respond much more readily to ‘risk’. This approach may therefore provide the
organisation with an effective means of getting management to understand and
give appropriate attention to compliance priorities.
Practical hints and tips in compliance risk management
In the face of increased compliance obligations, a dynamic business and IT
environment, fragmented risk and compliance projects, and exposure to tort
and criminal liability, organisations are seeking a formalised approach to man-
aging risk and compliance. Pertinent questions facing organisations are:
How do we know if we are meeting compliance requirements?
Is our compliance and risk management programme effective?
How do we identify and measure critical risks to the organisation?
How do we capture what we are doing about them?
More generally certain key hints and tips have been cited as a guide to implementing a legal risk management programme regardless of sector, size, or
Make a list of the laws that affect the organisation;
To get a quick measurement of risk from these laws, identify what has historically been a problem;
List the top three sources of compliance risk for the organisation;
Review the written compliance programme to determine whether it has the elements of a risk management programme. In particular, policies, procedures and controls for the top three risks identified;
Read the last two reports sent to management or the board of directors.
Consider the extent to which they identified risk and used risk terminology.
Think about how to rewrite the reports using a risk management approach;
Study examination procedures based on risk. Look for tools and strategies to
incorporate into your compliance programme; and
Post a reminder for communication to others in terms of risk management.
Legal risk measurement and control
Chapter 4 – Background to key aspects of legal risk management 77
Trends in legal risk management
Accordingly the trends as regards legal risk management in 2006 and
* Increased interest and adoption of risk management frameworks (particu-
* Managing and measuring compliance as a process as opposed to a
* Adoption of governance, risk and compliance tools;
* The integration of compliance controls into the corporate structure;
* The appointment of a chief risk officer to manage enterprise risk and compliance for large critical infrastructures.
When considering the SERM case studies it has been found that in an effort to measure and control risk and compliance, organisations are seeking a structured approach that allows them to: quantify risk; establish risk appetite/tolerance; identify and prioritise controls; and establish a system of record to meet a multitude of compliance obligations. The goals in establishing an enterprise risk and compliance management programme are to:
Improve confidence in operational and financial integrity;
Maintain accurate and timely information which enhances visibility, measurement, management and sharing of risk;
Accurately measure risk through a consistent and systematic approach, as
opposed to disparate views that are reactively managed;
Measure risks not only at the system or project level, but from the business
process and business unit level, as well as from the organisation-wide view
of risk management;
Provide consistency in terminology, measurement, compliance and risk tol-
Quantify and justify risk decisions to support accurate response and decision
Key drivers for risk and compliance management
It is evident that there are many different approaches and techniques that can
be adopted for managing risks. As the banking case study has indicated, in
some fields complex guidelines have been developed – such as the principles for the management of credit risks. In this context one should note the principles published by the Basel Committee on Banking Supervision. What follows
represents a methodology which may also be capable of general application
and will need to be adapted to reflect the unique characteristics of the relevant
Part A – Overview of Risk Management
An established or recognised definition of operational risk is: ‘The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.’ (Basel Committee on Banking Supervision)
These risk managers agree that the mounting pressures organisations face in dealing with compliance management are driving them toward a structured approach to enterprise risk and compliance management (see also
Multiplicity of risk: where organisations have minimised risk and compliance management in the past, the complexity of today’s business, dependency on IT and processes, growth in business partner relationships, and increased liability and regulatory oversight has amplified risk to a point where it demands governance (see also Chapters 21–23). Furthermore, the multiplication of compliance requirements that organisations face increases the risk of non-compliance, which has potential civil and criminal penalties;
Increased accountability: for companies listed on the US index, Sarbanes-Oxley (SOX) places executives and the board under pressure. While SOX is not specifically aimed at operational risk and compliance, its impact has been felt throughout the organisation. Following the Enron debacle and the SOX response, executives are faced with stiff penalties regarding the integrity of financials. Therefore they require that risk and compliance be consistently managed within defined levels of risk tolerance to control impact on the financials. The only way to combat potential litigation from one of the major risks requiring management in the US is through increased control and over-
Fragmentation and duplication of effort: as management grapples to understand how risk and compliance are being managed in the organisation, they
often discover an inconsistent approach. Through relevant case studies SERM
has also found that risk and compliance management has been fragmented
throughout organisational silos, resulting in a duplication of technologies and
efforts with inconsistent approaches, measurement and reporting. The lack of
central visibility and oversight has resulted in islands of information trapped
in documents and individuals throughout the enterprise.
Legal risk management and due diligence: the purpose
It is well recognised that records and information are at the core of every transaction any organisation undertakes. This is generally true wherever one operates
and whatever the sector or even size, bearing in mind supply chain pressures.
Accordingly any inadequacy in those records and information – including
non-compliance with regulations such as the Sarbanes-Oxley Act and international privacy laws – can threaten the organisation’s ability to conduct business. This was well illustrated in Enron and its aftermath (see also Chapters 21–23).
