
* Intellectual property
* Investments
* Lending to third parties
* Banking facilities/borrowing from third parties, financial grants
* Guarantees/indemnities/letters of credit
* Product liability
* Investigations, litigation, disputes
* Insurance
* Taxation
* Non-compliance with agreements/change of control
* Voidable transactions/reconstructions
* Impending legislative changes
* Compliance with special industry sector legislation
* The effect of the euro on contracts, including payment arrangements




Beneficiaries of legal risk management and due diligence
Organisations should be aware that, with the ever-increasing pressure from regulators, securities exchanges and stakeholders, there are a growing number of beneficiaries of the risk management and due diligence processes. An overlap in functions can occur; indeed, when the parties are establishing the methodologies for legal risk management and due diligence tasks it is important that the user of this information is considered. For example, in many places, if it is a government regulator, there are specific forms and formats in which data must be presented. It will be very frustrating and more expensive to have to recast the information multiple times just to conform to the regulator's penchant for specificity.
Chapter 4 – Background to key aspects of legal risk management 87



Practical issues
In the context of this discussion, practical examples of combining internal and external activities are joint deals/transactions/joint ventures and other relationships. As has been seen above, for this work due diligence is actually two-sided. Each company within the relationship will have due diligence to perform. Company 1 will want to investigate and examine Company 2 and vice versa – Company 2 will need to assess Company 1. Mergers are especially the subject of a due diligence exercise by each company, their lawyers, their accountants, government regulators (if public companies), insurance advisors, etc.

Bearing in mind the importance of the quality of data, the key is to have each due diligence team determine the level of exposure based on what can or cannot be answered. Many deals or negotiations never get past due diligence because there is not enough documentation about the company's operations. As with personal relationships, like marriage, the deal can be filled with risk, as there cannot be a total investigation, just as there is never a complete investigation of the medical, emotional and financial history of each party to a marriage. There has to be a balance that is part of the risk/reward formula for all due diligence activities. For example, in the case of a £50 million deal, not being able to verify a £1000 transaction may not be worth the thousands that it takes to validate the transaction.
This is where the experience and capability of the due diligence team are essential. First, they have to possess the training and expertise to be able to recognise the important and the unimportant. Second, they need to have the appropriate tools necessary to perform their tasks. The tools can include, but are not limited to:
* Internet research capability;
* Legal databases – especially for lawyers;
* Tax databases – especially for accountants and lawyers;
* Industry perspective and data;
* Access to company personnel;
* Access to all relevant regulations – securities, government, environment, etc.; and
* Appropriate computer and resource tools that support this work.
The presentation of information is also important. Shareholders, investors and stakeholders can be satisfied with accurate and timely information but typically are less concerned with the precision of the page layout. In fact, most would prefer simpler rather than complex information. They may be making decisions about company compliance with a specific regulation, but they are also concerned with understanding the company's ability to survive and prosper.

As indicated, the identification of the risk owner is vital. For instance, it is important to ensure that employees are not forgotten in this process. Clerks, middle managers, management and all other related individuals who receive compensation from the company enjoy hearing about the company. Moreover, the due diligence exercise can include preparation of reports, without violating the rules of privacy and government regulations.
Part A – Overview of Risk Management 88



As the impact of risk management and due diligence continues to expand, companies will rely on the information gathering that can sustain the enterprise, reduce the risk of business activity and reward the various stakeholders.

Critical factors for successful risk management
Throughout the book several basic requirements should be borne in mind: factors that transcend legal risk management and are pre-requisites for establishing an effective risk management programme. These include the following:
* Commitment at senior level: it is essential that there is commitment to the programme at the highest level of the organisation. Without the personal commitment of the members of the board or equivalent body, the programme will not become fully embedded throughout the organisation so as to produce the desired benefits. This is often reflected in the delegation of authority for risk management implementation to a particular officer or committee;
* Consistency: it is important that risks are evaluated and monitored consistently across the relevant operations. This requires a clear framework for recording and assessing risks, and clear procedures for reporting and monitoring them. Furthermore, an internal programme will be needed in order to explain the approach to be taken and the responsibilities of individuals and groups within the organisation;
* Communication and feedback: the key objectives and features of the risk management strategy must be well understood throughout the organisation. The roles and responsibilities of different individuals should be clear and transparent. Information about risks should be shared both upwards and downwards so as to bring about the maximum benefit;
* Investment of time and resource: the implementation of a risk management programme requires a significant investment in terms of management time and resource. External advice may be required on particular issues. These costs need to be recognised and planned for. It is equally important to be realistic about the time which may be required to establish the systems required. This may be a matter of months or years depending on the complexity of the systems involved and the nature of the systems currently in place;
* Continuous improvement and review: it is vital that the risk management system should be seen as a continuously evolving programme of refinement and adjustment rather than a static framework. It is also critical that there is an effective process for monitoring progress and reassessing priorities. This requires active feedback on risk issues. From SERM case studies it has also been found that the implementation of any risk management system, even if it is imperfect or incomplete, will usually bring benefits over having no system at all. Effectiveness should improve over time with the experience of the organisation. Similarly, the risk profile of an organisation will be in a state of flux corresponding to internal factors (such as changes in the nature or scope of the business) and external factors (such as regulatory changes or an increased threat of terrorist attack). Any risk management system must be capable of reacting to those changes in order to be successful; and
* Culture: the culture of the organisation must support the aim of managing risks in an open and transparent way (see also Chapter 13). Establishing a 'no blame' culture which rewards rather than penalises the identification of risks is helpful in addressing commercial or personal pressures which may otherwise tend to inhibit accurate reporting.


