
Corporate counsel key to risk management

originally published in The Lawyers Weekly

“It would be interesting to return to post-Enron days and read quotes saying how we need to clean things up,” mused Blake Redding, cofounder of legal consultancy VistaLaw International. “And here we are again, even worse.”

Asking whether certain businesses effectively manage risk would be rhetorical at this point. But the crisis currently clouding headlines worldwide may spark one silver lining – a renewed interest in risk management.

“Money and risk are correlated,” said Olivier Fischer, managing director of legal management software vendor Legal Suite Canada Inc. “If you manage risks, you have potential expenses under control.”

And corporate counsel can play major roles. “Any competent lawyer can understand the scope of regulation,” said Redding. “Then there is implementation – putting real systems and controls in place. In-house counsel should be involved since they know both the law and the company.”

The field, however, is not as well understood as it might be, partly because of its inherent complexity. For instance, outside of common risk types like regulatory and litigation, different companies face different types of risk. Avian flu and reliability of the electrical grid are two examples that don’t trigger every company’s radar.

Then there are political considerations. Since the speed of the leader determines the rate of the pack, staff will take its cues from the behaviour of top management.

“If top managers do not want to resolve the issues of risk management, corporate counsel will not get the mandate to deal with risk,” Fischer said.

Other obstacles can include the “everybody else is doing it” mentality, bonuses based on short-term results and the absence of disincentives, legal or otherwise, to certain risky behaviours.

Companies that seek to implement and maintain effective risk management might separate their efforts into stages:

1. establishing good corporate governance
2. identifying risk and aligning risk appetite and strategy
3. establishing policies for compliance, including ethics

Redding offers the acronym GRC: “Start with governance, then risk, then compliance,” he said. “Also, implicit in compliance is that once you form policies, you start the real work of educating, training, auditing, measuring and so forth.”

Risk management initiatives can founder without a solid foundation. “You have to get corporate governance right,” Redding said. “Everything else – from the identification of risk to the establishment of controls to eventual audits and follow-up – will succeed or fail depending on how well the base structure exists.”

As an example, Fischer mentions the handling of contracts. General counsel might help negotiate contracts “before signature”, but assume others track the consequences of said contracts “after signature” (two intervals whose acronyms have been judiciously omitted from this article). “It’s not counsel’s mandate,” he said of the after-signature period.

A further complication: chief legal officers can wear a number of hats, according to an ACC CLO Thinktank Executive Report entitled “Enterprise Risk Management & The Law Department’s Strategic Role.” These hats carry labels like chief compliance officer, ethics officer, chief regulatory officer and privacy officer, among others.

“Principles like accountability, transparency and good corporate citizenship are just the beginning,” Redding said. “You can’t really advance until you start putting flesh onto those big principles. Risk management and compliance must be embedded in the core operations.”

That flesh needs to come from within the firm as it recognizes risks honestly and builds consensus that the company must deal with them proactively. “If counsel stop and reflect on risk management within the organization, they can probably address 75 to 80 per cent of what they need to do,” said Fischer.

The remaining gap concerned Brett Curran during his previous career as a chief compliance officer. “What is out there that we don’t know about?” he would wonder. “Are there other rules and regulations lurking out there?”

The current vice president of GRC and Regulatory Practices at Axentis, a provider of on-demand solutions for enterprise governance, risk and compliance, cites a variety of external sources of rules, laws, standards and regulation, such as trade associations and specific jurisdictions, that would-be risk managers need to check.

Once the foundation of corporate governance is set, counsel can help draft risk management and compliance policies. Some will enlist consultants at this stage. “There are two reasons to buy outside advice,” Redding said. “To help you structure things and to CYA.”

“Obviously, the former is the best reason.”

Regulatory compliance may be the most straightforward type of risk to manage, thanks partly to the Enron fiasco. “You often have detailed regulations to review and even regulators you can talk to,” Redding said.

“Other areas can be less clear-cut.”

At this stage, “siloization” can derail the initiative. “We typically see several different departments looking for rules and regulations applicable to their role in the organization,” said Curran. “For example, a chief information security officer looks at security-related laws and maybe some privacy. The privacy officer looks for privacy-related laws. People responsible for federal regulations such as anti-money laundering look at those laws.”

“Each party creates their own methods for storing that information, for determining what information they are going to collect,” Curran continued. “Then they use their own means and mechanisms to determine the impact on the organization.”

“It isn’t as effective when spread out over 14 separate document management systems,” Curran quipped.

Risk management research resources

“There is a whole industry on risk identification, risk mapping and so forth,” Redding said. “The big acronyms today are GRC (governance risk compliance) and ERM (enterprise risk management).”

Redding provided a list of resources for counsel who seek to shore up their firm’s risk management approach, particularly on the international stage.

Organizations

• IFC – International Finance Corporation
• OECD – Organization for Economic Co-operation and Development
• ECGI – European Corporate Governance Institute
• COSO – Committee of Sponsoring Organizations
• European Commission – Single Market – European Corporate Governance Forum
• Hawkamah
• Centre for International Private Enterprise
• In-house counsel organizations (e.g. Association of Corporate Counsel and Canadian Corporate Counsel Association)

Shareholder groups

• European Association of Securities Dealers
• Council of Institutional Investors
• Euroshareholders

Redding also suggests academia, consultants, regulators and law firms as sources of information.
