. 18
( 131 .)


indirectly affect operations.

Useful web links
* EMAS “ Eco-Management and Audit Scheme Sites. Regulatory texts
and background information, guidance documents and a list of verifiers:
* GRI “ Global Reporting Initiative, including a GRI content index and
guidelines: http://www.globalreporting.org/reportsdatabase/
* International Finance Corporation (Part of the World Bank Group) has
documents relating to the emerging opportunities with regards to the
trends we discuss in this chapter: http://www.ifc.org/sustainability
* INEM “ International Network for Environmental Management.
Documents and hyperlinks to other websites of interest, including:
EMAS Tool Kit for Small Organisations, Environmental Policy
Checklist, and Environmental Statement and/or Environmental Report
Checklists: http:// www.inem.org/
* ISO “ International Organisation for Standardisation “ ISO 14001
Global Overview. This site provides an up-to-date overview of sites cer-
tified against ISO 14.001 and sites registered under EMAS: http://www.
* United Nations. Reports on global trends are available from: http://
This page intentionally left blank
Background to key aspects of legal
risk management
4 Background to key aspects of
legal risk management

The purpose: to achieve compliance with regulatory requirements and
licence to operate
Having regard to what has been said in Chapter 2 regarding
Sustainable Enterprise Risk Management (SERM) this chapter is intended
to set the scene on business risk management and to highlight certain
aspects and principles that affect businesses wherever they operate and
regardless of their size. It therefore covers:

* Legal risk management:
The purpose;
The process;
Banks and compliance risk management: a case study;
Typical transaction risk management and due diligence procedures
and documentation; and
Formal and informal risk management processes.
* Financial risk management;
* Risk and insurance; and
* Beneficiaries of risk management:
Transactional and operational concerns; and

Legal risk management
In today™s business climate legal risk management affects virtually every organ-
isation, and in particular highly regulated public businesses, such as banks and
healthcare organisations. A solid risk management plan and framework enable
the organisation to:
Improve safety;
Minimise lawsuits;
Achieve best practice;
Chapter 4 “ Background to key aspects of legal risk management 67

Make better business decisions;
Enhance asset management; and
Meet regulatory compliance standards; which in turn:
Protects reputation;
Improves the bottom line; and
Leads to a more attractive insurance proposition.

It should be emphasised that the cost to implement a risk management plan is
always less than the potential costs involved if the organisation does not man-
age risk. Banks are particularly under the pressure of compliance risk manage-
ment as a popular management tool. Compliance risk management can be well
illustrated in the banking sector which is increasingly under pressure to
demonstrate transparency to all stakeholders (see further case studies below).
For example, in relation to securities, it enables the board to:

Achieve a clear picture of a company™s corporate hierarchy to better under-
stand their entire securities structure and global exposure;
Verify the inter-relationship between securities, their issuers, related sub-
sidiaries and affiliates; and
Determine conflicts of interest relative to their holdings, potential holdings
or client inter-relationships.

Legal risks
Some confusion can arise in the use of the term ˜legal risks™. It may be used to
indicate the source of the risk (such as a change in regulatory environment), or
alternatively the impact of the risk (such as a legal claim for compensation).
Equally, it may indicate a particular course of action to control a risk “ such as
obtaining legal advice to ensure that a key contract meets a company™s strategic
requirements. In the context of this book the issue lays not in the categorisation
or classification adopted, but in the risk that legal issues in terms of the source,
impact or controlling of risks may not be properly taken into account. Applying
a more consistent process for evaluating legal risks may result in a recognition
that risks have been overcontrolled (due perhaps to an excessive weighting of
legal issues), as much as a finding that certain legal consequences merit a
greater investment in control mechanisms.

Analysis of risks: key questions
Any risk management system should be based on clearly defined risks.
These should be aligned to the business objectives of the organisation so
that they can be reviewed alongside other business information, such as
financial performance, and used to inform decision making. When risk
Part A “ Overview of Risk Management

commentators are analysing risks, they have found it to be useful to ask
several key questions:
* What information is available regarding historic incidences of the risk?
* What additional sources of information could be used to help anticipate
the incidence or impact of the risk? (For instance, publicly available
financial information about suppliers or contractors.)
* When the risk is likely to arise: at what point in time after the relevant
activity or event does the risk become less likely?
* What factors may affect the likelihood of the risk arising?
* What value is lost if the risk does arise?
* What would be the costs of remedying the risk if it arises?
* How will we know when the risk has arisen and who would have this
* What indicators or warning factors are there that the risk is more likely
to arise?
* How is awareness of risk currently reflected in decision making within
the relevant area?
* Who, either internally or externally, has the most experience of evaluat-
ing the way the risk impacts on the organisation, or has the most
experience of handling the risk once it has arisen?

