Thriving through effective risk management
Most in-house lawyers describe themselves as risk managers, but do they approach the subject in a structured way? Many of us are used to completing risk registers, but how often do we use them proactively? In business, profit is the reward for successfully taking a risk. As lawyers, we can use legal risk management as a way of realising the positive consequences, as well as reducing the negative ones.
Reappraising risk allows you to take positive steps to creating real value for your organisation through legal risk management, as well as embedding a successful risk management culture.
Risk management is natural
Every day we manage risk. We get up to go to work. We travel to distant destinations on holiday, play sports and engage in many diverse activities. Sometimes we subconsciously assess the risk involved (for example, when we get out of bed). At other times, we consciously analyse the risks and manage them (such when we organise a holiday). We also recognise the rewards for taking risks as well as the possible dangers.
However, when understanding risk in a business setting, our analytical skills – clear in our personal lives – either seem inadequate or disappear. People to whom I teach legal risk management often leave the course realising that they had always understood the fundamentals of risk management – they just needed structure. The fact is we are all skilled risk managers.
What is a legal risk?
Many business risks have legal consequences, but those consequences do not make them a ‘legal risk’. The distinction is important because in an organisation the responsibility for management of the legal risks should rest with the lawyers. It does not mean the lawyers have no involvement with non-legal risks, just that the responsibility to manage those risks rests with others.
A risk is ‘a possible intervening event that changes the current value into a future value’. That future value may either be a gain or a loss.
Risk management is organic. It is based on perception, and perceptions change. Perception often reflects recent events: in 2003/2004, after the events of 9/11, lists of risks give terrorism a high rating, whereas by 2010/2011, following the banking crisis, financial risks top the lists.
In business a lot of time is often spent trying to pinpoint each possible intervening event. The danger is that you end up with inflated lists with many events, which creates unnecessary complexity. Rather than trying to identify individual causes, stick to generic categories. Thus, I use the following definition of legal risk.
1. Litigation risk
A failure of the organisation to properly conduct a claim being made (including a defence to a claim or a counterclaim) which results in liability for the company or other loss.
2. Asset risk
A failure to adequately protect the legal rights in assets owned by or otherwise managed for the benefit of the organization.
3. Contract risk
A failure to ensure that the organisation adequately manages the benefits or obligations arising under contracts or other legally binding commitments entered into it including enforcing the benefits.
4. Transaction risk
A defect in transaction documentation causing a defective transaction.
5. Change of law risk
A change in the law.
Depending on the structure of your organisation, you may wish to add to that definition regulatory risk – the failure of the organisation to realise the opportunities or minimise the losses created by the regulatory environment in which the organisation operates.
The four key elements of risk management
There are four key factors in successful risk management:
- appetite; and
Traditional business risk management has focused on incidence (the likelihood of a risk event occurring) and impact (the consequences of occurrence) alone. The problem is that such a focus creates a two dimensional picture of risk.
In the last decade, the ‘two dimensional’ inadequacy of traditional risk management has been recognised. Two other elements are now considered to give a much greater understanding in risk management: appetite and tolerance. In our personal lives, we recognise these straight away. Our risk appetite is how much risk we are prepared to take. Some people fear flying, others are happy to go parachuting – their risk appetites are different. Risk tolerance concerns our ability to tolerate the risk once we are involved in the activity. For example, you may decide to wear hiking boots rather than flip-flops when walking in the mountains!
Understanding an organisation’s risk appetite
Different organisations, like individuals, have different appetites for risk: the appetite of a pension trustee is likely to be very different to a venture capitalist. How do you know where on the spectrum your organisation sits? Your organisation may have a ‘risk appetite statement’ setting out the organisation’s willingness to accept risk. If you do not, how can you create one?
Look for expressions within your organisation of the levels of risk it is prepared to take; how far it is prepared to trade off the risk occurring against the benefits of taking the risk. Often, the appetite will be stated across various corporate statements.
