of Conduct, standard contract review guidelines, and a Contract Authorization and Signature Policy.
Suppliers categorized as presenting significant risk of modern slavery are subject to additional due diligence and risk assessment. Where our standards are not met, suppliers are expected to take and evidence remedial steps to ensure their activities in our supply chain are free from modern slavery, considering what approach will result in the safest outcome for potential victims and enhance supplier behavior.
Anti-corruption
Our Global Anti-Bribery and Anti-Corruption Policy supports our commitment to the prevention of bribery and corruption and to the promotion of an anti-bribery and anti-corruption culture. The policy sets out expectations and requirements relating to the prevention, detection, and reporting of bribery and other forms of corruption and covers gifts and hospitality, facilitation payments, political contributions, and charitable contributions. We require all our people to comply with all laws, rules, and regulations relating to anti-bribery and anti-corruption in all the jurisdictions in which we operate. We have an anonymous reporting procedure as part of our Global Whistleblowing and Hotline Policy.
Anti-competition
We are committed to adhering to all relevant competition and antitrust laws and regulations and have zero risk appetite or tolerance for anti-competitive behaviors. Our internal policies and procedures reflect this, and the firm has always implemented rigorous internal controls and mitigating measures aimed at minimizing the risk of non-compliance. However, given the complexity of antitrust compliance, it is recognized that there is an inherent risk, and to supplement our existing policies, controls, and procedures, we are now formalizing an Anti-Competitive Risk Assessment to better understand the exposure and ensure our policies and internal controls continue to be effective.
Risk management
We face a range of internal and external factors in relation to the firm's operational risk management that make it uncertain whether our stated objectives will be achieved. The effect this uncertainty has on the firm's operational objectives is "risk". While risk is commonly regarded as negative, risk management is as much about capitalizing on opportunities as preventing problems. Formal responsibility for risk and its management is an integral component of the wider governance and management structures.
We are committed to proactively and effectively managing our risk profile, and our approach goes further than simply complying with risk-related regulatory requirements. The integration of risk management into our culture and wider working practices helps enhance business opportunities, reduce threats, maintain regulatory compliance and professional standards, and provides clients with assurances around the way in which legal services are delivered.
Wherever practicable, the firm's risk management activities align with the principles outlined in best practice standards and guidance, such as ISO 31000 Risk Management – Principles and Guidelines.
To effectively manage our risk profile we:
- Utilize an effective and integrated risk management process while maintaining business flexibility.
- Identify and assess material risks associated with our Practice and business.
- Proactively monitor, manage, and mitigate risks.
- Foster a risk-aware culture in all decision-making at all levels of the firm.
Data privacy
Strong data protection practices are a strategic advantage, and we are dedicated to ensuring that policies, processes, procedures, and technologies are aligned with professional obligations and an evolving regulatory landscape. Our team of certified privacy professionals has significant experience untangling some of the most complex data protection issues, working across business teams, practice groups, industry sectors, and jurisdictions. We are committed to implementing leading data practices and are continually improving the firm's security and privacy posture.
Information security
Information security strategy
Our information security strategy focuses on safeguarding the confidentiality, integrity, and availability of clients’ and Hogan Lovells’ business information. We are committed to continuously improving our security controls and promoting a proactive culture to monitor and respond to emerging threats.
We have a mature information security management system (ISMS) which is certified to ISO 27001 and is approved by management. The ISMS encompasses a comprehensive set of policies and procedures that are annually maintained, covering various aspects of information security, such as access control, cryptography, physical and environmental security, operations security, communications security, and more. Additionally, our comprehensive risk management program ensures that we manage the appropriate risk level for the firm and includes the proactive testing of our defenses and evaluation of our vendors. Information Security is also responsible for maintaining IT and Information Security policies, driving security certification and compliance initiatives, and managing client security audits.
Our information security function is staffed with experts in information security, data protection, and privacy. Governance of our program is performed at the highest levels, with a governance body made up of our General Counsel, partners, and other senior leadership of our firm. This governance body manages risk decisions related to protecting client data and oversees the program that develops and implements the policies, procedures, and technologies used to mitigate risk.
We believe that robust information security integrates people, processes, and technology into an inclusive security program. We are constantly working to evolve our capabilities and have appropriate investment plans in place to ensure the continuous development and enhancement of information security processes and practices.
To maintain compliance with the ISMS and ISO 27001 certification, audits are conducted according to the Hogan Lovells Assessment Schedule. This schedule includes both internal and external audits, agreed upon annually, covering policies, procedures, and systems. The firm relies on numerous external assessments and audits throughout the year, including those related to ISO 27001 certification and annual penetration testing, to evaluate and ensure the robustness of the information security control environment.
Furthermore, cybersecurity vulnerabilities and risk analysis forms part of the firm's vulnerability and risk management policies and standards. This process involves identifying known and potential threats, assessing their impact on the firm, and implementing relevant controls to mitigate risks. Information is gathered from various sources, including vulnerability management, internal/external threat alerts, risk assessments, and internal audits. These risks are analyzed, and additional controls are implemented as needed.
Vendor and third party due diligence for information technology
We select and engage industry-leading suppliers for our business services through a rigorous RFP process. This selection is conducted in accordance with our Third Party Vendor Management Program, which includes a governing policy and guiding standard. The program mandates security-related procurement, risk assessment, onboarding, management (including recurring assessments), and offboarding requirements for selected vendors.
We maintain a comprehensive record of vendors, their current risk posture, and their status with the firm. We work collaboratively with vendors to address any compliance gaps, as per our policy. Security reviews include evaluating available data such as ISO certifications and Service Organization Control reports.
Additionally, vendor contracts are reviewed to ensure they contain appropriate data privacy and security provisions, service level agreements, and confidentiality agreements. All third parties providing business support services to the firm are bound by our confidentiality obligations.
Global Information Risk Committee
The Global Information Risk Committee (GIRC) comprises key Hogan Lovells stakeholders who are charged with the protection of information assets and all technical, physical, or virtual environments related to their delivery or storage.
The GIRC oversees all major initiatives related to the firm's management of information asset-related risk. Oversight includes: (i) risk acceptance decisions, prioritization, and resolution of risk issues; (ii) ongoing review of information risks and related security policies; (iii) formulating the decisions necessary to address any and all concerns related to the firm's critical information asset-related risks. The GIRC also makes decisions related to the application of policies, procedures, and technologies in the mitigation of identified risks or the acceptance of risks that cannot be reasonably mitigated. The Chief Operating Officer and Deputy Chief Executive Officer serve as co-chairs for the GIRC, and the Chief Information Security Officer serves as the Secretary.
Privacy education and awareness training
We have a comprehensive information security and privacy education and awareness program. Our people and contractors are required to accept firm policies and complete a data privacy and information security training and awareness course upon joining the firm and annually thereafter. This training includes aspects of physical security, social media, privacy, phishing, data protection, and more. Additionally, our people receive regular communications on evolving threats and are required to comply with the firm's security and data protection policies and procedures.
