Successful Risk Management Requires A View From The Top Not A View From The Trenches
Today I was fortunate to visit a large electronics company in Seoul. In fact, I was on the 39th floor of the company located in southern Seoul and had an amazing view of Seoul- as evidenced by the picture to the left. Looking at Seoul from this viewpoint made me not only appreciate how large and expansive Seoul is but how things appear different from 20,000 feet than on the ground. In a way, risk management is like this. Many people faced with risk management issues only see separate issues that are not connected or that are limited in scope. For instance, some lawyers still think of risk management as the department that manages insurance policies. Some may in fact think that risk management also encompasses handling bad publicity or maybe even covers a disaster recovery plan. In general, executives as well as some corporate managers don’t believe risk management is part of their job description or don’t even know what risk management really is. However, given the globalization of business, the increased volatility of today’s business climate and the changes in social media that has increased communication tenfold, risk management is now part of every manager’s job description. It is also much larger than it was 20 years ago.
Risk management should be viewed as an essential part of everyday management, including legal management. Managing a company’s risks is not only important but vital. But what many companies have failed to realize is that risk management covers a broad spectrum of issues and concerns and that to successfully handle them requires an integrated approach that comes from a view from the top- not a view from the trenches. Until recently, manager’s lawyers have been trained to think reactively- i.e. to react to a threat or risks. Or they have been thought to think in narrow terms or in narrow tasks. Managers have been trained to think of sales and marketing but not compliance. Data privacy maybe important to some, but others don’t think about it. Few executives fully understand the ramifications of cyber risk and leave it up to the risk management department or IT department to handle cyber security not realizing that cyber threats and the financial consequences of cyber risk is enormous.
But given the recent changes in the global business environment, managers in general must now learn to manage risks. Such proactive management encompasses a large area of not only pure legal risks but also business risks that could lead to legal threats and issues. In essence, management must now learn to proactively manage risks by minimizing risks, mitigating risks, transferring risks and eliminating risks. All are in a sense a proactive response to a risk rather than a purely reactive response. Management must also realize that business and legal risks encompass a myriad or risks that their predecessors did not have to think about such as cyber security, compliance, antitrust concerns, regulatory issues, crisis management, IP protection, trade secrets, and data privacy and so on.
The main role of in-house counsel in corporations or legal entities is now, of course, to mitigate legal risk in connection with the sale of products or services provided by the company. In essence how the company protects its success will be based in part on its ability to manage, control, and minimize legal risk, especially in a litigious society such as the US marketplace. But managers play a role too. Upper management must allocate resources to adequately manager risk. Therefore, to properly address risk requires a view from the top.
For a company to properly manage risk- management has to understand what risks it is willing to take in the market place and what risks it is not willing to take. What is the company's appetite for risk? Is it willing to buy inferior parts for its product and risk the probability of a product liability lawsuit in order to make a greater profit or not? What does the Board of Directors think about risks? Has the BOD ordered a risk audit of the whole company? Is the company willing to accept more risk than it currently accepts, and if so, what is the rate of return it needs to justify the additional risk? These questions can only be asked when looking at the company from the top. To properly handle risk, don’t get caught in the trenches.
