If a company wants to identify the major legal risks it faces, it needs to come up with a process to assess risks. But how?
When thinking in terms of legal risk management (LRM) in-house counsel or risk managers should ask some questions. First, what is the degree of risk the company is comfortable with? Or what degree of risk is a department in the company comfortable with? Also, what perception of risk does the various levels of management in the company have towards risk? Remember, this requires talking to all departments and the various department heads as well as middle managers, etc. to get a good grasp of their perception of risk or at least their perception of legal issues facing them. Only after that happens and an assessment of the legal risk environment is completed can you then proceed with a risk analysis. Of course, the accounting department may be looking at things under a COSO standard while the HR department may be looking at risks under the ISO standard.
A risk assessment can cover the areas and/or departments that are important to the company. Such areas may include:
• All insurance matters, including the renewal of insurance carrier and recommending obtaining additional or different types of insurance when needed.
• Handling all product liability claims, including product safety claims, subrogation claims, investigations, discovery, and product liability lawsuits for the organization.
• Reviewing product warranties, warnings, and manuals to ensure compliance with relevant laws and regulations.
• Reviewing processes regarding product recalls, government-related complaints, and government investigations and inquiries, including the FDA, and FTC in the United States, etc.
• Working with the Service Department or QA Department and other departments to analysis potential safety issues and report the findings to management.
• Performing due diligence reviews of safety-related issues and evaluating such findings.
• Reviewing PR/marketing processes, other departments and outside PR on responding to the media with respect to safety-related issues (media crisis team/crisis management team).
• Assessing the training given to the service/call center (if any) personnel on how to handle consumers complaining about safety issues and how to recognize product liability issues and escalate them to the proper people.
The above areas are a fraction of what con be looked at or considered when conducting a risk assessment. But it’s a place to start. It depends on the nature of the company and the primary business drivers of the company. And of course, the company's perception of risk.
I found myself wandering around Seoul the other day. I stumbled across a backstreet filled with European restaurants, new coffee shops, boutique clothing stores with coffee shops, boutiques with restaurants and even a boutique that would take care of your dog while you shopped. One coffee shop had a French bakery inside and another coffee shop was inside a French bakery. In Seoul? I wouldn’t have known it had I not gotten off the beaten path. In fact I only discovered the remnants of a wall that once belonged to an ancient fortress near my apartment by walking along an old hiking path near Nam Mountain. When you deliberately leave the comforts of your regular haunts you find yourself discovering new places and even old ones you didn’t know still existed. Likewise, unless you go off the beaten path, when reviewing your company’s risk management processes and procedures you might not discover the new and maybe old problems and issues your company faces. In other words, you have to explore.
A legal risk management audit is a way of exploring all of the weaknesses your company has when confronted with outdated policies and processes. You will discover gaps in your processes you never thought existed. Perhaps divisions or departments you thought had no or little legal risk are far more exposed to risk than you once thought. What level of risk does your Board of Directors find acceptable? Has it changed? What are your company guidelines concerning environmental or child labor laws and are the guidelines being followed? What about your vendors and suppliers? Does your company have a code of ethics that the suppliers are supposed to follow? Have you looked at your risk scoring methods lately? Or even questioned employees about their perceptions of risk?
A legal risk audit can not only identify potential areas of risk but can identify specific areas that must be addressed internally and externally. However, to properly perform a risk audit you must not only look at familiar places but investigate unfamiliar ones as well. You must go off the beaten path. How?
An audit must not only target the major divisions but should also encompass those departments that are not deemed essential to the company. Maybe looking at the processes of a cost center instead of a profit center will result in discoveries you never thought possible. Sometimes you need an unbiased third party to conduct internal interviews for you even though you always conducted an internal investigation yourself. Maybe an outside third party can provide you with risk metrics or data that you never thought existed. A third party maybe able to conduct an internal investigation for you that you feel too uncomfortable to perform. Maybe a third party audit of your HR or service operations should be considered. Going off the beaten path may entail not only looking at different departments but using an outside risk management consultant to look at things differently. To go off the beaten path may entail using an outside consultant to ask different questions while using different risk management tools to identify and quantify risks not so visible from the inside.
There are many third party consultants to use when conducting risk assessments or audits. One such company in Asia is Erudite Risk. Erudite Risk provides services from due diligence, IP protection, business continuity and competitive intelligence. You may find out more about Erudite Risk at its website- Eruditerisk.com
Regardless of your decision on whether to use an outside risk consultant, get off the beaten path. It might surprise you.