Risk management: Cover your bases

Jahmiah Ferdinand-Hodkin shares five mistakes to avoid when developing your risk management strategy

Jahmiah Ferdinand-Hodkin

Risk management remains one of the top concerns among in-house counsel in Canada, as revealed by Canadian Lawyer InHouse’s annual Canadian Corporate Counsel survey. When one considers the potential business impact of an unforeseen litigation, major regulatory infraction or high-profile HR scandal, it should come as little surprise that this area keeps general counsel awake at night. 

Identifying and implementing a fulsome and foolproof risk road map is indeed a large task — one that requires the input and involvement of all business departments. A risk plan must also evolve over time and be continuously revisited, re-evaluated and revised. 

To help ensure your business is in the best possible position to mitigate risk, below we highlight some common mistakes to avoid when preparing and executing your organization’s risk management protocols: 

1. Mistaking risk management with crisis management 

When a crisis occurs, the time for developing and implementing an effective risk management strategy has already passed. Crisis management requires teams from all aspects of the business to respond cohesively and quickly — and in a pre-planned, organized manner — to a specific emergency. The best crisis management response is in large part the result of a well-considered and designed risk management protocol. Risk management is about identifying all of your company’s potential risks and determining how you will respond should these materialize. 

2. Not updating your policies regularly 

As your business matures, so does its risk profile. Not only does your exposure to internal risk grow as your company expands, but the commercial and legal landscape in which your business operates is constantly changing as well. From legislative and political shifts to economic headwinds and environmental concerns, your business’ relationship to the outside world is always in flux. For this reason, risk policies should be reviewed routinely. This is particularly critical following times of significant change for your organization — including mergers, acquisitions, corporate restructurings and forays into new sectors or jurisdictions. 

3. Not keeping up with technology 

Recent advances in technology have given rise to a new generation of operational risk. Whether it be related to social media, cybersecurity or privacy, failing to keep pace with the tools and systems central to your company’s business could result in large holes in your risk management plan. Working closely with your IT team, take the time to anatomize the vulnerabilities associated with the technology you and your colleagues use every day. 

4. C-suite tunnel vision 

For too many companies, risk management begins and ends at the board level. However, if executive priorities are informing the entirety of your risk management strategy, then you’re missing a significant part of the picture — and putting your business in jeopardy. Resolve to venture outside the C-suite and take the time to engage meaningfully with a broad cross-section of employees representing all departments. This 360-degree perspective will help ensure your risk management policies encompass the intricacies of how your business is run. 

5. Not knowing when to seek outside help 

The risks companies face today are as varied as business itself. For in-house counsel working for organizations with broad interests, certain threats may be less apparent than others. Sometimes, the smartest move is knowing when to call for outside help — if only to have someone ask the questions you haven’t yet thought to ask. A risk management specialist, in particular, is well placed to identify risks, propose risk management solutions and implement strategies to reduce loss, exposures, litigation and claims. 

Your company’s risk management strategy doesn’t need to be overly complex, but it does need to be thorough, up to date and well informed. Take the time to ensure that you’ve not only covered your bases but also that you have a system in place so that your risk plan can evolve with your business.