risk management Archives | Page 2 of 3

The recent outbreak of the Corona Virus is a perfect example of how risk, whether biological in nature, man-made, environmental or regulatory, can rapidly change a company’s business plan or effect the current global business outlook. As the virus continues to spread, business plans are being impacted, especially the business plans of companies in the travel, tourism and convention industries. This should give everyone pause and perhaps encourage everyone to reflect on the current risk management processes they have in place including employee safety related processes. Perhaps it is time to change the processes. Or at least re-examine them.

When talking to your staff or to other departments, how often have you heard the phrase “That the way we have always done things.” Just because corporate processes have been done one way doesn’t mean that the best way or even in todays’ fast changing world- the right way. Even after the financial meltdown of 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. Why?

I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if the processes have been set in stone. They are very hard to change. Even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model actually is out of date or its business plan is no longer viable? Just because it worked in the past doesn’t mean it will work in the future. Do the processes really mitigate risk or not?

Remember, if local or national laws have changed maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current social environment? What about the regulatory environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of all Things? These risks are real. Are you ready for them?

It is a fundamental truth that all things change. Some change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary.

Law firms and other service oriented organizations are just beginning to realize that risk management concepts apply to them as well as manufacturing based organizations. Lately, consultants are advising law firms to implement project control methods, look at legal processes from a six sigma point of view and even apply the basics of marketing 101 or sales 101 to increase business from potential clients. As the legal industry continues to shift from the old “charge per hour” model, law firms are beginning to realize that not only do marketing concepts apply to the “business and management of law” but risk management concepts apply as well including loss control.

Risk management should be viewed as an essential part of everyday management, including legal management. Managing a company’s risks is not only important but vital. Until recently, lawyers have been trained to think reactively- i.e. to react to a threat or perceived legal risks. But given the recent changes in the global business environment, as well as changes in how law firms manage themselves, attorneys and support staff must now learn to proactively manage risks. Such proactive management encompasses a large area of not only pure legal risks but also business risks that could lead to legal threats and issues. In essence, lawyers must now learn to proactively manage risks by minimizing risk, mitigating risks, transferring risks and eliminating risks. All are in a sense a proactive response to a risk rather than a purely reactive response. This of course includes minimizing costs and using processes or tools to minimize costs and risk.

Loss control is a tool that a law firm or other service related organization can utilize or should use to minimize or reduce risk. If properly used, loss control can reduce losses and decrease exposure associated with such losses. Loss control can of course be simply defined as “efforts that reduce expected losses”. But of course it is more than that as it encompasses management of efforts that reduce expected losses – or in other words processes that can prevent, reduce, or mitigate losses. Loss control processes, in other words, if properly used, can mitigate and reduce risk. Normally, loss control processes can be very effective in reducing costs and expenses faced by any organization, especially a manufacturing company that manufactures products. But it can also be applied to service organizations such as law firms or accounting firms.

The traditional definition or concept of loss control relates to loss prevention or loss reduction that is associated with products or monies related or associated with products. Loss control processes are normally divided into two main categories—loss prevention and loss reduction and are defined as follows:

Loss prevention: activities that reduce expected losses of inventory or monies associated with inventory by proactively reducing the frequency of losses

Loss reduction: activities that reduce expected losses of inventory or monies associated with inventory by decreasing the size of the loss, which is a reactive and not a proactive process

Applying these concepts to a law firm or service related organization we can see how six sigma and other concepts such as project management can be utilized as a loss control process. After all the main goal of six sigma as well as and project management would be to improve efficiencies and minimize waste or the costs associated with waste. Law firms tend to over analyze and over process matters. How much cost can be saved if documents are no longer over processed or over analyzed? How much time can be saved for more productive matters? From a loss control standpoint, what processes can a law firm or law department implement that reduces cost and monies associated with cost? What efficiencies will be gained once project management processes are implemented?

Six Sigma and Loss Control

Six Sigma has been championed by companies such as GE, Motorola, Samsung, IBM and others. Originally promoted as a process to improve profitability it is really about reducing expenses, waste, and loss as well as adding value and efficiency. Consider using six sigma when reviewing processes that involve:

(i) Client expenses
(ii) Office expenses such as mail
(iii) Review of documents
(iv) Use of software

Project Management

Project management has become another Legal Risk Management tool or process that has become more popular amongst law firms lately. Firms are realizing that once they get away with the old “charge per hour” paradigm and start focusing on alternative fee arrangements there is really a need to manage the matter on a project by project basis to contain and reduce costs.

