Mitigating risk Q&A: Samantha Barr
In the next in our series, Samantha Barr, legal projects lead, ODEON Cinemas discusses how you can educate your organisation on risk, and demonstrate and measure your value in relation to risk management.
As in-house counsel, what is your responsibility towards risk?
Thinking about risk is a great way to assess the value your legal activity delivers to your organisation.
Make time to get under the bonnet of your organisation, look at the engine, and assess what could go wrong, focusing on what, when, where, how and who. Ask yourself what may have gone wrong in the past, for your organisation and for similar organisations. Factor in the severity of the risk versus the likelihood of the risk. Talk to as many people as you can within this process.
Consider who manages these risks within the organisation. This will vary greatly according to the size of the business. In larger organisations, there may be teams of people assigned to specific risk areas, particularly sector-specific risks.
Assess where you and your team fit into the overall risk management matrix. There may be many areas where you can make a valuable contribution to someone else’s risk management activity, but for many in-house lawyers, the risk areas you actually ‘own’ can be fairly limited. The core risk management responsibilities for in-house lawyers tend to be contractual risk and litigation risk; there may be more, depending on your role.
Finally, take the time to check that other people in the organisation agree with your conclusions!
How can in-house lawyers understand and adapt to their organisation’s perception of risk?
Gaining insight into your organisation’s approach to risk is key to your effectiveness as in-house counsel. You don’t necessarily have to share the organisation’s risk approach personally, but you need to understand it.
At a basic information level, find out what assets and processes the organisation has to manage risk. This will include things like:
- insurance cover
- risk registers
- policies and procedures
- delegation of authority statements
The range of assets will vary according to organisation size and maturity.
At a more human level, talk to people to get a feel for your organisation’s cultural attitude to risk, and the skills / expertise / approach / resource other people bring to risk management. Respect the fact that others may legitimately have a different and better informed view on risk, and that your legal risk inputs are only one element of the overall risk management process.
How can you educate the business on what risk is?
Raising awareness and skills within your organisation through training activities is a win-win activity for in-house counsel. Training activities build respect, understanding and trust, whilst managing risk in the most proactive way, by stopping problems before they start.
Your training needs to be relevant, and pitched at the right level, with a clear call to action to those you are training. If you can build in some self-help tools, such as templates and playbooks, even better, as this will improve the risk outcome while freeing up internal legal resource (for more training, perhaps).
Make sure that your organisation has bought into your training activity topic and desired outcomes. Ensure that there’s a good feedback loop, so you can assess the value you are adding.
What if the lawyer gets it wrong or makes a mistake?
Mistakes happen. When they do, it is your professional duty to put your organisation’s interests first. Don’t hide the issue or procrastinate; share the issue immediately with an appropriately senior person and work out how best to mitigate it.
Making a mistake is a humbling experience. Try and learn from it at a personal level, and if there is an organisational vulnerability in play, take steps to fix that. Senior leadership will respect an honest, proactive approach to mistakes; they will not forgive deception or delay.
How to you factor in regulatory requirements and updates into your plans?
Check that you are responsible for the regulatory area in question, and consider whether you are best placed to monitor and plan compliance. The scope of the task should be aligned to the risks for which you have responsibility. If you spot a gap in the organisation’s matrix relating to an area of regulatory requirement, either take it on or pass it to someone else.
If the task is truly yours, it’s probably in the “Important, but not urgent” box and needs appropriate prioritisation. For horizon scanning, remember that external subject matter experts may be already doing this, and will often share their knowledge for a reasonable fee.
How to you report on and measure your and your teams ‘value’ with regard to risk management?
The core reporting / measuring should be relevant to the risks you manage.
Assuming you manage contractual and litigation risk, there are many tools and approaches you could take. Whichever approach you decide on, remember that this activity is valuable not only to communicate your outcomes to the wider organisation, but also to assess and plan your own activities. For example, if you are spending a lot of time on contracts which you have identified as low risk, ask yourself whether this is time well-spent – there may be another way of doing this activity which is more proportionate to the risk.
Reporting and measuring can feel like a chore, but used effectively it can deliver valuable and energising insight.