The Legal Oversight Gap
Scott Ewart
Legal Departments represent a major investment on the part of organizations. Management and Boards are increasingly looking to understand the profile of, and the processes within, these departments in terms of their risk, performance, cost and return on that investment.
We have now firmly moved into an era of transparency and accountability, and Legal Department process reviews are becoming part of internal audit reviews. There is recognition that Legal Departments manage a significant amount of risk and cost and are extremely important to the continued success of the business. As a result, the operations of Legal Departments are going under the “spotlight”, and Boards, Audit and Risk Committees, CEOs, General Counsel, and Internal and External Auditors want both an independent assessment of the level of legal risk and an assurance that Legal Department processes are as efficient and cost effective as possible.
Traditionally, both Internal and External Auditors have, as part of an internal audit plan, simply reviewed external fee invoices and then tied them to enterprise payments. This type of review generally did not go beyond this narrow process audit, and it was perfectly acceptable for ensuring that the financial records of the enterprise properly reflected the payments made. However, the world has moved into the realm of rigorous transparency and accountability and, as a result, management and stakeholders are requiring greater assurance on both risk and process.
With the emergence of these greater governance, transparency and accountability obligations, Directors, CEOs and CFOs have moved from a world of “we have not heard from the Legal Department so all must be fine” into the world of “independent functional legal risk and process reviews”. This has occurred so they can understand the level of risk within, the financial return of, and the processes of the Legal Department. This need for greater understanding is taking the traditional scope of legal risk oversight within a program of Enterprise Risk Management (ERM) into specific legal process reviews.
The Risk Framework
While various regulatory bodies and self-governing organizations have provided their own definitions of risk oversight and of what is expected within an ERM program, it is safe to say that there is no generally accepted, comprehensive definition of what it means or what it comprises. All of these definitions focus on risk identification and mitigation, but they specifically do not delve into the underlying processes that may be the cause of the risk itself. However, starting from first principles, it is clear that specific process reviews are contemplated within the scope of these definitions.
At its most fundamental level, what is the enterprise harm you are trying to identify and manage when you commence a program of risk oversight? Is it simply risk? Or is it risk together with the process to manage that risk? The risk oversight process attempts to discover the effect of uncertainty, in its various forms, on the risks faced by the organization (ISO Guide 73, Risk Management). Uncertainty within an enterprise can manifest itself in a variety of different ways, and each way must be identified. Process within a functional department is an uncertainty that dramatically affects risk.
The following definition captures the essence of the risk oversight process:
Enterprise risk management is a process, effected by the entity's Board of Directors, management, and other personnel, applied in [a] strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within the risk appetite, [and] to provide reasonable assurance regarding the achievement of objectives. (COSO Enterprise Risk Management - Integrated Framework (2004))
Risk Appetite Obligations of the Board within ERM
After the Board receives the results of the risk oversight process, namely the identification of the uncertainty, the risk and its potential impact on the organization must be examined. At the same time, it can be determined whether the existing department processes increase or decrease the level of risk.
Once these elements are determined, the Board is then in a position to evaluate and define the risk appetite of the enterprise. While the risk appetite may vary from enterprise to enterprise, every Board should be certain that:
- the risk appetite implicit in the company's business model, strategy, and execution is appropriate;
- the expected risks are commensurate with the expected rewards;
- management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company's business model and strategy;
- the risk management system informs the Board of the major risks facing the company;
- an appropriate culture of risk-awareness exists throughout the organization; and
- there is recognition that management of risk is essential to the successful execution of the Company’s strategy. (NACD Blue Ribbon Commission: Risk Governance: Balancing Risk and Reward)
These principles should be applied within the context of any enterprise, whether it is within the public, private or corporate sector. Taking it a step further, the process should be institutionalized to:
- understand critical risks in the company's business and strategy;
- allocate responsibilities for risk oversight among the full Board and its committees;
- evaluate the company’s risk management processes and whether they are functioning adequately;
- facilitate open communication between management and Directors; and
- foster an appropriate culture of integrity and risk awareness. (The Board’s Role in Risk Management, Coca-Cola 2010 Proxy)
It is virtually impossible to “evaluate the company’s risk management processes and whether they are functioning adequately” without an independent review, as part of the internal and external audit process, of each functional department’s process.
Legal Department Risk and Process
Having set the theoretical basis for process reviews within an ERM program, it is time to turn our attention to the activities of the Legal Department.
