Trends & special topics

Legal — what, why and how?

By Duncan Ramsay, Lawyer and Consultant

People talk about . bad due diligence, an unconsidered • The meaning of legal But what is it really? And exposure in a contract and poor risk is often assumed. structuring) or inadequate asset why is it important? How protection (such as not registering a • Effectively dealing with do you minimise it? security interest or trademark). legal risk increases an Legal risk can result in civil and criminal organisation’s ability What sanctions for the company and to achieve its goals individuals as well as loss of reputation References to legal risk often assume (including losing customers, a lower by way of greater its meaning is obvious. The joint share price and write downs of goodwill). efficiencies. judgment of the New South Wales Court of Appeal in Morley & Ors v ASIC Legal in turn • The risk management [2010] NSWCA 331 mentions legal involves the organisation providing process involves risk eleven times without definition goods or services that maximise its establishing the when stating it was the duty of James opportunities while minimising failure Hardie’s general counsel and company to comply with the requirements of the context; conducting secretary to protect it from legal risk. law, including of a court or a regulator. a risk assessment; Sheryl Sandberg, chief operating officer Very importantly, legal risk management identifying the ; of Facebook, in her 2013 book Lean In does not mean avoiding legal risk analysing the risks; writes about legal risk (‘The first time altogether. Rather it involves identifying I asked a prospective employee if she legal risk, facing risks deliberately, not evaluates the risks; was considering having children soon, and then treating taking unnecessary risks and carefully I knew that doing so could expose me managing the risks that the organisation the risks. and my company to legal risk’ p 151). decides to accept. My description of legal risk is: The Basel Committee on Banking ‘the extent to which the law will Supervision sees legal risk as part of adversely affect the organisation , namely the risk of from achieving its objectives, where financial loss resulting from inadequate the organisation did not consider the or failed internal processes, people law, wrongly believed the law to be and systems or from external events. different, is subject to an adverse This view has influenced the Australian judgment that is contrary to advice Prudential Regulation Authority (APRA) received or is uncertain as to the law. and other regulators. Legal risk can be from either mandatory or voluntary sources Operational risk is seen as different from (examples of the former are case other risks such as strategic, credit, law and statutes and instances of market, investment or liquidity risks. the latter are contracts and the Legal work by its nature involves organisation's code of conduct). operational risk, whereas other risks Legal risk can involve a claim, change are more for others (such as strategic in law, defective transaction (including risk and management consultants).

90 However, risk categories are somewhat arbitrary. The main point is to be thinking afresh and contributing to the The main point is to be thinking afresh and organisation’s business by identifying contributing to the organisation’s business by a risk, be it legal or not, and then agreeing on steps to manage the risk. identifying a risk, be it legal or not, and then agreeing on steps to manage the risk. Why Risk management is topical, especially to regulators. ASIC published regulatory guide 247 on effective disclosure in an operating and financial review (OFR) of a listed entity d) the operational structure of the • 7.3 a listed entity should disclose (a) on 27 March 2013. Its paragraph 61 institution facilitates effective if it has an internal audit function, defines material business risks as the risk management how that function is structured most significant areas of uncertainty or e) policies and processes are and what role it performs and exposure at a whole of entity level that developed for risk-taking that are (b) if it does not have an internal could have an adverse impact on the consistent with the RMS and the audit function, that fact and the achievement of financial performance established risk appetite processes it employs for evaluating or outcomes referred to in the OFR. and continually improving the f) sufficient resources are dedicated to effectiveness of its risk management This comment is in reference to risk management section 299A(1) of the Corporations and internal control processes and Act 2001 which provides for a listed g) it recognises uncertainties, • 7.4 a listed entity should disclose entity’s annual directors’ report to limitations and assumptions whether it has any material exposure include information that its members attached to the measurement of to economic, environmental and would reasonably require to make an each material risk. social sustainability risks and, if it informed assessment of the business Paragraph 20 of CPG 220 defines does, how it manages or intends to strategies and prospects for future material risks as those that could manage those risks. financial years. have a material impact, both financial The recommendations apply to As a result, listed companies’ annual and non-financial, on the institution financial years from 1 July 2014. reports last year expanded their or the interests of depositors or policyholders. Like ASIC, APRA refers These developments provide a commentary on material business framework for boards to establish, risks. Three examples are BHP Billiton, to ‘could’, not a higher threshold of ‘would’ in determining materiality. support and monitor risk management Commonwealth of Australia and practices across a broad spectrum Caltex Australia. Thirdly, the ASX and make management responsible Secondly, APRA revised its prudential Council issued the third edition of for their effective functioning. standard CPS 220 on risk management its Corporate Governance Principles These steps include drafting board during 2014 and its accompanying and Recommendations on 27 March and committee charters, updating prudential practice guide (both are 2014. These include ‘if not, why not’ compliance programs as well as other effective from 1 January 2015). recommendations on risk management: policies and procedures, together • 7.1 (in summary) the board of a listed with providing general comments on In particular, paragraph 13 of CPS 220 corporate governance, especially the requires the board to ensure that: entity should (a) have a committee or committees to oversee risk and responsibilities of non — executive a) it sets the institution’s risk appetite disclose its charter and (b) if it does directors compared with management. within which it expects management not have a risk committee, disclose Governance practitioners are already to operate and approves a risk that fact and the processes that it familiar with risk. Its allocation is a management strategy (RMS) employs for overseeing the entity’s common issue in contracts, through b) it forms a view of the institution’s risk risk management framework indemnities, limitation of liability culture and the extent to which that • 7.2 the board or a committee of the clauses and otherwise. Being involved culture supports the risk appetite board should (a) review the entity’s in disputes includes assessing c) senior management monitors all risk management framework at prospects of success. material risks consistent with the least annually to satisfy itself that Governance practitioners should be able strategic objectives, risk appetite it continues to be sound and (b) to demonstrate that sensibly dealing with statement and policies approved by disclose, in relation to each reporting legal risk increases an organisation’s the board period, whether such a review has ability of meeting (if not exceeding) its taken place goals by way of greater efficiencies,

