It’s difficult to be part of any business and not hear about “risk.” Risk is the new black. It’s on the lips of every CEO, CFO, and board member, as it should be. And anything important to the board and the C-Suite is important to the legal department. Businesses are placing more responsibility on in-house lawyers to spot and manage risk. This means that more and more, in-house counsel need to be masters of the company’s business operations and strategy and, more importantly, aligned with the company’s level of risk tolerance.
What is risk?
When we think of “risk” we tend to think only of bad things. Yet not all risk is negative. Avoiding all risk is not the way to run a successful business, sports team, legal department, research facility, military, or pretty much any organization you can name. Taking risks is important to the success of any endeavor. There is risk in any merger for example, but companies still take that risk every day because there may be a big financial payoff. Instead, think of risk as a continuum of degrees of consequences ranging from very negative outcomes to very positive outcomes. Your ability as in-house counsel to understand the different consequences of what you, or the company, want to do, where those consequences fall on the continuum, and how everything balances out when the good and the bad are added up (i.e., are you looking at value creation or value destruction).
Different types of risk
For our purposes, it is easy to categorize risk as either “legal” or “strategic.” Legal risks are things lawyers are very familiar with, such as compliance risks, litigation risks, and regulatory risks. Strategic risks are things that business leaders tend to focus on that are critical to the survival of the business, such as financial risks, marketplace risks, reputational risks, natural disaster risks, and so forth. Interestingly, these types of risks are not mutually exclusive – they often overlap.
For example, hard times financially include both strategic risks (severe financial problems, governments teetering on default) and legal risks (regulatory and litigation problems for many companies tied to financial problems – theirs or those of others). For example, in the U.S., there is a constant battle in Washington over H1-B visas (i.e., highly skilled foreign workers who can fill jobs U.S. employers have difficulty filling from the domestic workforce). Companies may have a strategic risk in that if they cannot find enough qualified employees with the right skills to perform critical jobs. The company also has a legal risk in that regulations limit the number of H1-B visas, and the cap number fluctuates from year to year. Thus, companies must promptly begin the legal process of applying for H1-B visas or risk getting shut out. The most valuable in-house lawyers see the company’s strategic and legal risks, how these risks interconnect, and can advise the company on what to do next (e.g., lobby the U.S. government to add to the number of available visas).
Dealing with risk
To deal with risk (good or bad) you need to know what types of risk are most important to the company and where to look to get information about those risks. Many companies have an enterprise risk management department. If so, this is the group you want to insert yourself into in some manner. If not, you may need to organize a group yourself. This will include internal audit, finance, legal, information security, and members of the primary lines of business. The group will help evaluate the company’s opportunities and threats across all businesses and staff group functions. And you need to arm yourself with a framework to review risk. Here is an example of just some of the types of things to consider:
- What type of risk is it?
- Under what scenarios would the risk arise/happen?
- What is the likelihood of the risk occurring?
- What type of harm/opportunity can arise from the risk?
- Is this something a regulator might be interested in?
- Is this something that could make customers or vendors upset or bring on litigation?
- Is this something that if it became public or goes “badly” could damage the reputation of the company?
- Is this something covered by specific laws (and does it comply)?
- Is this something you have seen other companies (competitors, etc.) have problems with?
- Is this something that could severely injure someone?
- Can third parties cause the risk to the company?
- Can we exploit this risk?
- How can we minimize bad outcomes and maximize good outcomes?
Aligning with the company’s risk tolerance levels
The company’s level of risk tolerance comes primarily from the board of directors and the C-Suite. Some companies are very conservative, some not so much. And, as is typical, some companies are more or less conservative depending on the circumstances. Company policies also set the bar on risk tolerance and in-house lawyers must be hyper-aware of these sources. Additionally, internal audit and the individual business units/staff groups (including members of the compliance department and the legal department) can and should weigh in on acceptable levels of risks. It is not a solo endeavor.
Most importantly, the legal department should not impose its level of risk tolerance on the business. Lawyers tend to be very risk-averse, and that predilection often leads to clashes with the business and unnecessary friction in the day-to-day operations of the business, especially when it comes to contracts. Yes, lawyers can spot a crummy deal from a mile away but legal doesn’t run the business. You are there to advise and offer thoughts and recommendations. The decision about what risks to take or reject lies with the business – they own the risk. Your job is to 1) make the business fully aware of the risks and options and 2) that the right person is making the decision. “No,” however, is usually not the answer from the lawyers unless the plan is criminal, someone can get seriously injured, or it would cause you to violate the code of professional responsibility. Otherwise, your job is to help make whatever decision the business takes the best decision possible under the circumstances, even if you disagree with it.
Accordingly, when discussing risks with the business you must cover five things: 1) what the risk is; 2) the likelihood of the risk occurring; 3) the range of outcomes the company could face; 4) the options the company has for dealing with the range of outcomes; and 5) if appropriate, a recommendation about which option the company should choose and why. It’s okay to mention the “doomsday” scenario but if the chance of that happening is highly unlikely, don’t make that all you talk about. And if the business goes in a different direction than what you recommend, it’s not personal. They just have a different viewpoint and it’s their prerogative to take the decision. It may, however, be in your best interest to document the advice you gave and who decided the course of action because if something does go wrong down the road someone will ask, “How did the legal department let this happen?” Memories will grow very short. I know that feels a bit off, but it is part of the risk of being an in-house lawyer. Ideally, the legal department and the business have worked out how decisions around risk will be taken and who gets to decide. If that is not something you have in place, a process like that can save a lot of second-guessing down the line.
Dealing with risk is a challenging part of the job of being in-house counsel and alignment with the company’s risk tolerance is crucial. The key is recognizing that you do not need to deal with it alone. Involve the business and, more importantly, understand the company’s appetite for risk, and don’t substitute your thinking for that of those who run the business. Try to build out a formal framework for a cross-company group to evaluate and decide on risks. This will lead to better decisions and keep legal out of the deal-killing business.
If you have access to Practical Law you have access to many tools to help you implement the right kind of risk evaluation process for your company.