Audit of Legal Risk Management (AU1611)

Audit Branch
Natural Resources Canada

Presented to the Departmental Audit Committee (DAC)
September 22, 2016

TABLE OF CONTENTS

• EXECUTIVE SUMMARY
  • Strengths
  • Areas for Improvement
  • Internal Audit Conclusion and Opinion
  • Statement of Conformance
• INTRODUCTION
  • Audit Purpose and Objectives
  • Audit Considerations
  • Scope
  • Approach and Methodology
  • Criteria
• FINDINGS AND RECOMMENDATIONS
  • LRM Governance and Processes
  • Legal Cost Forecasting
• APPENDIX A – AUDIT CRITERIA

EXECUTIVE SUMMARY

Legal risk involves the risk of liability exposure and associated legal costs related to areas such as litigation, settlements, and legal advice. Legal Risk Management (LRM) is “the process of making and carrying out decisions that reduce the frequency and severity of potential risks that may impact the government’s ability to successfully meet its objectives.”^{Footnote 1} This definition links LRM to Natural Resources Canada’s (NRCan’s) Integrated Risk Management Policy Framework (IRMPF), which recommends a proactive and systematic approach to identify potential risks early on and to develop and manage a response that will mitigate negative impacts on operations. LRM involves the identification, assessment, communication, prevention, management, and mitigation of legal risks. 

An effective system of LRM can assist departmental senior management to identify and address their most significant legal risks, and may prevent adverse financial, reputational, and program impacts. It has been recognized as a key component in the Treasury Board Secretariat’s (TBS’) Framework for the Management of Risk, which indicates that the Deputy Head of each federal department and agency is responsible for the management of risks, including legal risks, associated with their program and policy decisions. Day-to-day, management makes decisions that can have legal implications. They are also responsible to take a proactive approach to manage legal risks.

The role of the Department of Justice (DoJ) is to assist federal government departments and agencies in the management of legal risks by providing legal advice in contexts such as litigation, settlements, and legislative drafting to inform key business and decision making processes. NRCan’s Legal Services Unit (LSU), consisting of representatives from the DoJ, provides legal advisory services to NRCan on all matters falling within the Department’s mandate. The Department may also fund external legal services, in areas related to trade disputes with other countries, through arrangements with Global Affairs Canada (GAC).

The Department’s Sectors primarily use the services of NRCan’s LSU on either regulatory matters or corporate/commercial matters. In this regard, legal advice on regulatory matters supports the development of departmental policy, whereas advice related to corporate/commercial matters includes services related to procurement, grants and contributions, intellectual property, services agreements, Memoranda of Understanding with third parties, and Indigenous consultation issues.

It should be noted that NRCan’s legal risk exposure is limited in cases where another government department takes the lead role on legal obligations, based upon the guidance and direction that is provided through the TBS’ Management Framework for International Trade Litigation. 

The objective of the Audit of Legal Risk Management was to assess the processes and controls in place, as they specifically relate to the identification, monitoring, and mitigation of risks associated with NRCan’s legal obligations.

STRENGTHS

Each Sector has established a distinct process to adequately manage and monitor legal risks based on its individual mandate, including identifying and assessing these risks. Sectors have also developed tools to forecast legal costs as part of their existing program funding. In addition, a departmental process exists whereby Sectors can request additional internal funds, should legal costs exceed the operating budget of a program.

AREAS FOR IMPROVEMENT

Methods to prioritize requests to NRCan’s Legal Services Unit (LSU) and the sharing of legal risk management good practices could be further strengthened across Sectors, as part of the department’s existing Integrated Risk Management process. The audit also identified that as Sector legal costs, including potential litigation costs, can often be difficult to predict for complex files, Sector Financial Advisors (SFAs) require timely information from their respective Sectors in order to adequately update forecasts. In addition, NRCan does not have an ongoing contingency to ensure that funds are available to address significant legal costs that may arise.