Governance Directions March 2015 91 Trends & special topics

through lower costs, less errors, fewer The spreadsheet can also be sub- surprises, improved decision — making divided into which business units of the and better customer, employee and organisation are say high, medium or supplier relationships. low in terms of the particular legal risk. A legal risk plan follows from the Governance How outcome of the legal risk audit. It can involve either accepting the risk practitioners should The general risk management process entirely or transferring the risk in under AS/NZS ISO 31000: 2009 is to be able to demonstrate whole or in part through insurance establish the context; conduct a risk and outsourcing after a cost/benefit that sensibly dealing assessment; identify the risks; analyse analysis. Materiality and priority will the risks; evaluate the risks; and with legal risk increases need to be decided. Avoiding a legal then treat the risks. This will involve risk is usually not possible (clearly not communication and consultation an organisation’s for mandatory obligations). together with monitoring and review. ability of meeting Compliance programs are a common In terms of legal risk, this process feature of a legal risk plan. The courts if not exceeding its includes a legal risk audit, a legal risk and regulators will give credit to such plan and reporting. goals by way of greater programs in the event of a breach As for a legal risk audit, this looks at (some statutes may provide for the efficiencies… the current state of an organisation’s organisation to take reasonable steps to legal risk. Areas to consider include comply or for a due diligence defence). relevant statutes, current contracts For organisations which are financial (standard form and otherwise), institutions, APRA’s CPS 220 requires litigation (present and pending) and In each example, changes may follow they have a RMS management regulatory proposals. Items to review to the legal risk plan. strategy. The legal risk plan can be include the jurisdictions where the incorporated within this strategy. organisation operates, potential legal Conclusion exposures and the litigation culture of Reporting may be either ad hoc the jurisdiction, always bearing in mind or regular and can be divided into Governance practitioners by their the organisation’s particular business information from a governance training are well suited to advising on and customer base. professional alone or as part of risk management. They can contribute another’s report. One example is a by giving their perspective — the end A legal risk audit will usually produce a quarterly memorandum to say the risk result does not have to be a separate legal risk register. This could comprise committee on what risks have occurred category for legal risk. a spreadsheet with columns for the and what happened from them. relevant risk, its source, its likelihood Duncan Ramsay can be contacted on (02) 9437 5595 or by email at and consequence, its inherent risk (pre Another example is to focus on [email protected]. control), its control, the residual risk emerging risks by writing on material (post control) and monitoring (how, recent legal developments applicable when and by whom). to the organisation. Apart from new case law and legislation, legal actions Two crucial concepts are likelihood by or against competitors could and consequence. These can be rated affect the organisation directly by on a scale (one to five is common) in a way of copycat claims or the industry grid diagram with likelihood on the left indirectly through regulatory change. axis and consequence on the bottom axis. Often the consequence of legal A third example is a management risk is relatively fixed, especially if its report on a contractual, employee or source is statutory (for example, fines). other dispute having an appendix from This means the emphasis should be on a lawyer subject to client legal privilege likelihood, through the organisation’s of any investigation as to the merits or its competitors’ experience or even of the complaint or an update of any legal precedent. court action.

92