Recently, I celebrated Father's Day on the beach! I am close to retirement and have just re-located from Seoul to Busan. Actually to Gwangali Beach in Busan to be precise. The sun is out and the weather very nice. A great time to be at the beach. The beach is crowded today so I am enjoying the beach from a nearby coffee shop. But tomorrow is a week day and I assume the beach wont be that busy. A nice part of retirement is the fact you no longer have to worry about time. I can always enjoy the beach on a weekday instead of just the weekend. I look forward to enjoying my time, not having to worry about deadlines.
Soon I will join the ranks of retired workers. My career as a lawyer will more or less be over unless my consulting business takes off. It will be time to reflect on my career, visit my kids and grandkids in the US and spend more time with my lovely wife…..of course she has her own business to run so perhaps she wont have much time to spend with me right now. My wife asked me the other day what I thought of the fact I will retire soon. My legal career ends after 40 plus years. My career- primarily with Korean companies comes to a close. I think all of us in the professional space expect to leave our respective professions a little better off when we retire. We hope that we have mentored enough younger professionals to make a difference. At least that is what I hope for as a lawyer, in-house counsel and law professor. Many of us think perhaps that we can last forever and that we should stay in the game until we die. I however don’t. I hope to pass on my knowledge in some form or fashion, but for many of us who built our careers in-house, retirement at 65 is the most likely scenario.
Looking back, I think one of life’s lessons is not to get caught up in the small stuff. Enjoy the moment if you can. Don’t get too stressed out…after all our time is limited. Enjoy the people and things around you. The office will always be there. Work will always be there, whether you feel like working or not. Some people live for work, but I would rather work to live. Time is what we only have so why waste it if we can avoid it. Sure, everyone wants to start a business and see it grow. But is growing a business the only measure of success? Is working 80 hours a week for a company or someone else's business worth it? These are questions you should ask yourself.
A number of my friends and colleagues have told me they envy the fact I am retiring. Some of them are very successful and could probably retire if they wanted too. But some of them have gotten caught up in the work till you drop mentality. Obviously, to some of them having a successful law practice or successful business is the definition of success. Some of them may have forgotten how to have fun have forgotten how to enjoy themselves. Some may only equate success with work. But is that true?
I may or may not decide to work part time or have a part time consulting business in the future. It will be on my own terms though. But right now I am content to think about retirement while sipping a glass of ice tea.
Of all the risks facing companies in today’s business world, reputational risk is one of the most serious. Reputational risk can not only damage a company’s brand, but can even lead to the demise of the company. It is of primary importance to executives, in-house counsel and risk managers in many multinational companies and is seen as one of the top risks a company may face. In fact, in Aon’s 2019 t Global Risk Management Survey, it is one of the top risks that are of concern to companies. Deloitte surveyed companies as well and found out that the majority of companies it surveyed rated reputational risk as more important than strategic risk. Many of those surveyed acknowledged they had suffered a brand risk or reputational risk event that resulted in a loss of brand value or a loss of earnings.
Damages caused by reputational or brand risk events are not tied to just domestic related issues. Approximately half of the executives that Kroll polled for its recent Global Fraud Report opined that their companies are at risk of vendor, supplier, or procurement fraud tied to overseas expansion. Many of those surveyed felt their companies were highly or moderately vulnerable to corruption and bribery risks which can of course lead to reputational risk or loss of brand as well as FCPA investigations and fines. According to the respondents in the Kroll Global Fraud Report, ethics and integrity (or lack thereof) was the major cause of reputational risk.
The reputational risk caused by supply chain issues can escalate out of control unless properly managed. Loss of brand value can happen quickly if a fraudulent event becomes public or if a bribery scandal is publicized in the media. Just look at the some of the crisis that happened over the last decade. Many people have been affected (some have died) because of the crises or mega-crises that have happened. Many of them also included reputational risks as well. Examples include:
The financial and housing collapse and major recession of 2008
Toyota implicated in recalls because of brake issues
Major Banks having their credit card customers’ names stolen by computer hackers
Volkswagen was implicated in a pollution emissions scandal
Target’s customers had personal data stolen due to lax security systems. Over 40 million
Credit and debit card customers effected
Sony Pictures- Sony as well as its employees had confidential information stolen
As you can see from the examples above, there are numerous kinds of crises that a company should be prepared to handle, especially in an international context. Among them are financial crises, natural disasters including pandemics, product failures, workplace violence, cyber-attack, or hacking, and, of course, terrorism. However, most if not all have resulted in serious reputational crisis which also led to legal risk.
