
The Legal Landscape is Changing

Emerging Risk Oversight and Legal Risk

Scott Ewart


Emerging risk oversight requirements are driving Audit Committees, CEOs, and Internal and Independent Auditors to focus on new and different areas of risk within organizations. This includes reviews of Legal Departments and the underlying risk that they represent. A combination of factors is driving these risk reviews, including the definitions of risk oversight and the obligations stated by various oversight bodies.

Definition of Risk Management


While there is no generally accepted definition of risk oversight, the simplest definition can be found in ISO Guide 73, Risk Management, namely “the effect of uncertainty on risk”. The COSO Enterprise Risk Management – Integrated Framework (2004) further developed this definition to state:

“Enterprise risk management is a process, effected by the entity’s Board of Directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.”


Essentially, when these definitions are distilled, one can conclude that the obligation of the Board is to oversee enterprise risk management within the organization and to define the “risk appetite” for the enterprise.

Obligations of the Board


The NACD Blue Ribbon Commission report “Risk Governance: Balancing Risk and Reward” noted that, while risk oversight objectives may vary from company to company, every Board should be certain that:

• the risk appetite implicit in the company’s business model, strategy, and execution is appropriate;

• the expected risks are commensurate with the expected rewards;

• management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company’s business model and strategy;

• the risk management system informs the Board of the major risks facing the company;

• an appropriate culture of risk-awareness exists throughout the organization; and

• there is recognition that management of risk is essential to the successful execution of the company’s strategy.

All Boards, and consequently Audit Committees and CEOs, should require the:

• development and periodic review of the Company’s risk profile;

• integration of risk oversight and management into the Company’s strategic plan;

• identification of significant elements of risk management, including policies and procedures to manage risk; and

• assessment of the effectiveness of risk management policies and procedures, where applicable.

Expanded Scope of Review


As a result of these definitions and expanded risk review obligations, Audit Committees, CEOs, and internal and independent auditors are expanding their risk and process reviews into areas that have not traditionally been reviewed. Often, areas within an organization have not been reviewed because of the complex nature of what they do. One such area is the Legal Department.

Traditional audits or reviews of Legal Departments simply focused on ensuring that legal invoices were properly documented, but reviews are now being initiated to ensure:

• The retention of external counsel is both defensible and competitive;

• A major area of organization risk is independently reviewed; and

• There are proper controls surrounding legal budgets.


A properly resourced, independent, co-sourced legal review can help the Internal Auditor identify for Management and the Audit Committee the legal risk issues and provide recommendations related to:

• legal budgets, large legal expenditures, external legal fees and processes for purchase;

• the right structure of the legal department for the organization;

• the right size of the Legal Department for the organization;

• the process for hiring external counsel and ensuring it is defensible and competitive;

• the right legal controls; and

• process improvements to improve efficiency and controls.


Increasingly, internal and external auditors are putting forward audit plans in anticipation of a request from the Audit Committee or the CEO to review previously unreviewed areas, including Legal Departments.

Improving Year-end Legal Department Performance Reviews

Scott Ewart

Legal Departments are always managed by General Counsel, who are very talented lawyers. Their careers have been focused on the law itself; traditionally they have not had general management experience or training, and they often learn management skills on the job. They can overlook the benefit of putting a Functional Business Plan in place and, as a result, the Legal Department is not managed in the most effective and productive way.

One of the early skills learned by all general managers is the benefit of an operational plan, which defines the targets for a department consistent with the goals of the organization. Such plans also provide tactics to meet both the mid-year and year-end goals. General Counsel often do not create these plans and, as a result, at year-end review time have difficulty demonstrating to the CEO the value that both the General Counsel and the Legal Department have generated for the organization during the past year.

The answer to this problem is the creation of a Legal Functional Business Plan with an appropriate scorecard measuring progress against a set of pre-determined objectives agreed with the CEO. Without the rigour of this process, a CEO might be hard pressed to see what the Legal Department has delivered, particularly when he is evaluating the performance of other departments.

