I find myself enjoying the beach more and more in retirement.  I enjoy watching the people walking on the beach and of course enjoying the sound of the waves as they come crashing in.  All in all, it is a very pleasant experience.  And of course, I expect to continue seeing the beach and enjoying the beach experience.  This has created a kind of “normalcy bias” …. the beach has always been pleasant and therefore I expect it will continue to be pleasant.  Erudite Risk in its recent DRB risk report has discussed normalcy bias in detail.  All risk managers and in-house counsel need to pay attention.

Normalcy bias can be seen as a major reason why so many companies as well as some countries were not prepared for Putin’s invasion.  After all, Putin hadn’t invaded Ukraine for a number of years so the odds were that he wouldn’t…despite the signals leading up to the invasion.  Normalcy bias can be seen affecting everyone’s perception of many kinds of risks.  Yes, geopolitical risk is a major risk that is now looked at perhaps with a greater degree of interest.  But financial risk, operational risk, and legal risk among others should also be looked at in a new light.  Has normalcy bias affected a company’s perception of the risks it faces?  If no one actually thinks risks should be taken too seriously as such risks have never led to a major crisis, have they really taken a hard look at the risks facing the company?  Does the risk mitigation strategy really work when everyone’s perception is clouded by normalcy bias?

The Black Swan event may be more likely to happen than people think.  In today’s business climate, more and more crises are beginning to happen when a few years ago many never thought they would occur.  Everyone was lulled to sleep because of “normalcy bias”. So people tend to lump Black Swan events into risk events they thought would never happen.  A kind of normalcy bias has set in; people continue to look at potential risk events as they always looked at them. Nothing happens until of course it does.

But risk events you never thought would happen may very well happen.  Just because you look at the past or present a certain way doesn’t mean it will be the same in the future. North Korea hasn’t attacked South Korea in more than 70 years.  Many look at the potential of a North Korean attack as nil because they don’t even remember the last invasion.  Today, South Korea’s younger generations have no recollection of the post-war years and extreme poverty that many went through following the Korean War.  Younger politicians think it is absurd that an attack would occur.  But there have been warning signs.  North Korea has ramped up its ballistic missile program as well as its nuclear testing. But a kind of normalcy bias or complacency has set in.  If an attack occurs, it may catch everyone by surprise. Just look at the Russian invasion of Ukraine.

If you or your organization does business in South Korea or anywhere else in Asia, are you prepared in case there is an invasion or attack on South Korea?  What about Taiwan?  Or anywhere else in Asia? What plans are in place?  Have you really spent time analyzing all the details or have you simply paid lip service to it because everyone believes it won’t happen?  After all, nothing has happened in 70 or 80 years (except for bombings, acts of terrorism and kidnappings, threats, nuclear bomb testing, etc.).  My advice when it comes to risk mitigation is to plan for every eventuality regardless of how you perceive it.  Don’t let normalcy bias set in.  This includes:

  1.  Looking at your contracts.
  2.  Looking at your insurance policies.
  3.  Looking at your risk mitigation and legal risk management processes currently in place.
  4.  Looking at your vendors and suppliers’ risk policies too.  Are they prepared?
  5.  Looking at your supply chain.
  6.  Have you brought in a 3rd party risk consultant to examine your operations?
  7.  Many people doing business in Seoul don’t realize that by the time North Korea launches an invasion it will be too late to get out of Seoul except maybe on foot. Are there contingency plans in place?

In essence, don’t let normalcy bias set in.  It may be too late to act once the unthinkable happens.

Today, many in house lawyers and corporate executives still think of risk management or legal risk management as the department that manages insurance policies. Many in house lawyers as well as some corporate managers don’t believe risk management is part of their job description. However, given the globalization of business, the increased volatility of today’s business climate and the changes in social media that have increased communication tenfold, the management of risk is now part of every manager’s job description, including the in house lawyer. Risk management should be viewed as an essential part of everyday management, including Legal Risk Management or LRM. Managing a company’s risks is not only important but vital. Until recently, lawyers have been trained to think reactively, i.e. to react to a threat or risks. But given the recent changes in the global business environment, in house counsel must now learn to manage risks. Such proactive management encompasses a large area of not only pure legal risks but also business risks that could lead to legal threats and issues. In essence, an in house counsel must now learn to proactively manage risks by minimizing risk, mitigating risks, transferring risks and eliminating risks. All are in a sense a proactive response to a risk rather than a purely reactive response.

