Today, many in-house lawyers and managers still think of risk management as the department that manages insurance policies. Some may in fact think that risk management also encompasses handling bad publicity or maybe even covers a disaster recovery plan. Many in-house lawyers, as well as some corporate managers, don’t believe risk management is part of their job description. However, given the globalization of business, the increased volatility of today’s business climate and the changes in social media that have increased communication tenfold, risk management is now part of every manager’s job description, including the in-house lawyer’s.

The main role of in-house counsel in corporations or legal entities is now, of course, to mitigate legal risk in connection with the sale of products or services provided by the company. In essence, how well the company protects its success will depend in part on its ability to manage, control, and minimize legal risk, especially in a litigious society such as the US marketplace. Legal counsel must make an active effort to develop strategies, systems, and processes that will minimize the legal risks faced by the company on a daily basis. The area of risk management for in-house counsel has become so large it can now be labeled “Legal Risk Management” or LRM.

What is LRM? Legal risk is the probable occurrence of a future event or non-event that will have a negative impact on the company and that could result in lawsuits, fines, investigations, crises, reputational harm, financial harm and of course the destruction of the company’s brand or even the company. Legal risks and business risks intertwine to such an extent that business risks have legal impact. Therefore, in-house counsel must become involved in the day-to-day management of business risk itself and think in terms of risk analysis. The lawyer must use tools not only to identify risk but also to provide a qualitative analysis of a risk’s probability and its impact on the company’s objectives and bottom line. The tools include risk maps, processes such as interviews of key personnel, procedures involving review of industry guidelines, internal procedures, risk diagrams, etc. What risk analysis has been developed to gauge the safety controls in the manufacturing division’s product design protocols? How does the R&D division handle the potential risk of defective parts and materials?

It is time that in-house counsel realize they are in fact legal risk managers. The law department of a corporation can serve it well by playing a substantial role in the corporate-wide management of risk, proactively managing potential risk instead of just reacting to it. By working with cross-corporate teams to manage risks through corporate governance, compliance, loss control, review of HR processes or product safety concerns besides just purely legal issues, a corporation’s law department increases its value to the company.

By controlling and managing legal risk, an organization is able to control its future. Without adequate LRM processes, a company is exposed to claims, lawsuits, fines, and investigations. Not a day goes by where some governmental investigation or lawsuit is not reported in the local newspaper. These days it is a common occurrence. Therefore, it is imperative that an organization and its in-house legal team understand that by managing legal risk it can control its future. It is equally imperative that an organization understands the role that LRM plays in an organization.


Besides managing risk, risk managers must also have a knack for good stakeholder management. In fact, in order to provide effective leadership in today’s corporate world, risk managers, and those who have a risk management function, must understand the significance of good stakeholder management. Considering the high employee and investor turnover rates, it is no wonder that risk managers must take the lead in providing risk management information to various stakeholders, not only from a compliance perspective but from a profit/loss perspective as well.

Who are the various stakeholders that a risk manager must concern himself or herself with? Of course, the more sophisticated a company is, the more stakeholders there are. Nonetheless, the main stakeholders of any company or organization usually include:

1. Employees
2. Upper Management including the Board
3. Customers
4. Suppliers
5. Regulators
6. Investors
7. Business partners; and
8. Credit Analysts

Each group of stakeholders mentioned above is important to the overall success or survival of a company. They may have a key role in determining the strategy of a company and therefore need to understand relevant risk-related information in order to understand the issues facing the company. Of course, depending on the various laws and regulations facing companies, there may in fact be reporting requirements that should be met. The Board as well as Upper Management has risk management responsibilities when it comes to addressing risk, and in order to provide effective leadership, Management must look at Stakeholder Management as part of good Corporate Governance.

The first step for any risk manager when dealing with stakeholders is to ask the hard questions, such as: (i) Are you prepared to handle risk events relating to your stakeholders? (ii) In a crisis management event, are you ready to address your customers? (iii) In case of litigation, do you have the right information to communicate to your regulators? and (iv) What risk management processes should you use in case you have major employment-related issues?

Providing effective risk management leadership requires the risk manager to understand who the major stakeholders really are and what risk management reporting processes actually exist or should exist. Once you can answer these questions, you are on your way to providing effective risk management leadership.