It is undisputable that a major crisis can pose serious threats to a company, and, therefore, the crisis must be managed. Crises can result in (a) government fines, (b) loss of retailer confidence, (c) loss of investor confidence, (d) loss of employee confidence, and (e) massive litigation, including class actions. In other words, the end of the company! Crises also result in reputational risks or damage to the company’s brand which may have a greater effect on the company’s bottom line than the damage caused by the original crisis itself.
The problem facing any risk manager or in-house counsel is that the media in today’s society has become very anti-business. As this anti-business culture of attack has gotten worse over the last twenty years, a crisis can no longer be handled by a simple PR or marketing statement. A full-fledged crisis management operation must be put in place. Damage control is now a very serious matter for any potential crisis, no matter how small. Today, more and more companies have to consider issues that negatively affect the company’s brand and how best to counteract them.
Key considerations when considering potential brand or reputational risk caused by ethical or fraudulent behavior within the company or within the company’s supply chain:
-Compliance- does the Company have a compliance program and is it up to date?
-Compliance- does the Compliance program and code of conduct promote an ethical culture within the company?
-Supply Chain- has the Company’s vendors involved in the supply chain been vetted? Do they follow the Company’s code of conduct? Do they have compliance programs?
-Are there sound corporate governance and control processes in place?
Major considerations for handling brand risk once a crisis has started includes:
-Is there a Crisis Management Plan in place to handle brand risk once a crisis starts?
-Does the Company have an effective internal investigation process in place that may shorten the time taken to discover internal risks and mitigate reputational harm?
-Have the appropriate decision makers been trained to handle PR and media issues once a crisis has occurred?
-Does the Company have appropriate 3rd party consultants, including risk management companies and media crisis companies in place to help mitigate reputational/brand risk once a crisis event takes place?
-Does the Company have an appropriate international Crisis Management Plan in place in case the crisis is international in scope?
Companies must realize that there are many risks associated with doing business internationally as well as domestically. Brand or reputational risk is very serious and can lead to the loss of money or even the destruction of a company unless the right steps to mitigate or prevent brand risk are in place. So when considering what risks should be addressed on a regular basis, remember reputational risk should be of primary importance.
Today, many in house lawyers and corporate executives still think of risk management or legal risk management as the department that manages insurance policies. Many in house lawyers as well as some corporate managers don’t believe risk management is part of their job description. However, given the globalization of business, the increased volatility of today’s business climate and the changes in social media that has increased communication tenfold, the management of risk is now part of every manager’s job description, including the in house lawyer. Risk management should be viewed as an essential part of everyday management, including Legal Risk Management or LRM. Managing a company’s risks is not only important but vital. Until recently, lawyers have been trained to think reactively- i.e. to react to a threat or risks. But given the recent changes in the global business environment, in house counsel must now learn to manage risks. Such proactive management encompasses a large area of not only pure legal risks but also business risks that could lead to legal threats and issues. In essence, an in house counsel must now learn to proactively manage risks by minimizing risk, mitigating risks, transferring risks and eliminating risks. All are in a sense a proactive response to a risk rather than a purely reactive response.
The main role of in-house counsel in corporations or legal entities is now, of course, to mitigate legal risk in connection with the sale of products or services provided by the company. In essence how the company protects its success will be based in part on its ability to manage, control, and minimize legal risk, especially in a litigious society such as the US marketplace. Legal counsel must take an active effort in developing strategies, systems, and processes that will minimize the legal risks faced by the company on a daily basis. The area of risk management for in house counsel has become so large it can now be labeled “Legal Risk Management” or LRM. What is LRM? First you must define legal risk. A good definition is:
"The probable occurrence of a future event or non-event that will have a negative impact on the company that could result in law suits, fines, investigations, crisis, reputational harm, financial harm and of course the destruction of the company’s brand or even the company."
Using this term, legal risks are in fact many. Legal risks can be operational, strategic, financial, regulatory, contractual or corporate in nature. Virtually any risk that can result in litigation, fines, investigations or pose harm to the company or organization (reputational, etc.) can be included. A number of legal risks a company may face can be associated with the following:
Corporate Responsibility Risks
Brand / Reputation Issues
R&D Development Strategy
Corporate Governance standards
Loss of Intellectual Property
Foreign exchange risks
Pension Liabilities and related laws
Fraud / Money Laundering-FCPA risks
Receivables / Credit-Insolvency risks
Inside a company risks may be placed in many categories:
• Legal and Regulatory
• Contractual breaches and damages
Legal risks and business risks intertwine to such an extent that business risk have legal impact. Therefore, in house counsel must become involved in the day to day management of business risk itself. This leads to the question of a company’s appetite for risk. For a company, as well as its in house lawyer, to properly manage risk- management has to understand what risk it is willing to take in the market place and what risk it is not willing to take. Is it willing to buy inferior parts for its product and risk the probability of a product liability lawsuit in order to make a greater profit or not? What does the Board of Directors think about risk? Has the BOD ordered a risk audit of the whole company? Is the company willing to accept more risk than it currently accepts, and if so, what is the rate of return it needs to justify the additional risk? A company may have competing objectives that result in increased risk or a decision to accept additional risk. Does the company have a business model that compares the benefits over the potential increased risk?
