
Risk management differs from compliance and internal audit – but from legal?

OpRisk & Compliance, Vol. 10, April 2009 at 29, makes the point that risk management is not like compliance and it is not like audit. One person interviewed for the article offered this view: “The other two [compliance and audit] are about policing. They are about looking backwards and ticking boxes. But risk is forward-looking and is a partnership with the business.”

The legal function should also be forward-looking and aligned with clients, not reactive and “sweeping up after the elephants” (see my post of April 15, 2006: the metaphor used by one general counsel). In-house lawyers who are shunned as “police” do a disservice to their companies. Partners, not police, I say (see my post of March 23, 2008: risk management with 18 references; Nov. 22, 2008: “control functions”; and Jan. 2, 2009: don’t charge legal with responsibility for risk management).