How to Do Legal Risk Physical Examination for Enterprises by E┃

Abstract: The legal risk management of the enterprise can be divided into three stages, i.e., prevention beforehand, control during the incident and relief after the incident. The traditional lawyers' business mainly focuses on the two parts of control and relief after the fact, which is specifically manifested in the legal consultant service and litigation agency business provided to the enterprises, especially the litigation business is the main business, but the intervention in the prevention beforehand is relatively small. However, the significance of prevention is often more important than the other two parts. This part of the shortage of legal services for lawyers in the future business development provides a broad space. This article will focus on the significance of the prior risk prevention and how to provide enterprises with prior risk prevention legal services.

Keywords: legal risk, physical examination, internal control

Text:

I. Introduction of the problem

How did we do legal counseling in the past? We sat in the office and waited for our clients to call, and we seldom visited our clients if they didn't come to us. In addition to daily legal counseling and contract review, we basically have nothing else to do. We may occasionally be invited to participate in client negotiations, but that is also passive. Then we spend all day in the office waiting for our clients to come up with some kind of legal dispute so that our cases will come in. After a long time, slowly the clients also began to understand, the original lawyer only know how to fight the lawsuit, and even look forward to our company accident, so that he can have a case to do. So, our clients have gone to recruit their own legal staff. So the role of the lawyer as the main person responsible for litigation was reinforced even more. It's as if that's the way things are supposed to be. But is that really the way things are supposed to be?

I don't think so. For clients, fighting a lawsuit is like putting out a fire, and while you need to put out a fire, you need to keep it from burning! In this analogy, the law firm is like a fire department, where there is a fire where to put out the fire, we lawyers are also happy. The fire-fighting business was good in the beginning because there were a lot of fires and few fire departments. But later on, the number of fire departments began to increase, but the rate of fire growth was not as fast. At this time, many lawyers began to feel that the business was hard to do and the competition was incentivized ...... By this point in the story, you've probably realized the cause of the problem. It's because we're just selling what we want to sell without thinking about what our customers want to buy. As I said at the beginning, what customers want is always "not on fire". That's why more and more companies are starting to have their own legal staff and legal departments.

So what can we do about our clients' needs? That's what this article wants to focus on: we need to help our clients with legal risk prevention! Some people may say, you kill all the legal risks of the enterprise in the cradle, then we do not have lawsuits to fight? Isn't this digging your own grave? I say no, why?

First of all, no one stipulates that a lawyer's main job is to fight lawsuits. The boom in non-litigation business over the years is proof of that.

Secondly, even if the enterprise's own legal risk management level is improved through our services, it is still possible to face the following risks: 1) infringement by others; 2) breach of contract by the other party to the contract; 3) risks caused by the enterprise's own inadequate management; 4) legal risks voluntarily assumed by the enterprise in accordance with the needs of its production and operation.

There is, therefore, absolutely no need for us to worry about this issue. The reason is very simple, let's say, just like the world has so many medicines, nutrients, health care methods, but every day there are still a lot of people will be sick to go to the hospital, the hospital's business is still very hot.

It seems that this business can be done. So how should this business be done? This leads to the theme of this article, is to give the enterprise to do a legal risk body check. This is like going to the hospital to check the body, want to know what disease, have to check the body, know the problem, so that the right medicine. Then give the enterprise to do this legal risk physical examination and what is a thing?

Two, what is the enterprise legal risk medical examination

This medical examination is actually a bit like due diligence, but there is a big difference. The due diligence report is generally for people outside the company to see, such as equity transactions with each other. Therefore, the due diligence report is more concerned with the existing legal risk status of the enterprise. But it is less concerned about the mechanism, process and management level of the enterprise's legal risk management. And this is precisely the focus of the legal risk physical examination. The current status of the risk is not what it focuses on. To put it bluntly, the due diligence report is concerned about the "fruit", while the risk medical examination is concerned about the "cause". Only grasp the letter of the "cause", in order to avoid bad "fruit", in order to prevent problems before they occur, which is the significance of risk management.