INTERNAL AUDIT CONCLUSION AND OPINION

Overall, the Department has governance processes within the Sectors to support the management of legal risks and to forecast legal costs based on perceived risk exposures. Opportunities exist to further strengthen prioritization and information-sharing practices; and to adopt a common approach to legal cost forecasting.

STATEMENT OF CONFORMANCE

In my professional judgement as Chief Audit Executive, the audit conforms with the Internal Auditing Standards for the Government of Canada, as supported by the results of the Quality Assurance and Improvement Program.

Christian Asselin, CPA, CA, CMA, CFE
Chief Audit Executive
September 22, 2016

ACKNOWLEDGEMENTS

The audit team would like to thank those individuals who contributed to this project and particularly employees who provided insights and comments as part of this audit.

INTRODUCTION

Legal risk involves the risk of liability exposure and associated legal costs related to areas such as litigation, settlements, and legal advice. Legal Risk Management (LRM) is “the process of making and carrying out decisions that reduce the frequency and severity of potential risks that may impact the government’s ability to successfully meet its objectives.”^{Footnote 2} This definition links LRM to Natural Resources Canada’s (NRCan’s) Integrated Risk Management Policy Framework (IRMPF), which recommends a proactive and systematic approach to identify potential risks early on and to develop and manage a response that will mitigate negative impacts on operations. LRM involves the identification, assessment, communication, prevention, management, and mitigation of legal risks. 

The full spectrum of federal LRM activities is broad and covers a continuum of government operations, from the development of policy to the management of litigation:

LRM / Dispute Prevention and Resolution Advice

Advice on policy/ programs e.g., recommendations in Submissions to Cabinet; and, choices of Policy Instruments

Legislative drafting e.g., drafting and amending legislation and regulations

Advisory Services e.g., In-house advice in a wide variety of practice areas

Litigation e.g., Preparing for litigation or settlement; Contingency Planning

An effective system of LRM can assist departmental senior management to identify and address their most significant legal risks, and may prevent adverse financial, reputational, and program impacts. It has been recognized as a key component in the Treasury Board Secretariat’s (TBS’) Framework for the Management of Risk, which indicates that the Deputy Head of each federal department and agency is responsible for the management of risks, including legal risks, associated with their program and policy decisions. Day-to-day, management makes decisions that can have legal implications. They are also responsible to take a proactive approach to manage legal risks.

The role of the Department of Justice (DoJ) is to assist federal government departments and agencies in the management of legal risks by providing legal advice in contexts such as litigation, settlements, and legislative drafting to inform key business and decision making processes. LRM is understood to be a joint responsibility between federal government departments and agencies and the DoJ to manage legal risks and identify opportunities for proactive LRM strategies. NRCan’s Legal Services Unit (LSU), consisting of representatives from the DoJ, provides legal advisory services to NRCan on all matters falling within the Department’s mandate. The Department may also fund external legal services, in areas related to trade disputes with other countries, through arrangements with Global Affairs Canada (GAC).

The Department’s Sectors primarily use the services of NRCan’s LSU on either regulatory matters or corporate/commercial matters. In this regard, legal advice on regulatory matters supports the development of departmental policy, whereas advice related to corporate/commercial matters includes services related to procurement, grants and contributions, intellectual property, services agreements, and Memoranda of Understanding with third parties. Given the Department’s mandate concerning the prudent development of Canada’s natural resources, the LSU’s services are also regularly relied upon for a broad spectrum of advice, for example on Indigenous consultation issues.

It should be noted that NRCan’s legal risk exposure may be limited in cases where another government department takes the lead role based upon the guidance and direction that is provided through the TBS’ Management Framework for International Trade Litigation. For example, Global Affairs Canada (GAC) is the lead department with respect to legal issues on international trade files.

The Audit of the LRM was included as part of the Department’s 2015-2018 Risk-Based Audit Plan, approved by the Deputy Minister on March 12, 2015.

