

Emerging Risk Oversight and Legal Risk
Scott Ewart
Emerging risk oversight requirements are driving Audit Committees, CEOs, Internal and Independent Auditors to focus on new and different areas of risk within organizations. This includes reviews of Legal Departments and the underlying risk that they represent. A combination of factors is driving these risk reviews, including the definitions of risk oversight and the obligations stated by various oversight bodies.
Definition of Risk Management
While there is no generally accepted definition of risk oversight, the simplest definition can be found in ISO Guide 73 Risk Management, namely “the effect of uncertainty on risk”. COSO Enterprise Risk Management – Integrated Framework (2004) further developed this definition to state:
“Enterprise risk management is a process, effected by the entity’s Board of Directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.”
Essentially, when these definitions are distilled, one can conclude that the obligation of the Board is to oversee enterprise risk management within the organization and to define the “risk appetite” for the enterprise.
Obligations of the Board
The NACD Blue Ribbon Commission report on “Risk Governance: Balancing Risk and Reward” noted that while risk oversight objectives may vary from company to company, every Board should be certain that:
• the risk appetite implicit in the company’s business model, strategy, and execution is appropriate;
• the expected risks are commensurate with the expected rewards;
• management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company’s business model and strategy;
• the risk management system informs the Board of the major risks facing the company;
• an appropriate culture of risk-awareness exists throughout the organization; and
• there is recognition that management of risk is essential to the successful execution of the company’s strategy.
All Boards, and consequently Audit Committees and CEOs, should require the:
• development and periodic review of the Company’s risk profile;
• integration of risk oversight and management into the Company’s strategic plan;
• identification of significant elements of risk management, including policies and procedures to manage risk; and
• assessment of the effectiveness of risk management policies and procedures, where applicable.
Expanded Scope of Review
As a result of these definitions and expanded risk review obligations, Audit Committees, CEOs, internal and independent auditors are expanding their risk and process reviews into areas that have not traditionally been reviewed. Often, areas within an organization have not been reviewed because of the complex nature of what they do. One such area is the Legal Department.
Traditional audits or reviews of Legal Departments simply focused on ensuring legal invoices were properly documented, but now reviews are being initiated to ensure:
• the retention of external counsel is both defensible and competitive;
• a major area of organizational risk is independently reviewed; and
• there are proper controls surrounding legal budgets.
A properly resourced independent co-sourced legal review can help the Internal Auditor identify for Management and the Audit Committee the legal risk issues and provide recommendations related to:
• legal budgets, large legal expenditures, external legal fees and processes for purchase;
• the right structure of the legal department for the organization;
• the right size of the Legal Department for the organization;
• the process for hiring external counsel and ensuring it is defensible and competitive;
• the right legal controls; and
• process improvements to improve efficiency and controls.
Increasingly, internal and external auditors are putting forth audit plans in anticipation of a request from the Audit Committee or the CEO to review previously unreviewed areas, including Legal Departments.