Before introducing how to do a risk checkup, let's tell a little story first. This is an experience I had when I was a trainee lawyer. At that time, I followed one of our lawyers to an enterprise, the purpose is to see what legal risks this enterprise has, in fact, to do the legal risk checkup. But the lawyer led me around the office, but also went to the production workshop, to visit the workers to make their products "garlic tablets" process. I didn't understand what was the point of seeing this. Although we had done a survey list before coming here, we always felt that the questions did not hit the nail on the head, and we could not find any problems. The result was predictable, the operation was a failure, we did not put forward any valuable risk prevention advice.

A few years later, when I have been quite knowledgeable about the enterprise's legal risk management and have done many risk checkups for the enterprises I serve, I suddenly realized what was wrong with that attempt. I think the mistake was that we did not grasp the main line of the enterprise's operation and management process, but stayed on the surface of some problems, which led to the failure. To do a risk checkup for an enterprise, we must do it in close connection with the management process of the enterprise, or else we will have no target, fail to find the problems, and fail to catch the main points.

As I said earlier, the physical examination focuses on the cause of the risk, not the effect. Therefore, our attention can not stay in what problems have occurred, but focus on identifying the causes of these problems. How do we find the causes? This goes to management. It can be said that all internal problems are caused by management. This brings us to a concept called "internal control".

The concept of "internal control" comes from the United States and is a core concept in the field of enterprise risk management. It refers to the process implemented by the board of directors, the supervisory board, the management and all employees of an enterprise to achieve the control objectives. The goal of internal control is to reasonably ensure that business management is legal and compliant, assets are safe, and financial reports and related information are true and complete, to improve operational efficiency and effectiveness, and to promote the realization of the enterprise's development strategy.

The reason for introducing the concept of internal control in these is that internal control runs through all the processes of enterprise operation and management. Its core idea is to carry out risk control on the process, through the process of each risk point for effective control, so that enterprises can be in the risk of the most beginning of the link on the relevant risks to effectively intervene, so as to minimize the risk of the enterprise. Therefore, in order to do a good job of legal risk physical examination must start from the internal control of this throughout the enterprise management of all processes of risk management means.

From the internal control point of view of the enterprise, the enterprise's business management is actually composed of a series of processes, according to the classification of the "basic norms of internal control of enterprises", these processes can be summarized as eighteen modules: 1, organizational structure; 2, the development of strategy; 3, human resources; 4, social responsibility; 5, corporate culture; 6, capital activities; 7, procurement business; 8, asset management; 9 , Sales Operations; 10, Research and Development; 11, Engineering Projects; 12, Guarantee Operations; 13, Business Outsourcing; 14, Financial Reporting; 15, Comprehensive Budgeting; 16, Contract Management; 17, Internal Messaging; 18, Information Systems.

With the above categorization, it is already obvious which activities are likely to generate legal risks. For example: organizational structure, human resources, capital activities, procurement business, asset management, sales business, research and development, engineering projects, guarantee business, business outsourcing, contract management and so on. These activities may involve the following legal risks: corporate governance structure risk, labor and personnel risk, investment and financing risk, intellectual property risk, contract risk, security liability risk, engineering dispute risk, etc..

I think one of the biggest contributions of the internal control approach to our understanding of corporate legal risk is that it allows us to have the concept of process, and to look at corporate legal risk through the lens of process, rather than a brow-beating approach. The legal risk of an enterprise arises from its operation and management processes, so if certain parts of these activities are not done properly, it may bring corresponding legal risks to the enterprise. Here we take human resource management as an example to illustrate how to process the vision to sort out the enterprise's legal risk:

An enterprise's human resource management generally includes four major categories of activities: one, the introduction of human resources; two, the development of human resources; three, the use of human resources; four, the exit of human resources. The introduction part includes human resources planning, recruitment activities, labor contract establishment, probationary period management, etc.; human resources development includes training, internal promotion, job rotation and other management activities. The use of human resources includes performance management, salary management, rewards and penalties, employees' occupational health and safety, social insurance payment and so on. And the withdrawal of human resources includes the termination of labor contracts, employee dismissal and so on.

