LEGAL COSTS CAN RANGE FROM 3% TO 10% OF A BUSINESS'S ANNUAL REVENUES, SO COMPANIES NEED TO HAVE A GOOD METHOD FOR MANAGING LEGAL RISK.
EXECUTIVE SUMMARY This analysis presents a process for quantifying legal risk within the context of accounting-based controls.
Return and risk are the two major dimensions of business decisions. While return is a well-identified factor, risk is less understood. This analysis addresses risk management issues within a firm, specifically with respect to litigation, because legal costs can range from 3% to 10% of businesses' annual revenues.1
Here is how the Committee of Sponsoring Organizations of the Treadway Commission (COSO) described enterprise risk management (ERM) in 2004:
"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."2
This definition can be broken down into the following elements:
A process: A process is ongoing; it is something that has its own momentum but that must be supported by the decision makers in the firm and (if the process is useful) will become a part of the firm's culture. A process, however, is not merely a series of tasks, nor is it just a project (although it may be tested as a project). ERM can only become useful and successful if it is viewed as a process, a way of doing things, and not just as a way to fix a problem (whether as a quick fix or a slow fix).
Effected by an entity's board of directors, management, and other personnel: The people who make the decisions in a firm must be involved in ERM and must actively support the plan. In addition, there must be deep support and involvement from throughout the firm. Just as making a profit is "effected by an entity's board of directors, management and other personnel," so, too, is enterprise risk management.
Applied in strategy setting and across the enterprise: Enterprise risk management is not a tactic; it is a strategy. As a strategy, it will have application throughout the firm and will be one of the key factors that points the firm in whatever direction its overall business planning intends for it to go.
Designed to identify potential events that may affect the entity: A fundamental part of enterprise risk management is an analysis to determine the activities and drivers of activities that affect the firm. Such an analysis is not something one person can be told to complete before next Friday. (One person may indeed have that responsibility, but it will take information from throughout the firm to identify these events.)
Manage risk to be within its risk appetite: To manage risk means to control risk, not to handle it by dancing to the tune played by risk. The whole point of enterprise risk management (the whole justification for its cost in time, money, and other resources, and the only reason it has useful value) is to put the firm into the position of actually managing, or controlling, its risk. The risk appetite in any firm (the range of risk it can accept as what it will live with) is never going to be large. Even a firm on the cutting edge would prefer to have as little risk as possible, but some activities will always be risky, and some risk may have to be accepted because its causes are difficult to identify or to do much about.
To provide reasonable assurance regarding the achievement of entity objectives: This is why a firm wants to control its risk: so it can focus on meeting the goals of its business plan.
ERM, therefore, is a strategic process that must be supported properly throughout the firm and that has the fundamental purpose of giving a firm the ability to control its risk so it can focus on its business.
RISK MANAGEMENT FROM A LEGAL PERSPECTIVE
Lawyers do not necessarily look at the world in the same way as others, including business people. This is also true for risk management. The legal perspective of risk management is often seen as a method for protecting the firm, as a plan for putting out fires. Although there is nothing wrong with protecting the firm, risk management is not really about protection. It is about making changes within the firm that lead to an ability to control risk. The focus of risk management is finding a way to control risk so more of the firm's resources can be used to further the firm's business planning.3 A result of all this may mean "protection" for the firm, but if all you want is protection, you really do not need to change much; you could just stand guard and watch carefully.
Companies need to meet certain minimum standards in order to sell their services (quality assurance) or their products (quality control). The common goal is for the firm to have services or products that make it competitive and bring it lots of customers. From a legal perspective, quality assurance and quality control are also great methods for preventing breach of contract (by meeting quality standards or specifications) and for avoiding negligence, especially professional malpractice (by making sure professionals are, and remain, qualified).
Compliance planning has become a legal necessity for many firms. It is all about making sure the firm complies with state and federal law, particularly the regulations of agencies that license, certify, or otherwise have the authority to seriously affect the firm. Aspects of compliance planning are similar to enterprise risk management, but the two are different. Compliance planning is strictly about developing a plan to ensure the firm complies with the law on particular issues. ERM is about controlling risk.
In our model, developing a compliance plan is a part of enterprise risk management in order to carry out the objectives learned from the risk management analysis (sometimes referred to as a legal audit).
A PROCESS FOR RISK MANAGEMENT
Basically, our model presents a method for:
* Getting to know the business and its activities.
* Focusing this information into identifying where risk exists.
* Quantifying or giving weight to the risk.
* Making choices based on most to least risky, or whatever method the firm chooses; the risk areas will be quantified, and the drivers or root causes of the legal risk in the various activities will be determined.
* Finally, developing a plan for managing the risk.
The model could be used for a comprehensive firmwide audit. It could also focus on a department, some unit of the firm, or specific activities or issues within the firm. This model will have full value only if it can be adapted to fit the needs of a particular company. Here is an outline of the risk management process:
1. Compose a model of generic value chain4 for the business in order to organize gathering comprehensive information about the company (see Table 1). The purpose is to get to know the firm, identify at least some initial causes of risk, and/or to highlight areas or activities where risk might be more prevalent.
2. Use the value chain information to prepare the Worksheet for Determining Areas of Risk from Value Chain Activities (see Figure 1). Next to each entry on the worksheet, make notes about the things that cause risk, however slight or great. The purpose is to determine what activities are contributing to the risk in the areas identified on the value chain model.
3. The information from the Worksheet is then analyzed using the Model for Determining and Evaluating Causes of Risk from Support and Primary Activities. The goal is to quantify how risky a particular activity is, at least compared to other activities of the firm. (Table 2-A describes the process, and 2-B shows scaling that could be utilized.) For each legal risk source (activity/driver) that is identified in a topic area, managers or advisors assess the likelihood of occurrence, with 1 being the lowest probability and 10 being the highest. In other words, if someone believes that this source has a 90% probability of occurring, he or she would score it as 9. Next, the severity of the risk is assessed on the same scale.5 Multiply Column 2 (likelihood) by Column 3 (severity) to get the composite score in Column 4. The composite scores for the various risk sources therefore fall on a scale of 1 to 100.
4. The information in the Model is then used in the Model for Determining and Evaluating Drivers of Specific Causes of Risk (see Table 3). The firm can choose which activities it wants and in what order it wants to do this analysis, perhaps based on level of risk in each activity. The data-gathering problem is analogous to a cost-collection problem that is solved via the activity-based costing (ABC) analysis of Robert Kaplan.6 (It is worthwhile to note that the COSO "decomposition of risk" concept fits consistently with the ABC analysis accounting method.)
This can be a major plus because businesses understand ABC fairly well. While the ABC approach is not an exact science, nor is it flawless, the activity-identification process can lead to improvements with successive iterations.
5. As appropriate, compliance planning (however formal or informal) can be done to manage identified legal risk. Plans can range from very specific to very general and can be formal or informal, complex or simple. The best plans, however, tend to be workable, practical, and have as little disruption as possible (see Table 4).
PITFALLS TO AVOID
How Should "Success" Be Defined?
The definition of "success" from managing legal risk must ultimately be subjective because the nature of legal risk is subjective.7 This is not to say there are no common causes and drivers of legal risk, just as there are common causes and drivers of cost, but how these causes and drivers affect a specific firm and its activities can be defined only by the firm.
Several factors, though, can help companies evaluate success:
1. Clarity in Understanding the Firm's Legal Risks. The better a firm understands the legal risks it must face, the better it will be able to plan to avoid, or at least to minimize, these risks. Even when the firm determines that it must engage in certain activities that it identifies as having a high legal risk (due to the inherent high risk of some activities), it will have better knowledge about the true nature of the risk and can plan to be prepared if actual problems develop. This would also be true for risks that could be reduced but that the firm is not able to deal with at the time (because of lack of sufficient capital or other resources, for example).
2. Recognition that Avoiding All Legal Claims Is not Possible. Although it is reasonable to conclude that a reduction in legal risk should result in fewer legal claims, it is never possible to avoid the necessity of being prepared to defend against a claim. Some people may file a lawsuit of questionable merit because of a perception that the targeted firm will settle the case instead of defending it, as long as the cost of a settlement is cheaper than the cost of defense. If the firm settles a lawsuit, it does not matter whether or not the underlying claim was frivolous or had merit; the act of settling precludes any legal ability to pursue the matter any further. Although under Rule 11 of the Federal Rules of Civil Procedure and corresponding state rules, making frivolous claims violates both federal law and the law in all 50 states, a claim cannot be ignored just because it is seen as being frivolous. A legal claim is considered frivolous when the plaintiff has little or no chance of success, but the determination of whether a plaintiff's case is frivolous probably cannot be made merely by examining the complaint. Instead, a court will have to allow the case to develop until enough facts have been established and the legal arguments clearly show that the case has no merit. Therefore, it is necessary to incur expense in order to establish whether a claim is frivolous or even whether a claim with merit will be unsuccessful against the firm. This situation cannot be avoided by managing legal risk.8
3. Measuring Dollars Alone May Be Inadequate. A firm may very well incur additional cost when implementing a system to manage legal risk, and there probably will be ongoing cost in maintaining this system. In addition, legal risk analysis of certain prior revenue-generating opportunities may result in the decision not to pursue them in the future. Expenses, opportunities not taken, and the need to still obtain legal opinions at times will all result in a financial impact on the firm. Overall, legal risk analysis may save the firm money, but the goal should not be merely to save money. Knowing when and where to put dollars and other resources to deal effectively with legal risk must be considered a factor in defining success instead of merely measuring the financial impact on the firm.9
4. Ease of Communication about Legal Risk. Quantifying legal risk will allow communications about the causes and drivers of risk, as well as the level of risk for each activity that has been evaluated, to have a common basis for meaning throughout the firm. This can be especially useful for larger firms and for firms with more than one facility. It can also provide a common basis of understanding for firms with facilities and interests in different legal jurisdictions, nations, legal systems, and cultures. Increased clarity in communications about legal risk issues throughout the firm can be an important factor in measuring success.
"Success" ultimately means that a firm has found a way to identify and manage risk. The determination of whether success has been achieved, therefore, requires a broad analysis. ERM results in achieving factors of success instead of a simple and misleading "examine the bottom line" approach. In addition, avoiding these other pitfalls will further enhance a firm's ERM successes.
Avoid Form Over Substance
It will prove to be a waste of time merely to go through the motions of risk management. As with anything, doing something for the sake of doing it, focusing on how something looks, developing something only to say "we have one," or creating a good process only to place it on the shelf with all the other dusty form-over-substance plans will be the same as having done nothing at all. ERM is a process that must be implemented.
It Is Only for Big Companies
No, it is not! Too many textbooks, articles, presentations, and other types of resources designed for business focus on large businesses to the exclusion of small ones (other than an occasional contrast to the local "mom and pop" business). This can lead to the idea that whatever comes along is supposed to be used by big business and that small business does not have to pay much attention, or at least can wait until the "kid-size" version comes along. This may be true for some ideas, but not for legal risk management. No firm is too small to be sued, face other legal problems, or have risks that can eat up its resources and keep the owner awake at night. No firm, therefore, is too small to use this model for legal risk analysis. In fact, it is not all that difficult or expensive for a small firm. Any size firm can benefit.
Do not Just Create a Bureaucracy
While legal risk management takes time and, depending on the issues involved, can result in detailed planning to control the identified risks, it should be kept as simple as possible at all times. Do not create a bureaucracy to handle risk management issues. Do not create a bunch of "stuff." Risk management is about controlling risk, not about making another complicated procedure with accompanying forms. (Think of it like a good coffeemaker: It just makes coffee, and it does not do 5,000 other things that nobody really wants anyway or even knows about.)
Do not Prove Preconceived Ideas
It may be normal to have an idea about what is causing certain types of risk or an idea about how to control legal risk effectively. Fine. Do not, however, gather information simply to prove (or even disprove) any preconceived ideas. Just as a good research project sets out to test instead of prove a hypothesis, effective legal risk analysis must be used to gather information for analysis, wherever that analysis leads.
Do not Focus on Blame
Legal risk analysis can determine how a particular person, group, or department (whether an owner, manager, or part-time high school student employee) may be a driver of one of the causes of legal risk. The response is to change how that person is doing things, not to blame them for problems. Risk analysis is not a witch hunt or an effort to identify and round up those among "us" who are really "them." Legal risk analysis is about developing a process that will allow the firm to control risk; it is not about placing blame.10
Keep the Purpose in Focus
No matter what comes up at any point in risk management, remain focused on its purpose: a strategic process that must be supported properly throughout the firm and that has the fundamental purpose of giving a firm the ability to control its legal risk so it can focus on its business.
EFFECTIVE LEGAL RISK MANAGEMENT
In this article we outlined the components of a process for identifying, describing, understanding, evaluating, and quantifying a firm's legal risk. The plan is consistent with both the enterprise risk management model (COSO 2004) and models for conducting legal audits11 and legal compliance.12
By applying a legal risk management model to the value chain, the framework makes it possible to separate legal risk management into the different aspects of a firm's activities. Thus, the organization can make the legal risk management model more feasible to implement and more effective.
Table 1: Model of Generic Value Chain for Typical Business
SUPPORT ACTIVITIES: Infrastructure, Procurement, Human Resource Development, Equipment and Technology Development.
These are activities that are necessary for the company to exist, but they do not relate directly to the production of value.
Infrastructure. Organization of the business. Entity form: sole proprietorship, partnership, limited liability company, corporation (S or C, professional, nonprofit). Accounting method. Tax year. Management (decision making) process. Internal organization (distribution of responsibilities, general policies and procedures not specifically covering operations).
Procurement. Overhead expenses (fixed expenses, long-term debt/obligations, short-term debt/obligations). Inventory valuation problems due to spoilage or waste, including items that do not move. How finances, including taxation, in general are handled (planning as well as actual).
Human Resource Development. Employment policies. Determining what jobs to create, keep, eliminate. How to cover increased need, especially temporary or seasonal increases. Determining pay and benefits.
Equipment and Technology Development. Determining types to use (assessing need, what to get, keep, or eliminate), how and when to implement, how to pay for, and evaluation.
PRIMARY ACTIVITIES: Inbound Logistics, Operations, Marketing and Sales, Outbound Logistics, Service.
These are the activities related directly to how the company produces value for itself.
Inbound Logistics. Getting and maintaining what is needed to handle operations.
Operations. The transformation of inbound logistics items into the products and/or services the business sells its customers. Includes maintenance of current products/services, determining what to add or delete, determining costs, setting prices and payment methods.
Marketing and Sales. Activities performed in order to create demand for the company's products and services, as well as in managing customer relations. Includes targeting and finding customers, keeping customers, dealing with competition, taking care of market share.
Outbound Logistics. Getting products/services to customers. Collections.
Service. Activities performed after goods and services have been delivered, including installation, customer training, and repairs. Includes warranties, service contracts, the process of following through with after-sales activities.
Figure 1: Sample Worksheet for Determining Areas of Risk from Value Chain Activities
SUPPORT ACTIVITIES
Infrastructure.
1. Entity Form: _____
2. Accounting Method: _____
3. Tax Year: _____
4. Management Structure: _____
A. Decision-making Process: _____
B. Distribution of Responsibilities: _____
5. State and Federal Regulations that Apply to Business but not Directly to Products and Services: _____
Procurement.
1. Identify Overhead Expenses by Category or Type (e.g., facilities cost, labor, long-term debt/obligations, short-term debt/obligations, taxes): _____
2. Inventory Problems: _____
Human Resource Development.
1. Issues Covered by Current, Written Employment Policies: _____
2. How Wages and Benefits Are Set: _____
3. How Decisions to Create Jobs Are Made: _____
4. Hiring Process: _____
5. How Temporary or Seasonal Employment Needs Are Met: _____
Equipment and Technology Development.
1. How Need for New Acquisitions Is Determined: _____
2. How Current Assets Are Maintained/Updated: _____
3. How Decision to Dispose of Assets Is Determined: _____
4. Decision Process on Issues such as Purchase or Lease and Source of Funds: _____
PRIMARY ACTIVITIES
Inbound Logistics.
1. Suppliers with Long-Term Contracts: _____
2. Other Suppliers: _____
3. Method for Storing Supplies until Used: _____
4. How Long Supplies Are Stored Before Use: _____
5. Contingency Plans for Alternate Sources of Supplies: _____
Operations.
1. Product Based or Service Based: _____
2. Specific Nature of Products/Services: _____
3. State and Federal Regulations that Apply to Products/Services: _____
4. How Costs Are Determined: _____
5. How Prices Are Determined: _____
8. How Products/Services Are Evaluated: _____
9. Decision Process for Developing New Products/Services: _____
Marketing and Sales.
1. Describe the Market for Company Products/Services: _____
2. Marketing Plan: _____
3. How Customer Relations Are Handled: _____
4. Describe the Competition: _____
5. How Competition Is Handled: _____
Outbound Logistics.
1. How Products/Services Are Delivered to Customers: _____
2. How Customers Ordinarily Pay for Products/Services: _____
3. How Collection of Late Payment Is Handled: _____
Service.
1. What After-Sales Services Are Offered to Customers: _____
2. How After-Sales Services Are Delivered to Customers: _____
Table 3: Model for Determining and Evaluating Drivers of Specific Causes of Risk
Activity: Identify the activity from the previous worksheet.
Risk Sources: Identify the risk sources from the previous model, along with their scores from the Composite Likely Impact section of Table 2-B. List the risk sources in descending order, beginning with the one that has the most occurrences and with formal consequences ahead of informal. If risk sources have the same score, list in order of the company's priority for dealing with them.
Drivers: Identify both suspected and known actual causes, or drivers, for each risk source.
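The scoring in step 3 (likelihood 1 to 10 times severity 1 to 10, giving a composite score of 1 to 100) and the ordering rule for Table 3 (descending score, formal consequences ahead of informal on ties, then the company's own priority) are mechanical enough to carry out in code. The following is an added example, not part of the article or of Tables 2 and 3; the risk sources, the `formal` flag, the `priority` field, and the clamping of probabilities below 5% to a score of 1 are all assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskSource:
    """One legal risk source (activity/driver) identified in a topic area of the worksheet."""
    name: str
    likelihood: int   # Column 2: 1 (lowest probability of occurring) .. 10 (highest)
    severity: int     # Column 3: 1 (least severe consequence) .. 10 (most severe)
    formal: bool      # Assumed flag: True for a formal consequence (e.g. a regulatory action);
                      # formal consequences rank ahead of informal ones on equal scores
    priority: int     # Assumed field: the company's priority for breaking remaining ties (1 = first)

    def __post_init__(self):
        # Reject scores outside the 1..10 scale before they reach the composite calculation.
        for label, value in (("likelihood", self.likelihood), ("severity", self.severity)):
            if not 1 <= value <= 10:
                raise ValueError(f"{label} for {self.name!r} must be 1..10, got {value}")

    def composite(self) -> int:
        """Column 4: Column 2 times Column 3, which lands on the 1..100 scale."""
        return self.likelihood * self.severity


def likelihood_from_probability(probability: float) -> int:
    """Map a subjective probability to the 1..10 likelihood score (0.90 -> 9).

    The article gives only the 90% -> 9 illustration; rounding to the nearest tenth
    and clamping to 1..10 (so 1% still scores 1) is an assumption of this example.
    """
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return max(1, min(10, round(probability * 10)))


def rank_risk_sources(sources):
    """Order risk sources for Table 3: composite score descending, formal consequences
    before informal on equal scores, then the company's own priority."""
    return sorted(sources, key=lambda s: (-s.composite(), not s.formal, s.priority))


def sample_sources():
    # Constructed sample data for a small service firm; these entries are not from the article.
    return [
        RiskSource("Wage-and-hour claims", likelihood=7, severity=6, formal=True, priority=2),
        RiskSource("Breach of supplier contract", likelihood=5, severity=8, formal=True, priority=1),
        RiskSource("Customer complaints about service quality", likelihood=6, severity=7,
                   formal=False, priority=3),
        RiskSource("Slip-and-fall injury at the facility", likelihood=3, severity=9,
                   formal=True, priority=4),
    ]


if __name__ == "__main__":
    for rank, source in enumerate(rank_risk_sources(sample_sources()), start=1):
        kind = "formal" if source.formal else "informal"
        print(f"{rank}. {source.name}: {source.likelihood} x {source.severity} = "
              f"{source.composite()} ({kind})")
```

Run as a script, the block lists the four constructed sources in Table 3 order: the two sources scoring 42 come first, with the formal wage-and-hour claim ahead of the informal customer-complaint source, followed by the 40 and the 27. Note that the ordering is decided by the product, so a low-probability but severe source (3 x 9) still ranks below a moderate one (5 x 8); that is the behaviour the multiplicative composite implies and a reason to keep the severity scale honest.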
Table 4: Compliance Plan Outline
I. Statement of Purpose
Describes what the firm intends to accomplish with its compliance plan. This would include specific goals or expected outcomes, not just a general narrative.
II. Compliance Officer
Someone, either an individual or a group, must be in charge of overseeing, operating, and monitoring the compliance plan. The compliance officer must have actual authority within the firm to do the job and must have the support of management/ownership.
III. Risk Analysis and Evaluation
This information will come from the worksheet and models and will specifically describe the causes of risk and the drivers of these causes (along with the risk score) that are the subject of the compliance plan. The purpose is to describe the subject matter of the compliance plan and the priorities in the plan and to serve as a benchmark for the firm's position at the time the compliance plan is implemented.
IV. Policies and Procedures
This is the heart of the compliance plan and includes a description of the things to be done in order to address the issues identified in the Risk Analysis and Evaluation section. The focus must not be limited to reducing risk; it must also examine maintaining new levels of reduced risk while continuing to reduce risk as much as possible.
V. Training and Implementation
Describe how the policies and procedures described in the previous section will be made known to personnel. Also, identify when the new policies and procedures will become effective, and describe any process for either phasing in new procedures or implementing them on their effective dates.
VI. Auditing Compliance
The compliance plan must be reviewed, or audited, on a regular basis to determine:
* Whether it has been implemented.
* Whether it is being used and followed.
* How any failure to follow it will be handled.
* Whether modifications are necessary.
* Whether it is effective in meeting its goals and outcomes.
ENDNOTES
1 Paul Sweeney, "Keeping Legal Costs Down," Financial Executive, December 2001, pp. 47-48.
2 The executive summary is online at www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf.
3 Linda Skaggs, "Hospital Risk Management Programs in the Age of Health Care Reform," Kansas Journal of Law and Public Policy, Winter 1995.
4 W. Robert Knechel, "Generic Value Chain for Typical Business Organization," Auditing Text & Cases, South-Western College Publishing, Cincinnati, Ohio, 1998.
5 The use of a 1-to-10 scale has the advantage of being simple, and it can be facilitated across a large organization. Note that some advisors/firms might consider using dollar amounts for consequences, as in the various COSO assessment methodologies (e.g., benchmarking, probabilistic models, and nonprobabilistic models). This article's approach fits under COSO's probabilistic models category (e.g., value at risk, cash flow at risk, and operational loss distributions) but is not subject to differing individuals' dollar utility preferences and the changing litigation amounts over time that make dollar numbers more difficult to implement.
6 Robert Kaplan, "Measuring Manufacturing Performance: A New Challenge for Managerial Accounting Research," Accounting Review, October 1983, pp. 686-705.
7 Michael R. Boutot, "Is Litigation Management Cost Control?" Risk Management, June 2002, p. 58.
8 Barry D. Halpern and Thea F. Silverstein, "Ethical Considerations in Elder Care," University of Kansas Law Review, Vol. 44, 1996, pp. 785-786.
9 Ernest J. Bernabei III, "Product Liability Claims," Risk Management, April 2001, pp. 52-55.
10 Celia Wells, Derek Morgan, and Oliver Quick, "Disasters: A Challenge for the Law," Washburn Law Journal, Vol. 39, 2000, p. 503.
11 Louis M. Brown and Anne O. Kandel, "The Legal Audit," Section 1:3, Thomson-West (2003).
12 There are a number of sources for legal compliance planning models. Each tends to have elements in common, as described in federal regulations that require compliance plans in specific instances (e.g., HIPAA, OSHA, and the FTC).
BY KEVIN JOHNSON, J.D., AND ZANE SWANSON, CPA, PH.D.
Kevin Johnson, J.D., is an associate professor of business administration and education at Emporia State University in Emporia, Kansas. He can be reached at kjohnson@emporia.edu.
Zane Swanson, CPA, Ph.D., is an associate professor in Emporia State's Department of Accounting and Information Systems. He can be contacted at zswanson@emporia.edu.