This is a question I often ask people in business because legal business risk is not well defined neither is there an appreciation in understanding how to identify it in first instance. This includes mitigation of the potential loss through litigation, regulatory fines and reputation loss. Some of the responses I get vary from a bemused smirk, or “it’s on our minds” when I asked a well established family office about there cyber risk security. The other common response is “what risk” and so on, a view held until something goes horribly wrong.
It is an extraordinary position to take when you think that compliance and due diligence is cheaper in the long run than taking a chance in throwing caution to the wind.
Yet even in my profession, us well trained lawyers tend to be better at reacting to an event rather than preventing it. An example is if somebody publishes your teaching material or artworks without your authority. A lawyer will advise you can file a claim for IP infringement or some other recourse. However with technology making it difficult to source who infringed it sometimes and costs to pursue also make it next to impossible to pursue, is it then not better to prevent in the first place?
Contracts risk is another example. Often many agreement fall past their use by date and really should be reviewed regularly. Or they just provide insufficient safe guards including warranties and conditions to protect the parties against defaults and breaches. Also definitions in contracts can change too over time so keeping up to date with later court cases is crucial to ensure you have the right ones in the agreement.
Risk and legal risk
Whether the uncertainty leads to negative or positive outcomes depends on situation type of risk, how both the problem and the solution affect the organization’s enterprise. Risk impacts small and large organizations alike and more high profile examples we saw just recently with the findings of the Australian Royal Commission into the financial services sector.
For example, AMP, the insurance giant shed 2.3 billion off profit for the first half in 2019 due to revelations of misconduct revealed at the Hayne Royal Commission. The scandal hit the reputation much harder than it has the big four banks, and all five organizations now must prove they have changed their ways if they are to bounce back.
Other examples over the last few years include the UK banking sectors and in others, companies like Petrobas which lost 62% of its market share in the wake of the corruption scandal. There is also Volkswagen which copped a 5 billion dollar fine imposed after its “cheat device” scandal damaging its brand and long term organizational health. The other consideration is legal risks tend to go from “no risk” to “serious risk” without anything in between rather than gradual and constant.
Risk management includes identification, assessment, and mitigation and involves four actions:
Risk identification
Business & legal risk identification requires knowing what your risks are, by doing a thorough review of internal and external factors to identify where they come from.
Examples
Risk Examples
Legislation and regulation risk-Failure to comply appropriately
Failure to monitor changes. Non-contractual obligations risk-Failure to observe duty of care to staff, customers, market or environment.
Contractual-
Failure to execute obligations
Breach of conditions
Acceptance of excessive liability from
liability transfer clauses
Disputes Failure to monitor risk areas before dispute
gets out of control
Failure to resolve disputes
Rights Risk-Intellectual property infringement
Risk assessment
Risk assessment is an important step so organization understand importance of the risks they face, enables comparisons of different risks, and facilitates decisions about appropriate risk management and mitigation.
Risk management
The process of risk management involves avoid, transfer, reduce the risk’s probability, and impact. Avoiding risk creates a different set of problems in that the organization fails to grow. Taking this option requires a clear identification of recognizing which risks should be avoided and which risks should be managed. Transferring risk involves moving either risky activities or risk consequences to another organization by outsourcing, insurance, and for financial sector organizations, derivatives and hedging.
Risk mitigation
Risk mitigation is often used where the specific risk is so common and so difficult to eliminate that plans to manage the impact are necessary and frequently implemented. Secondly, where the risk infrequently crystallizes but has a substantial impact when it does crystallize. Risk mitigation can be applied by itself or in conjunction with the other risk management processes. Contingency plans are a common risk mitigation method, can be diverse, covering areas from financial hardship to natural disasters and business continuity.
However, the constant common elements of contingency plans include where nothing is left ambiguous, undecided, and not implemented Experience shows that early activation at the top is more effective than late activation, and that rehearsals and simulations provide valuable learning about implementing and refining the plans. Buffers and reserves should be planned to provide sufficient funds to cover typical scenarios.
Just a final note, you don’t want to be so risk adverse to slow growth of your business, as that is a risk in itself but it must be reasonable and well considered. It follows the old saying that prevention is always better than the cure. More to follow.