In order to be fully effective, the management of risks should be integrated
across the business. In other words, the assessment and treatment of individual
risks arising in connection with one part of the business should form part of a
programme for addressing risks generally across the organisation. This is
because the effect of different risks can be multiplied if they occur simultan-
eously. For example, the effect of the failure of IT systems may be compounded
if it coincides with the launch of a new product or service (see also Chapter 11).
It has been clearly established that an effective risk management strategy
should recognise and address those inter-relationships.

Best practice compliance guidance
A best practice information security framework should support the coordin-
ation of compliance strategy across multiple channels and guide control
responses to multiple threats to all sorts of information assets. While it is
clear that no individual information security product is capable of making
any user organisation ˜compliant™, those products and services that reflect
best practice guidance will assist organisations to position themselves
most effectively to deal with current and emerging regulatory require-
ments (see also Chapters 19“23).

Similarly, the management of risk must be integrated into the processes
and policies for managing the business as a whole. It should be used to inform
Chapter 4 “ Background to key aspects of legal risk management 69

decision making alongside more traditional information such as financial per-
formance. The SERM approach found that the impact of risk management tech-
niques will be undermined if they are not consistent with the approaches and
policies applied elsewhere in the organisation. For example, a risk-based
methodology for pricing projects with potential long-term liabilities may have
little effect if it is contradicted by remuneration policies that reward short-term
financial performance on the part of particular individuals or units.
As has been indicated in the Handbook Overview and Chapter 2, it should
be noted that the ultimate objective is risk management, not necessarily the
elimination or reduction of risk. A systematic analysis of risks and how they are
currently managed in a business may indeed indicate that particular risks are
being overcontrolled. The operation of controls in a disproportionate manner
may have disadvantages, not only in terms of the incurring of unnecessary
costs, but also the loss of the flexibility to take advantage of opportunities. For
instance, this may be especially evident in circumstances such as competitive
tenders for new business. For instance, an over-rigid set of controls may inhibit
the organisation from responding quickly enough to enable success.

Risk identification
One recognised approach is to consider the key processes, assets and issues
that drive the business and support or threaten the achievement of its business
objectives. This is a similar exercise to identifying the drivers for the value of a
business when investigating the proposed purchase of that business (see
further below).
The table below gives some practical examples:

Processes Assets Issues

Recruitment and industrial relations Know-how Product liability
Order pricing and processing Corporate brand and reputation Regulatory
Waste management Product branding approvals
Treasury management Customer connections Health and
Negotiation of key contracts Supplier connections safety
Financial reporting IT systems Data protection
Marketing Plant and machinery Corporate
Business acquisitions Infrastructure/premises manslaughter
Key staff Competition

Useful acknowledged techniques for identifying risks include brainstorm-
ing and SWOT analysis (Strengths, Weaknesses, Opportunities and Threats).
Whereas external consultants may be used, the effectiveness of the systems
will depend on a comprehensive understanding of how the business oper-
ates in practice, and any ˜standard solutions™ should be approached with
Part A “ Overview of Risk Management

As indicated above, risks can operate at different levels of an organisation.
A programme of managing risks needs to operate not only a strategic or corpor-
ate level (i.e. top-down approach), but also at the level where the risk arises or
has its most direct impact (bottom-up). Almost every person within an organ-
isation is involved in managing risks, even if it is not labelled as such. What is
obvious to one individual may not be obvious to others. It is therefore always
important to involve individuals from a full range of the organisation™s func-
tions in order to capture information about risks and allow better decision mak-
ing. This is very relevant to the SERM approach.

Risk evaluation
Several acknowledged techniques can be used to help to understand the signifi-
cance of particular risks, and therefore prioritise action to address them. A
common approach of risk experts and commentators is to use a matrix that
combines the following factors:
Likelihood: the perceived probability of the risk occurring; and
Impact: the expected consequences if the risk actually does arise.
The particular risk is given a rating for each factor (such as very high/
high/medium/low/very low), and the combination of those two factors is used
to produce an overall risk rating for the particular risk. This is not a scientific
or mathematical exercise, and involves a degree of judgement. However, it is
important that the evaluation of risks is carried out in a consistent manner
which, as far as possible, avoids bias due to perceived commercial or personal
interests. This can be achieved by carrying out tests within different levels and
functions of the organisation concerned.
The diagram below has been accepted by risk advisors and seeks to set out
a possible representation of the assessment of a risk.





. 18
( 131 .)