Businesses are faced with a variety of risks on a daily basis. While certain types of risk are an accepted part of business, others that relate to legal matters—like contracts, corporate entities, IP and compliance—can have serious adverse effects. The role of a general counsel is to support the organization in assuming the right types of risk while mitigating, if not eliminating, negative consequences. By understanding risk, general counsel create legal solutions that generate real value for the organization, resulting in a strategic role for in-house law departments in defining and achieving the business’s overall objectives.
Before You Get Started
When implementing a risk management program, you need to address the following key questions before getting started:
- How does the general risk management function relate to the compliance and legal departments?
- How will legal counsel, accountants and risk management professionals work together to best manage legal risk?
- How will credible and dependable legal risk assessments be provided in the absence of a quantitative framework?
- Is there a need for a more holistic system of legal governance, risk and compliance management?
Step 1: Set the Scope and Rules
Before you can start managing risk, it’s important to define the scope of your legal risk management program. This means understanding what departments and entities should be involved. The scope should be defined within the context of your organization’s objectives and aligned with your risk management mandate and commitment—otherwise known as your company’s “risk appetite.”
It is important to evaluate both external and internal factors that can affect the organization. Reviewing external factors, such as the regulatory environment and market conditions, as well as internal factors, such as your approach to decision-making, contractual relationships, work flows and the use of resources, can help you understand which processes may be subject to increased risks.
Step 2: Identify Your Legal Domains
Once you have defined the scope of your risk management program, you need to identify what types of legal risk will get tracked. Typical legal risks that fall under the responsibility of the legal department include corporate entities, contracts, disputes and regulation.
Step 3: Involve the Organization
It’s crucial to have a clear picture of the entities, departments, employees and roles of the various stakeholders, including legal counsel, contract owners and managers, all of whom have an impact on risk.
Collaboration with key people early on can help you gain buy-in for your risk management program and can help you identify the person or entity with the authority to manage a particular risk.
Step 4: Collect Relevant Data and Identify Risk
The consistent collection of relevant data is critical to the success of legal risk management. Not only does data help you identify a particular legal risk, but it can also be leveraged proactively to control future risk and ensure your readiness in the event of litigation.
When it comes to information, in-house counsel need to understand:
- What data (documents, emails, etc.) the company and its employees have
- Where data is located, stored, shared and managed
- Who is responsible for the various types of data
- What data is necessary for the ongoing operations of the company, in terms of both business and legal operations
One of the easiest ways to ensure that you have a clear map of all the relevant data is to consolidate it in a secure online repository that is set up to manage specific legal matters.
Armed with the requisite data, you can now begin to identify risks that relate to your legal domain. This involves describing risks, along with the possible causes and potential consequences. Typical risks that every in-house legal department should consider include failures, inconsistencies or losses in commercial relationships and obligations. There may be changes in legal expectations and liabilities, shifts in economic circumstances and disruptions due to technological innovations. There may also be management shortcomings. A risk can be triggered by one or multiple causes and can have one or more consequences.
Step 5: Assess Your Risks
Once you have identified the risks related to a specific legal matter, you can begin to understand which risks your business is willing to accept and which need to be avoided. Risk assessment is a systematic approach to measuring, ranking, comparing and prioritizing these dangers in a consistent way across your company. Risk is measured as a function of likelihood using a system known as a risk assessment matrix. You can create a risk assessment matrix using a rating scale that you can customize to your organization.
Likelihood of Risk
The likelihood of a certain occurrence can be given a rating based on qualitative or quantitative terms, such as probability or frequency of an occurrence over a specified time frame. For example, likelihood can be rated as rare, unlikely, possible, likely or frequent.
Impact of Risk
Just like likelihood, the impact or consequence of a certain occurrence can also be given a rating based on qualitative or quantitative terms. Depending on the nature of risk, impact assessment can be tied to a variety of consequences, including but not limited to financial loss, health and safety, security, regulatory, operations, reputation and environmental impact. A best practice is assessing impact using a combination of considerations and assigning a rating where impact is greatest. Impacts may be deemed insignificant, minor, moderate, major or catastrophic.
Assigning a Risk Rating
Once you have ranked each risk by likelihood and impact, you can assign a rating that takes both into account. This risk rating can then be used to guide subsequent actions. One example of a risk assessment scale is as follows:
- Low—Acceptable risk that is unlikely to require specific application of resources
- Moderate—Acceptable risk that is unlikely to cause damage and/or threaten project or asset
- High—Not acceptable, as it is likely to cause some damage, disruption or breach of controls
- Extreme—Never acceptable, as it is likely to threaten the survival of the project or asset
Additional Assessment Criteria
Assessing risk based on likelihood and impact can help set the groundwork for an initial risk management plan; however, not all risks are foreseeable. You also need to understand your company’s vulnerability to risk and velocity. By looking at vulnerability, you can determine your exposure and response rate to risks. And understanding the speed at which risks may arise can help you define the level of agility required in your response. Areas where you are most vulnerable and slow to respond may be the ones that your organization needs to address first.
Step 6: Implement Controls and Mitigation
Now that you have identified and assessed your risks, it’s time to manage them with controls and/or mitigation. Risk controls are the actions in place that aim to reduce the likelihood of risks occurring and, if they do happen, actions you have in place to reduce their impact. Generally, additional controls are applied to risks that are rated “extreme” or “high” to reduce the rating to an acceptable level.
While controls can help you prevent risks from happening, mitigation is aimed at reducing adverse effects. There are four ways of dealing with risks that you have identified. You can:
- Accept it. Risks that are unlikely to happen and can be controlled if they do are deemed acceptable. However, they should still be monitored. Also, when the cost of avoidance for low-likelihood risks outweighs the cost of the risk itself, it may make more sense to accept it.
- Avoid it. This action avoids any exposure to the risk, where practical.
- Reduce it. Limit the likelihood or impact of risk occurring through the use of preventative solutions.
- Transfer it. This action involves another party bearing or sharing some part of the risk.
The right solution depends on the context of the risk.
Finally, it’s important to create a list or registry of the risks that relate to each legal matter. By listing the nature of each risk, and mitigation measures that can empower stakeholders to reduce risk proactively, you can monitor your risk management progress.
Step 7: Review and Report Results
Once you have managed your risks and created a registry, it’s important to review and report the results. If you are using a smart repository for all your legal data, you can quickly review and report on business objectives, and demonstrate the strategic and financial impact of risk management. You can also build in risk reporting protocols to highlight areas of concern, areas of change and areas that harbor emerging threats—along with opportunities to enable effective decision-making and proactive risk management.
To be effective, in-house legal counsel need to partner with the business, understand the issues relating to achieving objectives and produce viable and tangible solutions to managing risk. By implementing a systematic and structured risk management plan, you can encourage proactive management of business processes that aim to protect your business, while increasing the possibility of achieving business objectives.
To facilitate the process, adopt tools that can help you get started quickly and become more sophisticated as your risk management program grows. Whether you are looking to manage risks related to contracts, compliance or corporate assets, a smart online repository of all your legal data can help you get where you need to go.
Published March 7, 2017.