{"id":275,"date":"2015-10-12T11:50:45","date_gmt":"2015-10-12T17:50:45","guid":{"rendered":"http:\/\/ericlambert.net\/blog\/?p=275"},"modified":"2015-10-12T11:50:45","modified_gmt":"2015-10-12T17:50:45","slug":"revisiting-risk-management","status":"publish","type":"post","link":"https:\/\/ericlambert.net\/blog\/2015\/10\/12\/revisiting-risk-management\/","title":{"rendered":"Revisiting Risk Management"},"content":{"rendered":"<p>A couple of years ago, <a href=\"http:\/\/ericlambert.net\/blog\/risk-management-101\/\" target=\"_blank\" rel=\"noopener\">I wrote an article on &#8220;Risk Management 101.&#8221; <\/a>\u00a0Risk management is not the same as risk avoidance &#8212; taking risk is an important driver of business growth. As an attorney, it&#8217;s important to recognize\u00a0that &#8220;zealously representing your client&#8221; is not the same thing as insulating your client from risk. \u00a0Risk in business is like risk in investing;\u00a0you have to be willing to take a loss if you want to achieve solid growth, and your appetite for risk determines how much risk you&#8217;re willing to take. \u00a0Any risk management decision is a decision on\u00a0<span style=\"text-decoration: underline;\">whether or not to proceed with a particular course of action (or inaction) given the balance between the potential benefits and the potential risks<\/span>. \u00a0Given the importance of risk management, I thought it was time to revisit the topic.<\/p>\n<p><em>What to do with business risk.<\/em>\u00a0Once you&#8217;ve identified a business risk, there are <span style=\"text-decoration: underline;\">four things<\/span> you can do with it:<\/p>\n<ul>\n<li><strong>Mitigate it\u00a0<\/strong>by following or implementing\u00a0technical, administrative or procedural steps or safeguards, or best practices, to reduce\u00a0your company&#8217;s exposure to the risk;<\/li>\n<li><strong>Shift it<\/strong> by making\u00a0another party responsible for the risk exposure\u00a0through contract terms\u00a0(e.g., representations and indemnification, liquidated damages, etc., requirements to be named as an\u00a0additional insured or loss payee under the other party&#8217;s insurance), or through\u00a0obtaining your own insurance;<\/li>\n<li><strong>Reject it\u00a0<\/strong>by walking away from the proposed course of action or inaction that causes the business risk; or<\/li>\n<li><strong>Accept it<\/strong>\u00a0by proceeding with the\u00a0proposed course of action or inaction knowing it could cause an exposure based on the business risk.<\/li>\n<\/ul>\n<p>When faced with a business risk that calls for a risk management decision, you\u00a0should <span style=\"text-decoration: underline;\">first reduce the risk, then decide what to do with\u00a0the remaining\u00a0risk<\/span>.<\/p>\n<ul>\n<li>To <strong>reduce the risk<\/strong>, the attorney will partner with\u00a0his or her business counterparts to <span style=\"text-decoration: underline;\">mitigate and shift as much of the risk as possible<\/span>. \u00a0For example, the attorney will work with business owners to determine if there are procedures in place to control the risk, or whether procedures could be put in place to help control the risk. \u00a0The attorney will work with the company&#8217;s insurance group to see if its insurance will cover the risk. \u00a0If the risk is arising in the context of a contract, the attorney will work to incorporate risk shifting provisions into the agreement to control the risk. \u00a0The goal is to reduce the risk as much as possible, but be mindful that there can be an ROI impact here. \u00a0If mitigating a risk through new processes, new insurance premiums, etc. increases the cost to the business, the overall costs from taking the course of action is impacted.<\/li>\n<li>Once the risk has been reduced, a decision has to be made to\u00a0<strong>accept or reject the remaining risk<\/strong>. \u00a0Unless the risk relates to a violation of law, the attorney will turn to the business decision-maker to call the ball. \u00a0When presenting a risk decision to the decision-maker, (1) describe\u00a0the business\u00a0risk; (2) explain what risk mitigation steps will be implemented or taken; (3) explain the potential\u00a0costs\u00a0related to the remaining risk (both tangible, e.g., cost, and intangible, e.g., impact to the business), and the benefits of the course of action; and (4)\u00a0<span style=\"text-decoration: underline;\">let the business decision-maker call the ball<\/span>. \u00a0\u00a0This way, the business decision-maker can make an <strong>informed business risk decision<\/strong>. \u00a0The amount of detail you go into is often driven by the speed at which the decision needs to be made. \u00a0If\u00a0a decision must be made quickly,\u00a0you may\u00a0not have the time to explore risk mitigation steps first,\u00a0in which case you can describe the mitigation steps that could\u00a0be taken. Consider your audience &#8212; be as concise as possible in describing the costs and benefits\u00a0to management. \u00a0Make sure the person that is approving or rejecting the risk has the authority to do so within the organization. Lastly, the attorney and business person should ensure that the risk management decision is documented in case an issue arises later on.<\/li>\n<\/ul>\n<p><em>What to do if a risk exposure occurs<\/em>. While the initial instinct when something bad happens is to assess blame, an authorized decision-maker\u00a0who makes a well-informed business risk decision should not be &#8220;thrown under the bus&#8221; if the risk exposure ultimately occurs. If proper risk management procedures are followed, the exposure should result in a review of the risk management decision to see if other &#8220;hindsight&#8221; data points would have impacted\u00a0the risk management decision if known at the time, and determine if changes to the decision-making process or the company&#8217;s risk profile are appropriate on a go-forward basis. \u00a0Risk exposures will happen in business. If a decision-maker\u00a0is disciplined (or worse) in the event of an exposure just for making the business risk decision, even if the benefits far outweighed the potential risks at the time the decision was made, the company will send the message that good risk management practices don&#8217;t matter to management. \u00a0Reward those who follow good\u00a0risk management practices.<\/p>\n<p>Accepting a business risk is the same thing as electing to self-insure against the risk. If you don&#8217;t identify and manage a risk, your business is accepting the entire risk without any mitigation steps. \u00a0For small risks, this usually doesn&#8217;t cause a problem. \u00a0For bigger risks, this can be catastrophic. \u00a0Understanding, implementing, and fostering\u00a0solid\u00a0risk mitigation practices at your company\u00a0can make all the difference.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A couple of years ago, I wrote an article on &#8220;Risk Management 101.&#8221; \u00a0Risk management is not the same as risk avoidance &#8212; taking risk is an important driver of business growth. As an attorney, it&#8217;s important to recognize\u00a0that &#8220;zealously &hellip; <a href=\"https:\/\/ericlambert.net\/blog\/2015\/10\/12\/revisiting-risk-management\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,4,9],"tags":[157],"class_list":["post-275","post","type-post","status-publish","format-standard","hentry","category-contracts","category-legal","category-otherlegal","tag-risk-management"],"_links":{"self":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/comments?post=275"}],"version-history":[{"count":0,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/275\/revisions"}],"wp:attachment":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/media?parent=275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/categories?post=275"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/tags?post=275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}