Parts of a Project Management Process

(i) Initiation of the matter- this includes the scope of the matter, the desires of the client and the goals of the client and law firm.

(ii) Planning of the project- just like an architect plans the design and building of a house or a building, the planning portion of legal project management covers the key decisions in achieving the desired outcome.

(iii) Implementation- this is when the firm of the staff conducts the work to implement the plan.

(iv) Monitoring of the project- is the budget being followed? Are the expenditures reasonable for the work being performed?

The concepts of loss control (and really risk management) can be applied to the legal industry as well as other service industries. Just because the original concepts were applied to the manufacturing industry doesn’t mean these concepts can’t be applied to service related organizations as well. Remember, for law firms it’s all about effectively and efficiently representing clients in a manner that not only achieves the goals and objectives of the client but does so at minimal cost and expenses. The more efficient a law firm becomes at handling matters at minimal cost, the more value the firm adds to the client’s business. The will usually equate to a higher client retention rate.

The other day I had lunch with a friend who was lamenting the fact his company’s sales team continued to ink deals without any regard for risk. When he asked them why they continued to do so, the reply was “that’s the way we have always done things.” Unfortunately, many companies continue to plod along doing business without regards to risk. In fact, many companies fail to look at operational risk which can lead to disaster down the road. In order for a company to succeed it not only has to a sustainable business model but it has to constantly review its risk processes. After all, what happens when the current business model does not work anymore? What happens when the risks outweigh the benefits of continued standard corporate operations? Maybe it’s time to re-examine your risk management processes. Do they really work?

When talking to your staff or to other departments, how often have you heard the phrase “That the way we have always done things.” Just because corporate processes have been done one way doesn’t mean that the best way or even in todays’ fast changing world- the right way. Even after 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. Why?

I therefore caution everyone not to blindly accept the current risk management processes in place. Risk managers as well as in house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does that compliance program really work? Maybe it did 5 years ago. But what about today?
Remember, if local or national laws have changed maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current social environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of all Things? These risks are real. Are you ready for them? Does your current business model still work or is it outdated? What about data privacy laws?

It is a fundamental truth that all things change. Of course, some things change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary. And don’t think that just because “that's the way things are done” your company should continue to operate as usual.

Today, many in house lawyers and managers still think of risk management as the department that manages insurance policies. Some may in fact think that risk management also encompasses handling bad publicity or maybe even covers a disaster recovery plan. Many in house lawyers, as well as some corporate managers don’t believe risk management is part of their job description. However, given the globalization of business, the increased volatility of today’s business climate and the changes in social media that has increased communication tenfold, risk management is now part of every manager’s job description, including the in house lawyer.

The main role of in-house counsel in corporations or legal entities is now, of course, to mitigate legal risk in connection with the sale of products or services provided by the company. In essence how the company protects its success will be based in part on its ability to manage, control, and minimize legal risk, especially in a litigious society such as the US marketplace. Legal counsel must take an active effort in developing strategies, systems, and processes that will minimize the legal risks faced by the company on a daily basis. The area of risk management for in house counsel has become so large it can now be labeled “Legal Risk Management” or LRM.

What is LRM? Legal risk is the probable occurrence of a future event or non-event that will have a negative impact on the company that could result in law suits, fines, investigations, crisis, reputational harm, financial harm and of course the destruction of the company’s brand or even the company. Legal risks and business risks intertwine to such an extent that business risk have legal impact. Therefore, in house counsel must become involved in the day to day management of business risk itself and think in terms of risk analysis. The lawyer must use tools to not only identify risk but provide a qualitative analysis a risk’s probability and its impact on the company’s objectives and bottom line. Various tools include risk map, use of processes such as interviews of key personnel, procedures involving review of industry guidelines, internal procedures, risk diagrams, etc. What risk analysis has been developed to gauge the safety controls in the manufacturing division’s product design protocols? How does the R&D division handle the potential risk of defective parts and materials?

It is time that in house counsel realize they are in fact legal risk managers. The law department of a corporation can serve it well by playing a substantial role in the corporate wide management of risk by proactively managing potential risk instead of just reacting to it. By working with cross corporate teams to manage risks through corporate governance, compliance, loss control, review of HR processes or product safety concerns besides just purely legal issues, a corporation’s law department increases its value to the company.