Legal Functional Business Plans provide a framework that links the Legal Department to the objectives of the organization. In addition, such a Plan can provide other benefits for the management of the corporate Legal Department, namely:

1. more cohesive working relationships between the Legal Department and the organization;

2. all lawyer activities linked to, and delivering, the business objectives;

3. defined lawyer accountabilities with improved year-end performance reviews; and

4. reduced organization risk through active management of litigation and major contracts.

A Legal Functional Business Plan linked to the goals of the organization will help the General Counsel demonstrate to the CEO at review time the value the Legal Department has generated over the prior year.

Improving the Legal Cost Efficiency of an Organization

Scott Ewart

Traditional reviews of legal departments and/or legal processes simply focused on ensuring that legal invoices were properly documented. This is a typical control function, but it does not focus on the true issues of budget size and organizational risk.

The scope of review should be expanded to include both legal departments and legal processes because Legal:

  • Dramatically affects the legal risk profile of an Organization;

  • Controls large budgets for internal and external legal costs;

  • Often works with no defined Mission, Strategy, Tactics or Accountabilities;

  • Has processes that are not historically reviewed by Audit Committees or Internal Audit; and

  • Is usually on the back foot defending budgets, and it is virtually impossible for the person acquiring legal services to perform self-surgery or be self-critical.

It is generally accepted that risk assurance is now assuming a much greater prominence with Boards of Directors. Audit Committees are now asking for highly reliable business and controls assurance across the business. As a result, Internal Audit is beginning to review high-risk, big-ticket, strategic areas. Given the size of legal budgets and the amount of risk Legal manages, legal process can be considered a “high-risk, big-ticket strategic area”. Audit Committees and Internal Audit are uniquely positioned to provide an objective appraisal of this area of cost and risk.

As a result:

  • Audit Committees should focus on legal departments and/or process to ensure:

    • The retention of external counsel is both defensible and competitive

    • A major area of Organization risk is independently reviewed

    • There are proper controls surrounding significant legal budgets

    • A Legal Department is the right size for the Organization

  • Internal Audit Departments should focus on Legal Departments and/or process to:

    • Focus on major areas of the Organization’s expenditure: external legal fees

    • Drive internal and external legal costs down and improve Legal Cost Efficiency

    • Ensure the process for the retention of external counsel is defensible and competitive

    • Ensure the proper legal cost controls are in place

    • Assist in creating a legal functional business plan linked to Organization’s goals to improve efficiency

The Legal Oversight Gap

Scott Ewart

Legal Departments represent a major investment on the part of organizations.  Management and Boards are increasingly looking to understand the profile of and processes within these departments in terms of their risk, performance, cost and return on that investment.


We have now firmly moved into an era of transparency and accountability, and Legal Department process reviews are now becoming part of internal audit reviews. There is recognition that Legal Departments manage a significant amount of risk and cost and are extremely important to the continued success of the business. As a result, the operations of Legal Departments are going under the “spotlight”, and Boards, Audit and Risk Committees, CEOs, General Counsel, and Internal and External Auditors want both an independent assessment of the level of legal risk and an assurance that Legal Department processes are as efficient and cost effective as possible.

Traditionally, both Internal and External Auditors have, as part of an internal audit plan, simply reviewed external fee invoices and tied them to enterprise payments. This type of review generally did not go beyond this narrow process audit, and it was perfectly acceptable for ensuring that the financial records of the enterprise properly reflected the payments made. However, the world has moved into the realm of rigorous transparency and accountability and, as a result, management and stakeholders are requiring greater assurance on both risk and process.

With the emergence of these greater governance, transparency and accountability obligations, Directors, CEOs and CFOs have moved from a world of “we have not heard from the Legal Department so all must be fine” into the world of “independent functional legal risk and process reviews”. This has occurred so that they can understand the level of risk within, the financial return of, and the processes of the Legal Department. This need for greater understanding is taking the traditional scope of legal risk oversight within a program of Enterprise Risk Management (ERM) into specific legal process reviews.

