INTRODUCTION

Enterprise-wide risk management (ERM) views all risks to the firm as subject to management and control. Legal risk management is certainly no exception. Indeed, this chapter is premised on the principle that legal risk is simply one of many types of risk facing a firm. This necessarily means that like other risks legal risk should be managed in accordance with basic notions of risk management generally—that it should not exist within a risk “silo” but should be managed with a view toward the firm’s overall risk tolerance and through coordinated efforts of senior management, including the board (Simkins and Ramirez 2008). Therefore, ERM includes consideration of the optimal means of managing legal risk.

After the revelation of widespread fraud and illegality within American public companies in late 2001 and 2002, leading to the failure of such major firms as Enron and WorldCom, Congress enacted the Sarbanes-Oxley Act of 2002 (SOX). SOX preempted state rules of professional responsibility governing attorneys and imposed federal standards for those representing public companies. SOX also prompted the SEC to create a new mechanism for the management of legal compliance (the Qualified Legal Compliance Committee or QLCC) within public corporations in the United States. SOX completely reworked ...