AUDIT PURPOSE AND OBJECTIVES

The objective of the Audit of Legal Risk Management was to assess the processes and controls in place to identify, monitor, and mitigate risks associated with NRCan’s legal obligations.

Specifically, the audit assessed whether:

1. The Department has established and implemented adequate governance processes to support the management of its legal risks; 
2. Sectors have established effective processes and controls to identify, monitor and mitigate risks associated with NRCan’s legal obligations; and,
3. The Department has established procedures and tools to build departmental legal risk awareness and foster a common approach to legal risk management (LRM).

AUDIT CONSIDERATIONS

A risk-based approach was used in establishing the objectives, scope, and approach for this audit engagement. A summary of the underlying risks that were identified during the Planning Phase of the audit is included below:

• Roles, responsibilities, and accountabilities for LRM may not be documented or communicated to the Sectors;
• Adequate communication and reporting of legal risks to facilitate informed decision making at the senior management-level may not be in place;
• Legal risks may not be effectively identified by the Sectors;
• An effective process (i.e., awareness) may not be in place at the Sector-level to assess the likelihood of adverse legal outcomes and their potential impacts;
• Effective legal risk mitigation responses may not be developed, implemented, communicated, or regularly reviewed by the Sectors;
• Sectors may not have effective processes in place to manage, monitor, and fund their legal costs; 
• Standardized LRM procedures and/or tools may not be established and communicated to the Sectors; and,
• LRM best practices may not be shared and considered as part of departmental decision making.

SCOPE

The scope of the audit included relevant departmental and Sector LRM processes, procedures, controls, and tools used to identify, monitor, and mitigate NRCan’s legal risks for program activities from April 1, 2014 to March 31, 2016.

Since the LRM concept encompasses a broad range of corporate functions and operational activities, the scope of the audit focused solely on the LRM practices in place for the three Programs Sectors that make the most use of legal services related to the nature of their work: the Energy Sector (ES), the Major Projects Management Office (MPMO), and the Canadian Forest Service (CFS). In addition, since the audit focused on LRM processes, the details of specific legal cases were not examined.

It should be noted that given that NRCan’s Legal Services Unit is an external service provided by the Department of Justice, their advice and services provided to NRCan were not assessed as part of this audit. Furthermore, all recommendations related to this audit will be directed towards senior management within NRCan. 

APPROACH AND METHODOLOGY

The audit methodology was based on the TBS’ Policy on Internal Audit and the GoC’s Internal Auditing Standards and included the following:

1. Interviews with key personnel with respect to the Department’s practices in place to identify, monitor, and mitigate legal risks;
2. Review of key documents, including relevant policies and directives; and,
3. A detailed examination of information and documentation relating to LRM processes, procedures, controls and tools.

The conduct phase of the audit was substantially completed in June 2016.

CRITERIA

Please refer to Appendix A for the detailed audit criteria. The criteria guided the audit fieldwork and formed the basis for the overall audit conclusion.

FINDINGS AND RECOMMENDATIONS

LRM GOVERNANCE AND PROCESSES

Summary Finding

Sectors are adequately identifying, assessing, managing, and monitoring legal risks based on their individual mandates. These processes enable the identification and assessment of legal risks that are ultimately integrated into the Department’s CRP, in alignment with the requirements of the Department’s 2015 Integrated Risk Management (IRM) Policy Framework.

Opportunities were identified to increase the emphasis on legal risk management as part of the existing annual IRM process as well as share good practices in place across Sectors with regards to the management of legal risk such as when to engage legal services for advice, prioritizing requests to legal services based on risk, and other relevant practices.  

Supporting Observations

LRM Direction and Guidance

The audit found that within the Sectors examined, adequate processes are in place to manage and monitor their legal risks, including agreements with other government departments, which outline their respective roles and responsibilities. For example, in the case of the Canadian Forest Service (CFS), a Treasury Board Secretariat (TBS) Management Framework for International Trade Litigation exists that outlines the roles and responsibilities of Global Affairs Canada (GAC) and all other government departments/agencies involved. As such, it is understood that, in general, GAC is the lead department with respect to legal issues for international trade or investment-related litigation, including such files as the Canada-U.S. softwood lumber case.

