Risk Management For the Board of The Law Society 16 February 2005

The Law Society As a board member – What am I expected to be doing? Board is not management – What do I expect from senior management? – What are the bigger risks? Reputational risk – Especially as a regulator

Risk!

The Law Society Voluntarily complies with The Combined Code – To the extent applicable C.2 Internal Control Main Principle The board should maintain a sound system of internal control to safeguard shareholders’ investment and the company’s assets. Code Provision C.2.1 The board should, at least annually, conduct a review of the effectiveness of the group’s system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls and risk management systems.

OBJECTIVES RISKS CONTROLS

What is risk? Anything that contributes to the organisation’s failure to meet its stated objectives The chance of something happening that will have an impact upon objectives - measured in terms of consequences and likelihood (AS/NZS 4360:1999)

What is risk? ‘Risk - The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.’ [The Institute of Internal Auditors, Glossary to Standards until end 2003] IIA Standards Glossary from 2004 Residual Risks – The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk. Risk - The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. Risk Management– A process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization’s objectives.

Risk management Know your objectives Identify risks – external e.g. reputation, customers, suppliers, lenders – internal e.g. operations, staff, working capital, capacity Assess risk, prioritise and know what you can accept Manage risk – Tolerate (Acceptance – COSO ERM) – Treat (Reduction – COSO ERM) – Transfer (Sharing – COSO ERM) – Terminate (Avoidance – COSO ERM) – Track (Law Society) Monitor, learn and improve, reconsider objectives

Some COSO definitions Event – An incident or occurrence, from sources internal or external to an entity, that affects the strategy implementation and achievement of objectives. Exposure – Portion of the range of possible impacts of future events for which the entity is susceptible to loss. Impact – Result or effect of an event. There may be a range of possible impacts associated with an event. The impact of an event can be positive or negative relative to the entity’s related objectives. Risk – The possibility that an event will occur and adversely affect the achievement of objectives. Risk appetite – The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission or vision. Uncertainty – Inability to know in advance the exact likelihood or impact of future events.

COSO’s components of Enterprise Risk Management (2004)

The Law Society Strategic risk register – Ideally should be related to the corporate plan – eg.: Loss of role Operational risk register – eg.: Business continuity threats Breakdown of financial controls

Risk assessment matrix – undertake first before taking account of control

Risk assessment matrix – Overlay suggests control approach

Risk assessment matrix Adjust after taking account of control

CONTINGENCY PRIMARYSHOWSTOPPER CONTINGENCY PRIMARY MONITORING & REVIEW HOUSEKEEPING Likelihood Impact Risk Control Matrix

Risk response key Showstopper: Continuous focus, as with 'Primary' risks (below), supplemented by regular attention of the board. The intention is to eliminate as far as possible the risk of this unwanted outcome materialising, which would prudently involve avoidance of risk taking in this area. Primary: Risks which must be focussed upon continuously by top management to minimise the likelihood of them occurring and the impact of them if they do occur. Contingency: Requires carefully pre-designed and tested contingency plans to be in place to cater for the eventuality if it occurs. Housekeeping: Sufficiently regular and careful attention by way of effective internal control to minimise the likelihood of this unwanted outcome. Monitoring and review: Provision of periodic information to confirm the containment of this risk within acceptable levels, together with assigned responsibilities to keep this periodic information under review.

Ideal layout for a risk register RiskGross RiskBoard Accounta- bility Control description Control effectiveness Net/residual risk ActionResponsi -bility Review Date Im- pact Likeli- hood Im- pact Likeli- hood Numeric scale 1 to 5 Strong, Good, Weak or Poor Numeric scale 1 - 5

Illustration: overall state of relationship health …The Court of Public Opinion Local Communities Business partners The Media Business Leaders Competitors PoliticiansRegulators Government CustomersEmployeesShareholders Financiers

Illustration: relative importance of each stakeholder group …The Court of Public Opinion Local Communities 3 Business partners 1 The Media 1 Business Leaders 3 Competitors 3 Politicians 3 Regulators 3 Government 3 Customers 1 Employees 2 Shareholders 1 Financiers 1

Other points Downside risk + upside risk = overall risk – Mitigate threats – Capture/realise opportunities – Upside risk risk which relates to outcomes more favourable than expected

Other points Risks are like buses – they tend to come all at once Risk management is embedded when it is a ‘mindset’ – a natural part of management rather than an add-on

Risk Management Andrew Chambers audit.com)