Not only must the in house counsel identify legal risks but he must assess the inherent likelihood and impact of the legal risk. Will the impact of the risk be very minor or could it be a major event. Once the in house counsel analyses the risks and assesses the potential impact of the risk, he can then determine how to handle the risk- such as risk mitigation, risk transference, risk avoidance and risk acceptance. The law department of a corporation can serve it well by playing a substantial role in the corporate wide management of risk by proactively managing potential legal risk instead of just reacting to it. By working with cross corporate teams to manage legal risks through corporate governance, compliance, loss control, review of HR processes or product safety concerns, a corporation’s law department increases its value to the company.
By controlling and managing legal risk, an organization is able to control its future. Without adequate Legal Risk Management (LRM) processes, a company is exposed to claims, lawsuits, fines, and investigations. It is imperative that an organization and its in house legal team understand that by controlling and managing legal risk, an organization is able to control its future. It is imperative that an organization understands the role that LRM plays in an organization and that adequate systems, processes, and procedures be implemented to minimize, control, and transfer such legal risk.
Last year Covid 19 had a major impact on the world's supply chain including Northeast Asia. To a certain degree it still does. Just after the outbreak of Covid 19, A number of airlines canceled flights to South Korea, China and other countries. Korean companies such as Samsung and LG have had to shut down production lines in some of their Korean based plants as well in order to prevent the spread of Covid 19. That in turn, caused a cascading number of economic issues to impact Korea’s economy as well as the world’s supply chain. Much of the world’s high tech based supply chain is based in Northeast Asia ( China, South Korea, Japan, etc.) and the negative effects of the corona virus can be seen everywhere. As a major supplier of memory chips, cell phones, computers, consumer electronics and home appliances, any disruption in Korea’s economy spells trouble for the rest of the world.
Until recently, for companies doing business in South Korea and other areas of Northeast Asia, the most pressing geo-political risk was the threat of war. Seoul is not far from the DMZ and any altercation between North and South Korea would have an immediate impact upon Seoul and its surrounding cities as well as Japan. However, the impact of the current virus, drives home the fact that for companies doing business in South Korea, not only do they have to think of geo-political risk in terms of war, but as health emergencies and pandemics as well. Therefore, a company contemplating potential business projects in Korea must at least on a tactical level consider the implications of geopolitical risks as well as everyday market risks such as financial, legal and operational risks.
Considering recent geo-political events, many companies need to review old risk management policies and procedures, in case updates are needed. Companies are only now beginning to realize they are not prepared to handle the escalating risks caused by the corona virus. Of course, what happens if the Covid 19 pandemic causes the world to lockdown? Many companies are not prepared for that. Some risk management processes that should be reviewed are not being considered as they are viewed as too expensive or impractical. Such is the case with political risk insurance.
Companies face many kinds of risks when engaged in offshore projects; of course geo- political risk is one of them. Witness the current issues in the US. This comes about when a government changes its policy, ideology or even itself which creates instability, disorder, war, strikes, riots, etc. Or of course health risks that effect the region.
What must be done to manage such risks? Political risk insurance comes to mind, but some forms of political risk insurance that are offered by capital –exporting nations ( such as OPIC, etc.) is subject to politically motivated conditions or motivations that may not take the needs of the investor into account. Case in point- OPIC can only operate in countries which have a bilateral investment treaty with the US. If you are a US investor trying to invest in a country which lacks a bilateral investment treaty with the US- you are out of luck when trying to obtain political risk insurance from OPIC. This is true of outer countries which supply similar political risk insurance through export development programs.
For more on political risk see my previous blog: “Managing Political Risk” at Seoullegalriskmgmt.com.
As 2020 comes to a close, it is time for many organizations to analyze its risk management processes and how well the processes managed the risk events that has recently occurred. For many companies, Covid-19 was a catastrophic or near catastrophic event. Those companies that were prepared to handle the pandemic (such as those that had business continuity plans in place, etc.) were able to handle the risks presented by Covid 19. Those that were not prepared had a harder time. What successful companies know is that in order for a company to succeed it not only has to a sustainable business model but it has to constantly review its risk processes. After all, what happens when the current business model does not work anymore? What happens when the risks outweigh the benefits of continued standard corporate operations? So, maybe it’s time to re-examine your risk management processes. Do they really work?