In addition, the audit found that a ‘Risk Management Centre of Expertise’ exists within the Strategic Policy and Results Sector to support the Sectors with information, tools, and resources related to the identification and management of corporate risks, in order to feed-into the departmental Corporate Risk Profile (CRP) process. There is also the ‘Centre of Expertise on Grants and Contributions’, which along with NRCan’s LSU, provides feedback on the clauses outlined in contribution agreements prior to them being finalized. Although these departmental bodies provide useful advice related to departmental risk management, they do not provide guidance or tools specifically related to LRM; however, the Sectors did not indicate a need for customized LRM tools during the audit.

LRM Communication

In terms of communicating LRM issues, the Sectors examined inform senior management of these issues as they arise, depending on their severity. In the case of the Major Projects Management Office (MPMO), in addition to having bilateral meetings with the Assistant Deputy Minister (ADM) MPMO on legal issues, the ADM MPMO also debriefs the Deputy Minister (DM) prior to monthly inter-departmental Major Projects Deputy Minister Committee (MPDMC) meetings, which discuss horizontal legal issues. A similar approach is employed by the Energy Sector (ES), where, in addition to regular senior management bilateral meetings on legal issues, the Sector participates in periodic meetings with the General Counsel of NRCan’s LSU and the Deputy Minister. The audit also noted that at a recent NRCan Executive Committee (ExCom) meeting in June 2016, General Counsel made a presentation to better bring awareness and clarity into the legal risk management process that is in place within the Department.   

To determine the extent of departmental discussions taking place at the senior management-level, the audit team reviewed meeting minutes of NRCan’s ExCom for Fiscal Year 2015-16. High-level discussions were held on NRCan’s LRM-related obligations on two occasions during the Fiscal Year. One of the discussions focused on the Department’s 2016-17 strategic and operating risks and priorities, and the other pertained to potential legal implications surrounding the Department’s privacy management framework. Based on audit interviews with Sector representatives, the reason that legal issues are not normally escalated to senior management-level discussions is that the initial advice provided by the LSU is usually sufficient to address the issues.

Standardized LRM Processes

Although there are no standardized departmental LRM processes in place, the Sectors examined adequately manage their legal risks by involving NRCan’s LSU throughout the administration of their program and policy requirements. Each Sector’s LRM approach was found to reflect their sensitivity to legal issues, based on Sector management’s experience and risk tolerances. Both of these factors were found to play a significant role in how the LSU’s services are being used by the Sectors. For instance, where there is a ‘duty to consult’ requirement with external stakeholders, both the ES and MPMO make extensive use of the LSU’s services, given the significance and risk-level of the legal issues associated to these public projects. In contrast, the LSU’s involvement with the CFS is limited, given that GAC, through the Department of Justice’s representation, is the lead department handling any litigation proceedings related to international trade obligations such as softwood lumber disputes, mitigating the legal risks for NRCan.

Identification and Assessment of Legal Risks

The Department’s Integrated Risk Management Policy Framework (IRMPF), revised in 2015, requires management to identify and assess the risks facing their organization. Under the revised IRMPF, it is no longer mandatory for Sectors to document their risks in Sector Risk Profiles (SRPs), in order to provide them with the flexibility to set the processes, the governance structure, and the tools that best meet their risk management needs.

Based on the examination of the three Sectors audited, the CFS identified, assessed, and documented its Sector-related legal risks as part of its SRP, and its significant risks were being incorporated into the Department’s Corporate Risk Profile (CRP). Both ES and MPMO have not developed SRPs, but have processes in place to identify and assess risks that ultimately are integrated into the Department’s CRP. For example, the ES reports on its mandated commitments through various dashboards, including a section on the Sector’s broad-scale risks. The CFS, MPMO, and ES also all take part in an annual risk-ranking exercise, coordinated by the Strategic Policy and Results Sector (SPRS) as part of the CRP process, to describe strategic and organizational inherent risks and risk owners at the departmental-level. SPRS’ role also involves providing support and advice to Sectors to ensure that their legal risks are consistently identified, assessed, and mitigated. 