By controlling and managing legal risk, an organization is able to control its future. Without adequate LRM processes, a company is exposed to claims, lawsuits, fines, and investigations. Not a day goes by where some governmental investigation or lawsuit is not reported in the local newspaper. These days it is a common occurrence. Therefore, it is imperative that an organization and its in house legal team understand that by managing legal risk it can control its’ future. Therefore, it is imperative that an organization understands the role that LRM plays in an organization.

The US-China trade dispute as well as the Japan-Korea dispute have to a certain extent caught many companies as well as investors off guard. Considering these political and economic events, many companies should consider reviewing old risk management policies and procedures, if they haven’t already. Geo-political risks are now front and center, whether companies are prepared for such risks or not.

Companies face many kinds of risks when engaged in offshore projects; but geo-political risks can be the most serious if not handled properly. Such risks comes about when a government changes its policy, ideology or even itself which creates instability, disorder, strikes, riots, war, embargoes, etc. What must be done to manage such risks? Political risk insurance comes to mind, but some forms of political risk insurance that are offered by capital –exporting nations ( such as OPIC, etc.) is subject to politically motivated conditions or motivations that may not take the needs of the investor into account. Case in point- OPIC can only operate in countries which have a bilateral investment treaty with the US. If you are a US investor trying to invest in a country which lacks a bilateral investment treaty with the US- you are out of luck when trying to obtain political risk insurance from OPIC. This is true of outer countries which supply similar political risk insurance through export development programs.

The answer for some companies therefore, is to consider obtaining private political risk insurance. Due to the increased use by some companies of political risk insurance from government agencies as well as a lessening of perceived political risk, private political risk insurance offerings have exploded. Several markets provide private political risk insurance including Lloyds of London insurance syndicates as well as groups operating under a reinsurance treaty that are controlled by an underwriter. There are advantages to this.

As private political risk insurers have no political agenda to worry about, there are normally no political pre-requisites for the issuance of insurance. The host country doesn’t need to be poor and the investor can come from any part of the world. Also, the private insurance approval process can be much faster than the approval process of governmental agencies. Of course it should be noted, that unlike governmental agencies, private political risk insurers are in business and therefore the coverage offered by them can be more expensive than compared with their government counterparts.

All in all, political risk insurance should be considered when investing abroad, especially in markets that are uncertain. There are always ways to manage risk, and political risk insurance is just another form of risk management. It should be carefully considered, especially in today’s rapidly changing world.

One of the main drivers of my success over the years has been the ability to “change”. If you look around you, change is everywhere. In fact, it is the only constant in life. Everything changes whether we like it or not. I’ve been fortunate enough over my 40 year career to change-whether by changing my law practice or by changing my location or even both. In several instances, I even changed countries of residence. All of the change I have gone through has contributed to what success I have achieved.

Change in careers happens if one is willing to grow and experience new avenues of life. I started out as a public defender in Florida and ended up as a general counsel of one of the largest consumer electronics companies in the world. I never expected I would end up as a GC, but I did grasp the willingness to change.

Change not only happens in everyday life but in the workplace as well. Risk managers must always be on the lookout for change. As business changes so do risks. As regulations change so do legal threats. As employees change or as a company’s appetite for risk changes, so does the internal management of risk. In essence, risk is not static- it is always evolving and always changing. So the management of risk must change as well.

The concept of risk itself has changed over the years. Twenty five years ago, risk management was not perceived as a vital function in many organizations. Sometimes companies lumped risk management in with Insurance, Service or QA. But as the perception of risk has evolved along with compliance and SOX related laws, rules and regulations, risk is now deemed a major part of a company’s management structure.

Those organizations that perceive the need for an up to date robust risk management function are most likely to weather the storm of litigation, fines, audits and investigations facing most companies today. Crisis management (part of risk management) is now front and center in many large organizations as well. Companies are realizing that the perception by the public is far more important than in many cases the facts. How do you manage a crisis? When does a serious event become a crisis? How has crisis management changed over the last few years and why? How has compliance changed? All concepts of risk are subject to change as are standard processes for identifying and eliminating risk. Metrics used 20 years ago are no longer valid in many cases. Look what happened in 2008.

To handle risk and all of the consequences that it entails in an effective manner requires the willingness to accept change and in many cases to seek change out. Companies must be willing to change their concept of risk. They must be willing to change processes that may have been set in stone years ago. They must be willing to change not only how they perceive risk but how they address risk.

Yes, change is everywhere.