How can enterprises conduct legal risk examinations?

Abstract: Enterprise legal risk management can be divided into three stages: prevention before the event, control during the event, and relief after the event. Traditional legal practice mainly focuses on control during the event and relief after the event, which is reflected in providing legal consulting services and litigation agency for enterprises, especially litigation, and is less involved in prevention beforehand. However, prevention is often more important than the other two stages. The shortage of legal services in this area also gives lawyers broad space to expand their business in the future. This article focuses on the significance of prior risk prevention and how to provide such legal services to enterprises.

Keywords: internal control; legal risk examination

Text:

1. Derivation of the problem

How did we work as legal consultants in the past? We sat in the office waiting for calls from clients. Clients did not come to us, and we rarely took the initiative to visit them. Apart from routine legal consultation and contract review, there was basically nothing else for us to do. We might occasionally be invited to take part in a client's negotiations, but only passively. Then we waited in the office all day for the client to have a legal dispute, and then our case came. As time passed, clients gradually came to understand: it turns out the lawyer only knows how to litigate, and even hopes that something will happen to our company so that he has a good case to work on. As a result, our clients have gone on to recruit their own legal staff. The role of lawyers as primarily responsible for litigation is therefore reinforced. It seems like that's how things should be. However, should things really be like this?

I don’t think so. For clients, fighting a lawsuit is like putting out a fire. When there is a fire they do need it put out, but what they need more is "not to catch fire"! To extend the metaphor, a law firm is like a fire brigade. Wherever there is a fire, we lawyers are always willing to put it out. The firefighting business was good at first because there were many fires and few fire brigades. But then more and more fire brigades were added, while the number of fires did not grow as fast. At this time, many lawyers began to feel that it was difficult to do business, and competition stimulated them... At this point in the story, everyone has probably realized the cause of the problem: we are just selling what we want to sell, without considering what the client wants to buy. As I said at the beginning, what clients always need is “not to catch fire”. This is why more and more companies have their own legal staff and legal departments.

So, what can we do to meet client needs? This is what this article wants to focus on: we need to help clients prevent legal risks! Some people may say that if we nip the legal risks of enterprises in the bud, we will have no lawsuits to fight. Isn’t this digging one’s own grave? I say no. Why?

First of all, no one stipulates that a lawyer’s main job is litigation. The booming development of non-litigation business in recent years is an obvious proof.

Secondly, even if the company's own legal risk management level is improved through our services, it may still face the following risks: 1. Infringement by others; 2. Breach of contract by the other party; 3. Risks from mismanagement of the company itself; 4. Legal risks voluntarily assumed by the enterprise based on production and operation needs.

Therefore, we don’t need to worry about this problem at all. The reason is simple. For example, there are so many medicines, nutritional products, and health care methods in the world, but many people still get sick and go to the hospital every day, and the hospital's business is still booming.

It seems this business is feasible. So, how to do this business? This leads to the theme of this article, which is to conduct a legal risk physical examination for enterprises. Just like going to the hospital for a physical exam. If you want to know what the problem is, you must first check your body and know where the problem is before you can prescribe the right medicine. So what is this corporate legal risk examination?

2. What is a corporate legal risk examination?

This physical examination is actually a bit like due diligence, but very different. Due diligence reports are generally directed to people outside the company, such as counterparties to equity transactions. Therefore, the due diligence report pays more attention to the legal risk status of the enterprise. However, less attention is paid to the mechanism, process and management level of corporate legal risk management. This is precisely the focus of the legal risk medical examination. The current status of risk is not its primary focus. To put it bluntly, due diligence reports focus on “results”, while risk examinations focus on “causes”. Only by grasping the "cause" can we avoid bad "consequences" and nip them in the bud. This is the meaning of risk management.

Before introducing how to do a risk physical examination, let me tell you a short story. This was an experience I had when I was a trainee solicitor.