Due to the importance of legal risk management, the audit found that an opportunity existed to explicitly integrate and emphasize legal risk discussions as part of the Integrated Risk Management process. Such discussions emphasizing legal risk could provide an opportunity to identify and share good practices across the Department’s Sectors including when to engage legal services for advice and prioritizing requests to legal services based on risk. In addition, the increased emphasis on legal risk management could also further enhance the identification and assessment of mutual legal risks that exist across Sectors.

RISK AND IMPACT

If best practices are not shared between Sectors, common legal risks may not be adequately identified or assessed. In addition, should requests not be adequately prioritized for NRCan’s LSU, the most urgent legal issues may not be managed in a consistent or timely manner.

RECOMMENDATION

1. It is recommended that the Assistant Deputy Minister (ADM) of Strategic Policy and Results Sector (SPRS), in collaboration with Sector ADMs, explicitly integrate legal risk discussions as part of the existing Integrated Risk Management process; and share good practices identified within the Sectors, as appropriate.

MANAGEMENT RESPONSE AND ACTION PLAN

Management agrees. In response to recommendation 1:

SPRS will integrate discussions on legal risks as part of the existing risk identification and management processes. These discussions will also allow for the identification of good practices such as when to engage legal services for advice and prioritizing requests made to legal services based on risk and other relevant practices shared across Sectors.

Position Responsible: Senior Director, Strategic Planning, Performance Management and Reporting Branch, Strategic Policy and Results Sector

Timing: March 31, 2017

LEGAL COST FORECASTING

Summary Finding

Sectors have developed tools to forecast legal costs as part of their existing program funding, where possible. In addition, a standardized departmental process exists where Sectors can request additional internal funds, should legal costs exceed the operating budget of a program.

As Sector legal costs, including potential litigation costs, can often be difficult to predict for complex files, Sector Financial Advisors (SFAs) require timely information from their respective Sectors in order to adequately update forecasts. In addition, NRCan does not have an ongoing contingency to ensure that funds are available to address significant legal costs that may arise.

Supporting Observations

Legal Cost Forecasting

The audit team found that forecasting annual legal costs is a difficult process for the Sectors examined as part of the audit. In general, the unpredictable nature of the legal environment makes it challenging to anticipate and budget for possible litigation costs or perform reasonably accurate trend analyses; however, the audit team expected that legal cost forecasting would be conducted by the Sectors to sufficiently manage their legal risk exposure. Audit interviews confirmed that individual Sectors have developed their own tools to forecast legal costs and account for these costs as part of a given program’s operating budget. For example, this was noted to be the case for the CFS; whereby, the Sector is expected to respond to trade litigation cases by committing to pay for predetermined legal costs, based upon the analysis performed by GAC, as per the general guidance and direction provided by the TBS Management Framework for International Trade Litigation.  

In addition, NRCan’s LSU provides litigation reports to the Sectors’ ADMs to track the types of services provided for billing purposes on a periodic basis, when there are active litigation cases impacting the applicable Sectors. For example, based on the audit team’s review of the ES and MPMO litigation reports for Fiscal Year 2015-16, generic descriptions were available of the LSU services provided, along with the hourly service rates and amounts invoiced for both the current month and the year-to-date. The intent of these litigation reports is not to replace individual Sector forecasts, but may be considered as part of the forecasting process. 

The Departmental Chief Financial Officer advised the audit team that Sectors provide their Sector Financial Advisors with updates on their legal cost forecasts, including changes involving litigation activities; however, the timeliness of some of these updates could be improved to assist with corporate planning for funding coverage. 

