The legal team and risk management: What you need to know

Sterling Miller

Over the past decade, a growing part of an in-house lawyer’s responsibilities has been spotting and managing risk. Unfortunately, the expectation is that in-house lawyers will spot all risks and weigh in to mitigate them. That’s a problem, as no lawyer or legal department can spot and manage all risks, and there is little formal training for in-house lawyers around risk management. The solution is twofold: in-house lawyers must learn to recognize and evaluate risk and work with other departments to manage it.  This article will discuss how to do both.

Recognizing and evaluating risks

When lawyers think of risk, we tend to think only of bad things — yet not all risk is negative. Avoiding all risks is not the way to run a successful business; taking risks is essential to the success of any endeavor. For example, there is risk in any merger, but companies still take that risk every day because there may be a significant financial payoff. Instead of thinking of risk as black and white or good and bad, in-house lawyers must reset and think about risk as a continuum with degrees of consequences ranging from really bad to really good.

The key is your ability to understand the different consequences of what you or the company want to do, where those consequences fall on the above continuum, and how everything balances out when the good and the bad are added up — such as “value creation” versus “value destruction.” The ability to do this calculation and plot a course toward good outcomes is what executives want from their in-house lawyers.

In-house lawyers can categorize risk as either legal, strategic, or mixed. Legal risks are those that lawyers are very familiar with, including such broad categories as compliance risk or litigation risk. Strategic risks are things that business leaders focus on and are critical to the business's survival, such as financial risk or marketplace risk — for example, competitors and disruptive technology or business-model risk.  Mixed risk is when the two overlap. That is, mixed risk carries both legal and strategic implications, such as new regulations on the business or political instability, whether domestic or overseas. Think “Brexit.”

Managing risks

There are several action items in-house lawyers must perform to do a good job with risk management:

1. Create or become part of a team that spots risk and determines which types of risk are important to measure. Many companies have an enterprise risk management department. If so, this is the group you want to insert yourself into in some manner, whether as a member, partner, or subject-matter expert. If not, you may need to organize a group yourself. The goal of this risk team is to regularly identify and consider the company’s critical strategic, operational, and legal risks.

2. Learn these three things: the company’s business goals and strategy, the company’s level of risk tolerance — that is, how much risk the company will accept — and the right questions to ask, including:

  • What type of risk is it?
  • Under what scenarios would the risk arise?
  • What is the likelihood of the risk occurring?
  • Can third parties cause a risk to the company?
  • What type of harm can arise from the risk?
    • Monetary?
    • Operational?
    • Criminal?
  • What is the company's best, worst, and most likely case regarding harm?
  • How can we deal with the risk to minimize bad outcomes and maximize good ones?
    • Policies and training?
    • Contractual terms?
    • Insurance?
    • Operational controls?
    • Take a “bigger” risk?
    • Prepare for the risk?
  • Are there benchmarks or standards we can use to measure against?
  • How can we best monitor the risk, and what are the trigger points?

3. Be alert for risk. When you have mastered the above and as you participate in meetings — whether they’re with the board, C-suite, “town hall,” strategy planning, staff group, etc. — listen closely to what is discussed and quickly run through these questions:

  • Is this something a regulator might be interested in?
  • Is this something that could make customers or vendors upset or bring on litigation?
  • Is this something that could damage the company's reputation if it became public or went “badly”?
  • Is this something covered by specific laws, and does it comply?
  • Is this something you have seen other companies — competitors, etc. — have problems with?
  • Is this something that could severely injure someone, such as a safety or environmental mishap?

Assessing risks

Once you have spotted and analyzed risk, you will likely want to estimate the cost or value of the risk, depending on whether the risk is negative or positive. There is a relatively simple and standard formula for this:

Risk value = probability of event x cost/value of event if it occurs

For example, you are faced with a large breach of contract claim. While the dollar value claimed is high ($1M), you estimate the probability of losing is low (25%). The risk value is then:

Probability (.25) x cost ($1M) = $250,000

On the positive side, if you have a merger worth $25M in incremental operating income every year if consummated and you think the odds that regulators approve the merger are high (80%), the risk value is:

Probability (.80) x value to company ($25M) = $20M

Finally, you need to report risk to the business. Doing so will occur in one of two ways: a formal risk assessment report, usually prepared by the risk team, or an ad hoc report made when necessary. A formal report follows a relatively rigid process and an established format. This report will likely go to the board of directors, audit committee, and C-suite. An ad hoc report may be an email to the general counsel, a memo to the CEO, or an off-the-cuff discussion during a meeting.

Regardless of the way you report the risk, you need to cover five things:

  • What the risk is
  • The likelihood of the risk occurring
  • The range of outcomes the company could face
  • The options the company has for dealing with the range of outcomes
  • A recommendation about which option the company should choose and why

If you report the risk in writing, ensure you take the necessary steps to preserve the attorney-client privilege or work product protection if litigation is likely. If you fail to do so, understand that any writing — email, report, presentation, etc. — may have to be turned over to the other side in the event of a government investigation or civil litigation.

You will not spot every risk your company faces, and that’s okay. But you need to have a plan in place to catch the most important ones. The information above gives some simple ideas and processes to help in-house counsel spot and evaluate risk.

The key takeaways here today are:

  • Constantly be alert for risks to your company.
  • Don’t just report risk; be prepared to discuss the potential outcomes and options for the company.
  • Don’t create additional bad risk by putting too little thought into writing documents that discuss and analyze risk, or by failing to teach fellow employees who write such documents how to draft them well.

If you subscribe to Practical Law, you already have a host of tools to help you spot, manage, and report on risk.