Through such a sort of combing, we have a clearer picture of the process of human resource management. At the same time, we can also put the corresponding legal risks into the right place. For example, in the introduction of human resources stage may face legal risks: not timely and workers to enter into labor contracts or the content of the labor contract is illegal; the enterprise did not pay social security to the workers in a timely manner; not with the core, the key positions of the employees signed confidentiality agreements or non-competition agreements. Legal risks in the development stage of human resources may include: failure to change the labor contract in a timely manner after promotion or transfer, failure to sign a training agreement or a service agreement with employees for paid training, etc. Legal risks during the use of human resources may include: failure to provide sufficient institutional basis and evidence for adjusting the salary of employees due to an imperfect performance appraisal system, which may lead to labor disputes; failure to pay wages in a timely manner; work-related accidents; and the conclusion of an employment contract between a worker and another enterprise at the same time. The legal risks in the exit process may include: improper termination of labor contracts leading to labor disputes; failure to exercise the right of termination in a timely manner leading to overpayment of wages by the enterprise; failure to comply with the confidentiality agreement leading to leakage of commercial and technical secrets of the enterprise; failure to comply with non-competition agreement by the enterprise or the employee. (The above legal risks for the relevant links are just a list, not exhaustive.)

This right-sized sorting method is much clearer, isn't it? We can use this method to the enterprise may be involved in the legal risk of all included, so that there will be no omissions, and the vein is also more clear.

Three, how to do the enterprise legal risk medical examination

So, after the idea of this process, how do we operate?

First of all, to sort out the legal risk points more business modules, such as the above mentioned human resources, procurement business, sales business, research and development, engineering projects, guarantee business, business outsourcing, contract management and so on. Then all the processes of these modules are sorted out according to the content of the "Basic Standards and Guidelines for Internal Control" and the specific situation of the enterprise. Then list and analyze the possible legal risk points on each process, and try to exhaust all possible legal risks. Then describe the ideal control state of the above legal risks. Finally, we compare the ideal control state with the actual situation of the enterprise and find out the gap, which is the existing problem and needs us to find ways to solve it. Finally, based on our analysis of the gap, we put forward our countermeasures and suggestions to solve the problem, and the whole physical examination is done.

The above process can be summarized as three back-and-forth components, i.e.: i. risk identification; ii. risk analysis; iii. design of risk control measures. Here are specifics:

(a) risk identification

1, the meaning of risk identification

Legal risk identification, refers to a specific business process in the enterprise may exist in the legal risk identification, and listed, the purpose is to form a complete legal risk point mapping. This link is the starting point and foundation of all subsequent work, this link is not good, will affect the quality and effect of the entire risk medical examination. The most important thing to grasp in this link is the comprehensiveness and completeness of the identification of risk points, that is, to be as comprehensive as possible, no omission of the business process may exist in all the legal risk points to find out.

2, the method of risk identification

So, what exactly do we use to identify the enterprise's legal risk points? General use of the following methods:

①Process combing method

This method is to internal control guidelines as a clue to the analysis of business processes, according to the relevant business processes listed on the process of possible legal risks.

②Regulatory search method

This method refers to a comprehensive search and analysis of laws and regulations related to the business of the enterprise, from which the enterprise may face risks. The advantage of this method is more comprehensive, avoiding the shortcomings of other methods.

③Individual Interview Method

This method refers to the method of understanding the relevant risk points through face-to-face individual communication with the relevant business personnel and management. The advantage of this method is that it can quickly find some of the management and business personnel concerned about the risk points, these risk points are often more relevant to the enterprise risk. The disadvantage is that it is not easy to get a full picture of all the risks in the business process.

④Case study method

This method refers to the analysis of actual cases that have occurred in the enterprise, from which to find out the problems that may exist in the management of the enterprise. The advantage of this method is that it is targeted, often able to identify some key pain points in the enterprise, and the information is more specific, allowing in-depth study of the related risks.

⑤Collective discussion method

Also called brainstorming method, this method refers to the case lawyers to organize all the lawyers involved in the project and the key positions of the enterprise's management personnel to discuss, speak freely to express their own views, without having to think too much about whether the proposed views are correct. Finally, the lawyer will organize and analyze all the opinions, and keep the valuable opinions. The advantage of this method is that it can creatively put forward some important issues, but also can make the participants through the uninhibited exchange of mutual inspiration.