Should the amount of actual legal costs exceed a Sector’s program budget, the Sector may seek to obtain additional funds by initiating a request through the departmental process in place. There is a formal process that the Sectors must follow when requesting these funds. This process includes an initial review of the Sector’s proposal by the Investment Planning Office (IPO) within the Corporate Management Services Sector, followed by a recommendation by the IPO to the DM to approve the funding allocation. In rare cases, a request for additional funding may also be submitted to the TBS, but these requests may take a significant time to fulfill. The Department may also choose to reallocate funding from other departmental programs to cover unexpected legal costs. The audit found that there is currently not an ongoing departmental fund in place to support significant legal contingencies related to higher risk files that may exceed available departmental funding.

RISK AND IMPACT

If SFAs do not receive timely information on Sector legal cost forecasts, they may face difficulties in supporting their Sectors to secure sufficient funds to cover costs. Should the Department not have an ongoing and timely source of funding for significant legal contingencies that may arise, NRCan may face challenges to secure the funds required to meet its legal obligations.

RECOMMENDATIONS

2. It is recommended that the Deputy Chief Financial Officer ensure that Sector Financial Advisors for the Canadian Forest Service (CFS), the Energy Sector (ES), and Major Projects Management Office (MPMO) update legal cost forecasts as part of their quarterly update exercise.
3. It is recommended that the Assistant Deputy Minister Corporate Management and Services Sector (ADM CMSS), in collaboration with ADMs of CFS, ES, and MPMO, formally engage central agencies to address NRCan’s significant legal costs by finding a funding mechanism.

MANAGEMENT RESPONSE AND ACTION PLAN

Management agrees. In response to recommendation 2:

As part of the call from the Corporate Resource Management Group to the Sector Financial Advisors for the update of forecasts, there will be a specific request for an update of the forecasted legal costs from sectors.

Position responsible: Senior Director, Financial Renewal and Capacity Building  

Timing: August 2016 call and on-going

Management agrees. In response to recommendation 3:

CMSS, in collaboration with sectors, will engage central agencies in discussions in an attempt to find solutions to NRCan's significant and unexpected legal costs.

Position responsible: Senior Director, Financial Renewal and Capacity Building  

Timing: by March 31, 2017

APPENDIX A – AUDIT CRITERIA

The criteria were developed primarily from the Department of Justice’s Legal Risk Management Framework for federal government departments and agencies; the Treasury Board Secretariat’s (TBS’) Framework for the Management of Risk; and the TBS Management Accountability Framework: A Tool for Internal Auditors.

The objective of the Audit of Legal Risk Management was to assess the processes and controls in place, as they specifically relate to the identification, monitoring, and mitigation of risks associated with NRCan’s legal obligations.

Audit Sub-Objectives	Audit Criteria
Sub-Objective 1: The Department has established and implemented adequate governance processes to support the management of legal risks.	1.1  Legal risk management roles, responsibilities, and accountabilities are documented and communicated to the Sectors.
	1.2  Adequate governance processes are in place for communication and reporting of legal risks to facilitate informed decision-making by senior management.
Sub-Objective 2: Sectors have established effective processes and controls to identify, monitor and mitigate risks associated with NRCan’s legal obligations.	2.1  Sectors have developed effective processes to identify their legal risks.
	2.2  Effective Sector-level processes are in place to assess the likelihood of adverse legal outcomes and their potential impacts.
	2.3  Sectors have developed, implemented, and communicated effective legal risk mitigation responses that are regularly reviewed.
	2.4  Sectors have effective processes in place to manage, monitor, and fund their legal costs (i.e. cost of legal services and cost of litigation/settlements).
Sub-Objective 3: The Department has established procedures and tools to build departmental legal risk awareness and foster a common approach to legal risk management (LRM).	3.1    Standardized LRM procedures and tools are established and communicated to the Sectors.
	3.2   LRM best practices are shared and considered as part of departmental decision making.