It’s difficult to be part of any business and not hear about “risk.” It’s everywhere. Risk is the new black. It’s on the lips of every CEO, CFO, and board member, as it should be. And, anything that is important to the board and the C-Suite, is important to the legal department. In fact, over the past five or so years, one of the key responsibilities businesses are placing on in-house lawyers is spotting and managing risk. The business wants its in-house lawyers to be the ones who sniff through virtually every situation looking for risk (legal or otherwise). What this means is that, more and more, in-house counsel need to be masters of the company’s business operations and strategy (both short and long term), because you cannot successfully spot and manage risk unless you understand how the company operates and where it wants to go.
Generally, when asked about risk, most in-house lawyers respond retroactively, i.e., they talk about risk in terms of things the company has already experienced – a recent lawsuit, a data breach, an internal investigation, etc. While this is helpful, it is only part of calculus of identifying risk. The harder part (and the more valuable skill) is being able to look forward and see risk. While a more valuable skill, my experience is that there is little to no training around how to “look for risk,” let alone how to evaluate it or report it out. For many in-house lawyers, it is largely a self-taught skill. My goal here is not to write a treatise about risk or risk management. I have read enough of those types of articles to know that they look really impressive, have complicated charts, graphs, and formulas, but most are hard to apply in the everyday, fast-paced in-house world. I want to set out a handful of simple ideas and processes you can use to spot and identify forward-looking risk and to evaluate and manage that risk alongside the business. This edition of “Ten Things” will discuss a few guidelines that will help you be better able to fulfill the demand from the business that you become “Risk Spotter in Chief” or, as I was often called, the “Risk Guy:”
1. What is risk? When we think of “risk” we tend to think only of bad things. Yet, not all risk is negative. Avoiding all risk is not the way to run a successful business, sports team, legal department, research facility, military, or pretty much any organization you can name. Taking risks is important to the success of any endeavor. There is risk in any merger for example, but companies still take that risk every day because there may be a big financial payoff. There is risk in “going for it” on fourth down in American football, but teams still take the chance because it may allow them to win the game.
2. The risk continuum. It important to not always view risk as negative. For simplicity, think of risk as a continuum of “degrees of consequences” ranging from negative outcomes to increasingly positive outcomes:
The key is your ability as in-house counsel to understand the different consequences of what you, or the company, want to do, where those consequences fall on the above continuum, and how everything balances out when the good and the bad are added up (i.e., “value creation” vs. “value destruction”). Where the negative consequences clearly outweigh the positive consequences and the downside is material, you probably do not take the risk or vice versa. The really hard part is when the negative and positive consequences are close or nearly equal. Now you have the premise of what I call the “risk conundrum”, i.e., how do you best manage a situation that has nearly equal negative and positive outcomes? As they say, that’s why the C-Suite gets paid the big money. And because the C-Suite wants to keep making the big money, they want their in-house lawyers helping spot and manage risk with the goal of helping the business get to positive outcomes.
3. Types of risk – Legal. As in-house counsel I made it simple for myself and categorized risk as either “Legal” or “Strategic.” Legal Risks are things lawyers are very familiar with, including such broad categories as:
- Compliance risk
- Litigation risk
- Regulatory risk
- Security risk (e.g., is the physical plant a “safe” work place)
- Information risk (e.g., data breach, theft of trade secrets)
4. Types of risk – Strategic. Strategic Risks are things that the business leaders tend to focus on that are critical to the survival of the business, such as:
- Financial risk
- Marketplace risk (e.g., competitors, disruptive technology/business model risk)
- Succession risk (e.g., sudden death or departure of a CEO)
- Major political uncertainty risk (e.g., a political coup, currency devaluation)
- Natural disaster risk (e.g., pandemic, earthquake, flood)
5. Overlapping “risk.” The lists above are not exhaustive and my two categories of risk are not mutually exclusive. In fact, they often overlap:
For example, the bank/financial markets meltdown in 2008 in the U.S. (and elsewhere) included both Strategic Risks (severe financial problems for most companies, governments teetering on default) and Legal Risks (regulatory and litigation problems for many companies tied to financial problems). Similarly, in the U.S., there is a constant battle in Washington over H1-B visas (i.e., visas given to highly-skilled foreign workers so they can fill jobs U.S. employers have difficulty filling from the domestic work force). Companies may have a Strategic Risk in that if they cannot find enough qualified employees with the right skills to perform critical jobs, the business will be negatively impacted. The company also has a Legal Risk in that regulations limit the number of H1-B visas and the cap number fluctuates year to year, typically running out in the first or second calendar quarter. Thus, companies must promptly begin the legal process of applying for H1-B visas or risk getting shut out. The most valuable in-house lawyers see the company’s Strategic and Legal risk, how they interconnect, and advises the company on what to do next (e.g., lobby the U.S. government to add to the number of available visas, a process to ensure applicants are qualified for H1-B visas). Lastly, on a global front, the impact of the “Brexit” and the United Kingdom leaving the European Union is fraught with both Legal Risk and Strategic Risk for companies. The smart in-house lawyers are already planning on how to deal with the fallout.