The main role of in-house counsel in corporations or legal entities is now, of course, to mitigate legal risk in connection with the sale of products or services provided by the company. In essence how the company protects its success will be based in part on its ability to manage, control, and minimize legal risk, especially in a litigious society such as the US marketplace. Legal counsel must take an active effort in developing strategies, systems, and processes that will minimize the legal risks faced by the company on a daily basis. The area of risk management for in house counsel has become so large it can now be labeled “Legal Risk Management” or LRM. What is LRM? First you must define legal risk. A good definition is:

"The probable occurrence of a future event or non-event that will have a negative impact on the company that could result in law suits, fines, investigations, crisis, reputational harm, financial harm and of course the destruction of the company’s brand or even the company."

Using this term, legal risks are in fact many. Legal risks can be operational, strategic, financial, regulatory, contractual or corporate in nature. Virtually any risk that can result in litigation, fines, investigations or pose harm to the company or organization (reputational, etc.) can be included. A number of legal risks a company may face can be associated with the following:

Corporate Responsibility Risks
Brand / Reputation Issues
Pricing Issues
Competition Risks
R&D Development Strategy
Regulatory changes
Corporate Governance standards
Legal compliance
Loss of Intellectual Property
Foreign exchange risks
Pension Liabilities and related laws
Contractual Liabilities
Fraud / Money Laundering-FCPA risks
Receivables / Credit-Insolvency risks

Inside a company risks may be placed in many categories:

• Strategic
• Operational
• Financial
• HR
• Technology
• Legal and Regulatory
• Contractual breaches and damages

Legal risks and business risks intertwine to such an extent that business risks have legal impact. Therefore, in house counsel must become involved in the day to day management of business risk itself. This leads to the question of a company’s appetite for risk. For a company, as well as its in house lawyer, to properly manage risk, management has to understand what risk it is willing to take in the market place and what risk it is not willing to take. Is it willing to buy inferior parts for its product and risk the probability of a product liability lawsuit in order to make a greater profit or not? What does the Board of Directors think about risk? Has the BOD ordered a risk audit of the whole company? Is the company willing to accept more risk than it currently accepts, and if so, what is the rate of return it needs to justify the additional risk? A company may have competing objectives that result in increased risk or a decision to accept additional risk. Does the company have a business model that compares the benefits over the potential increased risk?

Not only must the in house counsel identify legal risks but he must assess the inherent likelihood and impact of the legal risk. Will the impact of the risk be very minor or could it be a major event? Once the in house counsel analyses the risks and assesses the potential impact of the risk, he can then determine how to handle the risk, such as risk mitigation, risk transference, risk avoidance and risk acceptance. The law department of a corporation can serve it well by playing a substantial role in the corporate wide management of risk by proactively managing potential legal risk instead of just reacting to it. By working with cross corporate teams to manage legal risks through corporate governance, compliance, loss control, review of HR processes or product safety concerns, a corporation’s law department increases its value to the company.

By controlling and managing legal risk, an organization is able to control its future. Without adequate Legal Risk Management (LRM) processes, a company is exposed to claims, lawsuits, fines, and investigations. It is imperative that an organization and its in house legal team understand that by controlling and managing legal risk, an organization is able to control its future. It is imperative that an organization understands the role that LRM plays in an organization and that adequate systems, processes, and procedures be implemented to minimize, control, and transfer such legal risk.

Law firms and other service oriented organizations are just beginning to realize that risk management concepts apply to them as well as manufacturing based organizations. Lately, consultants are advising law firms to implement project control methods, look at legal processes from a six sigma point of view and even apply the basics of marketing 101 or sales 101 to increase business from potential clients. As the legal industry continues to shift from the old “charge per hour” model, law firms are beginning to realize that not only do marketing concepts apply to the “business and management of law” but risk management concepts apply as well including loss control.

Risk management should be viewed as an essential part of everyday management, including legal management. Managing a company’s risks is not only important but vital. Until recently, lawyers have been trained to think reactively- i.e. to react to a threat or risks. But given the recent changes in the global business environment, as well as changes in how law firms manage themselves, attorneys and support staff must now learn to manage risks. Such proactive management encompasses a large area of not only pure legal risks but also business risks that could lead to legal threats and issues. In essence, lawyers must now learn to proactively manage risks by minimizing risk, mitigating risks, transferring risks and eliminating risks. All are in a sense a proactive response to a risk rather than a purely reactive response. This of course includes minimizing costs and using processes or tools to minimize costs and risk.

