White paper
How to understand and support your company’s risk tolerance
Managing risk as in-house counsel
For in-house counsel, risk management has evolved into a delicate balancing act that requires doing what’s necessary to safeguard the organization while also trying to help the organization grow and prosper. Those dual responsibilities are further complicated by expanding workloads, changing risk profiles, ongoing communication challenges, ever-present budget constraints, and — in many cases — cultural tensions between the business and legal sides of the enterprise.
In a recent Thomson Reuters webinar, “Managing Risk as an In-House Counsel,” several industry experts discussed the challenges and opportunities facing in-house legal departments tasked with managing organizational risk in today’s volatile business environment. Although all agreed that aligning a company’s risk tolerance with its business goals is an ideal worth striving for, they noted that since every organization is different, there is no single path legal departments can follow to achieve the kind of harmony and cooperation that the concept of “alignment” suggests.
Changing roles
Most in-house legal departments face the common challenge of having to contain costs and drive efficiencies while also protecting the company and managing an ever-increasing workload.
According to a recent report by Acritas, a Thomson Reuters company, cost containment is still among the top priorities in most corporate law departments. leaders surveyed also reported that their workload had increased and 43% said the type of work they are doing has shifted as a result of new risks introduced by various pandemic-related issues and uncertainties.
Because of new risks, it’s understandable that many legal departments are devoting more resources to their safeguarding role. But many are also seizing the opportunity to re-evaluate — and in some cases, re-define — their role as supporters, advisors, and contributors to the organization’s overall business strategy.
According to Acritas VP Jen Dezso,
Determining risk tolerance
Part of that shift involves taking a more proactive stance toward defining and articulating the organization's risk profile. But because every company's business reality is different, so too are their processes for determining risk tolerance. Some organizations have well-established, formal risk-management processes. Others have informal or ad-hoc processes. And some have both, in different degrees, depending on situational circumstances and priorities.
For example, a financially stable company that has concerns about its reputation might approach the risks of litigation with a potential for monetary damages differently from litigation that has the potential to damage the company’s brand. Likewise, a company that monetizes its intellectual property is likely to devote more resources to protecting that intellectual property than to mitigating risks that aren’t as critical to the company’s operations.
A more holistic approach
Regardless of the business issues involved, however, risk management is rarely a cut-and-dried process — nor should it be. “I sometimes say that your risk tolerance is not just set, it’s also discovered,” says David Martin, general counsel for QVC International. “And, like many things in life, you discover it when you go through situations that are uncomfortable and difficult, where the risk decisions aren’t optimal. That’s where you learn.”
Learning more about an organization’s appetite for risk is also crucial for legal departments that want to develop a nimbler, more dynamic approach to risk management — one that is responsive and flexible enough to adapt to ever-changing circumstances.
“Regardless of the size of organizations, the risk tolerance in a world that’s being disrupted by digitization and globalization — introduces new pain points for legal teams,” says Jane Caskey, global head of the risk advisory practice at Norton Rose Fulbright.
The number and range of potential risks are also pushing legal teams to adopt a more “holistic” approach to risk management, Caskey says, one that analyzes tolerance across different business units and regions while also being guided by a deep understanding of the company’s business strategy and goals.
Concrete ideas, flexible implementation
Indeed, it is helpful to have a corporate culture that encourages and rewards legal’s involvement in scenario planning and decision making — but it takes a certain amount of discipline and focus to bake those values into a culture. An important step in that process is taking the time to articulate the organization’s risk-assessment protocols and tolerances concretely in a document that can serve as an anchor point for training and reference. Once such a document is created, however, QVC's David Martin suggests it's also important to allow for some flexibility in interpreting and applying written protocols to real-life situations.
“While documenting a methodology and an approach is helpful, there does have to be that ability to operate on an as-needed basis and not be too rigid, or you could actually take a path that’s not the right call for the organization,” adds Caskey.
At QVC, for example, the legal team regularly re-evaluates its risks to ensure they are still relevant, or to determine whether the risk management protocols are being applied correctly in specific real-world situations. Such reviews are especially valuable says Norton Rose Fulbright’s Caskey, because so many more factors are in play at this particular moment in history.
“In the last six months in the context of data and cyber — there is a trend of legal teams and organizations taking a step back and reviewing risk registers and crisis-management plans with a whole new lens because of the scale and enormity of incidents happening right now,” Caskey says.
Alignment: Harder than it sounds
While defining and documenting a risk-management philosophy can help guide a legal team's decision making, the larger challenge is aligning the legal team’s methodologies and thinking with the strategies, tactics, and priorities of the organization’s senior leadership.
In the abstract, aligning business and legal priorities may not sound too difficult, but that's only if they remain abstract and aren’t ground tested in reality, says QVC’s Martin.