At that time, a lawyer from our firm and I went to a company to see whether there were any legal risks in the company. We were actually there to do a legal risk physical examination. But the lawyer took me around the office and to the production workshop to watch workers making their product, "garlic chips." I didn't see the point of looking at this. Although we had made a survey list before coming, we always felt that these questions did not hit the mark, and we could not find any problems. As you can imagine, this operation was a failure, and we did not provide any valuable risk prevention advice.

A few years later, when I had a good understanding of corporate legal risk management and had done many risk physical examinations for the companies I served, I suddenly looked back and understood what had gone wrong with that attempt. In my opinion, the mistake lay in not grasping the main line of the enterprise management process and instead staying on superficial issues, which led to failure. Conducting a risk physical examination for an enterprise must be closely integrated with the enterprise's management process; otherwise it will be aimless, unable to find problems, and will miss the key points.

As I said just now, the focus of physical examination is on the causes of risks, not on the results. Therefore, our attention should not stay on what problems occurred, but should focus on identifying the causes of these problems. How to find the reason? It is necessary to find it in management. It can be said that all internal problems are caused by management. This involves a concept called "internal control".

The concept of "internal control" comes from the United States and is a core concept in the field of enterprise risk management. It refers to the process implemented by the company's board of directors, board of supervisors, managers and all employees to achieve control objectives. The goal of internal control is to reasonably ensure the legal compliance of corporate operations and management, asset security, the authenticity and completeness of financial reports and related information, improve operating efficiency and effectiveness, and promote the realization of corporate development strategies.

The reason why the concept of internal control should be introduced in these areas is because internal control runs through the entire process of enterprise management. The core idea is to control risks in the process. By effectively controlling every risk point in the process, companies can effectively intervene in related risks at the very beginning, thereby minimizing the company's risks. Therefore, to conduct a good legal risk review, we must start with internal control, a risk management tool that runs through the entire process of corporate management.

From the perspective of internal control, the operation and management of an enterprise is actually composed of a series of processes. According to the classification of the "Basic Standards for Enterprise Internal Control", these processes can be summarized into 18 modules: 1. Organizational structure; 2. Development strategy; 3. Human resources; 4. Social responsibility; 5. Corporate culture; 6. Capital activities; 7. Procurement business; 8. Asset management; 9. Sales business; 10. Research and development; 11. Projects; 12. Guarantee business; 13. Business outsourcing; 14. Financial reporting; 15. Comprehensive budget; 16. Contract management; 17. Internal information transfer; 18. Information system.

Through the above classification, we can clearly see which activities are prone to legal risks. For example: organizational structure, human resources, capital activities, procurement business, asset management, sales business, research and development, engineering projects, guarantee business, business outsourcing, contract management, etc. These activities may involve the following legal risks: corporate governance structure risks, labor and personnel risks, investment and financing risks, intellectual property risks, contract risks, guarantee liability risks, engineering dispute risks, etc.

I think the biggest contribution of the Internal Control Law to our understanding of corporate legal risks is that it gives us the concept of process: we can look at corporate legal risks from the perspective of process, rather than grabbing at everything at once without distinction. An enterprise's legal risks arise from its management process, so if certain aspects of these activities are not done well, they may bring corresponding legal risks to the enterprise. We take human resource management as an example to explain how to sort out the legal risks of an enterprise from a process perspective:

The human resource management of an enterprise generally includes four activities: first, the introduction of human resources; second, the development of human resources; third, the use of human resources; fourth, the withdrawal of human resources. Among them, the introduction part includes human resource planning, recruitment activities, establishment of labor contracts, probation period management, etc. Human resource development includes training, internal promotion, job rotation and other management activities. The use of human resources includes performance management, salary management, rewards and punishments, employee occupational health and safety, social insurance payment, etc. Human resources exit includes terminating labor contracts and dismissing employees.

Through this sorting out, we have a clearer understanding of the human resources management process.