The US-China trade dispute as well as the Japan-Korea dispute have to a certain extent caught many companies as well as investors off guard. Considering these political and economic events, many companies should consider reviewing old risk management policies and procedures, if they haven’t already. Geo-political risks are now front and center, whether companies are prepared for such risks or not.

Companies face many kinds of risks when engaged in offshore projects, but geo-political risks can be the most serious if not handled properly. Such risks come about when a government changes its policy, ideology or even itself, which creates instability, disorder, strikes, riots, war, embargoes, etc. What must be done to manage such risks? Political risk insurance comes to mind, but some forms of political risk insurance that are offered by capital-exporting nations (such as OPIC, etc.) are subject to politically motivated conditions or motivations that may not take the needs of the investor into account. Case in point: OPIC can only operate in countries which have a bilateral investment treaty with the US. If you are a US investor trying to invest in a country which lacks a bilateral investment treaty with the US, you are out of luck when trying to obtain political risk insurance from OPIC. This is true of other countries which supply similar political risk insurance through export development programs.

The answer for some companies therefore, is to consider obtaining private political risk insurance. Due to the increased use by some companies of political risk insurance from government agencies as well as a lessening of perceived political risk, private political risk insurance offerings have exploded. Several markets provide private political risk insurance including Lloyds of London insurance syndicates as well as groups operating under a reinsurance treaty that are controlled by an underwriter. There are advantages to this.

As private political risk insurers have no political agenda to worry about, there are normally no political prerequisites for the issuance of insurance. The host country doesn’t need to be poor and the investor can come from any part of the world. Also, the private insurance approval process can be much faster than the approval process of governmental agencies. Of course, it should be noted that, unlike governmental agencies, private political risk insurers are in business, and therefore the coverage offered by them can be more expensive than that of their government counterparts.

All in all, political risk insurance should be considered when investing abroad, especially in markets that are uncertain. There are always ways to manage risk, and political risk insurance is just another form of risk management. It should be carefully considered, especially in today’s rapidly changing world.


One of the main drivers of my success over the years has been the ability to “change”. If you look around you, change is everywhere. In fact, it is the only constant in life. Everything changes whether we like it or not. I’ve been fortunate enough over my 40-year career to change, whether by changing my law practice or by changing my location or even both. In several instances, I even changed countries of residence. All of the change I have gone through has contributed to what success I have achieved.

Change in careers happens if one is willing to grow and experience new avenues of life. I started out as a public defender in Florida and ended up as a general counsel of one of the largest consumer electronics companies in the world. I never expected I would end up as a GC, but I did grasp the willingness to change.

Change not only happens in everyday life but in the workplace as well. Risk managers must always be on the lookout for change. As business changes, so do risks. As regulations change, so do legal threats. As employees change or as a company’s appetite for risk changes, so does the internal management of risk. In essence, risk is not static; it is always evolving and always changing. So the management of risk must change as well.

The concept of risk itself has changed over the years. Twenty-five years ago, risk management was not perceived as a vital function in many organizations. Sometimes companies lumped risk management in with Insurance, Service or QA. But as the perception of risk has evolved along with compliance and SOX-related laws, rules and regulations, risk is now deemed a major part of a company’s management structure.

Those organizations that perceive the need for an up-to-date, robust risk management function are most likely to weather the storm of litigation, fines, audits and investigations facing most companies today. Crisis management (part of risk management) is now front and center in many large organizations as well. Companies are realizing that the perception by the public is in many cases far more important than the facts. How do you manage a crisis? When does a serious event become a crisis? How has crisis management changed over the last few years and why? How has compliance changed? All concepts of risk are subject to change, as are standard processes for identifying and eliminating risk. Metrics used 20 years ago are no longer valid in many cases. Look what happened in 2008.

To handle risk and all of the consequences that it entails in an effective manner requires the willingness to accept change and in many cases to seek change out. Companies must be willing to change their concept of risk. They must be willing to change processes that may have been set in stone years ago. They must be willing to change not only how they perceive risk but how they address risk.

Yes, change is everywhere.


