The cost of litigation can be prohibitive. Between discovery and motion practice it is easy to spend more than the case is worth before even getting close to trial. Everywhere you look there are stories about the increasing costs of litigation (and lately arbitration, too). We are also in an era of increased regulatory oversight and enforcement in the wake of the financial crisis. There is the emergence of Dodd-Frank and various new reporting requirements and other pushes to enforce existing laws, such as recent emphasis on enforcing the Foreign Corrupt Practices Act.
Now more than ever it is imperative to have a thorough and disciplined approach to risk management. This is the first in a series of three articles on risk management. The focus of this article will be on identifying and quantifying risk and developing and maintaining a risk management program. The second article will focus on how to reduce or transfer risk through insurance and reinsurance. The third article will focus on how to manage your risk with an eye toward gaining an advantage in litigation and enforcement proceedings.
Before we can talk about risk management, we need to define risk. At its most basic, risk is the likelihood that an event will happen. Generally speaking, risk is understood to involve a negative event and that is the primary focus of risk management, but there is also a component of positive outcomes that needs to be factored into a comprehensive risk management program. For example, in research and development it is generally accepted that failures will outpace winners by a wide margin, but without spending heavily on failures there are no winners. Another example is advertising, where the expectation is that return will outpace expenditure. These articles will focus on the traditional concept of risk as involving negative outcomes, but it is important to keep in mind that comprehensive risk management will look at all aspects of risk and in evaluating risk will look at both positive and negative outcomes associated with a particular activity.
Our definition of risk will focus on how likely it is that a negative event will occur. For these purposes, there are two components of risk that need to be evaluated: frequency and severity. Frequency is quite simply how likely an event is to occur. Severity looks at the size of the impact an event will have on business or operations. There are different methods for grading both frequency and severity, but typically this involves scoring each on a sliding scale and then combining the results. The combined risk score is then graded on a scale of low, moderate or high. For example, frequency and severity are both assessed on a scale of one to five. These scores are multiplied and the result is graded, e.g., one to seven is low, eight to 15 is moderate, 16 to 25 is high.
There is no one-size-fits-all approach for these purposes. The grading categories can also be expanded to include four or five categories (e.g., rare, low, moderate, high and extreme). This is the basic approach that is utilized to identify and quantify risk. As you progress through the risk management process, this scaling should be fine-tuned to more accurately quantify the risks your company faces and to address its particular needs.
Risk management is not a one- or two-person activity. Nor is it something to only be done once in a while. It is a vital part of the routine operation of a healthy organization. It requires commitment and discipline to stay focused on the ever-changing risk environment that your company faces. Once established, a robust risk management program, while requiring regular attention, should not require a huge time or cost commitment. Ideally, the risk management team will consist of a cross-section of the organization from the executive level, middle management and the rank and file, along with one or more outside professionals, depending on the nature of your business. For example, a public company that operates in a regulated business area may have an attorney with experience in risk management, an attorney experienced in the regulated field and a tax attorney or certified public accountant familiar with the accounting requirements applicable to that company. The exact composition of the team will vary based on the size and business of the company.
When establishing a risk management program, it is better to start with a larger team, particularly for the initial identification and quantification of risks. This is where the diversity of the team will help, as you want to be as thorough as possible in identifying your risk profile and your appetite for risk. Use of companywide questionnaires or surveys is another way to keep the team to a workable size while getting the broadest input for identifying risks. You can then scale back the scope and size of the team and break it down into working groups responsible for particular aspects of the program. It is good to rotate people through the team to keep a fresh perspective while maintaining continuity. Complacency is the biggest enemy to risk management.
Once you have identified your team, it is time to start identifying risks. This is essentially a brainstorming session and should look at everything big and small, likely and remote. It can be helpful to have general categories, such as business risk, legal risk, legislative/regulatory risk and geopolitical risk, to help focus the discussion. The first pass can be more general and along the lines outlined above in terms of two scales of one to five for frequency and severity. There are multiple resources to draw from to establish the grading of these measures.
Frequency can be sorted by descriptive means, such as: one means rarely (theoretically possible but not likely to actually happen); two means unlikely (happens regularly enough that over a long enough period it will occur); three means possible (event that has a history of occurring in your organization or industry); four means likely (very high probability that event will occur within a one- to five-year period); five means almost certain (event is expected to happen and there is a known history in the organization or industry).
Frequency can also be expressed in numeric terms: one means no more than once every 100 years, if at all; two means once every 30 to 50 years; three means once or twice every 10 to 25 years; four means one to nine times every 10 years; five means more than once a year on average.
Once you have established the big picture, you can look at refining your grading scales in a way that more fully encompasses the risk profile that your company faces. For example, a trucking company may use the descriptive five-point scale of rarely to almost certain for its overall risk management planning but develop a more detailed 10-point scale based on the number of occurrences for driving-related accidents, violations or incidents. This will also allow for higher-level analysis, both in cost-benefit analysis and looking at ways of controlling the risks you face.
Now that you have identified and quantified your risk, how are you going to manage it? This can be done in a variety of ways, with the most common approaches being avoidance, control and transfer. Each of these methods should be utilized in a comprehensive approach to managing risk. The outset of this process should again be a brainstorming approach identifying both existing and potential ways to mitigate risk.
For every risk that you have identified, try to come up with at least one mitigation method in each of the management areas of avoidance, control and transfer. Avoidance is just that, and may not be practical for most risks, but fully appreciating your risks and making the most informed decision on how to manage them requires understanding all potential ways of dealing with a given risk.
Control means actively managing an activity to reduce risk. This can include developing a uniform approach to certain processes, implementing safety procedures, equipment or training, hiring a safety manager/inspector, or conducting periodic training/certification. This is by no means an exhaustive list. Depending on the type of risk at issue, there are resources available to help in this process as well. Insurance companies and agents/brokers are a good place to turn for help in this area. They often have programs in place for just this type of activity and this can even lead to reduced rates for insurance coverage.
Transferring risk can be accomplished in a number of ways, from purchasing insurance to outsourcing different aspects of operations to increased pricing of products. What is right for you will depend on a variety of factors, such as the type of risk, the cost of insurance and the availability of an outside source. This process culminates in a risk-reward or cost-benefit analysis to determine how to manage your risks and to implement the management strategies that you select.
Christopher M. Brubaker is an associate in Clark Hill’s insurance and reinsurance practice group and concentrates his practice in commercial litigation, including appellate work. He also advises companies on regulatory matters involving insurance and environmental laws, rules and regulations. He can be reached at firstname.lastname@example.org.