Risk management is, whether actively or passively, an ongoing process at all levels of an organization, one that can lead a company down the path to prosperity or ruin. Any time someone asks, out loud or to themselves, “What if…,” “That could mean…,” “That might cause…,” “Have we considered…,” or the like, they’re engaging in risk management. Attorneys, whether in-house or in private practice, practice risk management in their daily activities – the core of our job is to facilitate our client’s business objectives while managing legal risk (attorneys are often viewed as the “de facto” risk management group within an organization). That said, effectively managing risks can be a lot more difficult in practice than it sounds in theory. Fostering a culture throughout an organization that embraces, rather than shies away from, risk management (understanding what potential risks are, being able to identify them, knowing who should make risk management decisions, and making reasoned decisions) is critical to the success of any company.
At its core, “risk management” in the business and legal context can be defined as “the process of identifying, analyzing, and determining how to handle risks that may result from a proposed course of action or inaction.” In other words, it’s the process of weighing both the positive and negative consequences from any particular course of action in making business and legal decisions. I use the following in my business discussions to summarize the importance of good risk management practices: “It’s much easier to stop a snowball from rolling the wrong way while it’s still at the top of the hill.”
There are four core parts of risk management – (1) understanding what “risks” need to be managed, (2) identifying manageable risks during day-to-day business activities, (3) determining who makes risk management decisions, and (4) making risk management decisions. I’ll save a detailed analysis of each for a broader article, but provide an overview and some basic guidance here.
Understanding the risk. Risk management isn’t “avoiding all risk” – risk is an important part of business. (There is an old AIG slogan – “the greatest risk is not taking one.”) The trick is to manage risk to a level acceptable to the company. Every company has a different tolerance for risk – e.g., start-ups may be willing to take more risk than a well-established company. Understanding what risks must be managed and an appropriate risk tolerance level is something that senior management (with the advice and guidance of internal or external attorneys) must determine, and must re-evaluate over time as the company grows and changes. The main types of risks that companies face on a day-to-day basis are (1) revenue risks (getting the business versus lost opportunity); (2) precedent-setting risks (the slippery slope); (3) legal risks; and (4) operational risks (writing checks the company can’t cash).
Identifying the risk. If you remember anything after reading this, let it be this – you can’t make a risk management decision if you can’t identify and escalate the risk that needs to be managed. Many companies are equipped to manage a risk, but don’t have good processes or training on how to spot them in the first place. Company personnel – whether attorneys, sales team members, business owners, or any other employee, contractor, or advisor – must learn to spot risks associated with a proposed or ongoing course of action or inaction and escalate them internally (e.g., to their manager, to a designated risk management officer or team, etc.). Managers should be responsible for educating their teams on spotting and escalating risks, and this should be a core component of any corporate-wide risk management training.
Approving the risk. Once a risk has been identified, the next step is to determine the right approver of a risk management decision. One of the hardest aspects of an effective risk management culture is getting someone to make a risk management decision, which is why effective risk management approval structure is essential. Everyone is willing to take credit for a good risk management decision – no one wants to take the blame if the risk exposure actually happens. If people fear they’ll be “thrown under the bus” for bad risk management decisions (whether that person is the presenter or the approver), establishing a robust risk management culture is not going to succeed. Companies should consider assigning roles for approval of certain risks, discouraging/punishing individuals who do not follow the proper approval process, keeping good records of risk management approvals, and ensuring that individuals who make informed, well-analyzed risk management decisions aren’t thrown under the bus if the risk exposure ultimately occurs. (If proper risk management practices are followed, the realization of a risk exposure should not result in a “witch hunt” to find someone to blame, but should result in a re-analysis of the risk management decision to see if other “hindsight” data points would have affected the risk management decision and determine if changes to the risk profile of the company and/or risk management practices are appropriate.)
Making the risk management decision. There are four things a company can do with an identified risk – avoid it (don’t take the proposed course of action or inaction); mitigate it (implement new processes, obtain insurance, or take some other action to control the risk exposure); shift it (make another party responsible for the risk exposure, e.g., through a contractual indemnity and hold harmless); or accept it (proceed with the action or inaction knowing what might happen). Each of these is a completely valid risk management decision, and they can be used individually or in combination once the identified risk has been evaluated (i.e., both the benefits and risks of a particular course of action or inaction should be presented to the appropriate decision-maker). There are only two “bad” risk management choices – (1) accepting the risk because of a perceived need on the part of the business to “act quickly” and not take the necessary time to evaluate and manage the risk, and (2) accepting the risk because the risk was never identified in the first place.