Today, many in house lawyers and corporate executives still think of risk management or legal risk management as the department that manages insurance policies. Many in house lawyers as well as some corporate managers don’t believe risk management is part of their job description. However, given the globalization of business, the increased volatility of today’s business climate and the changes in social media that has increased communication tenfold, the management of risk is now part of every manager’s job description, including the in house lawyer. Risk management should be viewed as an essential part of everyday management, including Legal Risk Management or LRM. Managing a company’s risks is not only important but vital. Until recently, lawyers have been trained to think reactively- i.e. to react to a threat or risks. But given the recent changes in the global business environment, in house counsel must now learn to manage risks. Such proactive management encompasses a large area of not only pure legal risks but also business risks that could lead to legal threats and issues. In essence, an in house counsel must now learn to proactively manage risks by minimizing risk, mitigating risks, transferring risks and eliminating risks. All are in a sense a proactive response to a risk rather than a purely reactive response.
The main role of in-house counsel in corporations or legal entities is now, of course, to mitigate legal risk in connection with the sale of products or services provided by the company. In essence how the company protects its success will be based in part on its ability to manage, control, and minimize legal risk, especially in a litigious society such as the US marketplace. Legal counsel must take an active effort in developing strategies, systems, and processes that will minimize the legal risks faced by the company on a daily basis. The area of risk management for in house counsel has become so large it can now be labeled “Legal Risk Management” or LRM. What is LRM? First you must define legal risk. A good definition is:
"The probable occurrence of a future event or non-event that will have a negative impact on the company that could result in law suits, fines, investigations, crisis, reputational harm, financial harm and of course the destruction of the company’s brand or even the company."
Using this term, legal risks are in fact many. Legal risks can be operational, strategic, financial, regulatory, contractual or corporate in nature. Virtually any risk that can result in litigation, fines, investigations or pose harm to the company or organization (reputational, etc.) can be included. A number of legal risks a company may face can be associated with the following:
Corporate Responsibility Risks
Brand / Reputation Issues
R&D Development Strategy
Corporate Governance standards
Loss of Intellectual Property
Foreign exchange risks
Pension Liabilities and related laws
Fraud / Money Laundering-FCPA risks
Receivables / Credit-Insolvency risks
Inside a company risks may be placed in many categories:
• Legal and Regulatory
• Contractual breaches and damages
Legal risks and business risks intertwine to such an extent that business risk have legal impact. Therefore, in house counsel must become involved in the day to day management of business risk itself. This leads to the question of a company’s appetite for risk. For a company, as well as its in house lawyer, to properly manage risk- management has to understand what risk it is willing to take in the market place and what risk it is not willing to take. Is it willing to buy inferior parts for its product and risk the probability of a product liability lawsuit in order to make a greater profit or not? What does the Board of Directors think about risk? Has the BOD ordered a risk audit of the whole company? Is the company willing to accept more risk than it currently accepts, and if so, what is the rate of return it needs to justify the additional risk? A company may have competing objectives that result in increased risk or a decision to accept additional risk. Does the company have a business model that compares the benefits over the potential increased risk?
Not only must the in house counsel identify legal risks but he must assess the inherent likelihood and impact of the legal risk. Will the impact of the risk be very minor or could it be a major event. Once the in house counsel analyses the risks and assesses the potential impact of the risk, he can then determine how to handle the risk- such as risk mitigation, risk transference, risk avoidance and risk acceptance. The law department of a corporation can serve it well by playing a substantial role in the corporate wide management of risk by proactively managing potential legal risk instead of just reacting to it. By working with cross corporate teams to manage legal risks through corporate governance, compliance, loss control, review of HR processes or product safety concerns, a corporation’s law department increases its value to the company.
By controlling and managing legal risk, an organization is able to control its future. Without adequate Legal Risk Management (LRM) processes, a company is exposed to claims, lawsuits, fines, and investigations. It is imperative that an organization and its in house legal team understand that by controlling and managing legal risk, an organization is able to control its future. It is imperative that an organization understands the role that LRM plays in an organization and that adequate systems, processes, and procedures be implemented to minimize, control, and transfer such legal risk.
The recent outbreak of the Corona Virus is a perfect example of how risk, whether biological in nature, man-made, environmental or regulatory, can rapidly change a company’s business plan or effect the current global business outlook. As the virus continues to spread, business plans are being impacted, especially the business plans of companies in the travel, tourism and convention industries. This should give everyone pause and perhaps encourage everyone to reflect on the current risk management processes they have in place including employee safety related processes. Perhaps it is time to change the processes. Or at least re-examine them.
When talking to your staff or to other departments, how often have you heard the phrase “That the way we have always done things.” Just because corporate processes have been done one way doesn’t mean that the best way or even in todays’ fast changing world- the right way. Even after the financial meltdown of 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. Why?
I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if the processes have been set in stone. They are very hard to change. Even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model actually is out of date or its business plan is no longer viable? Just because it worked in the past doesn’t mean it will work in the future. Do the processes really mitigate risk or not?
I therefore caution everyone not to blindly accept the current risk management processes in place. Risk managers as well as in house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does that compliance program really work? Does the safety program really work? Maybe the plans worked properly 5 years ago. But what about today?
Remember, if local or national laws have changed maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current social environment? What about the regulatory environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of all Things? These risks are real. Are you ready for them?
It is a fundamental truth that all things change. Some change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary.