NZ Lawyer Magazine
Friday, September 03, 2010

IN-HOUSE COUNSEL
Risky business
Good risk management goes beyond establishing a comprehensive compliance and reporting framework. Craig Sisterson looks at how in-house counsel can take the lead

Nowadays, getting your business to comply with the seemingly ever-increasing myriad of legislation and regulations that apply to it, in diverse ways, is absolutely vital to its survival and success, says David Woodnorth of ComplyWith. “It’s becoming increasingly important as corporate governance becomes more sophisticated and informed,” he adds. “Because when it comes down to brass tacks, you don’t want the value of your business diluted by compliance cock-ups. You want to make [large amounts] of money, but in a legally compliant way.”

The overall need for good risk management, particularly including legal and regulatory compliance, goes beyond avoiding penalties such as fines or worse, says Woodnorth. “These days so much is built on brand, and compliance is being seen not only just as ‘a keeping your directors out of jail’ scenario, but also in keeping your brand, keeping your shareholder value, as high as possible.”

There are a number of things that go into good risk management, says Steve Vaughn, Executive Director of the New Zealand Society for Risk Management. “Good risk management is systematically identifying what you want to achieve, working out what it might affect, and how likely it is, and deciding to put things in place to treat those situations. Good risk management requires communication with those affected, and continually monitoring what is going on.” It’s that final bit, communication, which is a very critical part of risk management, says Vaughn. “Getting people in the loop and having them understand.”

And while good risk management should permeate throughout a business, and not just be the responsibility of one person (even if there is a Chief Risk Officer), in-house counsel, in particular, are in a great position to play a key role in communicating and embedding risk management throughout the diverse parts of a business. They are in the relatively unique position of being in a role which can touch on any and all divisions and areas of a business, no matter how diverse and disparate they are. Every part of a business can have legal issues, and in-house counsel inherently have the broader view across a business that can be so useful when it comes to embedding good compliance and risk management practices.

Getting to grips with risk
In-house counsel who want to contribute more to their business by taking a more proactive and influential role in overall compliance and risk management first need to make sure they have a good grasp of general risk management principles, says Vaughn. “A good place to go is the new risk management standard published in November last year.” That standard, AS/NZS ISO 31000:2009, is also very useful, he says, because it discusses how to embed risk management throughout an organisation.

“Really, there are five elements when it comes to embedding risk management in an organisation,” says Vaughn. Those elements, which form something of an ongoing circle, are:
• The mandate and commitment for risk management.
• The design of the risk management framework.
• The implementation of risk management.
• Monitoring and review.
• Using the above to improve the framework and behaviour.

A business absolutely has to have a good mandate for, and commitment to, compliance and good risk management, says Vaughn, before a framework can be tailored and used within the context of the organisation to establish “policies and accountabilities and those sorts of things”.

ComplyWith often goes into organisations, including government entities, to help them create a framework tailored to their specific needs, says Woodnorth. “When we’ve done a really nice, tidy, robust job, we’ve profiled the organisation and its risks, and its size, and its operations. And then you match the compliance framework to the business, so if it’s a small business delivering policy advice, then operational-type legislation is a very light touch. And then, you know, if it’s Housing New Zealand and it’s very operationally focused, with things up and down the country, and it’s very big, then you go into [operational-type legislative compliance] in much more detail.”

The same goes for any business looking to create a compliance framework, says Woodnorth. You want a framework that is comprehensive but tailored – so you go deep enough in terms of the compliance risks that apply to you, without spending unnecessary time and energy on compliance that is out of date or otherwise doesn’t apply to your business (or a particular part of your business). But a good framework is just the start.

Beyond the framework
According to Woodnorth, one of the weaknesses of risk management systems that ComplyWith is often called in to help address is that a good framework or programme is in place, but the system assumes relevant managers are fully knowledgeable about the compliance risks they are responsible for, and this “deemed knowledge” is simply not there. “There is a real opportunity for both in-house and external lawyers to proactively add value by helping identify the suite of legal risks applying to different parts of a business,” he says.