6. Spotting risk. Risk is everywhere. While the company wants you to spot every risk, doing so is impossible. In order to make it manageable, you need to know what types of risk are most important to the company and where to look to get information about those risks. Here are three things to do:
- First, you need to either create or become part of a team that spots risk and/or determines what types of risk are important to measure. Many companies have an enterprise risk management department. If so, this is the group you want to insert yourself into in some manner, i.e., as a member, partner, subject matter expert. If not, you may need to organize a group yourself. This would include Internal Audit, Finance, Legal, Information Security, and members of the primary lines of business. The goal of this risk team, however constituted, is to regularly identify and consider the company’s key strategic, operational, and legal risks. This group will need to evaluate the company’s opportunities and threats across all businesses and staff group functions. And this team will need to constantly update its work product to account for changes in facts, circumstances, or law.
- Second, keep your eyes and ears open in meetings: Board meetings, C-Suite meetings, “Town Hall” meetings, strategy planning meetings, staff group meetings, etc. There is an amazing amount of information flowing at these types of meetings. As different topics are introduced, quickly run through these questions:
- Is this something a regulator might be interested in?
- Is this something that could make customers or vendors upset or bring on litigation?
- Is this something that if it became public or goes “badly” could damage the reputation of the company?
- Is this something covered by specific laws and does it comply?
- Is this something you have seen other companies (competitors, etc.) have problems with?
- Is this something that could severely injure someone (e.g., a safety or environmental mishap)?
This is not an exhaustive list, but it is a “good enough” list that if you hit on any of these, it tells you to do some more digging about the risks associated with the project or idea. You can also use this same list (or any list you care to create) as you read documents or emails discussing the company’s business or when you read or watch third party information sources (newspapers, television, magazines). As in-house counsel you should be constantly on the lookout for risk. A list of questions like these give you a tool to use as you do so.
- Third, create a simple “alarm” system to tell you if something bad might be coming your way. Set up an alert in each of the main Internet search engines: Google, Yahoo!, and Bing. Use the name of your company (or any of its subsidiaries) when setting up the alert. You can also add specific topics if helpful. Anytime the search engine finds an article containing the name(s) or terms in the alert, you will get an email with a link to the article. You can also monitor social media regarding your company’s brand. Here is an article that lists a number of ways to do this for free. Most of what you get back from these tools can be quickly discarded but every once in a while you’ll find something that requires more attention.
7. Evaluating risk. In order to evaluate risk and potential outcomes, you need to understand three things:
- The company’s business goals and strategy.
- The company’s level of risk tolerance, i.e., how much risk will the company accept?
- The right questions to ask.
The company’s business goals and strategy (short and long term) should be easily available to you and the risk team mentioned above. Again, as an in-house lawyer you need to fully understand how your company operates in order to understand its goals and strategies. Educate yourself – and help others in the legal department educate themselves as well. Once you know the goals and strategy, you can be on the lookout for developments that could impact either one (negatively or positively).
The company’s level of risk tolerance comes primarily from the board of directors and the C-Suite (or in small businesses directly from the owner(s)). Some companies are very conservative, some not so much. Company policies (e.g., business ethics) also set the bar on risk tolerance. Additionally, Internal Audit and the individual business units/staff groups (including members of the Compliance Department and the legal department) can and should weigh in on acceptable risks. The most straight forward method of getting this information is to ask the right people, e.g., interviews, surveys, workshop, offsite, etc.
When you ask the right people, it is fundamentally important that you also ask the “right” questions. By this I mean finding a way to go beyond discussing historical failures or problems and, instead, attempting to peer into the future and spot new or different types of risk. For this, you and the risk team need to be able to explain to those you are interviewing what you are trying to accomplish with respect to gathering information about risks. If you don’t, and just ask them to “set out any risks you see for the company next year?” you will probably get a recitation tied to past failures, but get little about new potential risk arising from future problems. Regardless, think about the things you need to know from your source, including:
- What type of risk is it?
- Under what scenarios would the risk arise/happen?