“Aligning a team is harder than it sounds,” says Martin. “Depending on the size of the team, you could be dealing with any number of people in different jurisdictions, with different levels of seniority and work experience, and also operating in different markets or perhaps aligned to different functions.”
To persuade such a disparate group of people to think differently about their approach to risk, it’s important to “get right into the details with some real-life examples,” says Martin — because simply producing a high-level statement “just won’t work,” he says.
Caskey agrees, and the reason it won’t work, she says, is that in practice, effective risk management is really more about engaging in a continuous, ongoing dialogue with colleagues on both sides of the fence. “The most effective risk management happens when there is more open communication and collaboration — and, frankly, partnership — so that the business side understands that legal is trying to drive competitive results with the appropriate tolerance for risk.”
Legal needs to think strategically, too
Unfortunately, the legal department in many organizations is thought of as the place where “yes” goes to die. Saying no when necessary is of course legal’s responsibility, but a department that develops a reputation for being too risk averse may need to step back and think more strategically about its own goals, particularly if one of them is developing a more harmonious relationship with the business side.
“If the advice from the law department is always no, it’s like a rock in the middle of a river,” says Practical Law’s David O’Connor. “If you’re the rock as an in-house lawyer, and your advice is always no, that river is just going to flow around you. People are not even going to come to you anymore with questions.” And that can be dangerous, he says, “because if people are ignoring you, that can really harm the organization.”
To keep on top of the organization’s strategic priorities, department lawyers must facilitate open lines of communication between the legal and business sides of the enterprise. Furthermore, just as it is important for the legal department to understand the business side’s priorities, it is also crucial for business leaders to understand how current events are altering the organization’s risk landscape.
For example, says Jane Caskey, issues such as sustainability, and climate change “trigger a much wider swath of stakeholders” than traditional business matters, broadening the range of factors the legal team must take into consideration. Taking the time to explain the legal team’s perspective to organizational leaders makes a “big difference,” Caskey says, and “builds up the credibility of the legal team for future decisions.”
It also helps to speak the business side’s language, which can mean diving into data and analytics. In that regard, “anything that tells you where your team is spending time and money is useful,” says QVC’s David Martin. “Then you can compare that to your departmental objectives or against the overall risk management and see if there’s at least some relationship between what you said was important and where you’re spending your time and money.”
How legal tech can help with alignment
Legal management technology can help with matter tracking and reporting, of course, but it can also help legal departments align themselves by developing consistent templates for routine legal matters — such as contract management, intake tools, e-signatures, etc. — and providing a common platform for crucial communications. Used appropriately, legal technologies can also provide additional layers of legal insight and business intelligence.
As an example, Jane Caskey’s team at Norton Rose Fulbright — acting as outside counsel — used data analytics to help a global airline identify an airline crew that was generating a disproportionate number of claims. In that instance, says Caskey, “We were able to go to the business and say, not only are we doing this more efficiently and effectively, we've actually been able to identify a commercial issue to help mitigate risk. I think that’s the wave of the future.”
Start at the top
Ultimately, however, any successful alignment in a corporate environment requires consistent messaging from the top on down.
“Law department leadership really needs to give clear guidance to the lawyers as to how to make sure they’re aligned with the organization’s risk,” says Practical Law’s David O’Connor. “Lawyers who are involved in the day-to-day, hand-to-hand combat with clients need to know the department has standards and parameters that they’re free to operate within.”
But clear guidance and consistent standards only work if they are communicated and supported by the organization's leaders, O'Connor says — especially if there is a misfire. Among other things, he says, “In-house lawyers need to know that if they make a good, reasoned risk decision that doesn’t work out, they’re going to have the leadership’s support for having made that decision, as long as it was well thought out.”
Tips for starting the risk alignment conversation:
- Develop a sense of curiosity and ownership about the organization’s business objectives, strategies, and tactics.
- Provide lawyers with clear guidance on how to make sure they’re aligned with the organization's risk profile.
- Schedule regular quarterly or monthly meetings with different business teams to discuss legal issues and work toward a shared understanding of institutional risk.
- As a department, work toward having a more holistic, enterprise-wide understanding of the organization.
- Think of the legal and business sides of the operation as a partnership — one that can and should be mutually beneficial, but only if they are striving toward the same goals.
The full webinar, “Managing Risk as An In-House Counsel: How to Understand and Support Your Company’s Risk Tolerance” is available to view on demand. This is but one of the many free resources Practical Law offers to assist in-house counsel in addressing their legal and business needs.
For over 200 years Thomson Reuters has been advancing the art and science of law.
Whether through the most up-to-date legal content, driving innovative legal technology, or groundbreaking legal insight, Thomson Reuters provides legal professionals across the world with the technology, intelligence, and human expertise they need to find trusted answers.
Related insights
Learn how Practical Law for corporations can help you do just that