I found myself wandering around Seoul the other day. I stumbled across a backstreet filled with European restaurants, new coffee shops, boutique clothing stores with coffee shops, boutiques with restaurants and even a boutique that would take care of your dog while you shopped. One coffee shop had a French bakery inside and another coffee shop was inside a French bakery. In Seoul? I wouldn’t have known it had I not gotten off the beaten path. In fact I only discovered the remnants of a wall that once belonged to an ancient fortress near my apartment by walking along an old hiking path near Nam Mountain. When you deliberately leave the comforts of your regular haunts you find yourself discovering new places and even old ones you didn’t know still existed. Likewise, unless you go off the beaten path, when reviewing your company’s risk management processes and procedures you might not discover the new and maybe old problems and issues your company faces. In other words, you have to explore.

A legal risk management audit is a way of exploring all of the weaknesses your company has when confronted with outdated policies and processes. You will discover gaps in your processes you never thought existed. Perhaps divisions or departments you thought had no or little legal risk are far more exposed to risk than you once thought. What level of risk does your Board of Directors find acceptable? Has it changed? What are your company guidelines concerning environmental or child labor laws and are the guidelines being followed? What about your vendors and suppliers? Does your company have a code of ethics that the suppliers are supposed to follow? Have you looked at your risk scoring methods lately? Or even questioned employees about their perceptions of risk?

A legal risk audit can not only identify potential areas of risk but can identify specific areas that must be addressed internally and externally. However, to properly perform a risk audit you must not only look at familiar places but investigate unfamiliar ones as well. You must go off the beaten path. How?

An audit must not only target the major divisions but should also encompass those departments that are not deemed essential to the company. Maybe looking at the processes of a cost center instead of a profit center will result in discoveries you never thought possible. Sometimes you need an unbiased third party to conduct internal interviews for you even though you always conducted an internal investigation yourself. Maybe an outside third party can provide you with risk metrics or data that you never thought existed. A third party may be able to conduct an internal investigation for you that you feel too uncomfortable to perform. Maybe a third-party audit of your HR or service operations should be considered. Going off the beaten path may entail not only looking at different departments but using an outside risk management consultant to look at things differently. To go off the beaten path may entail using an outside consultant to ask different questions while using different risk management tools to identify and quantify risks not so visible from the inside.

There are many third-party consultants to use when conducting risk assessments or audits. One such company in Asia is Erudite Risk. Erudite Risk provides services ranging from due diligence and IP protection to business continuity and competitive intelligence. You may find out more about Erudite Risk at its website, Eruditerisk.com.

Regardless of your decision on whether to use an outside risk consultant, get off the beaten path. It might surprise you.

If a company is involved with litigation in the United States, it has a duty to locate all information, data, and documents, including ESI (electronically stored information), that are relevant to the case. This can be quite onerous, as it requires:

• Familiarity with document retention policies
• Involvement with IT personnel
• Communication to “key players” of the litigation hold
• Location and retrieval of all relevant information wherever that information might be

The legal risks facing a company that fails to handle the above requirements in an economical/efficient manner can be tremendous. Companies have been sanctioned millions of dollars for failing to abide by ESI requirements or, even worse, have lost the respective lawsuits, costing even more. What can a company do to mitigate the legal risks surrounding document management to comply with US legal requirements?

1. Plan of Action

A company must take steps to develop an adequate data and document management plan. It is not too surprising that even the IT Department itself may not have an adequate understanding of where all of the electronically stored documents are, considering the plethora of handheld devices that may store documents and other electronic information. Therefore, a company’s management and IT folks need to sit down and map out where all of the documents are located, if possible. A document management plan should take the following steps into consideration:

• Assess the company’s current use of technology documents.
• Locate all in the company’s possession.
• Use technology to leverage legal requirements.
• Retain experts or outside consultants to above or to help implement systems/processes.
• Implement policies and procedures addressing all legal risks posed by ESI.

2. Risk Assessment of ESI

To implement an appropriate plan of action, a company must conduct a risk assessment of its processes and capabilities by:

• Seeking proposals of vendors (outside experts)
• A top-to-bottom analysis
• ESI and paper documents
• Hardware and software
• Management of data
• Retention of data
• Litigation holds
• Disaster preparedness

3. ESI Implementation

The legal risks facing companies in today’s legal and regulatory climate, especially in the United States, are enormous. Failure to implement a data and document management program that not only addresses a company’s business concerns but legal obligations as well can be disastrous. The development and implementation of an LRM program addressing these concerns is not a luxury but a necessity. It is highly recommended that a company implement a data and documentation management program that addresses ESI and all of its issues.