The Risk Framework

While various regulatory bodies and self-governing organizations have provided their own definitions of risk oversight and of what is expected within an ERM program, it is safe to say that there is no generally accepted, comprehensive definition of what it means or what it comprises. All of these definitions focus on risk identification and mitigation, but they specifically do not delve into the underlying processes that may be the cause of the risk itself. However, starting from first principles, it is clear that specific process reviews are contemplated within the scope of these definitions.

At its most fundamental level, what is the enterprise harm you are trying to identify and manage when you commence a program of risk oversight? Is it simply risk? Or is it risk and the process to manage that risk? The risk oversight process is attempting to discover the effect of uncertainty, in its various forms, on the risks faced by the organization (ISO Guide 73, Risk Management). Uncertainty within an enterprise can manifest itself in a variety of different ways, and each way must be identified. Process within a functional department is an uncertainty that dramatically affects risk.

The following definition captures the essence of the risk oversight process:


Enterprise risk management is a process, effected by the entity's Board of Directors, management, and other personnel, applied in [a] strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within the risk appetite, [and] to provide reasonable assurance regarding the achievement of objectives. (COSO Enterprise Risk Management – Integrated Framework (2004))

Risk Appetite Obligations of the Board within ERM


After the Board receives the results of the risk oversight process, namely the identification of the uncertainty, the risk and its potential impact on the organization must be examined. At the same time, one can determine whether the existing department processes either increase or decrease the level of risk.

Once these elements are determined, the Board is in a position to evaluate and then define the risk appetite of the enterprise. While the risk appetite may vary from enterprise to enterprise, every Board should be certain that:

  1. the risk appetite implicit in the company's business model, strategy, and execution is appropriate;

  2. the expected risks are commensurate with the expected rewards;

  3. management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company's business model and strategy;

  4. the risk management system informs the Board of the major risks facing the company;

  5. an appropriate culture of risk-awareness exists throughout the organization; and

  6. there is recognition that management of risk is essential to the successful execution of the Company’s strategy. (NACD Blue Ribbon Commission: Risk Governance: Balancing Risk and Reward)

These principles should be applied within the context of any enterprise, whether it is within the public, private or corporate sector. Taking it a step further, the process should be institutionalized to:

  1. understand critical risks in the company's business and strategy;

  2. allocate responsibilities for risk oversight among the full Board and its committees;

  3. evaluate the company’s risk management processes and whether they are functioning adequately;

  4. facilitate open communication between management and Directors; and

  5. foster an appropriate culture of integrity and risk awareness. (The Board’s Role in Risk Management, Coca-Cola 2010 Proxy)

It is virtually impossible to “evaluate the company’s risk management processes and whether they are functioning adequately” without an independent review, as part of the internal and external audit process, of each functional department’s process. 


Legal Department Risk and Process


Having set the theoretical basis for process reviews within an ERM process, it is time to turn our attention to the activities of the Legal Department.

Given the mandate of most Legal Departments, it is clear that significant risk is both created by and managed by the Legal Department and its processes. These material risks and processes evolve over time and ultimately become institutionalized within the Legal Department. Boards, Audit and Risk Committees, CEOs, General Counsel and Internal and External Auditors are beginning to understand that this institutional legal process risk exists and that the processes to manage it must be as effective and efficient as possible.

Legal Departments and Internal and External Audit departments operate in a very similar way. They are both “non-operational” departments that are critical to the enterprise, and they both identify and manage significant amounts of business risk. Yet the Board and the Audit Committee have dealt with the oversight of the Internal and External Auditors in a very different way from the Legal Department. When you compare the degree of Auditor oversight with the degree of Legal Department oversight, it becomes clear that there is a considerable gap in the oversight of the Legal Department. That gap is summarized below.