At the same time, the corresponding legal risks can also be placed in the appropriate place. For example, the legal risks that may be faced during the human resources introduction stage include: failure to conclude labor contracts with workers in a timely manner, or labor contracts whose contents are illegal; failure to pay social security for workers in a timely manner; failure to sign confidentiality agreements or non-compete agreements with employees in core and key positions. Legal risks in the human resources development stage may include: failure to change the labor contract in a timely manner after promotion or transfer, failure to sign a training agreement or service period agreement with employees for paid training, etc. Possible legal risks in the use of human resources include: an imperfect performance appraisal system that leaves the company unable to provide sufficient institutional basis and evidence when adjusting employee salaries, thus triggering labor disputes; failure to pay wages in a timely manner; industrial accidents; workers entering into labor contracts with other companies at the same time. The legal risks of exit may include: improper termination of the labor contract causing labor disputes; failure to exercise termination rights in a timely manner, causing the company to overpay workers; resigning employees failing to comply with confidentiality agreements, resulting in the leakage of corporate business and technical secrets; failure of the company or employees to comply with non-compete agreements, etc. (The above only lists the legal risks of relevant links and is not exhaustive.)

Isn’t it much clearer to sort it out this way? We can use this method to include all the legal risks that the company may be involved in, so that there will be no omissions and the context will be clearer.

3. How to do a good corporate legal risk examination

So, once we have this idea of process, how do we put it into operation?

First, sort out the business modules with more legal risks, such as human resources, procurement, sales, research and development, engineering projects, guarantee business, outsourcing, contract management, etc. Then, based on the content of the basic principles and guidelines for internal control and the specific circumstances of the enterprise, sort out all processes of these modules. Then list and analyze the possible legal risks in each process, and try to exhaust all possible legal risks. Then describe the ideal control status of the above legal risks. Next, compare this ideal control state with the actual situation of the enterprise and find the gap. This gap is the existing problem, and we need to find a way to solve it. Finally, based on our analysis of this gap, we put forward our countermeasures and suggestions, and the entire physical examination is completed.

The above process can be summarized into three components: first, risk identification; second, risk analysis; third, design of risk control measures. The following is a detailed introduction:

(1) Risk identification

1. The meaning of risk identification

Legal risk identification refers to identifying and enumerating the legal risks that may exist in the specific business processes of an enterprise. Its purpose is to form a complete map of legal risk points. This link is the starting point and foundation for all subsequent work. If it is not done well, it will affect the quality and effect of the entire risk physical examination. What matters most in this link is the comprehensiveness and completeness of risk point identification, that is, identifying all possible legal risk points in the business process as comprehensively as possible and without omissions.

2. Risk identification method

So, what method do we use to identify the legal risk points of an enterprise? The following methods are generally used:

①Process sorting method

This method is based on internal control guidelines: it analyzes the business processes of the enterprise and lists the possible legal risks in each of the relevant business processes.

②Legal search method

This method refers to the comprehensive search and analysis of laws and regulations related to the enterprise's business to find out the risks that the enterprise may face. The advantage of this method is that it is more comprehensive and avoids the shortcomings of other methods.

③Individual interview method

This method refers to a method of understanding relevant risk points through face-to-face individual communication with business personnel and management of the company. The advantage of this method is that it can quickly find some risk points that management and business personnel are concerned about. These risk points are often the actual risks of the enterprise. The disadvantage is that it is not easy to fully grasp all risks in the business process.

④Case analysis method

This method refers to analyzing actual cases that have occurred in the enterprise to find out possible problems in enterprise management. The advantage of this method is that it is highly targeted and can often identify some key pain points of the enterprise. The information is more specific and can be used to conduct in-depth research on related risks.

⑤Group discussion method

Also known as the brainstorming method, this method refers to a free discussion, organized by the lawyers handling the case, among all lawyers involved in the project and managers in key positions of the company. Participants are free to express their opinions without giving too much thought to whether the opinions expressed are correct. Finally, the lawyer organizes and analyzes all opinions and retains the valuable ones. The benefit of this approach is that it can creatively raise important questions and inspire participants through unrestrained communication.

