Question
This case presents an issue that becomes more likely the larger an organization becomes. The legal department of any company is an important part of the organization. The laws and regulations surrounding company operations require a legal department aware of all of the requirements to operate within the law and avoid fines and other violations of regulatory requirements.
As you read the case, here are the questions that I want you to respond to at a minimum. If you find other aspects of the case noteworthy, I would expect you to include a discussion of those aspects as well. Remember, you are looking at this case, as well as all of the other cases, as if you were the Chief Risk Officer for the entity.
- What are Jason's options? Can he accept a risk management program that does not involve the legal department?
- Do you agree with George's arguments? Are they valid?
- How would you proceed as the risk officer?
Please make some reference
The Reluctant General Counsel
NORMAN D. MARKS, CPA, CRMA
Fellow of the Open Compliance and Ethics Group, and Honorary Fellow of the Institute of Risk Management
Business Software Corporation (BSC) is a global software company headquartered in the Silicon Valley of California, with annual revenues of over $1 billion. It is listed on major North American stock exchanges. The head of the Internal Audit function, Jason Garnelas, has been asked by the board to lead the establishment of an enterprise risk management (ERM) function. Top management, led by the chief executive officer (CEO), John Black, and the chief financial officer (CFO), Jim Toll, have indicated their support for this important initiative. The plan is for Jason to run the program for the first year, at which point management and the board will consider whether it is necessary and appropriate to hire a full-time risk officer.
Jason is grateful for the support of both the board and top management, because it is unusual for an entrepreneurial technology company to recognize the value of risk management and dedicate both time and resources to its implementation. In fact, at a meeting of the executive leadership, John Black explains that he holds his direct reports individually and collectively responsible for the management of risks to the business. He sees the role of the risk officer, currently Jason Gamelas on a part-time basis, as a facilitator to the leadership team. Jason will lead the development of a framework and process, and will facilitate the identification, assessment, and treatment of risk, but all decisions are a management responsibility.
Jason holds a series of one-on-one meetings with each of the CEO's and CFO's direct reports to understand, with them, the more significant risks to the organization. Most of them engage actively and with energy in the discussions, as they can see that the process will contribute to their and the company's success. Due to their travels, Jason is initially unable to meet with the executive vice president (EVP) of development (responsible for all the software developers) and the general counsel. But he is able to develop a preliminary list and assessment of the more significant areas.
The preliminary assessment is reviewed with the executive leadership team, and the CEO expresses his appreciation for the work that has been performed, but he is concerned that several of his direct reports identified the same areas of risk with significantly different evaluations of both potential impact and likelihood. He decides to assign each area of risk to individual executives who will own them and be responsible not only for monitoring the risk levels and assessing the potential impact and likelihood, but also for ensuring that actions are taken as and when necessary to bring the risk levels in line with acceptable limits established by the CEO and the board.
As everybody leaves the meeting, Jason chats briefly with the EVP of development and the general counsel, George French. The EVP quickly agrees to meet later in the week for an hour to review the risks in his assigned areas. But the general counsel asks Jason to step into his office.
The general counsel tells Jason that while he agrees that a risk management program is fine in theory, he has strong reservations. His concerns fall into two general areas.
First, the company, like every technology company, is routinely engaged in multiple lawsuits. Some lawsuits, particularly those concerned with the protection of intellectual property, involve potential settlements in the hundreds of millions of dollars - both in favor of and against BSC. These lawsuits have been identified as areas of risk that should be addressed by the new risk management program, but any formal assessment is discoverable by the opposition attorneys and could be used against BSC both in negotiations and at trial.
George understands that Jason needs his and his team's input to identify the potential impact of both favorable and adverse results to current and future lawsuits, and the likelihood of those results. But, because of the risk to the company that would be created by a formal risk assessment of the lawsuits, he has decided he cannot participate.
Second, BSC is listed on some U.S. exchanges and is subject to all U.S. Securities and Exchange Commission (SEC) filing requirements. The quarterly and annual filings have to include a discussion of the significant risks facing the organization.
The general counsel is concerned that BSC's competitors could gain an unnecessary advantage from a risk management program. His reading of the SEC rules is that the discussion in the filings has to be consistent with any formal discussion of risks by management and the board. So, if the internal discussion is too detailed and includes specific likelihood and potential effects for each risk area, that would lead to excessive and unnecessary disclosures to the company's disadvantage.
George believes that participation by the legal department will constitute formal risk discussions. Discussion of risk by the rest of the management team is a normal part of running the business, but when he and his team join the discussion, it raises risk management from informal discussions to a formal process that should influence the risk disclosures in the company's SEC filings.
George tells Jason that he commends him for the initiative but cannot support it by contributing legal advice to the risk assessment and evaluation process. That should be the responsibility of the executive leadership team, with Jason's assistance. The involvement of the legal department represents, itself, too great a risk.
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Jason's options are somewhat limited given George's concerns. However, he could consider several courses of action:
1. Engage in Dialogue: Jason can engage in a constructive dialogue with George to address h...