Loss control is a tool that a law firm or other service related organization can utilize or should use to minimize or reduce risk. If properly used, loss control can reduce losses and decrease exposure associated with such losses. Loss control can of course be simply defined as “efforts that reduce expected losses”. But of course it is more than that as it encompasses management of efforts that reduce expected losses – or in other words processes that can prevent, reduce, or mitigate losses. Loss control processes, in other words, if properly used, can mitigate and reduce risk. Normally, loss control processes can be very effective in reducing costs and expenses faced by any organization, especially a manufacturing company that manufactures products. But it can also be applied to service organizations such as law firms or accounting firms.

The traditional definition or concept of loss control relates to loss prevention or loss reduction that is associated with products or monies related or associated with products. Loss control processes are normally divided into two main categories—loss prevention and loss reduction and are defined as follows:

Loss prevention: activities that reduce expected losses of inventory or monies associated with inventory by proactively reducing the frequency of losses

Loss reduction: activities that reduce expected losses of inventory or monies associated with inventory by decreasing the size of the loss, which is a reactive and not a proactive process

Applying these concepts to a law firm or service related organization we can see how six sigma and other concepts such as project management can be utilized as a loss control process. After all, the main goal of six sigma as well as project management would be to improve efficiencies and minimize waste or the costs associated with waste. Law firms tend to over analyze and over process matters. How much cost can be saved if documents are no longer over processed or over analyzed? How much time can be saved for more productive matters? From a loss control standpoint, what processes can a law firm or law department implement that reduce cost and monies associated with cost? What efficiencies will be gained once project management processes are implemented?

Six Sigma and Loss Control

Six Sigma has been championed by companies such as GE, Motorola, Samsung, IBM and others. Originally promoted as a process to improve profitability it is really about reducing expenses, waste, and loss as well as adding value and efficiency. Consider using six sigma when reviewing processes that involve:

(i) Client expenses
(ii) Office expenses such as mail
(iii) Over review of documents
(iv) Use of software

Project Management

Project management has become another Legal Risk Management tool or process that has become more popular amongst law firms lately. Firms are realizing that once they get away from the old “charge per hour” paradigm and start focusing on alternative fee arrangements there is really a need to manage the matter on a project by project basis to contain and reduce costs.

Parts of a project management process

(i) Initiation of the matter- this includes the scope of the matter, the desires of the client and the goals of the client and law firm.

(ii) Planning of the project- just like an architect plans the design and building of a house or a building, the planning portion of legal project management covers the key decisions in achieving the desired outcome.

(iii) Implementation- this is when the firm or the staff conducts the work to implement the plan.

(iv) Monitoring of the project- is the budget being followed? Are the expenditures reasonable for the work being performed?

The concepts of loss control (and really risk management) can be applied to the legal industry as well as other service industries. Just because the original concepts were applied to the manufacturing industry doesn’t mean these concepts can’t be applied to service related organizations as well. Remember, for law firms it’s all about effectively and efficiently representing clients in a manner that not only achieves the goals and objectives of the client but does so at minimal cost and expenses. The more efficient a law firm becomes at handling matters at minimal cost, the more value the firm adds to the client’s business. This will usually equate to a higher client retention rate.

As 2020 comes to a close, it is time for many organizations to analyze their risk management processes and how well the processes managed the risk events that have recently occurred. For many companies, Covid-19 was a catastrophic or near catastrophic event. Those companies that were prepared to handle the pandemic (such as those that had business continuity plans in place, etc.) were able to handle the risks presented by Covid-19. Those that were not prepared had a harder time. What successful companies know is that in order for a company to succeed it not only has to have a sustainable business model but it has to constantly review its risk processes. After all, what happens when the current business model does not work anymore? What happens when the risks outweigh the benefits of continued standard corporate operations? So, maybe it’s time to re-examine your risk management processes. Do they really work?

When talking to your staff or to other departments, how often have you heard the phrase “That’s the way we have always done things”? Just because corporate processes have been done one way doesn’t mean that is the best way or even, in today’s fast changing world, the right way. Even after 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. And of course, some companies have not changed processes during Covid. But why?

I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if the processes have been set in stone. They are very hard to change. Even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model is out of date or its business plan is no longer viable? Just because it worked in the past doesn’t mean it will work in the future.

I therefore caution everyone not to blindly accept the current risk management processes in place. Risk managers as well as in house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does that compliance program really work? Does the business continuity plan really work? Maybe it did 5 years ago. But what about today?