Frameworks that are not tailored can run the risk of overwhelming managers and staff with ‘red tape’ that doesn’t really apply to their part of the business. “A classic one for us is that a lot of our Crown clients don’t own buildings any more, they just lease premises. So all the building owner responsibilities sit on a landlord somewhere down the road, and so they don’t have to answer compliance questions about the Building Act 2004, the Resource Management Act 1991, and all that kind of stuff – the owner obligations – because they’re a lessee, so they just need a fairly light touch.”

It is important that compliance frameworks are evaluated so they are tailored both to the needs and risks of a business or organisation as a whole, but also to the different divisions or sections within a business, says Woodnorth. If not, requiring people to put time and effort into irrelevant compliance runs a real risk of creating a malaise towards compliance in general, including the obligations that are actually vital to the survival and success of that part of the business. And that could be a real danger.

On a related point, there is also a great opportunity for in-house counsel to play a key role in helping keep their business up to date with changing compliance, and proactively getting out into the business, communicating what is needed, and making sure that specific details and actions beneath any framework are being communicated and carried out. Woodnorth has seen cases of people being very proud of their “great” legislative compliance systems: “They’re surveying people about bits of legislation that have been repealed five years ago – there’s a whole new regime in place!”

It’s important that people within an organisation have a better and deeper understanding of compliance, and how and why it applies to their part of the business, beyond just “ticking boxes” on a sheet someone has given them and assuming that means everything is in order and will be okay, says Woodnorth.

It is this “monitoring and review” step that is often missed out, says Vaughn. “Are the things that you expect to be happening actually happening?” And this is where in-house counsel can really come to the fore on an ongoing basis. “Having systems to make sure those bits of compliance are up to date is obviously going to be a critical thing.”

Don’t be the ambulance
Keeping the business up to date with both changing compliance, and education about compliance, provides a great opportunity for in-house counsel to be proactive, and get alongside the various areas of their business (or utilise the fact they already regularly get alongside the business). One of the ways to reduce the risk of risk management becoming a malaise-creating, form-filling exercise, says Vaughn, is for in-house counsel to educate key managers and staff about how good compliance can be a tool that will help their area of the company perform better and solve problems. “Using that technique to say that we acknowledge, we identify, certain risks, but how do we then go about working out how big those risks are, and how to avoid them? Looking at it from that point of view, rather than giving people a form and saying to them to tick boxes.”

In-house counsel should get alongside their colleagues in other areas of the business, and help them see that compliance isn’t just an annoyance, or road block, to them “getting on with” what they see as the important parts of their job – but a way to make their lives easier (eg doing a few small things now to avoid big hassles later).

There is a real opportunity when it comes to risk management and compliance for in-house counsel to be proactive within a business, says Woodnorth, “rather than being the ambulance at the bottom of the cliff, that everyone goes to when the shit hits the fan”. Counsel should get out there, he says, and let managers and staff know that, rather than taking up a lot of their time and being a hassle with a whole lot of compliance requirements that create more work for them, you’re going to put the work in to bring them tailored and updated information that will not only take up less of their time than otherwise, but also help make their jobs easier and better. “Break it down to line up with the business,” says Woodnorth. “Come at it by taking off your lawyer’s hat, and kind of putting on the manager’s hat, and saying ‘how can this be done most efficiently’ for that manager”.

In the end, says Woodnorth, a good way for in-house lawyers to ‘sell’ compliance and good risk management to their colleagues is to focus on why it is so vital for them, and how they’re going to help them and make things easier. “You can explain to them that knowledge is power. So if they’re all over their compliance stuff, and we as lawyers can help them do that, then they’re not only going to do a better job, but their butt isn’t going to be the one on the line when the Audit Risk Committee is reporting through to the Board saying, ‘Yes, the sales figures are fantastic, but, gee, he’s a bloody liability every step he takes – he doesn’t take compliance seriously’.”

Of course, to help do that, lawyers need to be taking it seriously themselves.


   

Copyright 2010 LexisNexis NZ Ltd