The shading in the diagram represents a possible assessment of overall
risk, with risks falling within darker sections carrying a higher priority for
Chapter 4 – Background to key aspects of legal risk management 71

In considering the impact of a particular risk if it occurs, it has been recognised that it can be useful to consider the different types of consequences involved, as opposed to the sources of the risk. Bearing in mind also what has been stated about the SERM approach, various methods of categorisation may be possible. The table below describes two possible approaches.

‘Type of impact’ method

Financial: e.g. loss of revenue, impairment of cash flow, incorrect pricing
Reputational: e.g. damage to the perceived standing or reputation of the organisation with its stakeholders and the public at large
Operational: e.g. impairment of the organisation’s ability to carry out its day-to-day activities
Strategic: e.g. impairment of the organisation’s ability to meet its strategic objectives
Legal: e.g. potential liability for claims, loss of ability to enforce rights or claims

‘Site of impact’ method

Assets: an impact on the assets of the business, whether tangible or intangible
Business processes: an impact affecting effective functioning or performance of particular systems or processes within the organisation
Revenue: loss of earned income or cash receipts
Costs: an increase in cost base or the loss of an opportunity to decrease costs
People: an impact on the human resources or staff of the

It should always be borne in mind when considering such approaches and
classifications that with other forms of categorisation, the classification of types
of consequence should not be seen as prescriptive and should be adapted so
that it is meaningful for the business concerned.

Risk management and risk recording
An effective risk management programme requires a systematic approach to
recording risks so that they can be addressed and monitored consistently.
In any organisation risk management experts have advised that it is helpful to categorise risks so that procedures can be put in place to monitor and control them. The actual method of classification used is less important than the existence and monitoring of systems to control the risks involved and the consistency with which they are appraised.
The table below sets out an example of the type of generic information which may be recorded in relation to a particular risk, regardless of sector or

Part A – Overview of Risk Management

Name: The name or reference number for the risk concerned
Description: Description of the circumstances or events in relation to which the risk arises
Category: Identification of the business process, asset or issue to which the risk relates
Risk owner: The individual or group responsible for managing the risk
Risk stakeholders: Description of the stakeholders (internal and external) with an interest in the management of the risk, together with any specific requirements or expectations
Evaluation: Assessment of the likelihood and impact of the risk arising, with an overall risk rating
Target rating: Statement of the desired risk rating, reflecting the organisation’s tolerance of that particular risk
Controls: Description of the present controls used to manage the likelihood of the risk arising or its impact
Monitoring: Description of the processes used to monitor the risk and the effectiveness of controls, including key indicators
Corrective action: Description of proposed action to improve the management of the risk

Information concerning individual risks should be aggregated at the relevant level of the organisation. The overall risk ratings produced using an evaluation matrix or similar tools can be used to prioritise actions to address risks. Note, however, that the perception of a particular risk by stakeholders can be as important as the rating produced by considering its impact and likelihood. For example, environmental issues may have particular significance in relation to the public perception of the organisation’s activities and may therefore require demonstrable systems to address environmental risks (see Chapters 18 and 19). This should be reflected in a lower tolerance to those risks, and a correspondingly higher prioritisation of relevant controls.

Risk owner
The identification of the appropriate ‘risk owner’ is key to the ongoing process of addressing risks. This term is used to indicate the individual or work group who or which is primarily responsible for managing that risk. This will usually be at the level of the activity giving rise to the risk, or alternatively the point where the risk is likely to impact most directly. It is important that the risk owner has the authority to ensure that the necessary actions are taken. Where appropriate, arrangements may be necessary for a risk to be escalated to a higher level in order to ensure an appropriate

Implementing risk management systems
A system for managing risks should be seen by the whole organisation as an
ongoing process involving the following basic steps:
Identifying risks;
Evaluating risks;
Prioritising action to controlling risks; and
Reviewing the effectiveness of controls.
At a strategic or corporate level, the process of reassessing risks and reviewing the appropriate controls should be carried out on a periodic basis, at least annually. However, at this and other levels the process should be triggered by matters such as:
Implementation of new business activities or new ways of working;
Preparing for major investment decisions;
External events which affect the business objectives;
Changes in external environment, including regulatory constraints or market
Changes in the cost of controls; and
Failure of control mechanisms or occurrence of unexpected risks.
This process may be especially valuable when considering the integration with
the legal due diligence process (see below).
There are various possible responses to risks once they have been identified. These include:
Prevention: by adopting systems to minimise the likelihood of the risk being
Containment: taking action to reduce the consequences of the risk once it has
been realised, e.g. disaster recovery plans, asset protection through corporate
structures (see Chapters 8 and 6);
Spreading: taking action to spread the risk between different operations or
units (diversification);
Transference: e.g. by insurance or contractual arrangements with suppliers; and
Retention: by accepting that certain potential outcomes are unavoidable costs
to be absorbed.
It is important that the responses to the relevant risks are proportionate to the
impact and likelihood of the risk. This relates not only to the cost of measures for
controlling or mitigating the risk. Particular responses may carry an indirect cost
in making the organisation less able to take advantage of opportunities or the
potential ‘upside’ of uncertain events. It is therefore a matter of optimising the
management of risk, rather than simply attempting to remove or minimise risks.
The process of assessing and managing risks should include a review of the
controls currently operated, together with the costs and side effects of those
controls as compared to the other responses that are available. However, it
should be noted that different responses may address some but not all of the
types of impact of a particular risk. For example, product liability insurance
may cover the direct financial impact of a claim for compensation, but not the
adverse effects on the business’s reputation.
As regards legal risk management it should also be understood that some
responses may create new risks of their own. For example, the risks associated
with a particular manufacturing process may be transferred by ceasing those activities and outsourcing the process to another supplier. This will give rise to
a separate set of risks in managing the performance of the supplier and the
financial relationships involved. Although this may be effective in transferring
some liability risks, the impact of adverse incidents on the business will remain.

