I am always asked how a company or risk manager is able to identify legal risks that a company faces. Obviously, many companies face a myriad of legal risks due to the industries they operate in or, for that matter, the environment they exist in. Though risk management in any organization is an evolving process, the key to risk identification and risk assessment is to ask the right questions.
A good question to ask when beginning a risk identification phase of a legal risk management audit would be:
What are the major risks in any department that could or would generate legal liability or negatively impact the brand of the company?
How are these risks identified? Through the use of risk identification and risk assessment tools such as employee interviews, focus groups, industry literature, surveys, document reviews, etc. It is important to understand, however, that the key is to ask the right questions. A risk that will or might negatively impact a company's brand is a risk that must be minimized or controlled. But the risks don't always become evident unless the right questions are asked and the right risk management tools are used.
Organizations are well advised to look at broad categories of risk when asking questions. This allows the organization to identify major areas of risk, which in turn results in the identification of specific areas of risk and the development of potential solutions that can minimize or control the exposure to the relevant risk. It becomes easier to manage risk. Perhaps the risk consists of weak internal controls or the absence of protocols or processes when dealing with a particular situation, or both.
Questions don't stop, however, when a particular risk is identified. One also has to ask the question, "What do I do now?" In other words, what action plan should be implemented once a risk identification and risk assessment plan has been completed? Identifying risk means nothing if actions are not properly taken to mitigate or minimize the risk. It is often the risk managers, in-house counsel or managers that must ask the tough questions when risks are identified. But many times management and upper management must get involved when these questions are asked.
Managing legal risk is an ongoing and evolving process. An organization is never completely protected from risk, and new risks are always surfacing. It is the risk manager's job to manage the process and to help identify the risks a company faces. It may involve asking tough questions. It always involves an ongoing process.