According to a recent survey of global CEOs, the top ten risks facing companies doing business around the world includes political risks, employment risks and even climate change risks. In fact, the top ten or even twenty risks do not include cyber security risks, IP related risks nor even credit control risks. If however, you look at the major scandals and threats facing companies in the last few years you will notice that cyber security, IP and credit related risks are actually front and center. Why the disconnect between upper management and perhaps reality?
Once of the reasons for such a disconnect ( yes the Board of Directors may focus on geo-political risk or climate change but not cyber security) is the failure of companies to fully implement an Enterprise Risk Management ( ERM) solution that in fact connects all facets of a company when reviewing risks and fully integrates risk management process across the board. The failure to create a comprehensive ERM system is the reason why so many companies even today are caught flat footed when confronted with major risk related events.
In fact, today, many in house lawyers still think of risk management as the department that manages insurance policies. Some may in fact think that risk management also encompasses handling bad publicity or maybe even covers a disaster recovery plan. Many in house lawyers, as well as some corporate managers don’t believe risk management is part of their job description. However, given the globalization of business, the increased volatility of today’s business climate and the changes in social media that has increased communication tenfold, risk management is now part of every manager’s job description, including the in house lawyer.
To properly handle risk and create a fully functional ERM system that also encompasses legal risk management ( LRM) processes , risk management should be viewed as an essential part of everyday management, including legal management. Managing a company’s risks is not only important but vital. Until recently, lawyers have been trained to think reactively- i.e. to react to a threat or risks. But given the recent changes in the global business environment, in house counsel must now learn to manage risks. Such proactive management includes a large area of not only pure legal risks but also business risks that could lead to legal threats and issues. In essence, an in house counsel must now learn to proactively manage risks by minimizing risk, mitigating risks, transferring risks and eliminating risks. All are in a sense a proactive response to a risk rather than a purely reactive response.
The main role of in-house counsel in corporations or legal entities is now, of course, to mitigate legal risk in connection with the sale of products or services provided by the company. In essence how the company protects its success will be based in part on its ability to manage, control, and minimize legal risk, especially in a litigious society such as the US marketplace. Legal counsel as well as middle manaegment in general must take an active effort in developing strategies, systems, and processes that will minimize the legal risks faced by the company on a daily basis.
But that is not all. The lack of true ERM standards ( yes- there are no standards when it coinmes to creating a ERM solution) has resulted in a wide range of different definitions which in turn has resulted in many companies prioritizing different aspects or ERM resulting in a ERM framework that does not always work or resulting in a refusal to implement a total ERM solution. Once aspect of a failed ERM process is corporate governance. Though the Board of Directors of most companies acknolwedge the importance of corporate governance ( for many reasons), many companies fail to connect good corporate governance to legal risk management processes necessary for a ERM solution. For example, though the Board of Directors should be setting the corporate tone of risk appeptite, many times you will find a disconnect between risk appetite at the top and risk appetite in middle management.
Therefore I highly recommend a company engage in a complete LRM audit. Maybe the ERM process is really not working. So I suggest the following considerations:
1. Look at the Organizational Structure- is risk management aligned with the organizationalstructure?
2. Risk Appetite- What is the orgnizations's overall risk appetite and does it represent the Board's risk tolerance?
3. Has risk management been incorporated into the organizations's values and culture?
4. What is the relationship between line management and risk management?
5. Are risk analytics being used to measure risk throughout the organization or just in a few departments?
Reviewing and answering these and other questions will help your organization determine whether its has a LRM process in place that supports a fully implemented ERM system. Or, maybe there is in fact a disconnect between the Board's view of risk management and reality.