A couple of years ago, I wrote an article on “Risk Management 101.” Risk management is not the same as risk avoidance — taking risk is an important driver of business growth. As an attorney, it’s important to recognize that “zealously representing your client” is not the same thing as insulating your client from risk. Risk in business is like risk in investing; you have to be willing to take a loss if you want to achieve solid growth, and your appetite for risk determines how much risk you’re willing to take. Any risk management decision is a decision on whether or not to proceed with a particular course of action (or inaction) given the balance between the potential benefits and the potential risks. Given the importance of risk management, I thought it was time to revisit the topic.
What to do with business risk. Once you’ve identified a business risk, there are four things you can do with it:
- Mitigate it by following or implementing technical, administrative or procedural steps or safeguards, or best practices, to reduce your company’s exposure to the risk;
- Shift it by making another party responsible for the risk exposure through contract terms (e.g., representations and indemnification, liquidated damages, requirements to be named as an additional insured or loss payee under the other party’s insurance, etc.), or through obtaining your own insurance;
- Reject it by walking away from the proposed course of action or inaction that causes the business risk; or
- Accept it by proceeding with the proposed course of action or inaction knowing it could cause an exposure based on the business risk.
When faced with a business risk that calls for a risk management decision, you should first reduce the risk, then decide what to do with the remaining risk.
- To reduce the risk, the attorney will partner with his or her business counterparts to mitigate and shift as much of the risk as possible. For example, the attorney will work with business owners to determine if there are procedures in place to control the risk, or whether procedures could be put in place to help control the risk. The attorney will work with the company’s insurance group to see if its insurance will cover the risk. If the risk is arising in the context of a contract, the attorney will work to incorporate risk-shifting provisions into the agreement to control the risk. The goal is to reduce the risk as much as possible, but be mindful that there can be an ROI impact here. If mitigating a risk through new processes, new insurance premiums, etc. increases the cost to the business, the overall cost of taking the course of action is impacted.
- Once the risk has been reduced, a decision has to be made to accept or reject the remaining risk. Unless the risk relates to a violation of law, the attorney will turn to the business decision-maker to call the ball. When presenting a risk decision to the decision-maker, (1) describe the business risk; (2) explain what risk mitigation steps will be implemented or taken; (3) explain the potential costs related to the remaining risk (both tangible, e.g., cost, and intangible, e.g., impact to the business), and the benefits of the course of action; and (4) let the business decision-maker call the ball. This way, the business decision-maker can make an informed business risk decision. The amount of detail you go into is often driven by the speed at which the decision needs to be made. If a decision must be made quickly, you may not have the time to explore risk mitigation steps first, in which case you can describe the mitigation steps that could be taken. Consider your audience — be as concise as possible in describing the costs and benefits to management. Make sure the person that is approving or rejecting the risk has the authority to do so within the organization. Lastly, the attorney and business person should ensure that the risk management decision is documented in case an issue arises later on.
What to do if a risk exposure occurs. While the initial instinct when something bad happens is to assess blame, an authorized decision-maker who makes a well-informed business risk decision should not be “thrown under the bus” if the risk exposure ultimately occurs. If proper risk management procedures are followed, the exposure should result in a review of the risk management decision to see if other “hindsight” data points would have impacted the risk management decision if known at the time, and determine if changes to the decision-making process or the company’s risk profile are appropriate on a go-forward basis. Risk exposures will happen in business. If a decision-maker is disciplined (or worse) in the event of an exposure just for making the business risk decision, even if the benefits far outweighed the potential risks at the time the decision was made, the company will send the message that good risk management practices don’t matter to management. Reward those who follow good risk management practices.
Accepting a business risk is the same thing as electing to self-insure against the risk. If you don’t identify and manage a risk, your business is accepting the entire risk without any mitigation steps. For small risks, this usually doesn’t cause a problem. For bigger risks, this can be catastrophic. Understanding, implementing, and fostering solid risk mitigation practices at your company can make all the difference.