Banks and compliance risk management: a case study
Since the debate over risk management and corporate governance has heightened following the introduction of Turnbull and other risk management standards from the 1990s (see Chapters 6 and 21) risk has become a popular and practical management tool. The financial services sector – in particular the banks globally – have evolved important tools to manage risks and to deal with stakeholders. Indeed this sector is under constant scrutiny and must demonstrate enhanced risk management and governance standards. This sector can therefore provide a useful case study that is helpful for other commercial sectors. Indeed, bank auditors currently use risk as a key audit tool. Bank examinations are increasingly based on risk assessment and subject to more and more stringent examination having regard to the many stakeholders. This trend toward risk assessment and risk management is a natural fit for compliance.
For the banking sector in particular regulatory compliance is a crucial form of risk management. In the case of compliance, most of the risk that is being managed is based in or created by laws and regulations rather than by market forces or customer behaviour. However, some of the core elements of compliance risk are shared with many of the same drivers that underlie other risks that are touched upon elsewhere in the book, such as:
Staff turnover;
Product complexity;
Rapid growth of the bank or a bank product;
Economic forces in the bank’s market; and
All of these risk sources affect compliance. As regards this sector the work of the Treadway Commission’s Committee of Sponsoring Organisations (COSO) is relevant. COSO identified risk in the following broad, generic categories:
External factors;
Internal factors; and
Risk relating to change.
In the process of identifying risk, determining its extent, and identifying ways
to manage it, it has been found that it is useful to divide risk into these general
categories. According to the banking community:
External factors are risk sources over which the organisation has no control
but may be able to observe and predict. The experienced risk manager will
foresee them coming and have a strategy for responding; and
Internal factors are risk sources over which the bank (but not necessarily the compliance manager) may have control. The compliance risk manager should use their knowledge about the bank to identify internal risk factors and take steps to minimise them. Although the bank has some control over internal risk factors, methods to minimise internal risk may often be at the expense of business opportunities. Controlling internal risk therefore involves choosing the optimum balance between risk control and business opportunity.

The US: OCC approach
It has been evident that the bank supervisory agencies have moved toward risk assessment as a key element of the bank examination, including the compliance examination. The OCC has identified the following risk categories: credit risk, interest rate risk, liquidity risk, price risk, foreign exchange risk, transaction risk, compliance risk, strategic risk and reputation risk. Although compliance is listed as one of the risk categories, compliance still affects, or is affected by the other categories as well. For example, compliance requirements are part of transaction risk. Credit risk is closely tied to many aspects of compliance ranging from rate disclosures to fair lending decisions. Reputation risk may be affected by compliance requirements including CRA, fair lending and the accuracy and timeliness of disclosures.

To measure risk, the OCC considers: ‘the quantity of risk’; the quality of risk management; aggregate risk; and the direction of risk. For risk controls, the OCC assesses policies, processes, personnel and control systems. These risk controls should be familiar to compliance managers: they outline a compliance programme, as regards the quantity of the risk, and priorities must be determined. Like the US OCC approach, the central COSO question is whether there are reliable controls. The goal is not perfection. The goal is the ability to identify, prevent and minimise problems. The bank that is at risk is the bank with controls that are less than reliable.
As with other commercial organisations, risk relating to change involves a combination of factors that are within the bank’s control. Change-related risk may be the result of the development of new products that trigger a new analysis of compliance risk. The bank has some control of the choices here. Change may also occur because of changes in the economy, the bank’s market, or legislation. In this type of change, the bank is in the position of responding rather than driving the change. COSO identified a list of factors of change. These remain useful to study for the ways in which compliance is affected. For instance, included in the factors of change listed by COSO are:
Changed operating environment;
New personnel;
New or redesigned information systems;
Rapid growth;
New technology;
New lines and products;
Activities and acquisitions; and
Corporate restructuring.
It is helpful to note that commentators have suggested that basing a compliance
management programme on risk management can be an effective communica-