Many articles have been written on the issue of risk management and I do not propose to write the seminal piece on the subject. Rather, my point is that as in-house counsel you need to look at risk as organizational risk, not simply legal risk. To do this you must know your organization’s tolerance for risk and the return on resource investment to manage its risks. Without looking at the RORI for risk management, you are just measuring identifiable risks against some arbitrary standard (typically legal) of what is acceptable risk.
Many articles have been written on the issue of risk management and I do not propose to write the seminal piece on the subject. Rather, my point is that as in-house counsel you need to look at risk as organizational risk, not simply legal risk. To do this you must know your organization’s tolerance for risk and the return on resource investment to manage its risks. Without looking at the RORI for risk management, you are just measuring identifiable risks against some arbitrary standard (typically legal) of what is acceptable risk. With RORI, you are measuring the downside of the risk occurring as against the cost of avoiding it for your organization. This is a critical risk management tool for the modern in-house lawyer.
Organizational risk is an organizational issue
Your organization will have the traditional legal risks, such as governance, compliance/regulatory, data/cyber security, employment, contract, and others. But they all fall under the broader umbrella of organizational risk, alongside the bigger risks of organizational reputation, business model and financial loss, to name a few. In most organizations, there will be a team managing organizational risk. The GC is often ultimately responsible, but she is only one part of the team. Other key players can include the CFO, CIO, head of communications, head of HR, and the heads of your business units. Every employee in your organization plays a role in managing overall organizational risk. In fact, the frontline teams can often reduce risk the most.
GC – general contractor for risk
Organizations today do not have legal risks. They have business risks. As GC overseeing the management of organizational risk, you will need to work with and gain the insights of the other key players on the risk-management team and factor their views and contributions into the assessment of risk. For example, you will need to factor in the contributions of your CFO and head of HR when CRA asserts a series of independent contractors are in fact employees. You will also need to seek outside legal counsel or other outside advisors where you do not have the internal skill-set. For example, in addition to your heads of communications and HR, you may need to bring in a PR firm when you have a key employee charged with a crime; or, your CFO and a U.S. tax lawyer when you have a U.S. tax issue; or, your CTO and your insurance broker when your data gets hacked. These players, internal and external, all have critical insights and skills that you will not.
Proactive management – policies, process, training and communication
You will need a plan, and speed is always a factor. In some instances, you will have no choice but to be reactive. Responding like an ER doctor, dropping all else and fully immersing the team into resolving the issue. This is both late and expensive, pulling key players and resources from their work. Your real value will come in preventing potential risks from occurring. This will involve implementing key risk-management policies to proactively manage risk. These will include: Risk management plan; data protection plan; disaster recovery plan; code of conduct; privacy policy; and social media policy. These policies need to be focused on prevention and written in clear and concise language that all can understand and implement. You are not drafting banking documents here. If a high school student couldn’t easily understand them, they will not be effective.
Like any policy, they will need good process around them and, most importantly, they will need to be supported by communication and training. Posting them on your intranet site or placing them in your onboarding package is helpful, but not enough. You need to ensure that all employees, and most importantly your leadership team, is aware of and understands these processes and policies.
Stop, limit, change, advise
Processes and policies will help minimize risk. But, they can’t prevent all risk. Particularly, those in evolving or new areas of business. This is where your relationships and meetings with your Heads of business units will be key. Before it comes about, you will need to:
RORI is the key
RORI is your key tool to manage risk. In fact, it is a key tool for you to use in managing all aspects of your work as in-house counsel. But let’s look at how it can be used to manage contract risk. If you have a high volume of certain standard contracts that for years you have not sought to enforce terms or had them enforced on you, you can safely reduce the time and resources spent on reviewing and revising them. You need to strip out clauses and use party-neutral language on clauses that are not critical to the business of for your deals. Where not your paper, don’t negotiate or revise these clauses. Once you get these contracts to a stripped-down level, using party-neutral language where possible, you can build templates for your business units to use without further Legal review. This is not something you can do on key agreements, and you cannot remove language on key deal points in any deal. But, for high volume, standard agreements, spending time ‘over-lawyering’ them does not reduce risk. Your resource effort is high and your risk low – your RORI is low. It would be better to redeploy scarce legal resources to work that provides higher value to the organization. This approach works for all manner of organizational risk. There’s just a bigger RORI for some types of risk.