In the actual operation of the process, generally through the process of combing method and regulatory search method to maximize the list of risks, and then the list of risks into a risk questionnaire, and then give the questionnaire to the enterprise business personnel to fill out and feedback to the lawyer. Then the lawyer stationed in the enterprise, according to the enterprise feedback questionnaire targeted communication with business personnel (interview method), and the enterprise has been the case of analysis (case analysis method), with the management of the enterprise to discuss the more significant risks (collective discussion method), and ultimately form a complete risk questionnaire, so as to lay the foundation for the subsequent analysis work.

(B) the analysis of risk

With the above risk questionnaire, we can analyze the enterprise's legal risk points one by one. The main purpose of the analysis is to identify gaps. When we create the risk questionnaire, we have reflected this thinking inside the table.

The size of the risk = the probability of the risk occurring x the possible loss caused by the risk

If possible, we can assign a value to the three variables above, so as to accurately determine the importance of the risk. Of course, this is more difficult to operate, here only as a kind of analytical ideas to be introduced. In practice, lawyers can use language to make relatively vague risk assessments.

(C) Risk control measures and strategies

Understanding the causes of risk and the importance of risk, we can propose solutions on how to control risk. The internal control guidelines categorize the reasons that lead to problems in the internal control of enterprises into two main categories, namely: design deficiencies and implementation deficiencies. According to the different causes of risks, control measures can be divided into two categories: first, measures against design deficiencies; second, measures against implementation deficiencies.

First of all, let's see what are design flaws and implementation flaws. Internal control theory suggests that all risks within an enterprise are due to no more than two types of causes: system design problems or implementation problems. The so-called design deficiencies refer to the existence of unscientific, unreasonable or illegal situations in the design of business processes, the construction of organizational structure, the division of responsibilities and authorities, and the allocation of internal resources. Execution defects refer to the risks faced by the enterprise due to the failure of internal personnel to strictly and effectively execute the business processes and work instructions that have been formulated. Therefore, by effectively intervening and controlling the causes leading to these two types of defects, the risks to the enterprise can be minimized.

The control measures associated with these two types of defects are different. For design defects, different control measures can be taken according to the different causes of the problem, such as: revamping internal processes; revising rules and regulations; formulating model contracts; adjusting organizational structures and job settings; and re-dividing responsibilities and authorities. As for the implementation defects, they are generally mainly caused by the following types of reasons, such as: lack of understanding of rules and regulations, incompetence in work ability, improper work attitude, poor internal communication, insufficient budget, etc. Therefore, its corresponding control measures may include: special training, strengthened assessment, job transfer, budget adjustment, strengthen the communication of each department through the organization of internal activities, and so on.

The above talk is mainly about the specific form of control measures. However, when formulating these measures, one issue that should not be ignored is that for different risks, companies should adopt different strategies to deal with them, rather than treating all risks equally. This is mainly due to the following reasons: i. The risks themselves are of different levels of importance, so the benefits that can be generated by the control activities are different; ii. The influence that enterprises can exert on the risks concerned is also different; iii. The resources that enterprises can have at their disposal to use for risk control are limited, i.e., risk control itself has a cost. Fourth, compared with the risk of business activities, the benefits it can generate may be greater.

Therefore, the lawyer in the enterprise to develop relevant risk response measures, should be from the actual starting point of the enterprise, taking into account the enterprise's development strategy, business interests, the size of the risk as well as the cost of controlling a variety of factors, the use of different risk response strategy. These strategies include, but are not limited to: risk avoidance, risk transfer, risk reduction, risk taking and so on. Of course, for the design of major risk control measures, lawyers must be with the senior management of the enterprise to carry out full communication and consultation, so as to make the design of the risk control measures in line with the actual situation of the enterprise and for the acceptance of the enterprise.

(D) the output of the results of the risk medical examination

After the risk identification, risk analysis, the design of control measures, the entire legal risk medical examination work base is completed. But in the end, the lawyer should try to medical examination process results produced in written form to the enterprise, as our final summary of this service and deliverables to reflect the value of the lawyer's labor. The results can be reflected in the form of "Legal Risk Checkup Report", together with all the revised systems, contracts, process documents and forms for the enterprise.

Of course, the completion of a medical examination program should not be the end of our work. After the completion of the medical examination service, the lawyer can continue to follow up the rectification of the enterprise, for the enterprise responsible for the end. In this process, the enterprise may also produce follow-up legal service needs, our lawyer's services can be a natural extension.