Practical Guidance
By: Gary Deutsch, M.B.A., C.P.A.
As counsel for one or more types of business (for-profit and/or non-profit), you are often asked to advise on many different legal and regulatory compliance issues, but how well prepared is any business to incorporate your advice into its daily routine? At issue is the process a business uses to manage legal risk. Here are some key questions to consider:
The answers to these questions may expose weaknesses in the risk management process that could lead to increased exposure to losses. Even if the answers do not expose significant weaknesses, attorneys need to review management's risk assessments to form their own conclusions about the adequacy of the process. Furthermore, even with a well-functioning risk management process, organizations are exposed to unexpected losses. For instance, significant changes in laws and regulations may be difficult to factor into plans until the structure of the changes has become clear. Risks that rarely occur, like natural disasters, or those whose timing cannot be predicted, like cyber attacks, cannot easily be included in plans except as contingency or reserve factors. Transferring those types of risks through insurance may be advisable if the transfer is cost-effective.
Risk assessments evaluate an organization's inherent risks, that is, the risks embedded in the nature of the business. Here are some examples:
Of course, this list is only a sampling of the types of risk that are unique to (inherent in) various organizations. Understanding risk assessments can help attorneys assess the legal risks that the board (or owner) needs to consider in their planning and risk tolerance determination.
The Risk Assessment Process
Before discussing the risk assessment process, it’s important to understand that even small organizations need to consider the interaction among the various functions, departments, divisions, products, and services that operate within an organization.
This interaction requires an enterprise approach to the risk management process (called enterprise risk management or ERM).
Here’s an example.
ABC Corp. makes widgets. It decides to launch a new widget and outsources the manufacturing to XYZ LLC. The new widgets sell well and ABC's accounts receivable grow accordingly. Shortly after the new widgets reach customers, however, feedback indicates that they are not operating as ABC marketed. An investigation determines that a component part supplied by XYZ LLC is defective. While the investigation is underway, ABC's accounts payable department pays XYZ under the contract provisions for the new widget. The accounts receivable department, credit department, supply management function, and accounts payable did not communicate with one another, so accounts payable paid an XYZ invoice that should have been withheld pending the results of the investigation. Had accounts receivable, credit, or supply management given accounts payable a copy of the manufacturing agreement with XYZ and notice that a defective-part investigation was underway, accounts payable would have been alerted to the defective-part provision and could have withheld payment pending the investigation.
An assessment of payment risks focused solely on the accounts payable department might have identified this weakness, but only after the payment to XYZ had been made. An ERM risk assessment, by contrast, might have identified the lack of communication among accounts receivable, credit, supply management, and accounts payable as a control weakness that, if corrected, could have prevented the payment.
Sample ERM Risk Assessment Questionnaire
This sample ERM risk assessment questionnaire for outsourced vendor contracts might have helped identify the payment issue discussed above. The assessment is not a legal review; it is a review of operational and security-related provisions to ensure that the organization's interests continue to be protected.
When evaluating ABC’s outsourcing arrangement with XYZ, the following operational and technology contract issues should be considered:
This risk assessment together with a policy stating that all affected parties within ABC must be notified of outsourced contract provisions, changes to contracts, and violations of terms, if any, could have prevented the payment issue in this example. The discussion below will focus on an overview of the ERM risk assessments process.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its "Enterprise Risk Management - Integrated Framework" in 2004 (updated in 2017 as "Enterprise Risk Management - Integrating with Strategy and Performance") to give organizations worldwide principles-based guidance for designing and implementing effective enterprise-wide approaches to risk management, the process now known as enterprise risk management (ERM).
COSO defines its ERM framework as "a process, effected by an organization’s board of directors, management, and other personnel, which is applied in strategy setting and across the enterprise. The goal of ERM is to provide reasonable assurance regarding the achievement of organizational objectives by identifying events that may affect the organization and managing risk to be within the organization’s risk appetite."
The COSO framework provides guidance in the following general areas:
COSO's ERM guidance moves beyond theory to explain how integrating ERM into processes can help balance risks and rewards. Consider the following risk assessment issues. Does the organization's ERM approach:
The traditional, non-ERM approach to risk assessments is to have the organization's financial function carry them out on a monthly, quarterly, or yearly basis. During the process, errors are detected and corrected, and people are considered the primary source of risk. Operational plans focus on short-term risks.
Under the ERM approach, risk assessments are continuous and are performed by the managers of the various organizational functions. ERM stresses that everyone is responsible for achieving the organization's strategic plan, and controls address all risks together rather than a single risk in isolation. The emphasis is on preventing errors, and processes, not people, are treated as the primary source of risk.
The strategic plan focuses on long-term risk. Therefore, a well-functioning ERM program will provide for the systematic internal assessment of risks based on the following criteria:
The ERM program should also provide for open communications among organizational units, risk management staff, senior management, and board members, as well as corporate counsel, to enhance enterprise level decision-making about major risks and to react faster to emerging issues.
However, look for signs that the ERM program is not working. Here are some signs to consider:
To ensure that the organization’s ERM program is functioning as intended, ask management and the board the following questions:
Although ERM may sound like a risk management approach that is best suited to large organizations, keep in mind that smaller organizations may be practicing ERM without a formal ERM program. In smaller organizations, owners, the board, and management may be the same people or certainly a small group who can recognize risks more easily due to the small size of the organization. Corporate counsel can also help by providing an objective combined legal and business perspective on risks that the others may not recognize as they are immersed in daily activities.
Core Risk Assessment Components
There are two core components of ERM risk assessments. The components should be designed to answer the following questions:
Below is a brief overview of each of these components.
Inherent Risk Assessment
Inherent risk is the possible damage to earnings, capital, or reputation arising from an organization's involvement in a particular line of business. It exists in each line of business regardless of the management controls in place. For example, the credit risk of attracting new customers is typically higher than that of extending additional credit to existing customers. Although an inherent risk cannot be removed, how often a risk event occurs and results in a loss, and the extent of the exposure to such losses, can be managed through the processes the organization uses to identify, measure, monitor, and control risk. The inherent risk assessment identifies the risks specific to each line of business; the management of risk assessment discussed in the next section evaluates the processes used to identify, measure, monitor, and control them.
The inherent risk assessment is divided into three main sections: historic, predictive, and impact. The first section, historic, is intended to assess past loss experience within the industry as well as the organization’s actual historical loss experience. Since the past is often a poor guide to what might happen in the future, the predictive part of the assessment is intended to assess the potential for future adverse events in each risk category. The impact section addresses the expected result from significant adverse events.
Exhibit A includes sample assessment standards and a rating system to measure inherent risk. In this exhibit, a rating of 9 indicates that there is a strong likelihood of an adverse impact on earnings, capital, or reputation, but only if management controls are not in place or functioning properly. Since effective management controls can mitigate risks, the assessment should evaluate the organization’s total inherent risk exposure separately from the assessment of current management policies and processes in place to control the risk as discussed in the following section.
It is important to assign a score for each category of risk. Any categories that are not applicable should be scored zero. Also, comment on reasons for assigning any score of 7 to 9 since those risks will need to be evaluated for risk mitigation controls.
Management of Risk Assessment
Organizations profit by taking measured risks. However, they can lose money or even fail by not managing those risks. Effective risk management means integrating several elements, including strategy, organization, policies and procedures, process and controls, measurement/monitoring, technology, and reporting.
Management of risk can significantly reduce volatility and the potential damage to earnings, capital, or reputation. Management cannot, however, eliminate risk, especially when an organization assumes levels of inherent risk associated with their line of business.
In the preceding section, we discussed the need to assess an organization’s inherent risks. The second core risk assessment component is to evaluate the quality of the management of those inherent risks.
Exhibit B includes sample assessment standards and a rating system for the management of risk assessment. Here a rating of 9 indicates that the controls over a risk are absent or not functioning properly, so that there is a strong likelihood of an adverse impact on earnings, capital, or reputation. Accordingly, as with the inherent risk assessment, evaluate the organization's total risk exposure separately from the management policies and processes currently in place to control the risk.
It is important to assign a rating for each category of risk. Also, comment on reasons for assigning a grade of 7 to 9 since those risks will need to be evaluated for risk mitigation controls.
Corporate counsel can have a significant impact on compliance with the board’s objectives through oversight of the ERM risk assessment process in the following manner:
To accomplish these and other related roles, counsel must participate as an advisor to the risk management team that creates and implements the periodic ERM risk assessments. Counsel should:
Counsel’s oversight role should be objective as well as a routine part of the oversight process, which traditionally includes the internal and external audit functions as well as other oversight positions such as the chief risk officer. In addition, the board should allow counsel to work directly with the oversight functions and human resource and regulatory compliance managers to assist with evaluating risks inherent in the organization and the effectiveness of management in managing those risks.
Corporate counsel can assist the board and management in identifying trending risks that should be considered in ERM risk assessments. Below are some examples of the types of risks that counsel might consider.
Invasion of Privacy
A hacker accesses ABC, Inc.’s account information through a financial institution’s website and sells the information to a third party. ABC sues the institution, alleging that it was negligent in safeguarding the account information and that ABC suffered economic loss as a result of the account breach.
Loss or Damage to Electronic Customer Data
ABC, Inc. applies for a loan on an institution’s website. A loan officer sends an e-mail to ABC concerning the status of the application. ABC later alleges that the e-mail contained a virus that deleted all financial records from one of ABC’s servers. ABC demands that the institution compensate them for the cost of reconstructing the data and for losses suffered when ABC could not access data to file tax returns on time.
Denial, Impairment, or Interruption of Service
A hacker launches a denial-of-service attack against ABC, Inc.'s website, shutting down the site for more than 24 hours. During that time, a customer attempts to access his account to pay an outstanding invoice. Because ABC's website is down, the payment is deemed late before the customer can complete it electronically. The customer alleges that the delay caused by the attack cost him service from ABC and, in turn, business, for which ABC is responsible.
Unauthorized Access to a Customer Account
A hacker accesses ABC, Inc.’s account through their financial institution’s website and uses personal information in the account records to obtain credit cards in ABC’s name. When the credit card issuers attempt to hold ABC liable for the unpaid charges, ABC sues their financial institution for failing to safeguard their confidential information.
Loss of Business Opportunity
ABC, Inc. wires funds online from their corporate account at Bank A to their payroll account at Bank B. The funds are not transferred due to a systems malfunction at Bank A. When ABC’s payroll processor cannot verify that ABC has sufficient funds on deposit to pay employees through direct deposit, ABC is late paying its employees. ABC sues Bank A, alleging that their business was adversely impacted when their employees were not paid on time.
Libel, Slander, and Defamation, or Other Actionable Oral or Written Disparagement
ABC states on its website that its product is superior to competitor products. A customer sues ABC after he purchases a product from them, alleging that he could have obtained a better product from a competing vendor. Although ABC obtains dismissal of the complaint, significant defense costs are incurred.
Infringement of Copyright, Misappropriation of Ideas, or Plagiarism
ABC, Inc. obtains a report from a consultant concerning issues facing ABC’s market to support their claims of superior service. In preparing the report, the consultant copies extensively from another report, written by the consultant’s former partner. ABC places the report on its website for informational purposes, along with other information ABC provides to attract new customers. The consultant’s former partner sues ABC, alleging that ABC plagiarized his work.
Infringement of Trademark, Trade Name, or Service Mark
ABC, Inc.’s marketing department develops several slogans and phrases to emphasize the quality of their new service. ABC includes these slogans on the home page of its website. However, the marketing department neglects to seek the advice of an intellectual property attorney as to whether any of the slogans are already in use by other companies. A national corporation, which has registered two of the slogans as service marks, sues ABC.
ABC, Inc. terminates an employee who feels he has been unjustly treated. In retaliation, he threatens to disseminate confidential information over the Internet unless a year’s salary is wired to a specified account within 24 hours.
Ransomware is malware that restricts access to an infected computer system until the victim pays a ransom to the malware operators to remove the restriction. For instance, ransomware might systematically encrypt the files on ABC, Inc.'s servers; without the decryption key, which the operators offer only in exchange for the ransom, the files are difficult or impossible to recover. Paying does not guarantee a working key, so the practical controls are tested, offline backups from which affected systems can be rebuilt, together with monitoring that detects mass encryption early.
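The behaviour described above, one process rewriting many files as ciphertext in a short span, is what endpoint monitoring looks for. The following is an added example, not code from the original article: it computes the Shannon entropy of written content (encrypted or compressed data approaches 8 bits per byte, plaintext sits far below) and flags any process that rewrites a burst of files as high-entropy content under a new extension inside a time window. The file-write events, process IDs, paths, and thresholds are constructed for the example and are not taken from the article.

```python
import math
import random
from collections import Counter, defaultdict

# Assumed thresholds for the example; a real deployment would tune these.
HIGH_ENTROPY = 7.5    # bits per byte; plaintext and office files sit well below this
BURST_COUNT = 20      # encrypted rewrites from one process inside the window
WINDOW_SECONDS = 60.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_encrypted_rewrite(event: dict) -> bool:
    """A single write looks like ransomware output if the content is near-random
    and the file was renamed to a new extension (e.g. report.txt -> report.txt.locked)."""
    return event["entropy"] >= HIGH_ENTROPY and event["ext_changed"]


def flag_ransomware_bursts(events, window=WINDOW_SECONDS, burst=BURST_COUNT):
    """Return {pid: time_of_first_alert} for every process that produced at least
    `burst` encrypted rewrites within any `window`-second sliding interval.
    A lone high-entropy write (a backup archive, a compressed upload) never trips it."""
    times_by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        if is_encrypted_rewrite(ev):
            times_by_pid[ev["pid"]].append(ev["t"])
    alerts = {}
    for pid, times in times_by_pid.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= burst:
                alerts[pid] = times[end]
                break
    return alerts


def make_sample_events(seed: int = 1):
    """Constructed file-write events (not real telemetry): a benign editor,
    a backup job, and a simulated ransomware process."""
    rng = random.Random(seed)
    events = []
    text = b"Quarterly widget sales report, ABC Corp. " * 50
    # Benign editor: saves plaintext repeatedly, keeps the .txt extension.
    for i in range(10):
        events.append({"t": i * 5.0, "pid": 101, "path": f"/srv/docs/report{i}.txt",
                       "entropy": shannon_entropy(text), "ext_changed": False})
    # Backup job: one compressed archive is high-entropy but a single write.
    events.append({"t": 3.0, "pid": 202, "path": "/srv/backup/docs.zip",
                   "entropy": shannon_entropy(rng.randbytes(2048)), "ext_changed": True})
    # Simulated ransomware: 30 files rewritten as random bytes with ".locked" in 45 s.
    for i in range(30):
        events.append({"t": 100.0 + i * 1.5, "pid": 303,
                       "path": f"/srv/docs/report{i}.txt.locked",
                       "entropy": shannon_entropy(rng.randbytes(2048)), "ext_changed": True})
    return events


if __name__ == "__main__":
    for pid, t in flag_ransomware_bursts(make_sample_events()).items():
        print(f"ALERT pid={pid}: {BURST_COUNT} encrypted rewrites by t={t:.1f}s")
```

Only the simulated ransomware process (pid 303) is flagged; the editor never produces high-entropy content and the backup job produces only one such write. Real detectors add other signals (canary files, shadow-copy deletion, known ransom-note filenames) and respond by isolating the host, but the entropy-plus-burst rule is the core of the heuristic.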
ABC Inc.’s financial institution incurs credit risk in different forms, depending on the type of transaction and the institution’s role in the transaction. Here are examples:
ACH Credit Entries
For ACH credit entries, the Originating Depository Financial Institution (ODFI) incurs credit risk upon initiating the entries until ABC funds the account at settlement. The Receiving Depository Financial Institution (RDFI) incurs credit risk if it grants ABC funds availability prior to settlement of the credit entry.
ACH Debit Entries
For ACH debit entries, the ODFI incurs credit risk from the time it grants ABC funds availability until the ACH debit can no longer be returned by the RDFI. ODFIs generally charge back a returned ACH debit to the originator. But the ODFI may suffer a loss if, for example, the originator’s account has insufficient funds or has been closed. The RDFI’s credit risk from a debit entry arises if it allows the debit to post and overdraw its customer’s account.
Institutions implement credit-risk controls that:
Institutions with more complex ACH programs or institutions that do not mitigate credit risk through holdbacks or reserve accounts have more expansive credit-risk management systems. These credit risk issues can adversely impact ABC’s ability to maintain its banking relationships.
The risk assessment of Human Resources (HR) functions requires input from leaders in all disciplines within the organization. Leaders in marketing, sales, operations, finance, etc.—all should be asked for their opinions, ideas, and thoughts on risk areas such as:
It may be helpful to have an HR expert participate or provide leadership in the process, but it would be a mistake to hand off assessment of the HR functions to one or two HR staff people when the assessment questions and considerations require input from many disciplines within the organization.
Data Theft Risk Mitigation Example
The risks described above would require an assessment of their potential impact on the organization (ABC, Inc. in the examples). In addition, the assessment should identify and prioritize risks and provide for risk mitigation controls where necessary. Since this type of risk assessment is focused on specific risks, it is less comprehensive than the organization-wide ERM risk assessments previously described.
Below is an example of a risk assessment that is focused on a specific risk. This risk topic is data theft technology risks. When evaluating how to protect against technology risks, it is important to identify the ways that an organization can be attacked. Attacks take many forms, from breaking into a computer room and stealing data files to a trusted employee who gets around controls because of their trusted position. A summary follows of the typical ways that hackers and thieves carry out their attacks and typical risk mitigation control procedures that may prevent the attacker from succeeding.
Posing as a Customer
Implement, update, and manage:
Using Technology to Launch an Attack
Install, update, and manage:
Taking Advantage of a Trusted Employee Position
Manage and monitor:
In addition to identifying risk trends as discussed above, counsel can assist the board and risk managers with identifying industry-specific risks. These risks are the inherent risks that were discussed earlier in this article. Below are some examples of the risks inherent in a sampling of industries. Counsel should work with the board of each organization they represent to understand, monitor, and evaluate through ERM risk assessments the risks inherent in those industries.
Credit risk is the current and prospective risk to earnings or capital arising from an obligor’s failure to meet the terms of any contract with the bank or otherwise to perform as agreed. Credit risk is found in all activities in which success depends on counterparty, issuer, or borrower performance. It arises any time bank funds are extended, committed, invested, or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet.
Risk assessments should consider both the quantity of credit risk and the quality of credit risk management. Quantity of credit risk is derived from the absolute amount of credit exposure and the quality of that exposure. How much credit exposure a bank has is a function of:
Quality of credit risk management involves the adequacy of controls over the process of originating, funding, and overseeing loans until they are paid according to the loan agreement.
All else being equal, banks that have higher loans-to-assets and loans-to-equity ratios and that depend heavily on the revenues from credit activities will have a higher quantity of credit risk. The quality of exposure is a function of the risk of default and risk of loss in assets and exposures comprising the credit exposure. However, the risk of default and loss is not always apparent from currently identified problem assets. It also includes the potential default and loss that will be affected by factors such as bank risk selection and underwriting practices; portfolio composition; concentrations; portfolio performance; and global, national, and local economic and business conditions.
To determine the quantity of credit risk, risk assessments must consider an array of quantitative and qualitative risk indicators. These indicators can be leading (rapid growth), lagging (high past-due levels), static (greater or less than X%), relative (exceeds peer or historical norms), or dynamic (trend or change in portfolio mix). Many of these indicators are readily available from Call Report and Uniform Bank Performance Report information. Other indicators, such as a bank's risk tolerance or underwriting practices, are more subjective.
It is important to note that banks can exhibit an increasing or high level of credit risk even though many, or all, traditional lagging indicators or asset quality indicators are low. Although a qualitative indicator may have the opposite effect on credit risk that a quantitative indicator has (the one may mitigate the other’s effect), the indicators can also work together (the one may add to the other’s effect). While each type of measure can provide valuable insights about risk when viewed individually, they become much more powerful for assessing the quantity of risk when viewed together.
Health Care Workers
Every health care worker can influence the risks related to the health, safety, and welfare of patients. Health care workers are defined as everyone who works within a health care facility.
A risk assessment within a health care facility should provide for a thorough evaluation of the workplace to identify anything that may cause harm to patients. The assessment should consider how probable and severe the risk is and determine what measures should be taken to prevent or control the harm from occurring.
Here is a sample outline of the typical risk assessment:
The outcome of the risk assessment should be to create awareness of hazards and risks, identify who may be at risk, and determine if existing control measures are adequate or if alternative controls should be implemented. Ideally, controls will be designed to prevent injuries or illnesses based on a prioritization of the seriousness of health hazards.
Health care facilities have a legal obligation to limit unprotected exposures to pathogens, the transmission of infections associated with procedures, and the transmission of infections associated with use of medical equipment, devices, and supplies. Risk assessments should address the adequacy of control measures to manage the facility’s obligations to safely care for patients.
Retailers are exposed to many risks because they must give customers direct physical and online access to their products and services. One access point that has produced losses for many retailers is the skimming device: a reader physically attached to (tampering with) an asset that reads magnetic stripe data from a payment card (e.g., ATMs, gas pumps, POS terminals), often paired with a camera or keypad overlay to capture the PIN.
Some of the risk assessment issues to consider are:
The objective of risk mitigation controls is to make it harder for criminals to carry out their plans or, if prevention is not possible, to detect the theft more quickly. For payment card readers, PCI DSS requires merchants to keep an inventory of the devices, inspect them periodically for tampering or substitution, and train staff to recognize it; a risk assessment should confirm those procedures are actually followed.
Cybersecurity has become a significant risk issue for all organizations. Attackers can operate from anywhere in the world and often go undetected for long periods. They are frequently well funded and may attack for profit or to achieve political objectives. The consequences of a successful attack can be debilitating and can include reputational damage. There is also the potential for significant remediation costs, which is why the insurance industry has created cybersecurity insurance policies.
Since there is still a limited actuarial basis for underwriting these policies, underwriting requires a due diligence investigation into an organization's internal risk management practices and its external business dependencies, including vulnerabilities related to the organization's suppliers, sub-suppliers, and vendors. The underwriter's risk analysis also considers threats arising from insiders, inadequate physical security, and international travel, and evaluates how consistently the organization has adopted, implemented, and enforced a cybersecurity culture that works toward prevention and prompt detection if prevention fails.
The results of the insurer's underwriting provide an objective look at the organization's enterprise risk, including potential high-priority vulnerabilities. Once the insurance is in place, the insurer may conduct periodic risk assessments to gain insight into evolving cybersecurity risks.
Even if the organization decides not to purchase cybersecurity insurance, the insight gained from participating in the underwriting process may uncover invaluable cyber risk insight based on the insurer’s exposure to multiple industries.
Gary M. Deutsch, CPA, MBA, CMA, CBA, CIA, has worked extensively with financial institutions in audit, lending, financial, and operational areas. He has served in senior positions for regional banks as VP of Finance, Real Estate Loan Officer, and Senior Audit Manager. Mr. Deutsch served as a consultant to financial institutions in strategic planning, profit improvement, financial management, and merger- and acquisition-related studies while working at KPMG. Mr. Deutsch is the President of BRT Publications LLC, a professional authoring company serving the financial industry. He has written numerous financial industry books and guides, including Risk Assessments for Financial Institutions, a LexisNexis/Sheshunoff publication.
For additional information on performing risk assessments, see Risk Assessment (Corporate Counsel > Compliance Risk Assessment and Governance > Compliance Programs and Risk Assessment > Practice Notes > Risk Assessment).
For guidance on creating a compliance program, see Creating a Compliance Program (Corporate Counsel > Compliance Risk Assessment and Governance > Compliance Programs and Risk Assessment > Practice Notes > Compliance and Ethics Programs).