This gap exists because the Audit Committee is comprised of financially literate members, often former auditors, and has been set up specifically to oversee the financial affairs of the company. Other departments are overseen by the CEO and CFO. No such committee exists for the Legal Department.

Oversight


External and Internal Auditors are subject to oversight by the Audit Committee, whose members are often former auditors and who understand both the financial position of the enterprise and the type of work that Internal and External Auditors do. They have often done the exact type of work the auditors have done. While there is often a reporting relationship from the Legal Department to the CEO, or possibly the Chief Financial Officer, often neither the CEO nor the CFO is a lawyer and, as a result, there is not the same quality or rigour of Legal Department oversight as exists between the Audit Committee and the Internal and External Auditors.

Review


Internal Auditors are subject to periodic 3-year reviews of their processes and outputs. This periodic review gives the Board, Audit or Risk Committee, CEO and CFO confidence that the Internal Auditors are up to date and that their processes are efficient. There is no requirement that Legal Departments go through any sort of periodic process review. As a result, Legal Departments are never reviewed, and there is never the assurance that Legal Department processes are up to date and that their activities are linked to the goals of the enterprise.

Fees


The Audit Committee will regularly review fees paid to External Auditors. In addition, they will review audit proposals from External Auditors to ensure that the scope and cost of the work are aligned. During this process, the External Auditors are subject to material scrutiny related to the type of work they are proposing, and they are often subject to cost pressure to deliver more services at a lower cost. This is possible because members of the Audit Committee have often been External Auditors and fully understand the profit margins of the people proposing the work. In the absence of a CEO or a CFO who is a lawyer, there is no internal person or body with the technical expertise to provide independent oversight of the Legal Department as a whole.

While Internal and External Auditors have historically reviewed invoices to the Legal Department for the provision of services, this is a process check without a direct correlation between the amount paid and the value received. The Audit Committee, by contrast, certainly has the ability to provide, and does provide, oversight of the External Auditors to ensure that value for money exists.

RFP Process


External Auditors are subject to a formalized RFP process under the oversight of the Audit Committee. Often the enterprise does not have an independent, robust and objective RFP process for the purchase of legal services under the review of an independent oversight committee. A robust and independent RFP process is becoming more important as stakeholders are demanding greater transparency and accountability for large purchases of services. Some organizations deal with this requirement by handing the purchase of legal services to their purchasing department. Without this delegation, the absence of a robust RFP process creates a significant risk that the value equation may not be quite right and that the enterprise is overpaying for services.

Functional Business Plan


Often Legal Departments grow in response to specific needs of an enterprise, and the fix remains in place even after the need has disappeared. Growth simply occurs in the absence of a functional business plan linking the activities of the Legal Department to the goals of the enterprise. Within the audit environment, the linkage of the work of the Internal Auditors to the goals of the enterprise is achieved through the 5-year and annual audit plans proposed by and approved by the Audit Committee. The absence of a Legal Functional Business Plan creates a significant risk that the work of the Legal Department is not linked to the major risks or goals of the enterprise and that a significant amount of legal time is spent on matters that neither protect nor advance the interests of the enterprise.

Reviews of Legal Departments


As a result of the significant risks managed by the Legal Department and the virtual non-existence of Legal Department oversight, it is not sufficient simply to include the Legal Department within the risk analysis of an ERM program. It is imperative that legal processes be independently reviewed by Internal or External Auditors to ensure that those processes are capable and sufficient to manage the identified legal risk at a cost that is as efficient as possible. Once this process review is complete, a proper legal functional business plan can be created to ensure that the activities of the Legal Department are linked to the goals of the organization.

This process will give Boards, Audit and Risk Committees, General Counsel, Internal and External Auditors the assurance they need, similar to that obtained for Internal and External Auditors, that the legal processes created to manage risk are efficient, in fact mitigate risk and are tightly linked to and will fulfill the goals of the enterprise.

© HelixLegal 2014
