"How did this happen?" is the first question every general counsel or compliance officer has to answer once an organization is sued or receives a regulatory sanction of some kind. The answer is that the organization does not manage legal risks systematically as it does other risks. Legal risk remains one of the most challenging and least understood risks to manage.
To improve legal risk management for any organization requires six steps. This process will not prevent every lawsuit or regulatory penalty, but it will bring more clarity to legal risks and enhance the organization's responses.
1. Select framework
Risk management is a continuum
Objectives for a framework
A risk management framework for legal risk and compliance should meet four objectives:
- Simple but not simplistic
- Scalable but not overbearing
- Adaptable but with clear guidance
- Practical but not regimented
The risk management framework that best meets these objectives is ISO 31000. ISO 31000 defines risk as, "...the effect of uncertainty on objectives." This sweeping definition includes events that bring unexpected costs, classically thought of as "risk," as well as threats to opportunities.
2. Obtain organizational commitment
Risk management initiatives often stall and stagnate because the organization insists on "doing it right," meaning implementing a risk management framework for the entire enterprise. Enterprise risk management (ERM) is a noble and important endeavor. However, it is not an essential starting point.
General counsel, compliance officers, contract managers, other legal professionals can implement legal risk management within their own domain. A focus on legal risk yields two benefits. First, the broader enterprise will benefit from clarity and measurement of formerly opaque risks. Second, the bar for approval of software and processes is lower than enterprise risk management, because the systems are simpler and the field of use is constrained.
There are four key questions to obtain organizational commitment:
- What is the scope of the legal risk management initiative (meaning: departments, divisions, or enterprise)?
- What types of legal risk will get tracked with the initiative (contracts, regulations, litigation, etc.)?
- Who is the audience for legal risk reporting (management layer, corporate functions, etc.)?
- How much budget is available to track and treat legal risk in terms of time, money, and staff?
Answering these questions will focus the organizational commitment needed to get started.
3. Identify legal risks
Risk identification is an issue spotting exercise. The objective is to compile a broad list of risks. There are three steps to identify legal risks:
Step 1: Find sources of legal risk. The primary sources of legal risk are contracts, regulations, litigation, and structural changes.
Step 2: Recognize potential and actual risks. Uncertainties with legal consequences can arise from hazards (physical injuries), events (a single occurrence), situations (entering a new international market), and scenarios (counterparty does X, Y, or Z).
Step 3: Record risks in a risk register. A risk register is basically a list that also captures some attributes of each risk. To start, track the name of the risk, the likelihood on a simple scale as an estimate, the consequences rating on a simple scale as an estimate, and the combined risk rating on a simple scale.
Now you can subject the risks to analysis, driving toward decisions about how to manage legal risks.
4. Analyze legal risks
Risk analysis is about understanding the risks in the risk register. To analyze legal risks, begin with an assessment of controls. Risk controls can take a variety of forms depending on the risk, the industry, and the organization. For example, to manage a contract risk, an organization might use a requirements tracking system to ensure that individual obligations are satisfied.
Once you have gauged the effectiveness of risk controls, analyze the likelihood and consequences of each risk. The likelihood of a legal risk is the combination of the chance of discovery (will a claimant or regulator identify the problem) and the chance of an adverse decision. Similarly, consequences are the product of damages (usually in financial terms) and frequency (the number of incidents).
Precise measurement of likelihood and consequences is rarely, if ever, possible or even desirable. Risk involves uncertainty. Risk analysis aims to refine, but not resolve, the identified risks. The final part of risk analysis is to build in parameters or variables for the elements. For example, damages for a claim might range between $X and $2X.
With the analysis in hand, you can refine the risk register with more definitive ranges. Risk analysis is an iterative process. Some risks will fall off the list; some will merge with others; new risks will emerge after analysis.
5. Evaluate legal risks
Evaluating legal risks is quite different from the analysis of risks. To evaluate a legal risk is to prioritize the response to the risk. At the core of risk evaluation is your organization's risk tolerance. Legal risks that are above the line - intolerable - need risk treatment. The idea behind risk treatment is simple: modify the risk so that it is tolerable. Notice that it is not necessary to eliminate the risk, just render it tolerable.
Risk treatment options are as diverse as the risks we manage. However, there are several repeatable techniques:
- Avoid the risk by not starting or continuing the activity that can create the uncertainty
- Increase the activity that creates the risk, if the consequence is beneficial
- Remove the source of the risk
- Change the likelihood and/or consequence of the risk
- Share the risk through contracting or insurance
Each of these techniques can change the character of legal risk. Adapting these techniques to legal risks brings legal professionals closer to the operations of the organization to reduce the cost and impact of uncertainty.
6. Communicate and advise
Once legal risks are inventoried and analyzed in the risk register, it is important to communicate the results to the broader enterprise. However, many risk professionals diminish the power of their message and the effectiveness of their communication by presenting each risk.
To make a lasting impact on the organization, think holistically and communicate clearly. The principles of effective risk management presentations are detailed in "The 20 Minute Risk Manager."
Risk management is the frontier for lawyers, compliance officers, and contract managers to add value to their organizations. A pragmatic approach to legal risk management is within reach!