In actual operation, the risk list is generally drawn up as fully as possible through the process sorting method and the legal search method. The risk list is then made into a risk questionnaire, which is given to the business personnel of the enterprise to fill in and return to the lawyer. Then the lawyer enters the company, communicates with company personnel based on the returned questionnaire (interview method), analyzes the company's past cases (case analysis method), discusses major risks with the company's management (group discussion method), and finally forms a complete risk questionnaire. This lays the foundation for subsequent analysis work.

(2) Risk analysis

With the above risk questionnaire, the legal risk points of the enterprise can be analyzed one by one. The main purpose of analysis is to identify gaps. When we created the risk questionnaire, we already reflected this idea in the form.

The size of the risk = the probability of the risk × the loss that the risk may cause.

If possible, we can assign values to the above three variables to accurately judge the importance of risks. Of course, this is difficult to operate, and it is only introduced here as an analysis idea. In practice, lawyers can use language to make relatively vague risk assessments.

(3) Risk control measures and strategies

Once you know the causes and importance of risks, you can propose solutions on how to control risks. The "Internal Control Guidelines" divide the causes of problems in corporate internal control into two categories, namely design defects and execution defects. According to the different causes of risks, control measures can be divided into two categories: first, measures against design defects; second, measures against execution defects.

First, let’s look at what design flaws and execution flaws are. According to internal control theory, all risks in an enterprise are caused by two reasons: problems in system design or problems in execution. The so-called design defects refer to unscientific, unreasonable or illegal situations in business process design, organizational structure construction, division of responsibilities and authorities, and internal resource allocation. Execution defects refer to the related risks faced by the enterprise as a result of the inability of internal personnel to strictly and effectively implement established business processes and work instructions. Therefore, as long as effective intervention and control are carried out against the causes of these two defects, the risk of the enterprise can be reduced to the greatest extent.

For these two defects, the relevant control measures are also different. For design defects, different control measures can be taken according to different reasons, such as: reforming internal processes; revising rules and regulations; formulating contract templates; adjusting organizational structure and position settings; re-dividing responsibilities and authorities, etc. Execution defects are generally caused by reasons such as: ignorance of rules and regulations, incompetence, incorrect work attitude, poor internal communication, insufficient budget, etc. Therefore, corresponding control measures may include: special training, strengthened assessment, job exchanges, budget adjustments, and strengthening inter-department communication through internal activities of the organization.

The above mainly concerns the specific forms of control measures. However, when formulating these measures, one issue that cannot be ignored is that companies should adopt different strategies to deal with different risks, rather than treating all risks equally. This is mainly due to the following reasons: first, the importance of risks is different, so the benefits generated by control activities are also different; second, the impact that enterprises can exert on relevant risks is also different; third, the resources that enterprises can devote to risk control are limited, that is to say, risk control itself has a cost; fourth, compared with the risks of a business activity, the benefits it can generate may be greater.

Therefore, when formulating relevant risk response measures for an enterprise, lawyers should proceed from the actual situation of the enterprise, comprehensively consider the enterprise's development strategy, commercial interests, risk size, cost control and other factors, and adopt different risk response strategies. These strategies include but are not limited to: risk avoidance, risk transfer, risk reduction, risk taking, etc. Of course, for the design of major risk control measures, lawyers must fully communicate and negotiate with the company's senior management so that the designed risk control measures conform to the actual situation of the company and are accepted by the company.

(4) Risk physical examination result output

After risk identification, risk analysis and control measure design, the entire basis of legal risk physical examination is completed. But in the end, lawyers should try their best to present the results generated during the physical examination to the company in written form as the final summary and delivery of our services, reflecting the value of the lawyer's labor. This result can be reflected in the form of a "legal risk physical examination report", with all systems, contract texts, process documents, forms, etc. modified for the enterprise attached.

Of course, the completion of a physical examination project should not be the end of our work. After completing this physical examination service, the lawyer can track the company's rectification status at any time and be responsible for the company to the end. During this process, the company may also have subsequent needs for legal services, and the services of our lawyers can naturally be extended.