Cultural aspects
The establishment of risk management mechanisms may require a substantial change in the way that an organisation operates, including a significant change in culture (see also Chapter 13). For this reason, it may be advisable to introduce the approach incrementally, starting with one particular function or business unit before extending it to other units and the business as a whole. This will allow the benefits of the approach to be demonstrated more clearly, and the experience and know-how gained in the pilot phases should help reduce any disruption or uncertainty associated with implementing the systems on a wider basis.


Trends in risk and compliance management
The drivers referred to above (and discussed further in Chapter 3) result in the following trends as organisations begin to build their approach to risk and compliance management:
* The adoption of an enterprise risk management framework: for risk and compliance to be consistently managed, a framework is necessary. In the US, for instance, in response to SOX most organisations have turned to the COSO Internal Control Framework to model their approach to documenting controls. The COSO Enterprise Risk Management framework extended the Internal Control Framework to establish guidance on how to build an enterprise risk management process. It is likely that the COSO ERM framework is poised to be the de facto standard of enterprise risk management;
* Managed and measured compliance: in the past, organisations approached compliance as a project as opposed to a process. In today's business environment, this opens up significant risk to the organisation. Dynamic business processes, workforces, partner relationships and IT systems require that compliance be managed and validated on an ongoing basis. As organisations face an increasing number of compliance obligations, the mandate will come for a formal compliance management programme;
* Tool consolidation and integration: in order to control costs, as well as to provide a single interface into risk and compliance management, organisations will look toward tools that provide a central repository of risk and compliance management functions. This will cover policies, control documentation, assessments and metric reporting. It should integrate with other technologies that take a more granular view in specific areas of compliance and risk (such as information security, privacy, business partner relationships and financial systems);
* Integration into enterprise architecture: risk and compliance must integrate into the business. The controls and measurement of risk and compliance require that they be integrated into an organisation's enterprise architecture. This involves integration of control into policies, operations and technologies that support business processes; and
* The chief risk officer: where an organisation exceeds $1 billion in revenue and is a critical infrastructure (finance, energy, healthcare, transportation, utility, telecommunications) it will generally have a chief risk officer (or someone of similar responsibility) aimed at managing enterprise risk and compliance. It has been predicted by experts that 75% of large critical infrastructure organisations will have established a formal enterprise risk management office with a CRO or equivalent role.


Practical hints and tips
Organisations considering a formalised approach to risk and compliance management should:
* Start with one or two compliance/risk initiatives: taking on too much at once is a recipe for disaster. Identify the key risk and compliance issues and let these form the foundation of the risk management programme;
* Keep the enterprise in mind: a too-narrow focus may limit what can be built on the foundation. Make sure that the enterprise requirements are borne in mind;
* Introduce others over time: as it develops, integrate other areas of risk and compliance management into the programme; and
* Ensure business needs drive initiatives: risk and compliance management needs to be driven by the business, not IT (see Chapter 11). Business managers and information owners are the ones ultimately responsible for risk acceptance and integration of controls – they should be involved and part of the process from the beginning in building frameworks and supporting IT solutions for risk and compliance management.


Governance and regulatory compliance: IT and risk management
From an IT perspective, governance and regulatory compliance today is primarily about data protection, information security and the organisation's general control environment. It can provide essential benefits in risk management and yet also increase certain risks (see also Chapters 11 and 21–23). In today's complex regulatory environment, organisations must:
* Grapple with the complexities, costs and overlaps of governance requirements (Combined Code, Turnbull, Sarbanes-Oxley, Basel 2, etc.);
* Comply with a wide range of information-related regulation, from the Data Protection Act; GLBA (the Financial Modernisation Act of 1999, also known as the 'Gramm-Leach-Bliley Act'); HIPAA (Health Insurance Portability and Accountability Act); PIPEDA (Personal Information Protection and Electronic Documents Act); to the Computer Misuse Act; and
* Deal with an increasing exposure to rapidly mutating, sophisticated threats to their information and information assets. These threats exploit a diversity of technical vulnerabilities in IT systems as well as loopholes in procedures and the behavioural characteristics of employees.

Whereas regulatory and commercial penalties for failing to secure information and information assets can be severe and value-destroying, regulatory guidance on compliance requirements remains very limited.



Useful web links
Risk management professional bodies:
Casualty Actuarial Society
* www.CASact.org
Global Association of Risk Professionals
* www.garp.com
Institute of Risk Management
* www.theirm.org
Institute of Internal Auditors
* www.theiia.org
Professional Risk Managers International Association
* www.prmia.org
Risk & Insurance Management Society
