Jonathan Stevens provides a practical guide to legal risk mapping for in-house lawyers.

Risk is not a bad word – businesses need risk. Risk is good. The problems arise when you have too much, or too little of it. Without risk, there is no reward. The one gives rise to the other. The higher the risk, the higher the reward. Let me give you a simple example.

If I spend £10 per month on lottery tickets, the risk of me losing my investment is very high, because the chances of winning are so low. But if I do win, the likely return is very high. If I spend £10 on tickets at the local village tombola, the risk of me losing my investment is quite low, as the chances of me winning something are pretty high, but the return is much lower. A jar of homemade jam doesn’t compare to a lottery win!

Why understanding risk is crucial

The corporate graveyard is littered with the tombstones of companies whose demise was caused by poor risk management, that is, failing to understand and control their risk. But there are also companies that have suffered huge failure because they failed to take a risk. Kodak is a good example – it had a dominant and enviable position in the photography marketplace, but it failed to recognise the risk that digital photography would present. Inaction and a failure to adapt to and anticipate the changing market resulted in the company having to file for Chapter 11 bankruptcy in 2012.

[Image: Inside Out cover, April 2017]

So, it’s the company that does not know or manage the risks it faces that presents a risky business. Napoleon Bonaparte summed it up rather nicely when he said: ‘To be defeated is forgivable, to be surprised is unpardonable.’ The key to good risk management is to seek to identify, anticipate and assess potential risks, and then devise and implement action plans to address those risks.  

The company that only reacts to risks when they materialise will be seen as risky to its investors, shareholders, insurers, creditors, clients and suppliers.

Why good risk management makes good sense

Good risk management enables better decision-making, helps the company to be more competitive, reduces claims, protects reputation, improves insurance coverage and cost savings, and instils confidence in the market and shareholders.

Corporates are increasingly aware of the importance, value and need for proper risk management, not least because of a series of high-profile risk management failures over the last 15 to 20 years. The fruit of all these failures has been an increasingly burdensome regulatory framework and a growing expectation from the market, shareholders and investors of strong risk governance. However, good risk governance is much more than rules and procedures. Enron had those in abundance; it just did not follow them. Good risk management must also be communicated, managed and embedded into the very culture of the organisation.

Legal risk mapping

The in-house legal function is a key part of a company’s risk management infrastructure, helping to anticipate and avoid risks rather than simply reacting to them. Therefore it’s imperative that in-house lawyers understand the principles of good risk management and play an active and integral role in the identification, assessment and management of risk.

So, how do you anticipate and avoid legal risks? The answer is by legal risk mapping, which is a process in which you identify, assess and mitigate the legal risks faced by the business. This requires you to analyse the business operations, activities, service lines, geographies and jurisdictions and identify all the legal risks that the business does or could face.

Categories of risk

First, you should identify different categories of legal risk (eg labour, product liability, competition, criminal etc) and then detail the risks within each category relevant to your business. This takes a bit of time, but provides a fantastic opportunity to sit down with various subject matter experts in the business (HR, internal audit, compliance, tax, finance etc) to really identify the risks. 

Your insurers will likely be happy to help, too. They will love the idea of your risk profile being reduced and are generally able to share their risk experience to help you understand and anticipate what could happen to a business like yours.

Your external lawyers will add further insight – they will have experience of different claims and cases in your sector with other clients.

You also need to be clear as to what a legal risk is in your risk-mapping process. There does not appear to be one simple agreed definition. The Association of Corporate Counsel has provided one helpful definition, but in simple terms, you may want to define a legal risk as breach of a legal obligation.

Risk ratings

Once the actual or potential risks have been identified, each risk should be rated or scored to estimate the:

(1) probability or likelihood of the risk materialising

(2) impact or consequence that the business would face if the risk did materialise

(3) effectiveness of the measures currently in place to avoid or mitigate that risk.

However, before you can map the risks in this way, you have to identify the ‘mappers’ – exactly who is going to complete risk ratings for all the identified risks? Inevitably, it will be a mix of the in-house legal department and various subject matter experts within the business. The mappers need to be given guidance and training so they understand what they are doing and how to do it. They will need a list of definitions so that everyone has the same understanding of terms used in the exercise. Not everyone will apply the risk, impact and mitigation ratings in the same way, so the results will need to be checked, moderated and validated to make sure all the mappers are applying the same methodology and that any anomalies and inconsistencies are identified.

You can map every risk, giving each a rating on a scale (eg 1-5). However, in a world where the ‘more for less’ philosophy applies to just about every business, you may prefer your ‘mappers’ to consider, say, the top 10 risks in each category and rate only those.

Having mapped and validated the risks, you can now assess the top risks by giving them a risk rating. This is achieved simply by multiplying the likelihood rating and impact rating. For example, if using a 1-5 scale (where 5 is the highest risk and impact), the highest risk rating would be 25 (5 x 5). Placing all the results into a spreadsheet then allows you to cut, slice and dice the data and advise the business on, for example, the top 25 risks of the group, the top 10 risks per service line, the top 10 risks per category of risk etc. You can also then prepare different reports highlighting the top risks relevant to different parts of the business.
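As an added example (not from the article), a small Python risk register that applies the scoring described above: it validates the 1-5 scale, computes rating = likelihood x impact, flags risks where mappers disagree by more than an agreed spread (the moderation step) and produces top-n lists overall, per category and per service line. The risk names, categories, service lines and mapper names are constructed sample data.

```python
"""Legal risk register helpers (added example, not the article's own code)."""
from collections import defaultdict
from statistics import mean
from typing import NamedTuple

SCALE = range(1, 6)  # the article's 1-5 scale, 5 = highest likelihood/impact

class Rating(NamedTuple):
    risk: str          # risk description
    category: str      # eg labour, product liability, competition
    service_line: str  # business unit (constructed values below)
    mapper: str        # who scored it
    likelihood: int    # (1) probability of the risk materialising
    impact: int        # (2) consequence if it does
    mitigation: int    # (3) effectiveness of current controls

def score(r: Rating) -> int:
    """Risk rating as the article defines it: likelihood x impact (max 25)."""
    for v in (r.likelihood, r.impact, r.mitigation):
        if v not in SCALE:
            raise ValueError(f"{r.risk}: rating {v} is outside the 1-5 scale")
    return r.likelihood * r.impact

def moderate(ratings, max_spread=5):
    """Validation step: group scores per risk and flag risks where mappers
    disagree by more than max_spread. Returns (consensus, anomalies), where
    consensus maps risk -> (category, service_line, mean score)."""
    by_risk = defaultdict(list)
    for r in ratings:
        by_risk[r.risk].append(r)
    consensus, anomalies = {}, []
    for name, rs in by_risk.items():
        scores = [score(r) for r in rs]
        if max(scores) - min(scores) > max_spread:
            anomalies.append(name)
        consensus[name] = (rs[0].category, rs[0].service_line, mean(scores))
    return consensus, anomalies

def top_n(consensus, n, group_by=None):
    """Top-n risks overall, or per 'category' / per 'service_line'."""
    groups = defaultdict(list)
    for name, (cat, line, s) in consensus.items():
        key = {"category": cat, "service_line": line}.get(group_by, "all")
        groups[key].append((name, s))
    return {k: sorted(v, key=lambda x: -x[1])[:n] for k, v in groups.items()}

# Constructed sample register: two mappers scoring the same three risks.
SAMPLE = [
    Rating("Unpaid overtime claims", "labour", "Retail", "HR", 4, 3, 2),
    Rating("Unpaid overtime claims", "labour", "Retail", "Legal", 4, 4, 2),
    Rating("Unsafe product recall", "product liability", "Manufacturing", "QA", 2, 5, 4),
    Rating("Unsafe product recall", "product liability", "Manufacturing", "Legal", 5, 5, 3),
    Rating("Price-fixing allegation", "competition", "Retail", "Compliance", 1, 5, 5),
    Rating("Price-fixing allegation", "competition", "Retail", "Legal", 2, 5, 4),
]
```

Running `moderate(SAMPLE)` flags the product recall risk (scored 10 by one mapper and 25 by the other) for discussion before the top-n reports are produced.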

Action plans

Mapping the risks in this way is, of course, a complete waste of time if you don’t actually do something about the risks, which means devising and implementing action plans. Established risk management theory teaches us there are four ways of dealing with a risk:

(1) Eliminate the risk

(2) Transfer the risk to somebody else

(3) Reduce the risk

(4) Keep the risk.

There are numerous ways to mitigate risk which could include:

  • updating / drafting policies
  • extending insurance cover
  • adding new clauses to a contract
  • issuing alerts
  • providing training
  • implementing changes in the business practices.

These are just a few examples; the number of ways to deal with risk is many and varied.

It is critically important to devise action plans to address the top risks. This means first identifying the person(s) best placed to ensure the risks are dealt with. Somebody should be accountable for this and a follow-up process should be developed to make certain the actions are implemented. Linking the delivery of action plans to objectives and bonuses helps. This really is where the rubber hits the road – the action plans have to be devised effectively and put into place, otherwise all the work of the mapping is futile. You can imagine the justifiable wrath of management if the time-consuming risk mapping process each year identifies the same top risks, and each year the business reports that nothing has progressed in addressing those risks.

The role of in-house counsel will focus, naturally, on legal risks. But risk mapping is wider than just legal risks. It provides a valuable risk management exercise for the business as a whole, particularly when carried out as part of an overall enterprise risk mapping project that looks at the broader risks facing the business: operational, market, financial, strategic and fiscal. Obviously, the mapping process needs to be aligned so that each part of the business maps its risk in the same way, using the same methodology.

Risk mapping is a time-consuming process, but the benefits to business are wide-reaching. And as Kodak discovered, the risk of doing nothing is too great…