Emerging Risk Oversight and Legal Risk

Scott Ewart


Emerging risk oversight requirements are driving audit committees, CEOs, and internal and independent auditors to focus on new and different areas of risk within their organizations. This includes reviews of legal departments and the underlying risk that they represent. There is a combination of factors driving these risk reviews, including the definitions of risk oversight and the obligations stated by various oversight bodies.

Definition of Risk Management

While there is no generally accepted definition of risk oversight, the simplest definition can be found in the International Organization for Standardization’s Guide 73:2009–Risk Management, namely “the effect of uncertainty on risk.” The Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk Management–Integrated Framework further developed this definition to state:

“Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.”

Essentially, when these definitions are distilled, one can conclude that the obligation of the board is to oversee enterprise risk management within the organization and to define the “risk appetite” for the enterprise.

Obligations of the Board

The National Association of Corporate Directors’ Blue Ribbon Commission looking at “Risk Governance: Balancing Risk and Reward” noted that while risk oversight objectives may vary from company to company, every board should be certain that:

  • The risk appetite implicit in the company’s business model, strategy, and execution is appropriate.
  • The expected risks are commensurate with the expected rewards.
  • Management has implemented a system to manage, monitor, and mitigate risk, and that system is appropriate given the company’s business model and strategy.
  • The risk management system informs the board of the major risks facing the company.
  • An appropriate culture of risk-awareness exists throughout the organization.
  • There is recognition that management of risk is essential to the successful execution of the company’s strategy.

All boards, and consequently audit committees and CEOs, should require the:

  • Development and periodic review of the company’s risk profile.
  • Integration of risk oversight and management into the company’s strategic plan.
  • Identification of significant elements of risk management, including policies and procedures to manage risk.
  • Assessment of the effectiveness of risk management policies and procedures, where applicable.

Expanded Scope of Review

As a result of the application of these definitions and the expanded risk review obligations, audit committees, CEOs, and internal and independent auditors are expanding their risk and process reviews into areas that have not traditionally been reviewed. Often, areas within an organization have gone unreviewed because of the complex nature of what they do. One such area is the legal department.

Traditional audits or reviews of legal departments simply focused on ensuring legal invoices were documented appropriately, but now reviews are being initiated to ensure:

  • The retention of external counsel is both defensible and competitive.
  • A major area of organizational risk is reviewed independently.
  • There are appropriate controls surrounding legal budgets.

A properly resourced independent legal review can help the internal auditor identify legal risk issues for management and the audit committee, and provide recommendations related to:

  • Legal budgets, large legal expenditures, external legal fees, and processes for purchase.
  • The right structure of the legal department for the organization.
  • The right size of the legal department.
  • The process for hiring external counsel and ensuring it is defensible and competitive.
  • The right legal controls.
  • Process improvements to improve efficiency and controls.


Posted on Jun 4, 2012 by Tim
