{"id":38,"date":"2013-10-11T11:13:23","date_gmt":"2013-10-11T17:13:23","guid":{"rendered":"http:\/\/ericlambert.net\/blog\/?p=38"},"modified":"2013-10-11T11:13:23","modified_gmt":"2013-10-11T17:13:23","slug":"risk-management-101","status":"publish","type":"post","link":"https:\/\/ericlambert.net\/blog\/2013\/10\/11\/risk-management-101\/","title":{"rendered":"Risk Management 101"},"content":{"rendered":"<p>Risk management is, whether actively or passively, an ongoing process at all levels of an organization, one that can lead a company down the path to prosperity or ruin.\u00a0 Any time someone asks, out loud or to themselves, \u201cWhat if\u2026,\u201d \u201cThat could mean\u2026,\u201d \u201cThat might cause\u2026,\u201d \u201cHave we considered\u2026,\u201d or the like, they\u2019re engaging in risk management.\u00a0 Attorneys, whether in-house or in private practice, practice risk management in their daily activities \u2013 the core of our job is to facilitate our client\u2019s business objectives while managing legal risk (attorneys are often viewed as the \u201cde facto\u201d risk management group within an organization).\u00a0 Moreover, <span style=\"text-decoration: underline;\">effectively<\/span> managing risks can be a lot more difficult in practice than it sounds in theory. 
Fostering a culture throughout an organization that embraces, rather than shies away from, risk management (understanding what potential risks are, being able to identify them, knowing who should make risk management decisions, and making reasoned decisions) is critical to the success of any company.<\/p>\n<p>At its core, \u201crisk management\u201d in the business and legal context can be defined as \u201c<b>the process of identifying, analyzing, and determining how to handle risks that may result from a proposed course of action or inaction.<\/b>\u201d\u00a0 In other words, it\u2019s the process of weighing both the positive and negative consequences from any particular course of action in making business and legal decisions. I use the following in my business discussions to summarize the importance of good risk management practices:\u00a0 \u201c<i>It\u2019s much easier to stop a snowball from rolling the wrong way while it\u2019s still at the top of the hill<\/i>.\u201d<\/p>\n<p>There are four core parts of risk management \u2013 (1) understanding what \u201crisks\u201d need to be managed, (2) identifying manageable risks during day-to-day business activities, (3) determining who makes risk management decisions, and (4) making risk management decisions.\u00a0 I\u2019ll save a detailed analysis of each for a broader article, but provide an overview and some basic guidance here.<\/p>\n<p><i>Understanding the risk.<\/i>\u00a0 Risk management isn\u2019t \u201cavoiding all risk\u201d \u2013 risk is an important part of business.\u00a0 (There is an old AIG slogan \u2013 \u201cthe greatest risk is not taking one.\u201d)\u00a0 The trick is to manage risk to a level <b>acceptable to the company<\/b>.\u00a0 Every company has a different tolerance for risk \u2013 e.g., start-ups may be willing to take more risk than a well-established company. 
Understanding what risks must be managed and an appropriate risk tolerance level is something that senior management (with the advice and guidance of internal or external attorneys) must determine, and must re-evaluate over time as the company grows and changes. The main types of risks that companies face on a day-to-day basis are (1) revenue risks (getting the business versus lost opportunity); (2) precedent-setting risks (the slippery slope); (3) legal risks; and (4) operational risks (writing checks the company can\u2019t cash).<\/p>\n<p><i>Identifying the risk.<\/i>\u00a0 If you remember anything after reading this, let it be this \u2013 <b><i>you can\u2019t make a risk management decision if you can\u2019t identify and escalate the risk that needs to be managed<\/i><\/b>.\u00a0 Many companies are equipped to manage risks, but don\u2019t have good processes or training on how to spot them in the first place.\u00a0 Company personnel \u2013 whether attorneys, sales team members, business owners, or any other employee, contractor, or advisor \u2013 must learn to spot risks associated with a proposed or ongoing course of action or inaction and escalate them internally (e.g., to their manager, to a designated risk management officer or team, etc.).\u00a0 Managers should be responsible for educating their teams on spotting and escalating risks, and this should be a core component of any corporate-wide risk management training.<\/p>\n<p><i>Approving the risk.<\/i>\u00a0 Once a risk has been identified, the next step is to determine the right approver of a risk management decision.\u00a0 One of the hardest aspects of an effective risk management culture is getting someone to make a risk management decision, which is why an effective risk management approval structure is essential.\u00a0 Everyone is willing to take credit for a good risk management decision \u2013 no one wants to take the blame if the risk exposure actually happens.\u00a0 If people fear they\u2019ll be 
\u201cthrown under the bus\u201d for bad risk management decisions (whether that person is the presenter or the approver), establishing a robust risk management culture is not going to succeed.\u00a0 Companies should consider assigning roles for approval of certain risks, discouraging\/punishing individuals who do not follow the proper approval process, keeping good records of risk management approvals, and ensuring that individuals who make informed, well-analyzed risk management decisions aren\u2019t thrown under the bus if the risk exposure ultimately occurs. (If proper risk management practices are followed, the realization of a risk exposure should not result in a \u201cwitch hunt\u201d to find someone to blame, but should result in a re-analysis of the risk management decision to see if other \u201chindsight\u201d data points would have affected the risk management decision and determine if changes to the risk profile of the company and\/or risk management practices are appropriate.)<\/p>\n<p><i>Making the risk management decision<\/i>.\u00a0 There are four things a company can do with an identified risk \u2013 <b><span style=\"text-decoration: underline;\">avoid it<\/span><\/b> (don\u2019t take the proposed course of action or inaction); <b><span style=\"text-decoration: underline;\">mitigate it<\/span><\/b> (implement new processes, obtain insurance, or take some other action to control the risk exposure); <b><span style=\"text-decoration: underline;\">shift it<\/span><\/b> (make another party responsible for the risk exposure, e.g., through a contractual indemnity and hold harmless); or <b><span style=\"text-decoration: underline;\">accept it<\/span><\/b> (proceed with the action or inaction knowing what might happen). 
\u00a0Each of these is a completely valid risk management decision, and they can be used individually or in combination once the identified risk has been evaluated (i.e., both the benefits and risks of a particular course of action or inaction should be presented to the appropriate decision-maker). \u00a0There are only two \u201cbad\u201d risk management choices \u2013 (1) accepting the risk because of a perceived need on the part of the business to \u201cact quickly\u201d and not take the necessary time to evaluate and manage the risk, and (2) accepting the risk because the risk was never identified in the first place.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Risk management is, whether actively or passively, an ongoing process at all levels of an organization, one that can lead a company down the path to prosperity or ruin.\u00a0 Any time someone asks, out loud or to themselves, \u201cWhat if\u2026,\u201d &hellip; <a href=\"https:\/\/ericlambert.net\/blog\/2013\/10\/11\/risk-management-101\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,8,9],"tags":[],"class_list":["post-38","post","type-post","status-publish","format-standard","hentry","category-legal","category-nonlegal","category-otherlegal"],"_links":{"self":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/38","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/comments?post=38"}],"version-history":[{"count":0,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/38\/revisions"}],"wp:attachment":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/media?parent=38"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/categories?post=38"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/tags?post=38"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}