Giuristidimpresa.co.uk


Corporate Risk

Introduction to legal and risk management

Abstract


Globalisation is moving competition from domestic to international markets, exposing organisations to a complex operating environment with a variety of legal risks that arise from ordinary operations and decision-making processes.


In this scenario, managing legal risk is fundamental: a player cannot merely meet legal and contractual requirements but should also be able to create value in adversity.


The purpose of this article is to illustrate the principles, framework and process related to the management of legal risk.


1. What is risk?

2. What is risk management and what are the benefits?

3. Risk Assessment

4. Risk identification 

5. Risk analysis 

6. Risk evaluation



1. What is risk?


Currently, all kinds of organisations, including corporations and NGOs, face increasingly challenging legal risks: regulatory and legislative requirements in many countries are becoming more stringent, and commercial contracting is becoming more complex.


Evaluating risk in doing business is a fundamental need and a legislative requirement, but what is understood as risk is not always clear.

  

Following the definition recognised by most international organisations, a risk is the combination of:

  • impact
    • the potential harm that could be caused
  • probability
    • the likelihood of the issue or event occurring


When it comes to the definition of legal and regulatory risk, the impact is the introduction of new legislation, e.g.:

  • GDPR
  • new treaties
  • different taxation
  • Brexit


The probability is constituted by the foreseeable impact that those events could have on organisations, in particular on their ability to:


  • meet legal and regulatory requirements
  • manage contractual risk
  • enhance the organisation's strategic decision-making, and
  • improve the organisation's capability of handling complex legal environments.


For instance, the introduction of the AML provisions changed the process by which financial institutions onboard clients, and at the same time pushed the development of new technology to deliver the same result faster and in a more cost-effective manner.



2. What is risk management and what are the benefits?


Given the laws that have been created in direct response to corporate collapses and scandals, effective legal risk management is important, and it should be noted that the management of legal risk is much more than just compliance.


A firm must adopt effective arrangements, processes and mechanisms to manage the risks relating to the firm's activities, processes and systems, considering the level of risk tolerance it has adopted.


A legal analysis of all the contracts in place, and a modification of the processes in place, enhance the organisation's strategic decision-making and improve its capability of handling complex legal environments.


The concept is very simple and is connected to the ability to evaluate an event as a risk and to predict and anticipate its outcome, so as to maximise the effectiveness of the measures adopted.


In this operation the criteria are the same as in evaluating any other risk, and they should be followed.


It is fundamental to:

  • reduce uncertainty to an acceptable level
  • control the probability of events occurring
  • reduce the likelihood of a negative consequence.


The management community has created a set of standards, specific to each country, to help any organisation build its own risk evaluation system:


  • AS/NZS 4360:1995 Risk Management Standard (Australia & New Zealand, 1995; since updated by AS/NZS 31000:2009)
  • CAN/CSA Q850 Risk Management: Guide to the management of business-related project risk (UK 2000)
  • COSO ERM Enterprise Risk Management – Integrated Framework (USA 2004; since updated by Enterprise Risk Management – Integrating Strategy and Performance in June 2017)
  • ONR 49000:2004ff. Risikomanagement für Organisationen und Systeme: Begriffe und Grundlagen (Austria 2004)
  • ISO 31000:2009 Risk Management – Principles and guidelines (international, 2009; since updated by ISO 31000:2018 Risk Management – Guidelines in February 2018)


All those standards contain a clear set of principles, a framework and a process applicable to reaching a conscious decision, valid also when the organisation is facing a fundamental normative change.


In accordance with those principles, a decision must:


  • create value
  • be an integral part of organisational processes
  • be part of decision making
  • explicitly address uncertainty
  • be systematic, structured and timely
  • be based on the best available information
  • be tailored
  • take human and cultural factors into account
  • be transparent and inclusive
  • be dynamic, interactive and responsive
  • facilitate continual improvement and enhancement of the organisation.


Those outcomes are reachable using a framework that assists and integrates the principles into the organisation, introducing procedures for:


  • implementing risk management
  • monitoring and reviewing the framework
  • constantly improving the framework


Finally, the steps necessary to take the decision must be based on:


  • risk identification
  • risk analysis
  • risk evaluation
  • risk treatment
  • monitoring and review


The ultimate objective is to create value and protection for the company's assets, which ultimately secures the investment made by shareholders, lowering the risk embedded in the event that has presented itself.


3. The risk assessment


The risk assessment is the only instrument to finally evaluate the impact that a particular change has on the structure of the organisation, and it should be conducted systematically.


An effective risk assessment is composed of:


  • Risk identification 
  • Risk analysis 
  • Risk evaluation


4. Risk identification


Risk identification helps to find, recognise and describe the issues that might help or prevent an organisation from achieving the objectives required by the normative.


It cannot be generic; it must be relevant, appropriate and up to date, and contain all the information that is important in identifying the risk.


An example is the contractual analysis carried out by the legal and compliance department to identify all the areas that are touched, or potentially touched, by the changed legislation.


The challenge also lies in being able to present those results to stakeholders, who are not always aware of all the transactions in place.


A risk not identified means a risk not analysed, not evaluated and not treated, and it ultimately represents a threat to the whole project. E.g. failing to identify all the data flows occurring in a particular transaction, during the process of updating company procedures to the GDPR normative, could lead to a sanction.


5. Risk analysis 


Once identified, the risk must be analysed; this process comprises an evaluation of the nature of the risk and its characteristics including, where appropriate, the level of risk.


It involves a detailed consideration of uncertainties, risk sources, consequences and likelihood, and can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis and the sources available.


Risk analysis and data analysis are not so different: both processes involve techniques that can be qualitative, quantitative or a combination of these.


Recently, most of those decisions have been made by artificial intelligence using complex algorithms and a vast amount of data, but their function must be considered a valid support, not the Holy Grail.



6. Risk evaluation 


The third step in the risk assessment is risk evaluation, whose purpose is to support decisions.


It involves comparing the results of the risk analysis with the established risk criteria to determine where action is required.


E.g. the 5th money laundering normative requires cryptocurrency companies to be registered and to follow the FCA principles.


Until now those companies were unregulated and did not have any system in place; with this introduction they should now carry out the risk assessment and, after the risk evaluation, decide what action to take.


The decisions might be to:


  • Do nothing further
  • Consider risk treatment options
  • Undertake further analysis 
  • Maintain existing controls 
  • Reconsider their objectives 


In conclusion, the purpose of applying risk treatment is to establish a process of constant evaluation of the scenario, allowing the company to react properly; this is possible only by adopting and customising a system that embeds the criteria described above.


May 2020

by Daniele Lupi


Copyright © 2025 giuristidimpresa.co.uk - All rights reserved.