When talking to your staff or to other departments, how often have you heard the phrase “That the way we have always done things.” Just because corporate processes have been done one way doesn’t mean that the best way or even in todays’ fast changing world- the right way. Even after 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. And of course, some companies have not changed processes during Covid. But why?
I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if the processes have been set in stone. They are very hard to change. Even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model is out of date or its business plan is no longer viable? Just because it worked in the past doesn’t mean it will work in the future.
I therefore caution everyone not to blindly accept the current risk management processes in place. Risk managers as well as in house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does that compliance program really work? Does the business continuity plan really work? Maybe it did 5 years ago. But what about today?
What about re-examining the areas of risk management responsibility? The areas should include the purpose and policy of the RMD in the organization, the functions and execution points of the RMD (who does what, when, how, reporting lines, etc.) as well as a detailed outline of the procedures and processes of the RMD. Procedures and processes can include:
-conducting risk assessments of the organizations’ divisions and departments
-developing solutions for the various risk management issues
-developing business continuity plans
-coordination with various departments to assist with compliance issues
-oversee loss control concerns
-develop training for the organization’s employees covering various risk related areas of concern such as product safety, etc.
Remember, if local or national laws have changed maybe the current processes are out of date. If your organization was not prepared for the Covid 19 pandemic, maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current geo-political environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of all Things? These risks are real. Are you ready for them? Does your current business model still work or is it outdated? What about data privacy laws? What about business continuity plans?
It is a fundamental truth that all things change. Of course, some things change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary. And don’t think that just because “that the way things are done” your company should continue to operate as usual.
So if you haven’t re-examined your risk management processes- now is the time to do so.
In the past I have commented on crisis management and the tools needed to handle crisis in today’s business environment. It is clear however, that an international crisis, such as the COVID 19 virus or even a geo-political crisis is harder to deal with than a domestic crisis. Because of international considerations, an international crisis is normally harder to manage than a domestic crisis. As it is more complex, companies caught up in an international crisis have to pay more attention to international, cultural, and communication issues than they would in a purely domestic scenario.
Crisis communications has become very important. Therefore, an international crisis requires a number of steps, including:
• Planning for an international crisis
• Appointing a crisis manager
• Establishment of a Crisis Management Team
• Establishment of a Media Crisis Team to handle international communications
The principle focus of any crisis management strategy, especially in an international contest, is communications. All crisis management plans call for effective crisis communications, which many times are not always executed. Inadequate or failed communications lead to bad publicity, unhappy stakeholders, and potential disaster. An effective crisis communication strategy is necessary for any international crisis. A number of companies and even governments have failed to defuse international crisis because of poor communications.
An effective crisis communication strategy is necessary when dealing with an international crisis. It also requires the establishment of an effective Media Crisis Team that can respond to potential media issues. Who should be on the team? At least 6 people from the following areas or departments:
1. Legal- someone from the GC’s or CLO’s Office
2. HR- HR should designate a staff member capable of handling crisis related issues
3. Outside legal- in the case of most companies, the primary outside law firm should also be on the team
4. PR- if the company has a PR department, someone from PR should be on the team
5. Outside PR- it is a good idea for most companies to retain an outside PR firm if possible
6. QA or Service, etc.- depending on the product or services the company provides, perhaps someone from the Service Department of Quality Control Department should also be on the media crisis team.
A number of processes need to implemented and issues addresses to create an effective Media Crisis Team. Such processes and issues include the following:
• Creation of the Media Crisis Team.
• Identify a key spokesperson or spokespersons on the Media Crisis Team who will speak for the organization. Who are they? What are their roles?
• Training on cultural issues, if the crisis involves other cultures.
• Establishment of communication procedures and protocols for the Media Crisis Team. Who communicates to whom and why? Can the Media Crisis Team members communicate to each other directly?
• The main messages that should be communicated to key stakeholders should be thought through.
• A budget for the Media Crisis Team, should be approved and set up.
• The facts surrounding the crisis should be established as well as the major talking points.
• How will the Media Crisis Team handle the Press? Processes?
• Has a communications war room been set up for the Media Crisis Team in order to meet and handle communications?
• Has a hotline been set up?
Though companies try and resolve the crisis at hand and spend significant sums of money to do so, if they fail to properly communicate to the media and the public, they in effect have lost and can expect outrage and consumer dissatisfaction to such an extent that the very existence of the company can be threatened. So remember, a company doing business internationally has to plan for eventual crisis. If it fails to handle communications properly during a crisis, it faces not only a potential loss of business but a negative impact on its brand. Therefore, I recommend to all companies that now is the best time to create a Media Crisis Team.