- What is the likelihood of the risk occurring?
- Can third parties cause the risk to the company?
- What type of harm can arise from the risk?
- What is the best case, worst case, most likely case for the company in terms of harm?
- What are the ways we can deal with the risk to minimize bad outcomes and maximize good outcomes?
- Contractual terms?
- Operational controls?
- Take a “bigger” risk?
- Preparation for the risk?
- Are there benchmarks or standards we can use to measure against?
- How can we best monitor the risk/what are the trigger points?
You will likely/should come up with your own tailored list of questions for your company, but the above list covers a wide swath of what you need to know.
8. Estimating risk. Once you have spotted and analyzed risk, you will likely want to estimate the “cost” or “value” of the risk, depending on whether the risk is negative or positive in nature. There is a relatively simple and standard formula for this:
Risk Value = Probability of Event x Cost/Value of Event if it Occurs
For example, you are faced with a large breach of contract claim. While the dollar value claimed is high ($1M), you estimate the probability of losing to be low (25%). The Risk Value is then: .25 (probability) x $1M (cost) = $250,000. On the positive side, if you have a merger worth $25M in incremental operating income every year if consummated and you think the odds that regulators approve the merger is high (80%), the Risk Value is: .80 (probability) x $25M (value to company) = $20M. An additional tool for estimating risk is a Risk Impact/Probability Chart mentioned in the “resources” section below. And remember, business people love math vs. gut-instinct (even if they are essentially the same thing in many cases).
9. Reporting risk. You need to report risk to the business. This will occur in one of two ways:
- A formal risk assessment report (usually prepared by the risk team), or
- An ad hoc report (made when necessary).
The formal report will likely go to the board of directors/audit committee and the C-Suite. It will be written and follow a fairly rigid process and established format. An ad hoc report may be an email to the general counsel, a memo to the CEO, or an off-the-cuff discussion during a meeting. Regardless of the way the risk is reported, you need to ultimately cover five things: 1) what the risk is; 2) the likelihood of the risk occurring; 3) the range of outcomes the company could face; 4) the options the company has for dealing with the range of outcomes; and 5) a recommendation about which option the company should choose and why.
If you are reporting the risk in writing, be sure to take the necessary steps to preserve any privilege that might apply. If you fail to do so, understand that any writing (email, report, presentation, etc.) may have to be turned over to the other side in the event of a government investigation or civil litigation. This means you need to spend time with the non-lawyers helping them learn to write smart and to know when to appropriately involve the legal department so as to preserve any privilege. Both are important because poorly drafted or thought out documents discussing risk could be as harmful to the company as the worst risks they describe. Keep in mind that if you work for a publicly traded company than you will need to identify material risks to the business in the “risk factors” section of your public filings.
10. Resources. Here are several resources you can use to help you spot, analyze and manage risk:
- Institute of Risk Management
- Risk Management Society
- Risk Factor Disclosures For Publicly Traded Companies
- Risk and Compliance Magazine (free e-magazine)
- Risk Impact/Probability Chart
- Risk Management Magazine (free online)
- Harvard Business Review – Risk Management
- Wall Street Journal – Risk and Compliance Journal (subscription needed)
You will not spot every risk your company faces and that’s okay. But you need to have a plan in place to catch the most important ones. The above sets out some simple ideas and processes to help in-house counsel spot and evaluate risk. A lot of it you probably already know or intuitively understand based on your legal training (though thinking about risk as potentially “positive” can be new). The challenge is translating your understanding and knowledge of risk into something the business values and can use to maximize the success of the company, and therefore the interests of the shareholders, customers, and employees. Being able to spot and communicate risk (and solutions/options) is a core skill you need to develop on the way to becoming general counsel. The key takeaways here today are: 1) be constantly alert for risks to your company; 2) don’t just report risk, be prepared to discuss the potential outcomes and options for the company; and 3) don’t create additional “bad” risk by not putting a lot of thought into writing documents discussing/analyzing risk (or failing to teach your fellow employees doing the same how to draft smart documents).
June 28, 2016
(If you find this blog useful, please click “follow” in the top right so you get all new posts automatically, pass it along to colleagues or friends, and “Tweet” it. “Ten Things” is not legal advice or legal opinion. It is intended to provide practical tips and references to the busy in-house practitioner and other readers. You can find this blog and all past posts at www.TenThings.net. If you have questions or comments, please contact me at either firstname.lastname@example.org or email@example.com).
My first book, “The Evolution of Professional Football,” is available for sale on Amazon and at www.SterlingMillerBooks.com.