Despite this logic recent studies indicate that many organisations lack effective
policies and procedures for systematic control of recorded information. As a
result, they risk:
Extensive penalties for non-compliance with record-keeping regulations;
A tarnished reputation; and
Potential legal liability.
This has meant that record management has become one of the most powerful
tools in the compliance and risk management approach. Financial transparency, corporate governance, anti-terrorism and privacy protection are major
regulatory themes in the United States and abroad. Recent developments have
given corporate directors many reasons to pay attention to enterprise risk; for
instance, with $184 billion in revenue and 59 000 employees in 180 countries,
energy giant Chevron Corp. has been highly aware of the need for risk management. When SOX was implemented with its calls for a risk-based approach to
assessing internal control over financial reporting, Chevron executives were
prepared because they had put in place a risk-based system years ago. Yet evidently less than 25% of corporations are giving their internal audit functions
the rigorous external reviews recommended by the Institute for Internal
Auditors as a standard of strong corporate governance in the post-SOX economic era. Moreover, companies attempting to comply with the internal control provisions of SOX are finding that they must evaluate the controls not only
of their own operations but also those of partners with whom they may form an
The emergence of the US Sarbanes-Oxley Act in 2002 brought statutory pressure to bear on US-listed organisations to demonstrate corporate governance compliance. These requirements have had significant impacts on
the internal control and risk management approaches of listed companies,
and compliance with Section 404 and preparation for the new auditing
rules have all been major tasks for many US companies (see Chapter 22).
That challenge is now passing to non-US headquartered companies that
nevertheless have US listings. Every organisation dealing with Sarbanes-Oxley needs Practical Implementation Guidance. SEC Regulation outside
the United States is the authoritative guide for non-US companies trading
in the US. Most usefully, the Section 404 Implementation Toolkit can save
many organisations many millions in implementation dollars.
The purpose of legal risk management as part of due diligence by a purchaser (buyer) or party entering a joint venture is to ensure that:
The relevant assets have the value the vendor (seller) has given them;
The vendor has good title to those assets free from encumbrances, including
intellectual property and – in particular – the key assets that are being acquired;
There are no risks, liabilities or commitments that reduce the value or use of
the assets, for example another party having the right to use them; and
There are no other existing or potential liabilities that may adversely affect
the object of the due diligence (the target or candidate).
As a priority, therefore, the purpose of the legal due diligence relates to the verification of the legal affairs and good standing of the target, which, in turn,
impact on or verify the consideration being given.
Traditional due diligence usually covers such topics as:
Assets: Primarily, assets are considered tangible property, such as buildings, computers, furniture, etc. However, other important assets include people, contractors, business ideas, product relevance in the marketplace.
Contracts: Contracts for work to be done, commitments by others to do work for the company. The contract can be with individuals or companies. Keep in mind that it is not just the contract terms but whether the terms are in fact enforceable. A lot of employment contracts have appropriate terms, but if the individual has a serious accident and is incapacitated, none of the work-related terms may be enforceable.
Customers: Customers for products and services are important elements. Who they are and where they are. When reviewing this topic, consider whether there is a secondary market for the resale of products such as through Amazon or eBay. Customer support may start to come from locations not anticipated.
Employee agreements: This requires appropriate legal support to make sure that the agreement is not so restrictive that the employee could easily break the agreement as being unfair, etc. These agreements may also require consistency, which is a process that due diligence can support (see also Chapter 14).
Employee benefits: This is not just about health insurance. Due diligence requires the comparison of planned benefits with actual received.
Environmental issues: These can form a significant part of any due diligence activities. Environmental impact statements have to be considered a never-ending part of the business operations as well as the business planning. Regulators from government agencies as well as non-governmental organised groups can delay or prevent a specific development project (see also Chapter 18 for further discussion of environmental issues).
Facilities, plant and equipment: Classically, this item is included within the asset category. It is separated here to indicate the requirements for a continuing due diligence for the potential retirement or sale of any old facility that is no longer effectively supporting the enterprise business. Examples of this can be old buildings. In the US recently many municipalities have torn down old sports stadiums to construct new ones with 21st century features like adequate bathrooms and enough executive suites.
Financial condition: Traditionally the province of the accountant, this topic has expanded to recognise the confluence of cash availability, debt limitations and restrictions, the industry’s economic climate, the country’s economic climate and the global economy. All of these components can be monitored on a continuing basis as part of the overall financial review of the business.
Foreign operations and activities: Globalisation is the major element of 21st century business. Outsourcing, multiple worldwide locations, different business and governmental regulations, currency conversions, transportation issues, employees, cultural differences all add up to substantial impact on company operations. Some of these issues are addressed in Chapter 13.
Legal factors: Laws never go away. Legal issues country by country, state by state, municipality by municipality all have to be considered,
Product issues: Product life cycles need to focus on old products, products about to be launched and products in the development pipeline. Moreover, due diligence includes the need to monitor