What about re-examining the areas of risk management responsibility? The areas should include the purpose and policy of the RMD in the organization, the functions and execution points of the RMD (who does what, when, how, reporting lines, etc.) as well as a detailed outline of the procedures and processes of the RMD. Procedures and processes can include:

-conducting risk assessments of the organization’s divisions and departments
-developing solutions for the various risk management issues
-developing business continuity plans
-coordinating with various departments to assist with compliance issues
-overseeing loss control concerns
-developing training for the organization’s employees covering various risk related areas of concern such as product safety, etc.

Remember, if local or national laws have changed maybe the current processes are out of date. If your organization was not prepared for the Covid-19 pandemic, maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current geo-political environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of Things? These risks are real. Are you ready for them? Does your current business model still work or is it outdated? What about data privacy laws? What about business continuity plans?

It is a fundamental truth that all things change. Of course, some things change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary. And don’t think that just because “that’s the way things are done” your company should continue to operate as usual.

So if you haven’t re-examined your risk management processes- now is the time to do so.

At the beginning of litigation and selection of the law firm that will handle the case, the in-house lawyer must assess the case—the strengths, weaknesses, costs, etc., involved. Case evaluation is very important. Evaluation can be made through an early evaluation by outside counsel, knowledge of potential costs, use of employee interviews, and formulation of a plan/budget. When a company has a good idea of the chances of winning, as well as the potential costs, it is in a better position to determine whether to proceed to trial. Therefore, at the beginning of litigation, the company or organization should obtain a thorough evaluation of the case and use internal risk management tools to assess the cost of a trial. Is the cost of litigation worth it?

Risk analysis of litigation can be a useful tool in evaluating a case. One such tool that is often utilized is the decision tree. A decision tree analysis can be used to evaluate the probability of outcome of certain events during trial. Each event can then be analyzed in the context of the probability of the entire outcome. A decision tree risk analysis provides a systematic method of analyzing cases from the beginning

Besides the use of a decision tree, a properly formatted litigation budget should address the fees and costs of going to trial. Using a budget helps to establish a realistic framework for litigation as it should cover expected fees and costs. Remember however, a law firm’s fees at trial could skyrocket for a number of reasons, including:

-The number of lawyers involved.

-Time: Most trial lawyers will work long hours during a trial, so fees will add up. This is especially true if the trial is a complex one involving patent disputes or competition/anti-trust claims.

-The cost of expert witnesses.

To properly manage civil litigation, especially in the United States, companies need to implement LRM strategies and processes by use of an in-house Law Department that is capable of overseeing or managing outside litigation. Depending on the legal exposure of a company, it can be a full-time job. This management function will be key in properly coordinating litigation to avoid excessive costs, duplication of effort, and minimization of disruptions to a company’s business, as well as setting an effective trial strategy.

What many foreign companies doing business in the United States fail to appreciate is that an outside litigation lawyer does not necessarily have the company’s best interests in mind during litigation. Litigators want to win. Sometimes the desire to win is not in the best interests of the company. Many companies have paid a great deal of money to litigate a case when a resolution to the dispute was available had the parties tried to actively settle the matter. Remember, a trial lawyer’s business and primary goal is to win- not to settle.

An in-house legal manager, representing the company’s best interests, can help facilitate settlement once a legal risk assessment as to the validity, cost, and expense of litigation is made. In fact, during trial, a settlement is still possible and can be facilitated by in-house counsel. Therefore, the Law Department should maintain control and oversight of any litigation. A LRM program can be very helpful in managing the legal risk process as well as providing litigation oversight. Remember, litigation can result in a variety of negative issues such as:

• Loss of time.
• Expense.
• Potential interruption of business.
• The cost and expense of business interruption.
• Potential bad or negative publicity.
• Negative impact on the company’s brand image
• Potential loss of reputation.

As companies facing U.S. litigation are often exposed to excessive fees and costs, massive business disruption, lengthy litigation, and the unpredictability of the jury system, efficient management of the litigation process is necessary. Though, obviously, outside litigation counsel is necessary in most cases, an in-house Law Department can save the company great sums of money by managing the litigation process. Such management involves the assessment, management, and potential transfer of risk through various LRM strategies, including:

-Effective coordination of legal defense efforts in order for the company to avoid duplication of costs and effort from case to case
-Coordination of witnesses, answers and interrogatory responses, documents, and depositions
-Acting as the central site for all facts, positions, decisions on legal issues, and motions
-Development, implementation, and coordination of a defense plan

As part of an overall LRM program, a company’s Law Department must implement processes to control, reduce, and manage outside legal fees and costs. By utilizing legal risk management tools, a Law Department can proactively reduce legal fees and costs.