- Corporate values statement or mission statement
- Investment policy
- Regulatory compliance statements and codes of conduct (e.g. anti-bribery and corruption)
- Governance policies
- HR policies
Do not expect consistency – many statements will have been drafted in isolation without reference to other policies. In creating an appetite statement, you have the opportunity to develop a uniform risk-based approach to decision making for your organisation, at least in the legal risk arena. If successful, you create a framework against which your organisation’s people can exercise their judgment when making business decisions. Indeed, if you can get a good understanding of the appetite for risk, then many risks that seemed previously relevant will fall away, leaving the real risks to your organisation in sharp relief.
Avoid the ‘data fetish’
A difficulty when assessing the four elements is that we make judgments based on what has happened in the past. Whilst there is some value in understanding the past, it does not predict the future with any certainty. The use of management data can be informative, but should not be relied on exclusively. In the latter part of the 20th century there was a school of thought that considered it possible to predict all risks through data analysis – such reliance was a fetish. This failed to take into account the fact that life cannot be reduced to an algorithm.
Data can be helpful. If you use it, look at trends in the data rather than just the numbers themselves. But never exclude common sense.
One area often overlooked by business is ‘near misses’. A near miss is ‘an unplanned event that did not result in injury, illness, or damage – but had the potential to do so.’ Had the chain of causation not been broken, it would have resulted in injury, illness or damage. By understanding why the chain was broken you can identify a gap in your risk management before disaster strikes. If the worse does happen, it is important to review the incident and understand the cause: root cause analysis.
Managing risks - the tools available
As lawyers we have a number of tools available to manage the incidence of risks and the consequences of their occurrence. These fall into two categories – controls and mitigations.
Controls are the steps that we take to reduce the likelihood of a risk occurring.
The types of control that we may use in respect of legal risks are:
- the use of written contracts;
- ‘know your customer’ formalities;
- reserving authority so that only certain people can exercise governance responsibilities (for example, disposing of property or starting litigation);
- legal training and knowledge dissemination to the business – note, however, you cannot ‘train away’ all your problems;
- introduction of trading policies, standard terms and conditions; and
- monitoring of legislative changes.
Mitigations are the measures that are adopted once a risk has occurred to reduce its impact.
Common legal mitigations are:
- use of subsidiary companies to ring-fence liabilities;
- warranties and Indemnities – caps, collars, warranty periods;
- limitation of liability;
- section 36 offers;
- compromise agreements; and
Given the dynamic nature of risk, you will need to keep these controls and mitigations under regular, periodic review. The risk landscape will always be shifting, so you must be ready to adapt your response. Furthermore, if you understand your organisation’s risk appetite, you can adapt these tools to build the appropriate levels of risk tolerance. These will be proportionate to the potential impact of the risk and the degree to which your organisation is prepared to accept those consequences in pursuit of its goals.
Risk management and value creation
Risk management is not something that is done in isolation of the rest of business operations. Understanding the risks and how they are managed means that an organisation can allocate its finite resources in the right areas to minimise its losses and maximise returns.
If, as a lawyer, you understand the management of business risk, then you automatically gain admission to the full business decision-making process. Being able to speak the language of risk is vital. The ability to make good risk judgments is a core skill for business people.
The successful in-house lawyer will go beyond just understanding these issues. That lawyer will create legal solutions that generate real value for the organisation. Let us take two examples.
First, you could create a structure that gives the procurement or sales team increased autonomy. You do this by setting out the degree to which they can negotiate individual clauses based on a risk analysis. If done correctly you will reduce overall contracting time and unnecessary demand for your services, so you may concentrate on other things. It will also highlight the areas that present the greatest risk to your organisation.
In the second case, by understanding your organisation’s risk appetite, you can build mitigation strategies that are proportionate to the needs of the business. In creating proportionate responses, the business will deploy the right level of resources and decision making to manage a risk occurrence. You are thereby ensuring that valuable resources are not tied up in a disproportionate response and that flexibility is maintained in decision-making.
We are all risk managers
It is a common mistake to believe that risk management is the province of dedicated risk managers alone. That belief creates an additional vulnerability in an organisation. By adopting a proactive approach to risk management with a uniform understanding of risk appetite, you are creating an environment in which ‘legal’ plays an active role in the business decision-making process. If you are managing a team of lawyers, you will be able to use the approach to give your team autonomy to make good judgments when working with their non-lawyer colleagues. After all, if we are natural risk managers in our personal lives, then there is no reason why we cannot be the same in our business ones too.