Given the mandate of most Legal Departments, it is clear that significant risk is both created and managed by the Legal Department and its processes. These material risks and processes evolve over time and ultimately become institutionalized within the Legal Department. Boards, Audit and Risk Committees, CEOs, General Counsel and Internal and External Auditors are beginning to understand that this institutional legal process risk exists and that the processes to manage it must be as effective and efficient as possible.
Legal Departments and Internal and External Audit departments operate in a very similar way. They are both “non-operational” departments that are critical to the enterprise, and they both identify and manage significant amounts of business risk. Yet the Board and the Audit Committee have dealt with the oversight of the Internal and External Auditors in a very different way from the Legal Department. When you examine the degree of Auditor oversight against the degree of Legal Department oversight, it becomes clear that there is a considerable gap in the amount of oversight of the Legal Department. That gap is summarized below.
This gap exists because the Audit Committee is comprised of financially literate members, often former auditors, and has been set up specifically to oversee the financial affairs of the company. Other departments are overseen by the CEO and CFO. No such committee exists for the Legal Department.
Oversight
External and Internal Auditors are subject to oversight by the Audit Committee, whose members are often former auditors and understand both the financial position of the enterprise and the type of work that Internal and External Auditors do. They have often done the exact type of work the auditors have done. While there is often a reporting relationship from the Legal Department to the CEO, or possibly the Chief Financial Officer, often neither the CEO nor the CFO is a lawyer and, as a result, there is not the same quality or rigor of Legal Department oversight as exists between the Audit Committee and the Internal and External Auditors.
Review
Internal Auditors are subject to periodic three-year reviews of their processes and outputs. This periodic review gives the Board, Audit or Risk Committee, CEO and CFO confidence that the Internal Auditors are up to date and their processes are efficient. There is no requirement that Legal Departments go through any sort of periodic process review. As a result, Legal Departments are never reviewed, and there is never the assurance that Legal Department processes are up to date and that their activities are linked to the goals of the enterprise.
Fees
The Audit Committee will regularly review fees paid to External Auditors. In addition, it will review audit proposals from External Auditors to ensure the scope and cost of the work are aligned. During this process, the External Auditors are subject to material scrutiny related to the type of work they are proposing, and they are often subject to cost pressure to deliver more services at a lower cost. This is possible because members of the Audit Committee have often been External Auditors and fully understand the profit margins of the people proposing the work. Unless the CEO or CFO is a lawyer, there is no internal person or body with the technical expertise to provide independent oversight of the Legal Department as a whole.
While Internal and External Auditors have historically reviewed invoices to the Legal Department for the provision of services, this is a process check without a direct correlation between the amount paid and the value received. By contrast, the Audit Committee has the ability to provide, and does provide, oversight of the External Auditors to ensure that value for money exists.
RFP Process
External Auditors are subject to a formalized RFP process under the oversight of the Audit Committee. Often the enterprise does not have an independent, robust and objective RFP process for the purchase of legal services under the review of an independent oversight committee. A robust and independent RFP process is becoming more important as stakeholders demand greater transparency and accountability for large purchases of services. Some organizations deal with this requirement by handing the purchase of legal services to their purchasing department. Without such delegation, the absence of a robust RFP process creates a significant risk that the value equation is not quite right and the enterprise is overpaying for services.
Functional Business Plan
Often Legal Departments grow in response to specific needs of an enterprise, and the fix remains in place even after the need has disappeared. Growth simply occurs in the absence of a functional business plan linking the activities of the department to the goals of the enterprise. Within the audit environment, the linkage of the work of the Internal Auditors to the goals of the enterprise is achieved through the five-year and annual audit plans proposed by the Internal Auditors and approved by the Audit Committee. The absence of a Legal Functional Business Plan creates a significant risk that the work of the Legal Department is not linked to the major risks or goals of the enterprise, and that a significant amount of legal time is spent on matters that neither protect nor advance the interests of the enterprise.
Reviews of Legal Departments
As a result of the significant risks managed by the Legal Department and the virtual non-existence of Legal Department oversight, it is not sufficient simply to include the Legal Department within the risk analysis of an ERM program. It is imperative that legal processes be independently reviewed by Internal or External Auditors to ensure that those processes are capable and sufficient to manage the identified legal risk at a cost that is as efficient as possible. Once this process review is complete, a proper Legal Functional Business Plan can be created to ensure that the activities of the Legal Department are linked to the goals of the organization.
This process will give Boards, Audit and Risk Committees, General Counsel, and Internal and External Auditors the assurance they need, similar to that obtained for Internal and External Auditors, that the legal processes created to manage risk are efficient, actually mitigate risk, and are tightly linked to and will fulfill the goals of the enterprise.