The scope of legal responsibilities for in-house counsel varies depending on the size and complexity of the company. For instance, an attorney located at corporate headquarters could be chiefly responsible for issues affecting the shared services that are available and used by corporate headquarters, as well as every business unit and division. And yet at other times, in-house counsel’s concerns may be restricted to matters affecting only the parent company or a specific liability issue faced by only one business unit.
In each instance, however, in-house counsel are generally concerned with specific legal tasks and proactive risk management.
What exactly does risk management mean, and what does it encompass? Furthermore, once the definition of risk management has been established and accepted by the company’s management team, how can in-house counsel efficiently and comprehensively assess all possible risks?
Merriam Webster’s dictionary defines risk as “the possibility that something bad or unpleasant will happen.” Whenever many of us in the accounting and legal profession hear the word “risk,” we inherently may succumb to the aforementioned particular negative connotation of risk. How many times have we heard the phrase, “Risk is a part of life,’ and how often have we associated those five words with an undesirable implication?”
Alternatively, A Positive View of Risk
Taking risks does not always have to be painstakingly negative. It is unlikely that many will disagree with the Institute of Risk Management’s (IRM) assertion that “avoiding all risk would result in no achievement, no progress and no reward.” This statement undoubtedly portrays a different perspective of risk, indicating the potential of a positive outcome.
IRM goes on to define risk as “the combination of the probability of an event and its consequence. Consequences can range from positive and negative.”
Therein lies the basic premise of risk management. If the consequences of risk can be both positive and negative, it would seem only prudent to try and effectively manage risk to have the highest probability of a positive outcome.
Applying IRM’s definition of risk, together with the premise that avoiding all risk would result in no achievement, no progress and no reward, we intrinsically recognize that not all risks are bad and not all risks are to be avoided.
Over the course of three successive articles on risk, we will take a closer look at how in-house counsel works with internal and external resources to help identify, evaluate and categorize risk.
Risk Assessment: The Starting Point for Successful Risk Management
Risk assessment is the identification, analysis and evaluation of risks involved in a given situation. Risk assessment also implies a comparison against benchmarks or standards, and the determination of an acceptable level of risk. The evaluation of risks should also provide management with a remediation or control for the identified hazard.
The word “risk” alone without any context is a vague and ill-defined term. There is safety risk, country risk, political risk, health risk and the ongoing list is virtually boundless and it is next to impossible to comprehensively assess all possible risks.
According to Tori Silas, privacy officer and senior counsel with Cox Enterprises, Inc., Cox uses the external resources of multinational accounting and advisory companies to assist with its risk assessments. Using best practices they have developed by analyzing business processes and assessing risk for companies on a global level, these organizations assist in the identification of risks in particular areas of the business, and provide a framework within which to rate risks and prioritize remediation efforts associated with those risks.
Assessment Begins with Knowing Who Decides Acceptable Levels of Risk
As an example of financial risk, according to a Tulane University study, the chances of getting hit by an asteroid or comet are 1,000 times greater than winning a jackpot mega millions lottery. Yet, some have accepted that level of risk and will habitually trade their money to play the lottery rather than investing their money or capital in an endeavor that has a much higher probability of building wealth. Whether right or wrong, a good or bad decision, those who make the choice of playing the lottery have intrinsically accepted the financial risk of losing their money in lieu of the near impossible odds to reap a grand reward.
No matter our opinion of playing the lottery, I think we would all agree that it would be highly unlikely to find a pragmatic business executive allotting some portion the company’s wealth and assets to invest in lottery tickets. But why not? Who decides the parameters of acceptable levels of risk for a business and against what benchmarks are those decisions made?
The business owners, board of directors and executive management define the business objectives, and establish the risk appetite and risk tolerances that are to be contemplated on an overall basis by management when making decisions and evaluating options and alternatives. Together they establish a system of rules, practices and processes by which their company is directed and controlled. This concept is often referred to as corporate governance. Businesses of all sizes embrace this concept, but small businesses may cloak this concept within the singular frame of mind of its ownership’s values, ideologies, philosophies, beliefs and individual business principles.
As the privacy officer for Cox Enterprises, Silas strives to make certain the employees of their consumer facing companies are aware of Cox’s obligations regarding data privacy and that they are appropriately trained to identify and mitigate risk related to and to protect any private consumer data they may have collected.
Since the purpose of a risk assessment is the identification, analysis, and evaluation of risks that could adversely impact the business meeting its objectives, the process of conducting a risk assessment should be integrated into existing management processes. According to Silas, Cox Enterprises also utilizes its own internal audit services department to examine functional processes and identify opportunities to strengthen controls and mitigate risks. It is recommended that risk assessments should be conducted using a top-down approach beginning with the top level of the company and filtering its way down through each division and business unit.
For example, a company may have three divisions: manufacturing, marketing and finance. Each of those divisions may operate in four global sectors. Using a top-down approach the three top divisions would conduct a risk assessment and each subdivision that is located in each global sector would conduct their own risk assessment. The top-down approach would then be complimented by bottom-up process where the risk assessments are sent up the business chain, gathered and compiled into an integrated risk assessment matrix.
Ten Tips for Conducting an Effective Risk Assessment
In quick summary, here are ten additional tips for conducting an effective risk assessment:
- Create, plan and conduct a formal risk assessment;
- Define the context and objectives of the risk assessment;
- Define and understand the organizations acceptable risk tolerance;
- Bring together the best team to conduct the risk assessment;
- Employ the best risk assessment techniques for the situation;
- Understand control measures to mitigate risk;
- Be objective and impartial conducting the risk assessment;
- Identify the environment that is conducive to risks;
- Identify who could be harmed; and
- Review, revisit and re-perform the risk assessment.
The next two articles will discuss internal and external resources that may contribute to the risk assessment process by evaluating and categorizing the risks and how the individual risk assessments should be aligned in an overall enterprise risk management framework.